Allow/Support Changing the passwords on the Overcloud
Currently once you do a deployment with TripleO, you are unable to change or rotate any of the passwords used in the overcloud.
For day 2 operations we need to be able to change all passwords in the environment in a case where an Operator leaves, or as part of standard security protocol (passwords rotated every 6 months).
Ideally we would support you specifying the passwords you would like in tripleo-
Blueprint information
- Status:
- Complete
- Approver:
- Steven Hardy
- Priority:
- High
- Drafter:
- Graeme Gillies
- Direction:
- Approved
- Assignee:
- None
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
- Informational
- Milestone target:
- ocata-3
- Started by
- Completed by
- Emilien Macchi
Related branches
Sprints
Whiteboard
(shardy) Would fixing bug #1611704 be sufficient for this? Then you can do openstack overcloud deploy --templates -e the_passwords.yaml ?
If there's specific interface improvements beyond that it'd be good to define them (not necessarily via a spec, a linked etherpad with use-case examples would be enough). In particular do we need to support some way of forcibly re-generating random passwords, or can we always assume operators provide them?
(ggillies) I think that bug is likely covering all aspects hopefully. As long as there is a clear interface to setting the passwords how I like. As for supporting generating random passwords, I guess that would be nice to have, but I understand that might make things harder, so I would be happy to just make operators generate their own passwords outside of tripleo and pass them in (as it's a trivial task for us to do)
(emilien) I'm closing this blueprint since it will be covered by https:/