Chapter 13. Changing service account passwords using director Operator

download PDF

Red Hat OpenStack Platform (RHOSP) services and the databases that they use are authenticated by their Identity service (keystone) credentials. The Identity service generates these RHOSP passwords during the initial RHOSP deployment process. You might be required to periodically update passwords for threat mitigation or security compliance. You can use tools native to director Operator (OSPdO) to change many of the generated passwords after your RHOSP environment is deployed.

13.1. Rotating overcloud service account passwords with director Operator

You can rotate the overcloud service account passwords used with a director Operator (OSPdO) deployed Red Hat OpenStack Platform (RHOSP) environment.


  1. Create a backup of the current tripleo-passwords secret:

    $ oc get secret tripleo-passwords -n openstack -o yaml > tripleo-passwords_backup.yaml
  2. Create a plain text file named tripleo-overcloud-passwords_preserve_list to specify that the passwords for the following services should not be rotated:


    You can add additional services to this list if there are other services for which you want to preserve the password.

  3. Create a password parameter file, tripleo-overcloud-passwords.yaml, that lists the passwords that should not be modified:

    $ oc get secret tripleo-passwords -n openstack \
    -o jsonpath='{.data.tripleo-overcloud-passwords\.yaml}' \
    | base64 -d | grep -f ./tripleo-overcloud-passwords_preserve_list > tripleo-overcloud-passwords.yaml
  4. Validate that the tripleo-overcloud-passwords.yaml file contains the passwords that you do not want to rotate.
  5. Update the tripleo-password secret:

    $ oc create secret generic tripleo-passwords -n openstack \
    --from-file=./tripleo-overcloud-passwords.yaml \
    --dry-run=client -o yaml | oc apply -f -
  6. Create Ansible playbooks to configure the overcloud with the OpenStackConfigGenerator CRD. For more information, see Creating Ansible playbooks for overcloud configuration with the OpenStackConfigGenerator CRD.
  7. Apply the updated configuration. For more information, see Applying overcloud configuration with director Operator.


Compare the new NovaPassword in the secret to what is now installed on the Controller node.

  1. Get the password from the updated secret:

    $ oc get secret tripleo-passwords -n openstack -o jsonpath='{.data.tripleo-overcloud-passwords\.yaml}' | base64 -d | grep NovaPassword

    Example output:

    NovaPassword: hp4xpt7t2p79ktqjjnxpqwbp6
  2. Retrieve the password for the Compute service (nova) running on the Controller nodes:

    1. Access the openstackclient remote shell:

      $ oc rsh openstackclient -n openstack
    2. Ensure that you are in the home directory:

      $ cd
    3. Retrieve the Compute service password:

      $ ansible -i /home/cloud-admin/ctlplane-ansible-inventory Controller -b -a "grep ^connection /var/lib/config-data/puppet-generated/nova/etc/nova/nova.conf"

      Example output: | CHANGED | rc=0 >> connection=mysql+pymysql://nova_api:hp4xpt7t2p79ktqjjnxpqwbp6@ connection=mysql+pymysql://nova:hp4xpt7t2p79ktqjjnxpqwbp6@
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.