Hello,


Just to clarify that this is already possible when using puppet-nova, it's up to the deployment to

make sure the database parameters for the classes is set.


We've been running without database credentials in nova.conf on our compute nodes for years.


Best regards

Tobias

From: Thomas Goirand <zigo@debian.org>
Sent: Saturday, November 21, 2020 2:47:23 AM
To: openstack maillist
Subject: Re: [nova][tripleo][rpm-packaging][kolla][puppet][debian][osa] Nova enforces that no DB credentials are allowed for the nova-compute service
 
On 11/18/20 8:24 PM, Dan Smith wrote:
> which things are
> _not_allowed_ to be set for a service (such as db credentials on the
> compute).

I still don't understand why this is forbidden.

Sure, I understand what people wrote: that it is a security problem.

Can't nova-compute just *ignore* the db credentials, and then everyone
is done with it, and moves on? That's a much more easy way to handle
this problem, IMO.

Cheers,

Thomas Goirand (zigo)