https://github.com/kubevirt/common-templates/issues/187

The idea is to replace the hard coded password with an auto generated one using the generation scheme of templates like:

```
parameters:
- description: The cloud user password to be used
  from: '[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}'
  generate: expression
  name: CLOUD_USER_PASSWORD
```

This will generate a unique password for every VM.

Realtes to bug #1876440

Is this relying on the generation on "oc process" or after submitting to the api? Because UI does not call the oc process since the UI needs to allow to do "anything" with the VM - e.g. before submitting it the user can remove the cloud init completely or add / remove disks etc. So what the UI does it just takes the template, fills the wizard by it and than submits the resulting vm yaml. But does not call oc process in the middle.

Good that you mention it: Yes, it depends on OCP Templates processing functionality.

In the worst case the UI can generate a password and replace the relevant parameter.

In general I'd recommend the UI to assume that we'll be leveraging all of the template features.

(In reply to Fabian Deutsch from comment #6)
> In the worst case the UI can generate a password and replace the relevant
> parameter.

Im a little afraid to try to get this in for 4.6 though

> 
> In general I'd recommend the UI to assume that we'll be leveraging all of
> the template features.

Ok - I think it's not mandatory for 4.6, but would have been nice.
As we will have to fix this bug for 4.6/2.5.

(In reply to Fabian Deutsch from comment #8)
> Ok - I think it's not mandatory for 4.6, but would have been nice.

I know it would have been nice but it came very late in the game...

> As we will have to fix this bug for 4.6/2.5.

can you please move it out of 2.5 to avoid accidentally do it and break the ui?

After discussing this offline:

The template will include

        - cloudInitNoCloud:
            userData: |-
              #cloud-config
              password: ${CLOUD_USER_PASSWORD}
              chpasswd: { expire: False }
          name: cloudinitdisk

Where CLOUD_USER_PASSWORD will be following the scheme xxxx-xxxx-xxxx.
Where x are random characters from the set [a-zA-Z0-9]

The agreement is that for 2.5.0 the UI will replace the value of the `password:` line in the cloud init stanza.

The common-templates part got merged upstream https://github.com/kubevirt/common-templates/pull/213

Tested with kubevirt-ssp-operator-container-v2.5.0-50, fedora has a wrong user in the description:

- description: Randomized password for cloud-user
  from: '[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}'
  generate: expression
  name: CLOUD_USER_PASSWORD

(In reply to Ruth Netser from comment #12)
> Tested with kubevirt-ssp-operator-container-v2.5.0-50, fedora has a wrong
> user in the description:
> 
> - description: Randomized password for cloud-user
>   from: '[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}'
>   generate: expression
>   name: CLOUD_USER_PASSWORD

That's not a bug here, but a confusing typo
Fix: https://github.com/kubevirt/common-templates/pull/247

Verified with kubevirt-ssp-operator-container-v2.5.0-55:

Fedora:
- description: Randomized password for the cloud-init user fedora
  from: '[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}'
  generate: expression
  name: CLOUD_USER_PASSWORD

In UI:
#cloud-config
user: fedora
password: a0ji-1bl4-6az5
chpasswd:
  expire: false

RHEL:
- description: Randomized password for the cloud-init user cloud-user
  from: '[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}'
  generate: expression
  name: CLOUD_USER_PASSWORD

In UI:
#cloud-config
user: cloud-user
password: l1bi-fvza-pjih
chpasswd:
  expire: false

Release notes PR is now merged: https://github.com/openshift/openshift-docs/pull/26998