Bug 1566806 - [RFE] encrypt hieradata on the overcloud controllers
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: James Slagle
QA Contact: Arik Chernetsky
Depends On:
Reported: 2018-04-13 02:54 UTC by Ade Lee
Modified: 2018-04-23 15:07 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Last Closed: 2018-04-23 15:07:55 UTC
Target Upstream Version:


Description Ade Lee 2018-04-13 02:54:49 UTC
Description of problem:

On the controller, /etc/puppet/hieradata/service_configs.json contains all service users' passwords.

While the file and directory are accessible by root only, this data should be encrypted so as not to be in clear text.

Valid approaches could be:
   * Can we remove this data entirely after deployment?  What do folks use it 
   * Use hiera-yaml or hiera-vault perhaps?

Comment 1 Emilien Macchi 2018-04-23 15:07:55 UTC
With the containerized overcloud, /etc/puppet/ won't be used anymore and these files won't exist in that directory, so I'm closing it as it doesn't fit with our plans.
