Drop static passwords
For security reasons, all passwords must be generated. That's why
all password related parameters has been moved to defaults but
commented out, so they will be required and one have to set needed
parameters if any of them used but missing, and also to have a reference.
Exclusions:
- `opencontrail_message_queue_password` must be defined due of
limitations in OpenContrail over OpenStack
- `rabbitmq_guest_password` for backward compatibility
- `keepalived_openstack_telemetry_vip_password` for backward
compatibility
- `gerrit_ldap_bind_password` for backward compatibility
- `opencontrail_identity_password` for backward compatibility
- `kubernetes_openstack_provider_cloud_password` for backward
compatibility
Depends-on: https://gerrit.mcp.mirantis.com/#/c/34073/
Depends-on: https://gerrit.mcp.mirantis.com/#/c/36474/
Depends-on: https://gerrit.mcp.mirantis.com/#/c/36650/
Depends-on: https://gerrit.mcp.mirantis.com/#/c/36656/
Prod-related: PROD-26560 (PROD:26560)
Change-Id: Ia2203cf59349850ecd55c89208285e65b65899cd
diff --git a/defaults/init.yml b/defaults/init.yml
index 978671c..db9fca9 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -20,6 +20,7 @@
- system.defaults.gerrit
- system.defaults.keepalived
- system.defaults.salt
+- system.defaults.secrets
- system.defaults.stacklight
- system.defaults.xtrabackup
- system.defaults.backup
diff --git a/defaults/secrets.yml b/defaults/secrets.yml
new file mode 100644
index 0000000..f47c1e0
--- /dev/null
+++ b/defaults/secrets.yml
@@ -0,0 +1,74 @@
+# All commented params just for reference, should be auto-generated
+# Actually all must be genertated but keep some uncommented for backward
+# compatibility.
+parameters:
+ _param:
+# PostgreSQL
+# postgresql_admin_user_password: <<CHANGEME>>
+# postgresql_client_password: <<CHANGEME>>
+# rundeck_db_user_password: <<CHANGEME>>
+# sfdc_db_user_password: <<CHANGEME>>
+# alertmanager_db_user_password: <<CHANGEME>>
+# pushkin_db_user_password: <<CHANGEME>>
+# postgresql_billometer_password: <<CHANGEME>>
+# postgresql_graphite_password: <<CHANGEME>>
+
+# Opencontrail
+ opencontrail_identity_password: contrail123
+# opencontrail_stats_password: <<CHANGEME>>
+ opencontrail_message_queue_password: guest
+
+# RabbitMQ
+# rabbitmq_monitor_password: <<CHANGEME>>
+# rabbitmq_admin_password: <<CHANGEME>>
+ rabbitmq_guest_password: guest
+# rabbitmq_billometer_password: <<CHANGEME>>
+# rabbitmq_graphite_password: <<CHANGEME>>
+# rabbitmq_cold_password: <<CHANGEME>>
+# rabbitmq_secret_key: <<CHANGEME>>
+
+# Keepalived
+# keepalived_k8s_apiserver_vip_password: <<CHANGEME>>
+# keepalived_openstack_web_public_vip_password: <<CHANGEME>>
+# keepalived_openstack_baremetal_password: <<CHANGEME>>
+ keepalived_openstack_telemetry_vip_password: password
+# keepalived_openstack_manila_vip_password: <<CHANGEME>>
+# keepalived_openstack_barbican_vip_password: <<CHANGEME>>
+
+# Jenkins
+# jenkins_admin_password: <<CHANGEME>>
+# jenkins_client_password: <<CHANGEME>>
+# jenkins_security_ldap_manager_password: <<CHANGEME>>
+# oss_jenkins_password: <<CHANGEME>>
+
+# Gerrit/LDAP
+ gerrit_ldap_bind_password: password
+
+# Docker
+# keycloak_admin_password: <<CHANGEME>>
+# kqueen_api_ldap_password: <<CHANGEME>>
+# kqueen_credentials:
+# kqueen_api_admin_password: <<CHANGEME>>
+# pushkin_email_sender_password: <<CHANGEME>>
+# sfdc_password: <<CHANGEME>>
+
+# Billometer
+# keystone_billometer_password: <<CHANGEME>>
+
+# Nova
+# metadata_password: <<CHANGEME>>
+
+# Grafana
+# grafana_password: <<CHANGEME>>
+# grafana_database_password: <<CHANGEME>>
+
+# Keystone
+# keystone_admin_password: <<CHANGEME>>
+# mysql_admin_password: <<CHANGEME>>
+# mysql_keystone_password: <<CHANGEME>>
+
+# Kubernetes
+ kubernetes_openstack_provider_cloud_password: password
+
+# Galera
+# galera_clustercheck_password: <<CHANGEME>>