Bug 1566806 - [RFE] encrypt hieradata on the overcloud controllers
Summary: [RFE] encrypt hieradata on the overcloud controllers
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: James Slagle
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-13 02:54 UTC by Ade Lee
Modified: 2018-04-23 15:07 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-23 15:07:55 UTC
Target Upstream Version:
Embargoed:



Description Ade Lee 2018-04-13 02:54:49 UTC
Description of problem:

On the controller, /etc/puppet/hieradata/service_configs.json contains all service users' passwords.

While the file and directory are accessible by root only, this data should be encrypted so as not to be in clear text.

Valid approaches could be:
   * Can we remove this data entirely after deployment?  What do folks use it for?
   * Use hiera-yaml or hiera-vault perhaps?
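
An audit check for the condition described above, added here as an example and not part of the bug report or of TripleO: it confirms a hieradata JSON file and its directory are root-only and lists the key names (never the values) that hold cleartext strings. The key-name pattern, the function names and the sample document are assumptions made for illustration; the real layout of service_configs.json is not shown in this report.

```python
import json
import os
import re
import stat

# Assumed heuristic for secret-bearing key names; adjust to the real hieradata.
SECRET_KEY = re.compile(r"(password|passwd|secret)", re.I)

# Constructed sample document, not taken from a real controller.
SAMPLE = {
    "example_service::password": "constructed-not-real",
    "example_service::port": 8080,
    "nested": {"users": [{"name": "svc", "db_passwd": "constructed"}]},
    "unset_secret": "",
}

def mode_findings(path):
    """Report a path that is not root-owned or that group/other can access."""
    st = os.stat(path)
    out = []
    if st.st_uid != 0:
        out.append(f"{path}: owner uid {st.st_uid}, expected 0")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        out.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return out

def cleartext_keys(node, prefix=""):
    """Yield dotted names of secret-looking keys that hold non-empty strings."""
    if isinstance(node, dict):
        for key, value in node.items():
            name = f"{prefix}{key}"
            if isinstance(value, str) and value and SECRET_KEY.search(key):
                yield name  # report the key only, so the audit log holds no secrets
            else:
                yield from cleartext_keys(value, name + ".")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from cleartext_keys(value, f"{prefix.rstrip('.')}[{i}].")

def audit(path):
    """Combine permission checks on the file and its directory with the key scan."""
    findings = mode_findings(path) + mode_findings(os.path.dirname(path) or ".")
    with open(path) as fh:
        data = json.load(fh)
    findings += [f"{path}: cleartext value under key {k}" for k in cleartext_keys(data)]
    return findings

if __name__ == "__main__":
    for key in cleartext_keys(SAMPLE):
        print("cleartext value under key", key)
```

On a controller, `audit("/etc/puppet/hieradata/service_configs.json")` would be run as root, since the report states the file and directory are readable by root only.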

Comment 1 Emilien Macchi 2018-04-23 15:07:55 UTC
With the containerized overcloud, /etc/puppet/ won't be used anymore and these files won't exist in that directory, so I'm closing it as it doesn't fit with our plans.

