Skip to content

Commit

Permalink
Add Keystone Federation secrets
Browse files Browse the repository at this point in the history
Keystone federation requires a couple of secrets to work properly. I'm
adding them here to improve QOL for the development and testing of OIDC
federation in the openstack-operators.
  • Loading branch information
d34dh0r53 committed Oct 23, 2024
1 parent 44f7e9c commit 01604fb
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 0 deletions.
4 changes: 4 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ endif
# Barbican encryption key should be a random 32-byte string that is base64
# encoded. e.g. head --bytes=32 /dev/urandom | base64
BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY ?= sEFmdFjDUqRM2VemYslV5yGNWjokioJXsg8Nrlc3drU=
KEYSTONE_FEDERATION_CLIENT_SECRET ?= COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f
KEYSTONE_CRYPTO_PASSPHRASE ?= openstack

# Allows overriding the cleanup command used in *_cleanup targets.
# Useful in CI, to allow injectin kustomization in each operator CR directory
Expand Down Expand Up @@ -520,6 +522,8 @@ ${1}: export PASSWORD=${PASSWORD}
${1}: export METADATA_SHARED_SECRET=${METADATA_SHARED_SECRET}
${1}: export HEAT_AUTH_ENCRYPTION_KEY=${HEAT_AUTH_ENCRYPTION_KEY}
${1}: export BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY=${BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY}
${1}: export KEYSTONE_FEDERATION_CLIENT_SECRET=${KEYSTONE_FEDERATION_CLIENT_SECRET}
${1}: export KEYSTONE_CRYPTO_PASSPHRASE=${KEYSTONE_CRYPTO_PASSPHRASE}
${1}: export LIBVIRT_SECRET=${LIBVIRT_SECRET}
${1}: export STORAGE_CLASS=${STORAGE_CLASS}
${1}: export OUT=${OUT}
Expand Down
10 changes: 10 additions & 0 deletions scripts/gen-input-kustomize.sh
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,14 @@ if [ -z "$BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY" ]; then
echo "Please set BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY"; exit 1
fi

if [ -z "$KEYSTONE_FEDERATION_CLIENT_SECRET" ]; then
echo "Please set KEYSTONE_FEDERATION_CLIENT_SECRET"; exit 1
fi

if [ -z "$KEYSTONE_CRYPTO_PASSPHRASE" ]; then
echo "Please set KEYSTONE_CRYPTO_PASSPHRASE"; exit 1
fi

if [ -z "$LIBVIRT_SECRET" ]; then
echo "Please set LIBVIRT_SECRET"; exit 1
fi
Expand Down Expand Up @@ -76,6 +84,8 @@ secretGenerator:
- CinderPassword=${PASSWORD}
- IronicPassword=${PASSWORD}
- IronicInspectorPassword=${PASSWORD}
- KeystoneClientSecret=${KEYSTONE_FEDERATION_CLIENT_SECRET}
- KeystoneCryptoPassphrase=${KEYSTONE_CRYPTO_PASSPHRASE}
- OctaviaPassword=${PASSWORD}
- OctaviaHeartbeatKey=${PASSWORD}
- NovaPassword=${PASSWORD}
Expand Down

0 comments on commit 01604fb

Please sign in to comment.