Infra Password Hashes are Moved to Internal Hiera

Anton Marchukov amarchuk at redhat.com
Tue Oct 11 12:46:38 UTC 2016


Hello All.

As part of an effort to make Jenkins slaves easy to create I have moved
infra users' password variables from Foreman to our internal infra-hiera
repo.

The values are removed from Foreman and placed in common.yaml there as is,
so you won't notice any changes unless you need to change your hash. If
you do need to do that, feel free to submit changes via Gerrit as usual.

Please note the additional things uncovered as part of this:

1. Puppet did not unset the password if it was removed. This is because
the "user" class won't set any password if the value is "undef" and hence it
will just leave it as it was before. The following change is merged to
address it: https://gerrit.ovirt.org/#/c/65348/ . It also polices the value
to make sure we accept the values with proper hashes that we consider secure
enough and disable anything else.

2. Some old users still use MD5 for hashing. We need to ask all of them to
rehash and then drop MD5 support in Puppet. I opened
https://ovirt-jira.atlassian.net/browse/OVIRT-768 for that.

3. As I said, infra-hiera is already used and basically it is deployed along
with the Puppet code by the existing Jenkins job. We just need to enable hooks
in Gerrit and I think we can just use the same ones that we use for
infra-puppet. Another ticket is opened:
https://ovirt-jira.atlassian.net/browse/OVIRT-769

Anton.

-- 
Anton Marchukov
Senior Software Engineer - RHEV CI - Red Hat
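
Added example, not part of the original message and not the code from the Gerrit change: a Ruby audit of hiera-style password values that shows the two behaviours described in points 1 and 2, never passing an unset value through (so a removed password is locked instead of left as it was) and flagging MD5 hashes for rehash. The key names, the sample hashes, the accepted scheme table and the use of "!" as the locked value are assumptions made for this example.

```ruby
require 'yaml'

# crypt(3) formats accepted by this example. Which schemes the merged Puppet
# change accepts is not stated in the message; this table is an assumption.
SCHEMES = {
  sha512: %r{\A\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}\z},
  sha256: %r{\A\$5\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43}\z},
  md5:    %r{\A\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}\z}
}.freeze
LEGACY = [:md5].freeze # still accepted, but the owner must rehash
LOCKED = '!'           # assumed locked value: no crypt() output equals it

# Constructed sample in the shape of a hiera common.yaml. Key names and hash
# bodies are made up; they are not taken from infra-hiera.
SAMPLE = <<~YAML
  alice_password: '$6$Zk3uYb1q$#{'a' * 86}'
  bob_password: '$1$oldsalt1$#{'b' * 22}'
  carol_password: ~
  dave_password: 'hunter2'
YAML

# Name the scheme of a value, or report it as :unset / :rejected.
def classify(value)
  return :unset unless value.is_a?(String) && !value.empty?
  SCHEMES.each { |name, re| return name if value.match?(re) }
  :rejected
end

# Value to hand to the user resource. It is never nil: a nil (undef) password
# would make Puppet leave the old hash in place, so unset and rejected values
# are replaced by the locked marker.
def effective_password(value)
  %i[unset rejected].include?(classify(value)) ? LOCKED : value
end

# One result row per key in the YAML document.
def audit(yaml_text)
  YAML.safe_load(yaml_text).map do |key, value|
    scheme = classify(value)
    { key: key, scheme: scheme, rehash: LEGACY.include?(scheme),
      password: effective_password(value) }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE).each do |row|
    puts format('%-16s %-9s rehash=%s', row[:key], row[:scheme], row[:rehash])
  end
end
```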