From 053004b86768a02650b2e3e19bf9851754ca1ad0 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Tue, 26 Mar 2024 10:12:37 +0000 Subject: [PATCH] Use HashiCorp Vault for Cinder deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Cinder deployment. --- docs/openstack-cinder.md | 99 ++++++++++++++++--- kustomize/cinder/base/vault/cinder-admin.yaml | 24 +++++ .../cinder/base/vault/cinder-db-password.yaml | 24 +++++ .../base/vault/cinder-rabbitmq-password.yaml | 24 +++++ .../cinder/base/vault/kustomization.yaml | 7 ++ kustomize/cinder/base/vault/vaultauth.yaml | 14 +++ .../cinder/base/vault/vaultconnection.yaml | 18 ++++ 7 files changed, 195 insertions(+), 15 deletions(-) create mode 100644 kustomize/cinder/base/vault/cinder-admin.yaml create mode 100644 kustomize/cinder/base/vault/cinder-db-password.yaml create mode 100644 kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml create mode 100644 kustomize/cinder/base/vault/kustomization.yaml create mode 100644 kustomize/cinder/base/vault/vaultauth.yaml create mode 100644 kustomize/cinder/base/vault/vaultconnection.yaml diff --git a/docs/openstack-cinder.md b/docs/openstack-cinder.md index 72fc3f26..ee95c771 100644 --- a/docs/openstack-cinder.md +++ b/docs/openstack-cinder.md @@ -2,25 +2,94 @@ [![asciicast](https://asciinema.org/a/629808.svg)](https://asciinema.org/a/629808) -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/cinder/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=cinder +``` + +### List the existing secrets from `osh/cinder/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/cinder +``` + +### Create the secrets + +- Cinder RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/cinder/cinder-rabbitmq-password username=cinder + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/cinder cinder-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Cinder Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/cinder cinder-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Cinder Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/cinder cinder-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/cinder +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/cinder cinder-admin +``` + +## Install Cinder + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Cinder installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/cinder/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack \ - create secret generic cinder-rabbitmq-password \ - --type Opaque \ - --from-literal=username="cinder" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic cinder-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic cinder-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Cinder helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/kustomize/cinder/base/vault/cinder-admin.yaml b/kustomize/cinder/base/vault/cinder-admin.yaml new file mode 100644 index 00000000..1f6b158f --- /dev/null +++ b/kustomize/cinder/base/vault/cinder-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: cinder-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/cinder' + + # path of the secret + path: cinder-admin + + # dest k8s secret + destination: + name: cinder-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/cinder/base/vault/cinder-db-password.yaml b/kustomize/cinder/base/vault/cinder-db-password.yaml new file mode 100644 index 00000000..cafa36cf --- /dev/null +++ b/kustomize/cinder/base/vault/cinder-db-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: cinder-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/cinder' + + # path of the secret + path: cinder-db-password + + # dest k8s secret + destination: + name: cinder-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml b/kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml new file mode 100644 index 00000000..9c80467a --- /dev/null +++ b/kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: cinder-rabbitmq-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/cinder' + + # path of the secret + path: cinder-rabbitmq-password + + # dest k8s secret + destination: + name: cinder-rabbitmq-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/cinder/base/vault/kustomization.yaml b/kustomize/cinder/base/vault/kustomization.yaml new file mode 100644 index 00000000..fc1b85fc --- /dev/null +++ b/kustomize/cinder/base/vault/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - cinder-admin.yaml + - cinder-db-password.yaml + - cinder-rabbitmq-password.yaml diff --git a/kustomize/cinder/base/vault/vaultauth.yaml b/kustomize/cinder/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/cinder/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/cinder/base/vault/vaultconnection.yaml b/kustomize/cinder/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/cinder/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret"