Hello All.

As part of an effort to make Jenkins slaves easy to create I have moved infra users' password variables from Foreman to our internal infra-hiera repo.

The values are removed from Foreman and placed in common.yaml there as is. So you won't notice any changes unless you need to change your hash. And if you do need to do that, feel free to submit changes via gerrit as usual.

Please note the additional things uncovered as part of this:

1. Puppet did not unset the password if it was removed. This is because the "user" class won't set any password if the value is "undef" and hence it will just leave it as it was before. The following change is merged to address it: https://gerrit.ovirt.org/#/c/65348/ It also polices the value to make sure we accept the values with proper hashes that we consider secure enough and disable anything else.

2. Some old users still use MD5 for hashing. We need to ask all of them to rehash and then drop MD5 support in puppet. I opened https://ovirt-jira.atlassian.net/browse/OVIRT-768 for that.

3. As I said, infra-hiera is already used and basically it is deployed along with the puppet code by the existing jenkins job. We just need to enable hooks in gerrit and I think we can just use the same ones that we use for infra-puppet. Another ticket opened: https://ovirt-jira.atlassian.net/browse/OVIRT-769

Anton.

--
Anton Marchukov
Senior Software Engineer - RHEV CI - Red Hat
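
An added example, not part of the message above or of the merged puppet change: a Python audit that sorts hiera-style password values by crypt(3) prefix into accepted, needs-rehash (MD5, as in point 2) and would-be-disabled (anything else, as in point 1). The key names, the sample values and the choice of SHA-256/SHA-512 as the accepted schemes are assumptions; the message does not list them.

```python
import re

# crypt(3) modular-format ids and the digest length each scheme produces.
SCHEMES = {"1": ("md5", 22), "5": ("sha256", 43), "6": ("sha512", 86)}
ACCEPTED = {"sha256", "sha512"}  # assumed policy, not stated in the message
LEGACY = {"md5"}                 # still in use; owners are asked to rehash

HASH_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./A-Za-z0-9]{1,16})\$(?P<digest>[./A-Za-z0-9]+)$"
)

def classify(value):
    """Return 'ok', 'rehash' or 'disable' for one password value."""
    match = HASH_RE.match(value) if value else None
    if not match:
        return "disable"            # undef, plaintext, '!' locks, garbage
    name, digest_len = SCHEMES.get(match.group("id"), (None, 0))
    if name is None or len(match.group("digest")) != digest_len:
        return "disable"            # unknown scheme or truncated hash
    if name in LEGACY:
        return "rehash"
    return "ok" if name in ACCEPTED else "disable"

def audit(text):
    """Classify every 'key: value' line of a flat YAML-like document."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip().strip("'\"")
        value = None if raw in ("", "~", "null") else raw
        report[key.strip()] = classify(value)
    return report

# Constructed sample: hypothetical keys, filler digests, not real hashes.
SAMPLE = f"""\
# common.yaml (constructed)
alice_password: '$6$constructedsalt${'a' * 86}'
bob_password: '$1$oldsalt${'b' * 22}'
carol_password: 'plaintext-oops'
dave_password: ~
"""

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(f"{user}: {verdict}")
```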