author | Antoine Eiche <lewo@abesis.fr> | 2016-12-10 23:14:50 +0100 |
---|---|---|
committer | Jörg Thalheim <joerg@higgsboson.tk> | 2016-12-16 20:53:32 +0100 |
commit | a932f68d9c2a020e04b49f225310decf39bb34d0 (patch) | |
tree | d3da8cd0d0ce5439f556f16a1a898d5d45808f0a /nixos/tests | |
parent | 415c9ff90b4aa9f6452f618e60aa948ab94a93fb (diff) |
nixos/keystone: secrets can be read from files
A secret can be stored in a file; its value is written into the
configuration file at runtime.
Note it is also possible to write them in the nix store for dev
purposes.
Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/keystone.nix | 36 |
1 files changed, 31 insertions, 5 deletions
diff --git a/nixos/tests/keystone.nix b/nixos/tests/keystone.nix
index 15e86db381fb..872d6c0784bf 100644
--- a/nixos/tests/keystone.nix
+++ b/nixos/tests/keystone.nix
@@ -4,13 +4,17 @@ with import ../lib/testing.nix { inherit system; };
 with pkgs.lib;
 let
+ keystoneMysqlPassword = "keystoneMysqlPassword";
+ keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword";
+ keystoneAdminPassword = "keystoneAdminPassword";
+
 createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''
 create database keystone;
- GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
- GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
+ GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}';
+ GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}';
 '';
 # The admin keystone account
- adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=admin OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
+ adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
 # The created demo keystone account
 demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
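Review bot: keystoneMysqlPassword is interpolated verbatim into the two GRANT statements of createKeystoneDb, so the test breaks in a confusing way (a mysql syntax error at initialScript time) if someone later changes the constant to a value containing a single quote; a comment on the binding, `# interpolated unescaped into the SQL in createKeystoneDb: must not contain a single quote`, would make that constraint visible. As a point of consistency, the admin credential moved into keystoneAdminPassword while the demo account on the last context line still carries the literal `demo` inline; a `keystoneDemoPassword` binding used the same way would keep all test credentials together at the top of the `let` block. The `let` block itself continues past the end of this hunk.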
@@ -18,12 +22,34 @@ in makeTest {
 machine = { config, pkgs, ... }: {
+ # This is to simulate nixops deployment process.
+ # https://nixos.org/nixops/manual/#opt-deployment.keys
+ boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}";
+
 services.mysql.enable = true;
 services.mysql.initialScript = createKeystoneDb;
 virtualisation = {
- openstack.keystone.enable = true;
- openstack.keystone.bootstrap.enable = true;
+
+ openstack.keystone = {
+ enable = true;
+ # Check if we can get the secret from a file
+ database.password = {
+ value = keystoneMysqlPasswordFile;
+ storage = "fromFile";
+ };
+ adminToken = {
+ value = "adminToken";
+ storage = "fromNixStore";
+ };
+
+ bootstrap.enable = true;
+ # Check if we can get the secret from the store
+ bootstrap.adminPassword = {
+ value = keystoneAdminPassword;
+ storage = "fromNixStore";
+ };
+ };
 memorySize = 2096;
 diskSize = 4 * 1024; |
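Review bot: The boot.postBootCommands line creates `${keystoneMysqlPasswordFile}` with a plain shell redirection, so the file's mode depends on whatever umask is in effect during boot and the secret is likely readable by any local user on the test VM; since the comment says this stands in for nixops deployment keys, which as far as I recall are installed with owner-only permissions, the fromFile path would be exercised more faithfully with `boot.postBootCommands = "(umask 077; echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile})";`. Note also that postBootCommands is, as far as I know, embedded in the stage-2 init script, so the value still lands in the Nix store, which the commit message already accepts for dev/test use but the comment does not say. I would replace `# This is to simulate nixops deployment process.` with `# Simulates a nixops deployment key: the file is written at boot, outside the Nix store, so the fromFile storage path gets exercised (the value itself still lives in the store via the init script; fine for a test).`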