Reviewed: https://review.opendev.org/718552
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/9d82364de8d6d1fba083993e085fb8cafcc08268
Submitter: Zuul
Branch: master
commit 9d82364de8d6d1fba083993e085fb8cafcc08268
Author: Oliver Walsh <email address hidden>
Date: Wed Apr 8 21:04:49 2020 +0100
Refactor nova db config
It is best to avoid placing db creds on the compute nodes to limit the
exposure if an attacker succeeds in gaining access to the hypervisor
host.
Related patches in puppet-nova remove the credentials from nova.conf;
however, the current scope of db credential hieradata is all nova tripleo
services, so it will be written to the hieradata keys on compute
nodes.
This patch refactors the nova hieradata structure, splitting the
nova-api/nova database hieradata out into individual templates and
selectively including only where necessary, ensuring we have no db
creds on a compute node (unless it is an all-in-one api+compute node).
Depends-On: I07caa3185427b48e6e7d60965fa3e6157457018c
Change-Id: Ia4a29bdd2cd8e894bcc7c0078cf0f0ab0f97de0a
Closes-bug: #1871482
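The property the commit is after is easy to state and easy to regress: a node whose service list contains no consumer of the nova database should carry no database connection string in its hieradata, while controllers and all-in-one api+compute nodes legitimately do. The following audit script is an added example, not part of the tripleo-heat-templates change or of puppet-nova; it models per-node hieradata as plain dicts (in a real deployment you would load the rendered YAML per node), and the hiera key names, the list of db-consuming services and the sample nodes are all constructed assumptions for illustration.

```python
"""Audit rendered per-node hieradata for database credentials on nodes that
should not have them (added example; key names and nodes are assumptions)."""
import re

# Hiera keys whose value is a DB URL with embedded credentials. The names
# follow the puppet 'class::param' convention but are assumed for this example.
DB_CRED_KEY_RE = re.compile(r"(?:^|::)(?:api_)?database_connection$")

# Composable services that legitimately need nova DB access (assumed list).
DB_CONSUMERS = {"nova_api", "nova_conductor", "nova_scheduler", "nova_metadata"}

# user:password@ portion of a SQLAlchemy-style URL.
URL_CRED_RE = re.compile(r"://([^:/@]+):([^@]+)@")


def redact(url):
    """Mask the password in a DB URL so findings can be reported safely."""
    return URL_CRED_RE.sub(lambda m: "://%s:***@" % m.group(1), url)


def find_db_cred_keys(hieradata):
    """Keys in one node's hieradata holding a DB URL that embeds a password."""
    return sorted(
        key for key, value in hieradata.items()
        if DB_CRED_KEY_RE.search(key) and URL_CRED_RE.search(str(value))
    )


def audit(nodes):
    """Return (node, key, redacted_value) for every DB credential found on a
    node whose services include no consumer of the nova database."""
    findings = []
    for name, node in sorted(nodes.items()):
        if DB_CONSUMERS & set(node["services"]):
            continue  # api/conductor/scheduler hosts need the creds
        for key in find_db_cred_keys(node["hieradata"]):
            findings.append((name, key, redact(node["hieradata"][key])))
    return findings


# Constructed sample deployment: one controller, a pre-refactor compute node
# that leaked creds via the shared nova hieradata, a clean compute node, and
# an all-in-one node where creds are expected.
SAMPLE_NODES = {
    "controller-0": {
        "services": ["nova_api", "nova_conductor", "nova_scheduler"],
        "hieradata": {
            "nova::db::database_connection": "mysql+pymysql://nova:s3cret@192.0.2.10/nova",
            "nova::db::api_database_connection": "mysql+pymysql://nova_api:s3cret@192.0.2.10/nova_api",
        },
    },
    "compute-0": {
        "services": ["nova_compute", "nova_libvirt"],
        "hieradata": {
            "nova::db::database_connection": "mysql+pymysql://nova:s3cret@192.0.2.10/nova",
            "nova::compute::libvirt::virt_type": "kvm",
        },
    },
    "compute-1": {
        "services": ["nova_compute", "nova_libvirt"],
        "hieradata": {
            "nova::compute::libvirt::virt_type": "kvm",
            "nova::compute::reserved_host_memory": 4096,
        },
    },
    "aio-0": {
        "services": ["nova_api", "nova_conductor", "nova_compute"],
        "hieradata": {
            "nova::db::database_connection": "mysql+pymysql://nova:s3cret@192.0.2.10/nova",
        },
    },
}


def main():
    findings = audit(SAMPLE_NODES)
    for node, key, value in findings:
        print("%s: %s = %s" % (node, key, value))
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against the sample, only compute-0 is reported; compute-1 is clean and aio-0 is skipped because it runs nova_api, matching the exception the commit message calls out. Values are printed with the password masked so the audit output itself does not become a second place the credential lives.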