Skip to content

Commit 01604fb

Browse files
d34dh0r53d34dh0r53
committed
Add Keystone Federation secrets
Keystone federation requires a couple of secrets to work properly. I'm adding them here to improve QOL for the development and testing of OIDC federation in the openstack-operators.
1 parent 44f7e9c commit 01604fb

File tree

2 files changed

+14
-0
lines changed

2 files changed

+14
-0
lines changed

Makefile

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,8 @@ endif
3131
# Barbican encryption key should be a random 32-byte string that is base64
3232
# encoded. e.g. head --bytes=32 /dev/urandom | base64
3333
BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY ?= sEFmdFjDUqRM2VemYslV5yGNWjokioJXsg8Nrlc3drU=
34+
KEYSTONE_FEDERATION_CLIENT_SECRET ?= COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f
35+
KEYSTONE_CRYPTO_PASSPHRASE ?= openstack
3436

3537
# Allows overriding the cleanup command used in *_cleanup targets.
3638
# Useful in CI, to allow injectin kustomization in each operator CR directory
@@ -520,6 +522,8 @@ ${1}: export PASSWORD=${PASSWORD}
520522
${1}: export METADATA_SHARED_SECRET=${METADATA_SHARED_SECRET}
521523
${1}: export HEAT_AUTH_ENCRYPTION_KEY=${HEAT_AUTH_ENCRYPTION_KEY}
522524
${1}: export BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY=${BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY}
525+
${1}: export KEYSTONE_FEDERATION_CLIENT_SECRET=${KEYSTONE_FEDERATION_CLIENT_SECRET}
526+
${1}: export KEYSTONE_CRYPTO_PASSPHRASE=${KEYSTONE_CRYPTO_PASSPHRASE}
523527
${1}: export LIBVIRT_SECRET=${LIBVIRT_SECRET}
524528
${1}: export STORAGE_CLASS=${STORAGE_CLASS}
525529
${1}: export OUT=${OUT}

scripts/gen-input-kustomize.sh

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ if [ -z "$BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY" ]; then
4040
echo "Please set BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY"; exit 1
4141
fi
4242

43+
if [ -z "$KEYSTONE_FEDERATION_CLIENT_SECRET" ]; then
44+
echo "Please set KEYSTONE_FEDERATION_CLIENT_SECRET"; exit 1
45+
fi
46+
47+
if [ -z "$KEYSTONE_CRYPTO_PASSPHRASE" ]; then
48+
echo "Please set KEYSTONE_CRYPTO_PASSPHRASE"; exit 1
49+
fi
50+
4351
if [ -z "$LIBVIRT_SECRET" ]; then
4452
echo "Please set LIBVIRT_SECRET"; exit 1
4553
fi
@@ -76,6 +84,8 @@ secretGenerator:
7684
- CinderPassword=${PASSWORD}
7785
- IronicPassword=${PASSWORD}
7886
- IronicInspectorPassword=${PASSWORD}
87+
- KeystoneClientSecret=${KEYSTONE_FEDERATION_CLIENT_SECRET}
88+
- KeystoneCryptoPassphrase=${KEYSTONE_CRYPTO_PASSPHRASE}
7989
- OctaviaPassword=${PASSWORD}
8090
- OctaviaHeartbeatKey=${PASSWORD}
8191
- NovaPassword=${PASSWORD}

0 commit comments

Comments
 (0)