diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md index 0f9bfbcb..7855f45d 100644 --- a/docs/infrastructure-mariadb.md +++ b/docs/infrastructure-mariadb.md @@ -1,15 +1,5 @@ # Deploy the MariaDB Operator and a Galera Cluster -## Create secret - -``` shell -kubectl --namespace openstack \ - create secret generic mariadb \ - --type Opaque \ - --from-literal=root-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -``` - ## Deploy the mariadb operator If you've changed your k8s cluster name from the default cluster.local, edit `clusterName` in `/opt/genestack/kustomize/mariadb-operator/kustomization.yaml` prior to deploying the mariadb operator. 
@@ -29,6 +19,48 @@ kubectl --namespace mariadb-system get pods -w ## Deploy the MariaDB Cluster +## Pre-requsites: +- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md) +- User has access to `osh/mariadb/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: +```shell +kubectl exec -it vault-0 -n vault -- vault login -method userpass username=mariadb +``` +### List the existing secrets from `osh/mariadb/`: +```shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/mariadb +``` +### Create the secrets: +- Mariadb root-password: +```shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` +### Validate the secrets: +```shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/mariadb +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv get -mount=osh/mariadb mariadb-root-password +``` + +## Install mariadb cluster: +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: +```shell +kubectl create secret generic vault-ca-secret --from-literal=ca.crt="$(kubectl get secret vault-tls-secret -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation: +```shell +kubectl apply -k /opt/genestack/kustomize/mariadb-cluster/base/vault +``` + +### Deploy mariadb-cluster ``` shell kubectl --namespace openstack apply -k /opt/genestack/kustomize/mariadb-cluster/base ``` 
diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 6e57225d..91efcb60 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
@@ -2,30 +2,59 @@ [![asciicast](https://asciinema.org/a/629802.svg)](https://asciinema.org/a/629802) -## Create secrets. +## Pre-requsites: +- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md) +- User has access to `osh/keystone/` path in the Vault -``` shell -kubectl --namespace openstack \ - create secret generic keystone-rabbitmq-password \ - --type Opaque \ - --from-literal=username="keystone" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-credential-keys \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +## Create secrets in the vault: + +### Login to the vault: +```shell +kubectl exec -it vault-0 -n vault -- vault login -method userpass username=keystone +``` +### List the existing secrets from `osh/keystone/`: +```shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/keystone +``` +### Create the secrets: +- Keystone RabbitMQ Password: +```shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv put -mount=osh/keystone keystone-rabbitmq-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Keystone Database Password: +```shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv put -mount=osh/keystone keystone-db-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Keystone Admin Password: +```shell +kubectl exec --stdin=true 
--tty=true vault-0 -n vault -- vault kv put -mount=osh/keystone keystone-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` -## Run the package deployment +### Validate the secrets: +```shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/keystone +kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv get -mount=osh/keystone keystone-admin +``` + +## Install Keystone +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: +```shell +kubectl create secret generic vault-ca-secret --from-literal=ca.crt="$(kubectl get secret vault-tls-secret -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Keystone installation: +```shell +kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/ +``` +### Deploy Keystone helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/kustomize/keystone/base/vault/keystone-admin.yaml b/kustomize/keystone/base/vault/keystone-admin.yaml new file mode 100644 index 00000000..62451f2a --- /dev/null +++ b/kustomize/keystone/base/vault/keystone-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: keystone-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/keystone' + + # path of the secret + path: keystone-admin + + # dest k8s secret + destination: + name: keystone-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth 
diff --git a/kustomize/keystone/base/vault/keystone-db-password.yaml b/kustomize/keystone/base/vault/keystone-db-password.yaml new file mode 100644 index 00000000..23c9d323 --- /dev/null +++ b/kustomize/keystone/base/vault/keystone-db-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: keystone-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/keystone' + + # path of the secret + path: keystone-db-password + + # dest k8s secret + destination: + name: keystone-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml b/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml new file mode 100644 index 00000000..af0b4178 --- /dev/null +++ b/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: keystone-rabbitmq-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/keystone' + + # path of the secret + path: keystone-rabbitmq-password + + # dest k8s secret + destination: + name: keystone-rabbitmq-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/keystone/base/vault/kustomization.yaml b/kustomize/keystone/base/vault/kustomization.yaml new file mode 100644 index 00000000..551a31d5 --- /dev/null +++ b/kustomize/keystone/base/vault/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - keystone-admin.yaml + - keystone-db-password.yaml + - keystone-rabbitmq-password.yaml 
diff --git a/kustomize/keystone/base/vault/vaultauth.yaml b/kustomize/keystone/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/keystone/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/keystone/base/vault/vaultconnection.yaml b/kustomize/keystone/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/keystone/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" diff --git a/kustomize/mariadb-cluster/base/mariadb-galera.yaml b/kustomize/mariadb-cluster/base/mariadb-galera.yaml index 55ea560d..89f1d6ea 100644 --- a/kustomize/mariadb-cluster/base/mariadb-galera.yaml +++ b/kustomize/mariadb-cluster/base/mariadb-galera.yaml @@ -6,7 +6,7 @@ metadata: spec: rootPasswordSecretKeyRef: name: mariadb - key: root-password + key: mariadb-root-password username: mariadb database: mariadb diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml new file mode 100644 index 00000000..7b3b9e58 --- /dev/null 
+++ b/kustomize/mariadb-cluster/base/vault/kustomization.yaml @@ -0,0 +1,5 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - mariadb-root-password.yaml diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml b/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml new file mode 100644 index 00000000..6bf87776 --- /dev/null +++ b/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: mariadb-root-password + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/mariadb' + +# path of the secret + path: mariadb-root-password + +# dest k8s secret + destination: + name: mariadb-root-password + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/mariadb-cluster/base/vault/vaultauth.yaml b/kustomize/mariadb-cluster/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/mariadb-cluster/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml b/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml 
@@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret"
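Review bot: In the `docs/infrastructure-mariadb.md` "Create the secrets" hunk, the generated root password is passed as an argument on the `kubectl exec ... vault kv put ... root-password=$(...)` line, so it is written to the operator's shell history and is visible as a process argument inside the `vault-0` container while the command runs; the removed `kubectl create secret` block had the same exposure, but since the flow is being rewritten, feed the value on stdin instead (`vault kv put -mount=osh/mariadb mariadb-root-password -` with a JSON body). The preceding `vault login -method userpass username=mariadb` run through `kubectl exec` also leaves the resulting user token in the token helper file of the `vault-0` container rather than on the operator's machine. Two smaller points in the same hunk: the `$(...)` is unquoted, unlike the removed lines, and only works because `tr -dc _A-Za-z0-9` never emits whitespace, so write `root-password="$(...)"` as before; and the heading "Pre-requsites" should be "Prerequisites".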
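Review bot: In the `docs/openstack-keystone.md` hunk, the removed block created four secrets but the new Vault flow creates only three: `keystone-credential-keys` appears neither in the `vault kv put` commands nor as a `VaultStaticSecret` under `kustomize/keystone/base/vault/`, and `keystone-rabbitmq-password` loses its `username="keystone"` key because the new `vault kv put ... keystone-rabbitmq-password password=$(...)` stores only `password`. If the chart values still reference either, the deployment will fail to mount them; either add them to the `osh/keystone` path with matching `VaultStaticSecret` resources, or say in the doc why they are no longer needed. The same "Pre-requsites" typo and the same unquoted `$(...)` as in the MariaDB doc apply here.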
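Review bot: In the `kustomize/mariadb-cluster/base/mariadb-galera.yaml` hunk, `rootPasswordSecretKeyRef` still points at `name: mariadb` while the key becomes `mariadb-root-password`, but the only secret this patch now creates in `openstack` is the `VaultStaticSecret` destination named `mariadb-root-password`, whose data key is `root-password` (from the `vault kv put ... root-password=` line in the doc), and the doc section that used to create the `mariadb` secret has been removed. As written, the operator will look for key `mariadb-root-password` in a secret `mariadb` that no longer exists; it should be `name: mariadb-root-password` / `key: root-password` (or the Vault key renamed to match). The removed doc block also seeded a `password` key in the `mariadb` secret for the `username: mariadb` account shown in this hunk's context, and nothing in the patch recreates it, so check where that user password is now sourced.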
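Review bot: In both `vaultauth.yaml` hunks (`kustomize/keystone/base/vault/` and `kustomize/mariadb-cluster/base/vault/`), `serviceAccount: default` binds the Vault Kubernetes-auth role `osh` to the namespace's default service account, which every pod in `openstack` that does not set its own `serviceAccountName` runs as; the operator authenticates with that account's token, so any such workload that can read its own mounted token can log in as role `osh` and read everything under `osh/keystone` and `osh/mariadb`. Use a dedicated service account for the operator (for example one named `vault-auth`), bind role `osh` to it on the Vault side, and keep `default` out of the role's allowed service accounts.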
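Review bot: The `vaultconnection.yaml` and `vaultauth.yaml` files are byte-identical between `kustomize/keystone/base/vault/` and `kustomize/mariadb-cluster/base/vault/` (same blob ids `61e878fd` and `a4f6a50a`) and define the same `vault-connection` and `vault-auth` objects in `openstack`, so the two kustomizations apply the same resources twice; that is harmless while they match, but they will drift silently. Factor them into one shared base that both `kustomization.yaml` files reference. `skipTLSVerify: false` together with `caCertSecretRef: "vault-ca-secret"` is the right setting; the commented-out `headers` and `tlsServerName` lines can be dropped.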
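Review bot: In the `kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml` hunk, the `# mount path`, `# path of the secret`, `# dest k8s secret`, `# static secret refresh interval` and `# Name of the CRD ...` comments sit at column 0 inside the `spec:` mapping, unlike the three `keystone-*.yaml` files where they are indented with the keys they describe; YAML accepts it, but indent them to match.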