Chapter 13. Changing service account passwords using director Operator
Red Hat OpenStack Platform (RHOSP) services and the databases that they use are authenticated by their Identity service (keystone) credentials. The Identity service generates these RHOSP passwords during the initial RHOSP deployment process. You might be required to periodically update passwords for threat mitigation or security compliance. You can use tools native to director Operator (OSPdO) to change many of the generated passwords after your RHOSP environment is deployed.
13.1. Rotating overcloud service account passwords with director Operator
You can rotate the overcloud service account passwords used with a director Operator (OSPdO) deployed Red Hat OpenStack Platform (RHOSP) environment.
Procedure

1. Create a backup of the current tripleo-passwords secret:

   $ oc get secret tripleo-passwords -n openstack -o yaml > tripleo-passwords_backup.yaml

2. Create a plain text file named tripleo-overcloud-passwords_preserve_list to specify that the passwords for the following services should not be rotated:

   parameter_defaults
   BarbicanSimpleCryptoKek
   KeystoneCredential0
   KeystoneCredential1
   KeystoneFernetKey0
   KeystoneFernetKey1
   KeystoneFernetKeys
   CephClientKey
   CephClusterFSID
   CephManilaClientKey
   CephRgwKey
   HeatAuthEncryptionKey
   MysqlClustercheckPassword
   MysqlMariabackupPassword
   PacemakerRemoteAuthkey
   PcsdPassword

   You can add additional services to this list if there are other services for which you want to preserve the password.

3. Create a password parameter file, tripleo-overcloud-passwords.yaml, that lists the passwords that should not be modified:

   $ oc get secret tripleo-passwords -n openstack \
     -o jsonpath='{.data.tripleo-overcloud-passwords\.yaml}' \
     | base64 -d | grep -f ./tripleo-overcloud-passwords_preserve_list > tripleo-overcloud-passwords.yaml

4. Validate that the tripleo-overcloud-passwords.yaml file contains the passwords that you do not want to rotate.

5. Update the tripleo-passwords secret:

   $ oc create secret generic tripleo-passwords -n openstack \
     --from-file=./tripleo-overcloud-passwords.yaml \
     --dry-run=client -o yaml | oc apply -f -

6. Create Ansible playbooks to configure the overcloud with the OpenStackConfigGenerator CRD. For more information, see Creating Ansible playbooks for overcloud configuration with the OpenStackConfigGenerator CRD.

7. Apply the updated configuration. For more information, see Applying overcloud configuration with director Operator.
Verification

Compare the new NovaPassword in the secret to what is now installed on the Controller node.

1. Get the password from the updated secret:

   $ oc get secret tripleo-passwords -n openstack -o jsonpath='{.data.tripleo-overcloud-passwords\.yaml}' | base64 -d | grep NovaPassword

   Example output:

   NovaPassword: hp4xpt7t2p79ktqjjnxpqwbp6

2. Retrieve the password for the Compute service (nova) running on the Controller nodes:

   a. Access the openstackclient remote shell:

      $ oc rsh openstackclient -n openstack

   b. Ensure that you are in the home directory:

      $ cd

   c. Retrieve the Compute service password:

      $ ansible -i /home/cloud-admin/ctlplane-ansible-inventory Controller -b -a "grep ^connection /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf"

      Example output:

      172.22.0.120 | CHANGED | rc=0 >>
      connection=mysql+pymysql://nova_api:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova_api?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo
      connection=mysql+pymysql://nova:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova?read_default_file=/etc/my.cnf.d/tripleo.cnf&read_default_group=tripleo
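The preserve-list filtering step of the procedure and the nova.conf check in the verification, reproduced as an offline shell example that is added here and is not part of the Red Hat documentation. It assumes a decoded passwords file and a preserve list shaped as constructed in make_samples, and it anchors each preserve-list entry to a whole YAML key instead of the bare substring match that grep -f performs.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): an offline check of the
# preserve-list filtering step and of the post-rotation nova.conf verification.
# Assumes a decoded tripleo-overcloud-passwords.yaml and a preserve list shaped
# as constructed in make_samples; no oc or ansible access is needed to run it.
set -eu

# Keep only the parameters named in the preserve list. Each entry is anchored to
# a whole YAML key ("^  Key:") rather than used as a bare substring, so a short
# name cannot match a longer one and a blank line in the list cannot match
# every line, which would silently preserve every password.
filter_preserved() {            # $1 = decoded passwords yaml, $2 = preserve list
    grep -v '^[[:space:]]*$' "$2" | sed 's/.*/^[[:space:]]*&:/' > "$2.re"
    grep -E -f "$2.re" "$1"
}

# Read one parameter value (for example NovaPassword) out of the yaml file.
secret_value() {                # $1 = key, $2 = yaml file
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2"
}

# Compare the password embedded in every nova.conf "connection=" line
# (mysql+pymysql://user:password@host/db...) with the value from the secret.
# Succeeds only if at least one line is present and all of them carry it.
nova_password_matches() {       # $1 = expected password, $2 = connection lines
    n=0
    for pw in $(sed -n 's#^connection=mysql+pymysql://[^:]*:\([^@]*\)@.*#\1#p' "$2"); do
        n=$((n + 1))
        [ "$pw" = "$1" ] || return 1
    done
    [ "$n" -gt 0 ]
}

# Constructed sample input standing in for the real secret and ansible output.
make_samples() {                # $1 = directory to write into
    cat > "$1/passwords.yaml" <<'EOF'
parameter_defaults:
  KeystoneFernetKey0: fernetkeyzero
  KeystoneFernetKey01: notinthelist
  NovaPassword: hp4xpt7t2p79ktqjjnxpqwbp6
EOF
    printf 'parameter_defaults\nKeystoneFernetKey0\n\n' > "$1/preserve"
    cat > "$1/nova_connection.txt" <<'EOF'
connection=mysql+pymysql://nova_api:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova_api?read_default_file=/etc/my.cnf.d/tripleo.cnf
connection=mysql+pymysql://nova:hp4xpt7t2p79ktqjjnxpqwbp6@172.17.0.10/nova?read_default_file=/etc/my.cnf.d/tripleo.cnf
EOF
}
```

Against a real deployment, feed filter_preserved the base64-decoded secret and nova_password_matches the connection lines from the ansible output; a non-zero exit from the latter means the rotated value never reached nova.conf.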