An official procedure for setting and changing overcloud service passwords must be investigated. This bug was raised in response to bug 1437427, where a senior field product manager noted that he was not able to find any documentation for setting and changing the passwords.
OSP11 is now retired, see details at https://access.redhat.com/errata/product/191/ver=11/rhel---7/x86_64/RHBA-2018:1828
Reopening to target the long lived release OSP 10. I have made some notes on how to do it for OSP 10. Adding them here.

******************************************************

This is how to do password changes in < OSP14.

Method 1:

The basic method for doing password changes in an existing deployment is as follows:

1. Create a parameter file with the service passwords.

   $ cat service-passwords.yaml
   parameter_defaults:
     NeutronMetadataProxySharedSecret: apassword
     GlancePassword: apassword
     NovaPassword: apassword
     GnocchiPassword: apassword
     IronicPassword: apassword
     HeatPassword: apassword
     RabbitmqPassword: apassword
     RedisPassword: apassword
     TrovePassword: apassword
     CinderPassword: apassword
     SwiftPassword: apassword
     AdminToken: apassword

2. Redeploy with -e service-passwords.yaml

NOTE: Care should be taken not to modify the following passwords as they require special handling.

BarbicanSimpleCryptoKek - Changing this password will prevent any existing secrets from being decrypted. Change this only after the relevant migrations have been done.

KeystoneFernetKey*, KeystoneCredential*: There is a mistral action to rotate keystone keys correctly. This should be used instead.

Method 2:

There is another method to change the passwords - and in particular, to allow Director to regenerate new passwords. For this method, we will:

* extract the plan environment,
* modify the environment to reflect the desired changes,
* save the environment
* redeploy

These steps are represented below:

1. Extract the plan environment to old.yaml:

   source ./stackrc
   openstack object save --file old.yaml overcloud plan-environment.yaml

2. Modify the plan

   cp old.yaml plan-environment.yaml
   vi plan-environment.yaml

   The passwords are in a section called passwords: as below -

   passwords:
     AdminPassword: Vqr8AhJYEZkaJ6rjw9vEq2fEE
     AdminToken: uX6RvAyS8awoOgxE2AFcujV2x
     AodhPassword: jNcYtGdYSHp0zDu7N2EeY65wT
     BarbicanPassword: 9m5wv9OgvqkNcsNeJbWTG0TIO
     BarbicanSimpleCryptoKek: ADLQANGnAc8WmL6RMk-uc6iQn-17QO4oZDfJ1ZbcKnU=
     CeilometerMeteringSecret: KuGek5lOH1Ie1PF4GcFuSJwxc
     CeilometerPassword: 6CIuozJwb89y0lwb5C2GOM8U2
     CephAdminKey: AQDptyJbAAAAABAA5vanNCjQ4z2D8x5rfpn0dA==
     CephClientKey: AQDptyJbAAAAABAAMqyz4l5WMVz6yhZqmf+5lQ==
     ...

   To substitute a password value, simply modify the relevant password value. To have Director generate a new value, delete the parameter and its value from the file.

   For instance, if we modified the fragment above as indicated below, we would have Director replace the AodhPassword with mypassword and regenerate the BarbicanPassword.

   passwords:
     AdminPassword: Vqr8AhJYEZkaJ6rjw9vEq2fEE
     AdminToken: uX6RvAyS8awoOgxE2AFcujV2x
     AodhPassword: mypassword
     BarbicanSimpleCryptoKek: ADLQANGnAc8WmL6RMk-uc6iQn-17QO4oZDfJ1ZbcKnU=
     CeilometerMeteringSecret: KuGek5lOH1Ie1PF4GcFuSJwxc
     CeilometerPassword: 6CIuozJwb89y0lwb5C2GOM8U2
     CephAdminKey: AQDptyJbAAAAABAA5vanNCjQ4z2D8x5rfpn0dA==
     CephClientKey: AQDptyJbAAAAABAAMqyz4l5WMVz6yhZqmf+5lQ==
     ...

   NOTE: The same caveats noted above about which passwords not to change apply here too.

3. Save the new environment

   swift upload --object-name plan-environment.yaml overcloud plan-environment.yaml

4. Redeploy:

   ./overcloud-deploy.sh
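
A pre-upload check for Method 2, added here as an example and not part of the comment above or of Director itself: it compares the saved old.yaml with the edited plan-environment.yaml, lists which passwords were changed or deleted for regeneration, and flags any edit that touches the parameters the NOTE says need special handling. The function names, the sample values and the assumption that passwords: is an indented "Name: value" block as shown above are this example's own.

```python
import fnmatch

# Parameters the comment above says need special handling.
PROTECTED = ("BarbicanSimpleCryptoKek", "KeystoneFernetKey*", "KeystoneCredential*")

def read_passwords(text):
    """Read the 'passwords:' mapping, assuming the indented 'Name: value'
    layout shown above. Not a general YAML parser."""
    result, base, child, name = {}, None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if base is None:
            if line.strip() == "passwords:":
                base = indent
            continue
        if indent <= base:
            break                      # left the passwords section
        child = indent if child is None else child
        if indent > child and name:    # nested or multi-line value
            result[name] += "\n" + line.strip()
            continue
        name, _, value = line.strip().partition(":")
        result[name] = value.strip()
    return result

def review_plan(old_text, new_text):
    """Classify edits between the saved plan and the edited plan."""
    old, new = read_passwords(old_text), read_passwords(new_text)
    report = {"changed": [], "regenerate": [], "protected": []}
    for name in sorted(old):
        if name not in new:
            kind = "regenerate"        # deleted: Director generates a new value
        elif new[name] != old[name]:
            kind = "changed"
        else:
            continue
        report[kind].append(name)
        if any(fnmatch.fnmatchcase(name, p) for p in PROTECTED):
            report["protected"].append(name)
    return report

# Constructed sample input (placeholder values, not real secrets).
OLD = "passwords:\n  AodhPassword: a1\n  BarbicanPassword: b1\n  BarbicanSimpleCryptoKek: k1\n"
NEW = "passwords:\n  AodhPassword: mypassword\n  BarbicanSimpleCryptoKek: k2\n"

if __name__ == "__main__":
    print(review_plan(OLD, NEW))
```

A non-empty "protected" list means the edit should be backed out before the swift upload step.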
Thanks, Ade. I'm moving this back to the default docs assignee so we can scope and review this for priority.