From a932f68d9c2a020e04b49f225310decf39bb34d0 Mon Sep 17 00:00:00 2001
From: Antoine Eiche
Date: Sat, 10 Dec 2016 23:14:50 +0100
Subject: nixos/keystone: secrets can be read from files

A secret can be stored in a file. It is written at runtime in the configuration file. Note it is also possible to write them in the nix store for dev purposes.
---
 nixos/tests/keystone.nix | 36 +++++++++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 5 deletions(-)
(limited to 'nixos/tests')

diff --git a/nixos/tests/keystone.nix b/nixos/tests/keystone.nix
index 15e86db381f..872d6c0784b 100644
--- a/nixos/tests/keystone.nix
+++ b/nixos/tests/keystone.nix
@@ -4,13 +4,17 @@ with import ../lib/testing.nix { inherit system; };
 with pkgs.lib;
 let
+  keystoneMysqlPassword = "keystoneMysqlPassword";
+  keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword";
+  keystoneAdminPassword = "keystoneAdminPassword";
+
   createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''
     create database keystone;
-    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
-    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
+    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}';
+    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}';
   '';
 
   # The admin keystone account
-  adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=admin OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
+  adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
 
   # The created demo keystone account
   demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
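Review bot: The secret file named by `keystoneMysqlPasswordFile` (`/var/run/keystoneMysqlPassword`) introduced in this hunk is created in the second hunk with a bare `echo ... > ...` from `boot.postBootCommands`, so it gets the shell's default umask (typically 0644) rather than the 0600 root-owned mode that nixops' deployment.keys produce by default. As written, the test would pass even if the keystone module reads `database.password` as an unprivileged service user that could not open a real deployment key, which is the access path the `fromFile` storage exists for. Tightening the simulation to `boot.postBootCommands = "(umask 077; echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile})";` makes the test exercise that case, and if the module needs an owner or group adjustment to read the key the test will surface it. The store-resident values (`keystoneMysqlPassword` interpolated into the SQL script, `OS_PASSWORD` in `adminOpenstackCmd`) are acceptable for a test fixture, as the commit message already states.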
@@ -18,12 +22,34 @@ in
 makeTest {
   machine = { config, pkgs, ... }: {
+    # This is to simulate nixops deployment process.
+    # https://nixos.org/nixops/manual/#opt-deployment.keys
+    boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}";
+
     services.mysql.enable = true;
     services.mysql.initialScript = createKeystoneDb;
     virtualisation = {
-      openstack.keystone.enable = true;
-      openstack.keystone.bootstrap.enable = true;
+
+      openstack.keystone = {
+        enable = true;
+        # Check if we can get the secret from a file
+        database.password = {
+          value = keystoneMysqlPasswordFile;
+          storage = "fromFile";
+        };
+        adminToken = {
+          value = "adminToken";
+          storage = "fromNixStore";
+        };
+
+        bootstrap.enable = true;
+        # Check if we can get the secret from the store
+        bootstrap.adminPassword = {
+          value = keystoneAdminPassword;
+          storage = "fromNixStore";
+        };
+      };
       memorySize = 2096;
       diskSize = 4 * 1024;
-- 
cgit 1.4.1