Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1441944

Summary: [Docs][Director] Document the steps for setting and changing overcloud service passwords
Product: Red Hat OpenStack
Reporter: Lucy Bopf <lbopf>
Component: documentation
Assignee: RHOS Documentation Team <rhos-docs>
Status: CLOSED EOL
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 10.0 (Newton)
CC: alee, ealcaniz, gcharot, hrybacki, josorior, mburns, nkinder, nlevinki, srevivo
Target Milestone: async
Keywords: Documentation, Reopened, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-04 09:15:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1437427, 1446798, 1468499
Bug Blocks:

Description Lucy Bopf 2017-04-13 07:13:18 UTC
An official procedure for setting and changing overcloud service passwords must be investigated.

This bug was raised in response to bug 1437427, where a senior field product manager noted that he was not able to find any documentation for setting and changing the passwords.

Comment 2 Scott Lewis 2018-06-22 12:34:44 UTC
OSP11 is now retired, see details at https://access.redhat.com/errata/product/191/ver=11/rhel---7/x86_64/RHBA-2018:1828

Comment 3 Ade Lee 2018-07-13 13:37:50 UTC
Reopening to target the long lived release OSP 10.

I have made some notes on how to do it for OSP 10.  Adding them here.

******************************************************
This is how to do password changes in < OSP14.

Method 1:
The basic method for doing password changes in an existing deployment is as follows:

1. Create a parameter file with the service passwords.

$ cat service-passwords.yaml
parameter_defaults:
  NeutronMetadataProxySharedSecret: apassword
  GlancePassword: apassword
  NovaPassword: apassword
  GnocchiPassword: apassword
  IronicPassword: apassword
  HeatPassword: apassword
  RabbitmqPassword: apassword
  RedisPassword: apassword
  TrovePassword: apassword
  CinderPassword: apassword
  SwiftPassword: apassword
  AdminToken: apassword

2. Redeploy with -e service-passwords.yaml


NOTE: Care should be taken not to modify the following passwords as they require special handling.

BarbicanSimpleCryptoKek - Changing this password will prevent any existing secrets from being decrypted.  Change this only after the relevant migrations have been done.

KeystoneFernetKey*, KeystoneCredential*:  There is a mistral action to rotate keystone keys correctly.  This should be used instead.

Method 2:

There is another method to change the passwords - and in particular, to allow Director to regenerate
new passwords.   For this method, we will:
* extract the plan environment,
* modify the environment to reflect the desired changes,
* save the environment
* redeploy

These steps are represented below:

1. Extract the plan environment to old.yaml:
    source ./stackrc
    openstack object save --file old.yaml overcloud plan-environment.yaml

2. Modify the plan
    cp old.yaml plan-environment.yaml
    vi plan-environment.yaml

   The passwords are in a section called passwords: as below -

passwords:
  AdminPassword: Vqr8AhJYEZkaJ6rjw9vEq2fEE
  AdminToken: uX6RvAyS8awoOgxE2AFcujV2x
  AodhPassword: jNcYtGdYSHp0zDu7N2EeY65wT
  BarbicanPassword: 9m5wv9OgvqkNcsNeJbWTG0TIO
  BarbicanSimpleCryptoKek: ADLQANGnAc8WmL6RMk-uc6iQn-17QO4oZDfJ1ZbcKnU=
  CeilometerMeteringSecret: KuGek5lOH1Ie1PF4GcFuSJwxc
  CeilometerPassword: 6CIuozJwb89y0lwb5C2GOM8U2
  CephAdminKey: AQDptyJbAAAAABAA5vanNCjQ4z2D8x5rfpn0dA==
  CephClientKey: AQDptyJbAAAAABAAMqyz4l5WMVz6yhZqmf+5lQ==
  ...

  To substitute a password value, simply modify the relevant password value.
  To have Director generate a new value, delete the parameter and its value from the
  file.  For instance, if we modified the fragment above as indicated below, we would
  have Director replace the AodhPassword with mypassword and regenerate the BarbicanPassword.

passwords:
  AdminPassword: Vqr8AhJYEZkaJ6rjw9vEq2fEE
  AdminToken: uX6RvAyS8awoOgxE2AFcujV2x
  AodhPassword: mypassword
  BarbicanSimpleCryptoKek: ADLQANGnAc8WmL6RMk-uc6iQn-17QO4oZDfJ1ZbcKnU=
  CeilometerMeteringSecret: KuGek5lOH1Ie1PF4GcFuSJwxc
  CeilometerPassword: 6CIuozJwb89y0lwb5C2GOM8U2
  CephAdminKey: AQDptyJbAAAAABAA5vanNCjQ4z2D8x5rfpn0dA==
  CephClientKey: AQDptyJbAAAAABAAMqyz4l5WMVz6yhZqmf+5lQ==
  ...

  NOTE: The same caveats noted above about which passwords not to change apply here too.

3. Save the new environment

   swift upload --object-name plan-environment.yaml overcloud plan-environment.yaml

4. Redeploy:

   ./overcloud-deploy.sh
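
A pre-upload check for Method 2 in comment 3, added here as an example; it is not part of the bug report or of Director. It compares the passwords: section of old.yaml with the edited plan-environment.yaml and fails if an entry the comment says needs special handling was changed or deleted. The function names, the flat "Name: value" layout assumption, and the sample entries (including KeystoneFernetKey0) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): diff the passwords: sections of two plan files.
# Names reported as BLOCKED are the ones comment 3 says require special handling.
check_password_changes() {
  [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read plan files" >&2; return 2; }
  awk -v old="$1" -v new="$2" '
    function is_protected(k) {
      return k == "BarbicanSimpleCryptoKek" || k ~ /^KeystoneFernetKey/ || k ~ /^KeystoneCredential/
    }
    # Load the flat "Name: value" entries under the top-level passwords: key.
    function load(file, map,    line, in_sec, key, val) {
      while ((getline line < file) > 0) {
        if (line ~ /^passwords:[ \t]*$/) { in_sec = 1; continue }
        if (line ~ /^[^ \t#]/) in_sec = 0          # another top-level key ends the section
        if (in_sec && line ~ /^[ \t]+[A-Za-z0-9_]+:/) {
          key = line; sub(/^[ \t]+/, "", key); sub(/:.*/, "", key)
          val = line; sub(/^[^:]*:[ \t]*/, "", val)
          map[key] = val
        }
      }
      close(file)
    }
    BEGIN {
      load(old, o); load(new, n)
      for (k in o) {
        if (!(k in n))         state = "REGENERATE"   # deleted: Director generates a new value
        else if (n[k] != o[k]) state = "CHANGED"
        else continue
        if (is_protected(k)) { state = "BLOCKED"; rc = 1 }
        print state, k
      }
      exit rc + 0
    }'
}

# Constructed sample plans (placeholder values, not real secrets).
write_sample_plans() {
  printf '%s\n' 'passwords:' '  AodhPassword: constructed-aodh' \
    '  BarbicanPassword: constructed-barbican' \
    '  BarbicanSimpleCryptoKek: constructed-kek' \
    '  KeystoneFernetKey0: constructed-fernet' '  ...' > "$1/old.yaml"
  sed -e 's/constructed-aodh/mypassword/' -e '/BarbicanPassword/d' \
      -e 's/constructed-kek/edited-kek/' "$1/old.yaml" > "$1/plan-environment.yaml"
}

demo=$(mktemp -d)
write_sample_plans "$demo"
check_password_changes "$demo/old.yaml" "$demo/plan-environment.yaml" \
  || echo "do not upload: revert the BLOCKED entries first"
rm -rf "$demo"
```

Run it between steps 2 and 3, and continue to the swift upload only when it exits 0.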

Comment 4 Lucy Bopf 2018-08-10 04:14:46 UTC
Thanks, Ade. I'm moving this back to the default docs assignee so we can scope and review this for priority.