nixos/keystone: secrets can be read from files

A secret can be stored in a file. It is written at runtime in the configuration file. Note it is also possible to write them in the nix store for dev purposes.
2016-12-10 23:14:50 +01:00
parent 415c9ff90b
commit a932f68d9c
3 changed files with 131 additions and 22 deletions
--- a/nixos/tests/keystone.nix
+++ b/nixos/tests/keystone.nix
@@ -4,13 +4,17 @@ with import ../lib/testing.nix { inherit system; };
 with pkgs.lib;

 let
+  keystoneMysqlPassword = "keystoneMysqlPassword";
+  keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword";
+  keystoneAdminPassword = "keystoneAdminPassword";
+
  createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''
    create database keystone;
-    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
-    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
+    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}';
+    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}';
  '';
  # The admin keystone account
-  adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=admin OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
+  adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
  # The created demo keystone account
  demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";

@@ -18,12 +22,34 @@ in makeTest {
  machine =
    { config, pkgs, ... }:
    {
+      # This is to simulate nixops deployment process.
+      # https://nixos.org/nixops/manual/#opt-deployment.keys
+      boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}";
+
      services.mysql.enable = true;
      services.mysql.initialScript = createKeystoneDb;

      virtualisation = {
-        openstack.keystone.enable = true;
-	openstack.keystone.bootstrap.enable = true;
+
+        openstack.keystone = {
+	  enable = true;
+	  # Check if we can get the secret from a file
+	  database.password = {
+	    value = keystoneMysqlPasswordFile;
+	    storage = "fromFile";
+	  };
+	  adminToken = {
+	    value = "adminToken";
+	    storage = "fromNixStore";
+	  };
+
+	  bootstrap.enable = true;
+	  # Check if we can get the secret from the store
+	  bootstrap.adminPassword = {
+	    value = keystoneAdminPassword;
+	    storage = "fromNixStore";
+	  };
+	};

        memorySize = 2096;
        diskSize = 4 * 1024;