Chapter 13. Changing service account passwords using director Operator

Red Hat OpenStack Platform (RHOSP) services and the databases that they use are authenticated by their Identity service (keystone) credentials. The Identity service generates these RHOSP passwords during the initial RHOSP deployment process. You might be required to periodically update passwords for threat mitigation or security compliance. You can use tools native to director Operator (OSPdO) to change many of the generated passwords after your RHOSP environment is deployed.

13.1. Rotating overcloud service account passwords with director Operator

You can rotate the overcloud service account passwords used with a director Operator (OSPdO) deployed Red Hat OpenStack Platform (RHOSP) environment.

Procedure

  1. Create a backup of the current tripleo-passwords secret:

    $ oc get secret tripleo-passwords -n openstack -o yaml > tripleo-passwords_backup.yaml
  2. Create a plain text file named tripleo-overcloud-passwords_preserve_list to specify that the passwords for the following services should not be rotated:

    parameter_defaults
    BarbicanSimpleCryptoKek
    KeystoneCredential0
    KeystoneCredential1
    KeystoneFernetKey0
    KeystoneFernetKey1
    KeystoneFernetKeys
    CephClientKey
    CephClusterFSID
    CephManilaClientKey
    CephRgwKey
    HeatAuthEncryptionKey
    MysqlClustercheckPassword
    MysqlMariabackupPassword
    PacemakerRemoteAuthkey
    PcsdPassword

    You can add additional services to this list if there are other services for which you want to preserve the password. The parameter_defaults entry is not a service: it keeps the YAML header line so that the filtered file is still a valid parameter file.

  3. Create a password parameter file, tripleo-overcloud-passwords.yaml, that lists the passwords that should not be modified:

    $ oc get secret tripleo-passwords -n openstack \
    -o jsonpath='{.data.tripleo-overcloud-passwords\.yaml}' \
    | base64 -d | grep -f ./tripleo-overcloud-passwords_preserve_list > tripleo-overcloud-passwords.yaml
  4. Validate that the tripleo-overcloud-passwords.yaml file contains the passwords that you do not want to rotate.
  5. Update the tripleo-passwords secret:

    $ oc create secret generic tripleo-passwords -n openstack \
    --from-file=./tripleo-overcloud-passwords.yaml \
    --dry-run=client -o yaml | oc apply -f -
  6. Create Ansible playbooks to configure the overcloud with the OpenStackConfigGenerator CRD. For more information, see Creating Ansible playbooks for overcloud configuration with the OpenStackConfigGenerator CRD.
  7. Apply the updated configuration. For more information, see Applying overcloud configuration with director Operator.
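The following script is an added example, not part of the Red Hat documentation or of director Operator itself. It rehearses steps 2 to 4 of the procedure offline: it writes a constructed stand-in for the decoded tripleo-overcloud-passwords.yaml (placeholder values, not real credentials), applies the same grep -f filter with the preserve list from step 2, and then performs the step 4 validation mechanically instead of by eye. It checks that every listed key survived, that no unlisted key slipped through (an extra key would silently keep that password from rotating), and it reports keys such as KeystoneFernetKeys whose value is nested on following lines, because a line-based grep keeps only the key line and the nested value has to be restored by hand before the file is applied. The mktemp working directory and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): rehearse steps 2 to 4 offline
# on a constructed password file and check the result before it goes back into
# the secret. All values are placeholders; the decoded secret is a file written here.

WORK=$(mktemp -d)
DECODED="$WORK/decoded.yaml"
PRESERVE_LIST="$WORK/tripleo-overcloud-passwords_preserve_list"
PRESERVED_FILE="$WORK/tripleo-overcloud-passwords.yaml"

# Constructed stand-in for the decoded tripleo-overcloud-passwords.yaml.
cat > "$DECODED" <<'EOF'
parameter_defaults:
  AdminPassword: placeholder-admin
  BarbicanSimpleCryptoKek: placeholder-kek
  CephClientKey: placeholder-ceph-client
  CephClusterFSID: 00000000-0000-4000-8000-000000000000
  CephManilaClientKey: placeholder-ceph-manila
  CephRgwKey: placeholder-ceph-rgw
  HeatAuthEncryptionKey: placeholder-heat
  KeystoneCredential0: placeholder-kc0
  KeystoneCredential1: placeholder-kc1
  KeystoneFernetKey0: placeholder-fk0
  KeystoneFernetKey1: placeholder-fk1
  KeystoneFernetKeys:
    /etc/keystone/fernet-keys/0:
      content: placeholder-fernet-0
    /etc/keystone/fernet-keys/1:
      content: placeholder-fernet-1
  MysqlClustercheckPassword: placeholder-clustercheck
  MysqlMariabackupPassword: placeholder-mariabackup
  MysqlRootPassword: placeholder-mysql-root
  NovaPassword: placeholder-nova
  PacemakerRemoteAuthkey: placeholder-pcmk
  PcsdPassword: placeholder-pcsd
EOF

# The preserve list exactly as given in step 2 of the procedure.
cat > "$PRESERVE_LIST" <<'EOF'
parameter_defaults
BarbicanSimpleCryptoKek
KeystoneCredential0
KeystoneCredential1
KeystoneFernetKey0
KeystoneFernetKey1
KeystoneFernetKeys
CephClientKey
CephClusterFSID
CephManilaClientKey
CephRgwKey
HeatAuthEncryptionKey
MysqlClustercheckPassword
MysqlMariabackupPassword
PacemakerRemoteAuthkey
PcsdPassword
EOF

# Step 3: the same line-based grep -f filter the procedure uses.
build_preserved_file() {
  grep -f "$PRESERVE_LIST" "$DECODED" > "$PRESERVED_FILE"
}

# Number of top-level keys kept (two-space indent, one key per line).
count_kept_keys() {
  grep -c '^  [A-Za-z0-9]*:' "$PRESERVED_FILE"
}

# Keys whose line carries no inline value: grep kept only the key line, so a
# nested value (as KeystoneFernetKeys has) was dropped and must be restored by hand.
keys_without_inline_value() {
  sed -n 's/^  \([A-Za-z0-9]*\):[[:space:]]*$/\1/p' "$PRESERVED_FILE"
}

# Step 4: header present, every listed key present, no unlisted key present.
validate_preserved_file() {
  head -n 1 "$PRESERVED_FILE" | grep -q '^parameter_defaults:' || {
    echo "missing parameter_defaults header" >&2; return 1; }
  while read -r key; do
    [ "$key" = parameter_defaults ] && continue
    grep -q "^  $key:" "$PRESERVED_FILE" || {
      echo "preserved key not found: $key" >&2; return 1; }
  done < "$PRESERVE_LIST"
  sed -n 's/^  \([A-Za-z0-9]*\):.*/\1/p' "$PRESERVED_FILE" > "$WORK/kept_keys"
  while read -r key; do
    grep -qx "$key" "$PRESERVE_LIST" || {
      echo "key kept but not in preserve list: $key" >&2; return 1; }
  done < "$WORK/kept_keys"
}

build_preserved_file
if validate_preserved_file; then
  echo "preserved file OK: $(count_kept_keys) keys kept"
  for k in $(keys_without_inline_value); do
    echo "review by hand, nested value not carried over: $k"
  done
else
  echo "preserved file FAILED validation" >&2
fi
```

Against a real deployment, replace the constructed decoded.yaml with the output of the oc get secret command from step 3; the validation functions work unchanged on the resulting file.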

Verification

Compare the new NovaPassword in the secret to what is now installed on the Controller node.

  1. Get the password from the updated secret:

    $ oc get secret tripleo-passwords -n openstack -o jsonpath='{.data.tripleo-overcloud-passwords\.yaml}' | base64 -d | grep NovaPassword

    Example output:

    NovaPassword: hp4xpt7t2p79ktqjjnxpqwbp6
  2. Retrieve the password for the Compute service (nova) running on the Controller nodes:

    1. Access the openstackclient remote shell:

      $ oc rsh openstackclient -n openstack
    2. Ensure that you are in the home directory:

      $ cd
    3. Retrieve the Compute service password:

      $ ansible -i /home/cloud-admin/ctlplane-ansible-inventory Controller -b -a "grep ^connection /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf"

      Example output:

      172.22.0.120 | CHANGED | rc=0 >>
      connection=mysql+pymysql://nova_api:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova_api?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo
      connection=mysql+pymysql://nova:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo
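The verification above is done by eye. The script below is an added example (not from the Red Hat documentation) that performs the same comparison mechanically: it takes the NovaPassword line from the secret and the connection lines that the ansible command prints from nova.conf, extracts the password embedded in each mysql+pymysql URL, and reports per database user whether it matches, without printing any password. Both inputs are constructed stand-ins that carry the values shown in the example output; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): compare the NovaPassword in
# the updated secret with the password embedded in each nova.conf connection URL.
# Both inputs are constructed stand-ins built from the values in the procedure.

# Stand-in for: oc get secret tripleo-passwords ... | base64 -d | grep NovaPassword
SECRET_LINE='NovaPassword: hp4xpt7t2p79ktqjjnxpqwbp6'

# Stand-in for the ansible grep output, one nova.conf connection line per line.
ANSIBLE_OUTPUT='172.22.0.120 | CHANGED | rc=0 >>
connection=mysql+pymysql://nova_api:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova_api?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo
connection=mysql+pymysql://nova:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo'

# Password part of "connection=<driver>://<user>:<password>@<host>/<db>?...".
password_from_connection() {
  printf '%s\n' "$1" | sed -n 's#^connection=[^:]*://[^:]*:\([^@]*\)@.*#\1#p'
}

# Database user part of the same URL; safe to print in a report.
user_from_connection() {
  printf '%s\n' "$1" | sed -n 's#^connection=[^:]*://\([^:]*\):.*#\1#p'
}

# Return 0 when every connection line uses the secret's NovaPassword, 1 when any
# line differs (the new password is not in place there) or when no connection
# line was found at all. Passwords are never printed, only the database user.
verify_nova_password() {
  expected=${SECRET_LINE#NovaPassword: }
  found=0
  rc=0
  old_ifs=$IFS
  IFS='
'
  set -f   # the URLs contain '?', so disable globbing while splitting on lines
  for line in $ANSIBLE_OUTPUT; do
    case $line in
      connection=*) ;;
      *) continue ;;
    esac
    found=$((found + 1))
    if [ "$(password_from_connection "$line")" = "$expected" ]; then
      echo "match:    $(user_from_connection "$line")"
    else
      echo "MISMATCH: $(user_from_connection "$line")" >&2
      rc=1
    fi
  done
  set +f
  IFS=$old_ifs
  [ "$found" -gt 0 ] || { echo "no connection lines found" >&2; rc=1; }
  return $rc
}

verify_nova_password && echo "NovaPassword in nova.conf matches the secret"
```

To run it against a live environment, set SECRET_LINE from the oc get secret command in step 1 and ANSIBLE_OUTPUT from the ansible command in step 2.3; a MISMATCH line for either user means the updated configuration has not been applied to that node yet.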