From 1dfa1fff9df016df26638528a7d720c9d7c5a31e Mon Sep 17 00:00:00 2001 
From: Pratik Bandarkar Date: Tue, 26 Mar 2024 11:30:36 +0000 Subject: [PATCH] Use HashiCorp Vault for Compute Kit deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Compute Kit deployment. --- docs/openstack-compute-kit.md | 314 +++++++++++++++--- .../designate/base/vault/designate-admin.yaml | 24 ++ .../designate/base/vault/kustomization.yaml | 5 + kustomize/designate/base/vault/vaultauth.yaml | 14 + .../designate/base/vault/vaultconnection.yaml | 18 + kustomize/ironic/base/vault/ironic-admin.yaml | 24 ++ .../ironic/base/vault/kustomization.yaml | 5 + kustomize/ironic/base/vault/vaultauth.yaml | 14 + .../ironic/base/vault/vaultconnection.yaml | 18 + .../neutron/base/vault/kustomization.yaml | 7 + .../neutron/base/vault/neutron-admin.yaml | 24 ++ .../base/vault/neutron-db-password.yaml | 24 ++ .../base/vault/neutron-rabbitmq-password.yaml | 24 ++ kustomize/neutron/base/vault/vaultauth.yaml | 14 + .../neutron/base/vault/vaultconnection.yaml | 18 + kustomize/nova/base/vault/kustomization.yaml | 8 + .../base/vault/metadata-shared-secret.yaml | 24 ++ kustomize/nova/base/vault/nova-admin.yaml | 24 ++ .../nova/base/vault/nova-db-password.yaml | 24 ++ .../base/vault/nova-rabbitmq-password.yaml | 24 ++ kustomize/nova/base/vault/vaultauth.yaml | 14 + .../nova/base/vault/vaultconnection.yaml | 18 + .../placement/base/vault/kustomization.yaml | 6 + .../placement/base/vault/placement-admin.yaml | 24 ++ .../base/vault/placement-db-password.yaml | 24 ++ kustomize/placement/base/vault/vaultauth.yaml | 14 + .../placement/base/vault/vaultconnection.yaml | 18 + 27 files changed, 714 insertions(+), 55 deletions(-) create mode 100644 kustomize/designate/base/vault/designate-admin.yaml create mode 100644 kustomize/designate/base/vault/kustomization.yaml create mode 100644 kustomize/designate/base/vault/vaultauth.yaml create mode 100644 kustomize/designate/base/vault/vaultconnection.yaml create mode 100644 
kustomize/ironic/base/vault/ironic-admin.yaml create mode 100644 kustomize/ironic/base/vault/kustomization.yaml create mode 100644 kustomize/ironic/base/vault/vaultauth.yaml create mode 100644 kustomize/ironic/base/vault/vaultconnection.yaml create mode 100644 kustomize/neutron/base/vault/kustomization.yaml create mode 100644 kustomize/neutron/base/vault/neutron-admin.yaml create mode 100644 kustomize/neutron/base/vault/neutron-db-password.yaml create mode 100644 kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml create mode 100644 kustomize/neutron/base/vault/vaultauth.yaml create mode 100644 kustomize/neutron/base/vault/vaultconnection.yaml create mode 100644 kustomize/nova/base/vault/kustomization.yaml create mode 100644 kustomize/nova/base/vault/metadata-shared-secret.yaml create mode 100644 kustomize/nova/base/vault/nova-admin.yaml create mode 100644 kustomize/nova/base/vault/nova-db-password.yaml create mode 100644 kustomize/nova/base/vault/nova-rabbitmq-password.yaml create mode 100644 kustomize/nova/base/vault/vaultauth.yaml create mode 100644 kustomize/nova/base/vault/vaultconnection.yaml create mode 100644 kustomize/placement/base/vault/kustomization.yaml create mode 100644 kustomize/placement/base/vault/placement-admin.yaml create mode 100644 kustomize/placement/base/vault/placement-db-password.yaml create mode 100644 kustomize/placement/base/vault/vaultauth.yaml create mode 100644 kustomize/placement/base/vault/vaultconnection.yaml diff --git a/docs/openstack-compute-kit.md b/docs/openstack-compute-kit.md index 3e33cd95..e9d6a860 100644 --- a/docs/openstack-compute-kit.md +++ b/docs/openstack-compute-kit.md 
@@ -2,81 +2,284 @@ [![asciicast](https://asciinema.org/a/629813.svg)](https://asciinema.org/a/629813) +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to following paths in the Vault: + - `osh/nova/` + - `osh/ironic/` + - `osh/designate/` + - `osh/neutron/` + ## Creating the Compute Kit Secrets Part of running Nova is also running placement. Setup all credentials now so we can use them across the nova and placement services. +### Create the secrets - Placement + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=nova +``` + +- List the existing secrets from `osh/placement/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/placement +``` + +- Placement Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/placement placement-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Placement Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/placement placement-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/placement +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/placement placement-admin +``` + +### Create the secrets - Nova + +- List the existing secrets from `osh/nova/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/nova +``` + +- Metadata-shared-secret Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova metadata-shared-secret \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head 
-c${1:-32};echo;) +``` + +- Nova Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova nova-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Nova Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova nova-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Nova RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/nova/nova-rabbitmq-password username=nova + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/nova nova-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/nova +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/nova nova-admin +``` + +### Create the secrets - Ironic(NOT IMPLEMENTED YET) + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=ironic +``` + +- List the existing secrets from `osh/ironic/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ironic +``` + +- Ironic Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/ironic ironic-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ironic +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/ironic ironic-admin +``` + +### Create the secrets - Designate(NOT IMPLEMENTED YET) + +- Login to the vault: + +``` shell +kubectl exec -it 
vault-0 -n vault -- \ + vault login -method userpass username=designate +``` + +- List the existing secrets from `osh/designate/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/designate +``` + +- Designate Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/designate designate-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/designate +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/designate designate-admin +``` + +### Create the secrets - Neutron + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=neutron +``` + +- List the existing secrets from `osh/neutron/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/neutron +``` + +- Neutron Database Password: + ``` shell -# Shared -kubectl --namespace openstack \ - create secret generic metadata-shared-secret \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/neutron neutron-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` +- Neutron Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/neutron neutron-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Neutron RabbitMQ Username and Password: + ``` shell -# Placement -kubectl --namespace openstack \ - create secret generic placement-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - 
create secret generic placement-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/neutron/neutron-rabbitmq-password username=neutron + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/neutron neutron-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) ``` +#### Validate the secrets + ``` shell -# Nova -kubectl --namespace openstack \ - create secret generic nova-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic nova-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic nova-rabbitmq-password \ - --type Opaque \ - --from-literal=username="nova" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/neutron +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/neutron neutron-admin +``` + +## Deploy vault-secret-operator resources + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack ``` +- If it is absent, create one using the following command: + ``` shell -# Ironic (NOT IMPLEMENTED YET) -kubectl --namespace openstack \ - create secret generic ironic-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 
-d -)" -n openstack ``` +- Deploy the necessary Vault resources to create Kubernetes secrets required by the placement installation: + ``` shell -# Designate (NOT IMPLEMENTED YET) -kubectl --namespace openstack \ - create secret generic designate-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl apply -k /opt/genestack/kustomize/placement/base/vault/ ``` +- Deploy the necessary Vault resources to create Kubernetes secrets required by the nova installation: + ``` shell -# Neutron -kubectl --namespace openstack \ - create secret generic neutron-rabbitmq-password \ - --type Opaque \ - --from-literal=username="neutron" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic neutron-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic neutron-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl apply -k /opt/genestack/kustomize/nova/base/vault/ ``` -## Deploy Placement +- Deploy the necessary Vault resources to create Kubernetes secrets required by the ironic installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/ironic/base/vault/ +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the designate installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/designate/base/vault/ +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the neutron installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/neutron/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +## Deploy Placement helm chart ``` shell cd 
/opt/genestack/submodules/openstack-helm @@ -94,7 +297,7 @@ helm upgrade --install placement ./placement --namespace=openstack \ --post-renderer-args placement/base ``` -## Deploy Nova +## Deploy Nova helm chart ``` shell cd /opt/genestack/submodules/openstack-helm @@ -140,7 +343,8 @@ If running in an environment that doesn't have hardware virtualization extension In a production like environment you may need to include production specific files like the example variable file found in `helm-configs/prod-example-openstack-overrides.yaml`. -## Deploy Neutron + +## Deploy Neutron helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/kustomize/designate/base/vault/designate-admin.yaml b/kustomize/designate/base/vault/designate-admin.yaml new file mode 100644 index 00000000..78154cf1 --- /dev/null +++ b/kustomize/designate/base/vault/designate-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: designate-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/neutron' + + # path of the secret + path: designate-admin + + # dest k8s secret + destination: + name: designate-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/designate/base/vault/kustomization.yaml b/kustomize/designate/base/vault/kustomization.yaml new file mode 100644 index 00000000..1cf12f2b --- /dev/null +++ b/kustomize/designate/base/vault/kustomization.yaml @@ -0,0 +1,5 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - designate-admin.yaml diff --git a/kustomize/designate/base/vault/vaultauth.yaml b/kustomize/designate/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/designate/base/vault/vaultauth.yaml 
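Review bot: `mount: 'osh/neutron'` in designate-admin.yaml points this VaultStaticSecret at the neutron KV mount, while the docs in the same commit write the designate credential with `vault kv put -mount=osh/designate designate-admin` and list `osh/designate/` as the path the operator needs. With the wrong mount the operator will either never populate the `designate-admin` destination Secret or, if a same-named key is ever created under the neutron mount, hand designate neutron-scoped material without any error. Change it to `mount: 'osh/designate'`. The same copy-paste appears in ironic-admin.yaml.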
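Review bot: The `vaultauth.yaml` and `vaultconnection.yaml` this kustomization pulls in are byte-identical copies of the ones in the ironic, neutron, nova and placement bases (the diff shows the same blob ids `a4f6a50a` and `61e878fd` for every copy), and all five create the same `vault-auth` and `vault-connection` objects in the `openstack` namespace. Each `kubectl apply -k` silently overwrites the previous one, so a later edit to one copy (a different role, service account or CA ref) would be undone or applied depending only on which service was applied last. Keep a single shared base, e.g. `resources: - ../../../vault-common`, and have each service base reference it instead of carrying its own copy.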
@@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/designate/base/vault/vaultconnection.yaml b/kustomize/designate/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/designate/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" diff --git a/kustomize/ironic/base/vault/ironic-admin.yaml b/kustomize/ironic/base/vault/ironic-admin.yaml new file mode 100644 index 00000000..19b1ba20 --- /dev/null +++ b/kustomize/ironic/base/vault/ironic-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: ironic-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/neutron' + + # path of the secret + path: ironic-admin + + # dest k8s secret + destination: + name: ironic-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/ironic/base/vault/kustomization.yaml b/kustomize/ironic/base/vault/kustomization.yaml new file mode 100644 index 00000000..78034a91 
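Review bot: `serviceAccount: default` makes the Vault Kubernetes auth role `osh` reachable with the token of the namespace's default service account, which every pod in `openstack` that does not set `automountServiceAccountToken: false` already carries; any such pod can present that token to the `genestack` auth mount and read every `osh/*` secret directly from Vault, bypassing Kubernetes RBAC on the synced Secrets. Whether the `osh` role is actually bound to `default` is configured on the Vault side and not visible here, but the manifest invites it. Use a dedicated account that only the operator reads, e.g. `serviceAccount: vault-secrets-reader`, created in the same kustomization, and bind the Vault role's `bound_service_account_names` to that account alone.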
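Review bot: `mount: 'osh/neutron'` in ironic-admin.yaml is the wrong mount; the prerequisites added in this commit list `osh/ironic/` and the ironic section writes the password with `-mount=osh/ironic`. As written the `ironic-admin` destination Secret is looked up in the neutron mount and will not be populated from the value the docs create. Change it to `mount: 'osh/ironic'`.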
--- /dev/null +++ b/kustomize/ironic/base/vault/kustomization.yaml @@ -0,0 +1,5 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - ironic-admin.yaml diff --git a/kustomize/ironic/base/vault/vaultauth.yaml b/kustomize/ironic/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/ironic/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/ironic/base/vault/vaultconnection.yaml b/kustomize/ironic/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/ironic/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" diff --git a/kustomize/neutron/base/vault/kustomization.yaml b/kustomize/neutron/base/vault/kustomization.yaml new file mode 100644 index 00000000..c96cbe7d --- /dev/null +++ b/kustomize/neutron/base/vault/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - neutron-admin.yaml + - neutron-db-password.yaml + - neutron-rabbitmq-password.yaml 
diff --git a/kustomize/neutron/base/vault/neutron-admin.yaml b/kustomize/neutron/base/vault/neutron-admin.yaml new file mode 100644 index 00000000..a34ecc70 --- /dev/null +++ b/kustomize/neutron/base/vault/neutron-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: neutron-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/neutron' + + # path of the secret + path: neutron-admin + + # dest k8s secret + destination: + name: neutron-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/neutron/base/vault/neutron-db-password.yaml b/kustomize/neutron/base/vault/neutron-db-password.yaml new file mode 100644 index 00000000..96cee38c --- /dev/null +++ b/kustomize/neutron/base/vault/neutron-db-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: neutron-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/neutron' + + # path of the secret + path: neutron-db-password + + # dest k8s secret + destination: + name: neutron-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml b/kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml new file mode 100644 index 00000000..27461c1c --- /dev/null +++ b/kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml 
@@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: neutron-rabbitmq-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/neutron' + + # path of the secret + path: neutron-rabbitmq-password + + # dest k8s secret + destination: + name: neutron-rabbitmq-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/neutron/base/vault/vaultauth.yaml b/kustomize/neutron/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/neutron/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/neutron/base/vault/vaultconnection.yaml b/kustomize/neutron/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/neutron/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" 
diff --git a/kustomize/nova/base/vault/kustomization.yaml b/kustomize/nova/base/vault/kustomization.yaml new file mode 100644 index 00000000..803c3f2c --- /dev/null +++ b/kustomize/nova/base/vault/kustomization.yaml @@ -0,0 +1,8 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - metadata-shared-secret.yaml + - nova-admin.yaml + - nova-db-password.yaml + - nova-rabbitmq-password.yaml diff --git a/kustomize/nova/base/vault/metadata-shared-secret.yaml b/kustomize/nova/base/vault/metadata-shared-secret.yaml new file mode 100644 index 00000000..f92dcc54 --- /dev/null +++ b/kustomize/nova/base/vault/metadata-shared-secret.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: metadata-shared-secret + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/nova' + + # path of the secret + path: metadata-shared-secret + + # dest k8s secret + destination: + name: metadata-shared-secret + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/nova/base/vault/nova-admin.yaml b/kustomize/nova/base/vault/nova-admin.yaml new file mode 100644 index 00000000..019e96f9 --- /dev/null +++ b/kustomize/nova/base/vault/nova-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: nova-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/nova' + + # path of the secret + path: nova-admin + + # dest k8s secret + destination: + name: nova-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/nova/base/vault/nova-db-password.yaml b/kustomize/nova/base/vault/nova-db-password.yaml new file mode 100644 index 00000000..72d3ff8c --- /dev/null 
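Review bot: `refreshAfter: 30s` will re-sync the `metadata-shared-secret` Secret after a rotation in Vault, but nothing in this manifest restarts the workloads that already loaded the old value, so rotating the shared secret leaves the nova metadata API and (presumably) the neutron metadata agent disagreeing on the signing key until someone manually rolls them. The removed docs labelled this secret `# Shared`, which is exactly the case where a half-applied rotation breaks metadata for every instance. The operator supports `rolloutRestartTargets` on a VaultStaticSecret; add an entry of the form `rolloutRestartTargets: [{kind: Deployment, name: <metadata deployment>}]` for each consumer, using the workload names the openstack-helm charts actually produce, which are not visible in this diff. The same consideration applies to the db and rabbitmq password secrets in this base.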
+++ b/kustomize/nova/base/vault/nova-db-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: nova-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/nova' + + # path of the secret + path: nova-db-password + + # dest k8s secret + destination: + name: nova-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/nova/base/vault/nova-rabbitmq-password.yaml b/kustomize/nova/base/vault/nova-rabbitmq-password.yaml new file mode 100644 index 00000000..cd091480 --- /dev/null +++ b/kustomize/nova/base/vault/nova-rabbitmq-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: nova-rabbitmq-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/nova' + + # path of the secret + path: nova-rabbitmq-password + + # dest k8s secret + destination: + name: nova-rabbitmq-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/nova/base/vault/vaultauth.yaml b/kustomize/nova/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/nova/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/nova/base/vault/vaultconnection.yaml b/kustomize/nova/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/nova/base/vault/vaultconnection.yaml 
@@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" diff --git a/kustomize/placement/base/vault/kustomization.yaml b/kustomize/placement/base/vault/kustomization.yaml new file mode 100644 index 00000000..d29125d7 --- /dev/null +++ b/kustomize/placement/base/vault/kustomization.yaml @@ -0,0 +1,6 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - placement-admin.yaml + - placement-db-password.yaml diff --git a/kustomize/placement/base/vault/placement-admin.yaml b/kustomize/placement/base/vault/placement-admin.yaml new file mode 100644 index 00000000..886f03a1 --- /dev/null +++ b/kustomize/placement/base/vault/placement-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: placement-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/placement' + + # path of the secret + path: placement-admin + + # dest k8s secret + destination: + name: placement-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/placement/base/vault/placement-db-password.yaml b/kustomize/placement/base/vault/placement-db-password.yaml new file mode 100644 index 00000000..8ffdea42 --- /dev/null +++ b/kustomize/placement/base/vault/placement-db-password.yaml 
@@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: placement-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/placement' + + # path of the secret + path: placement-db-password + + # dest k8s secret + destination: + name: placement-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/placement/base/vault/vaultauth.yaml b/kustomize/placement/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/placement/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/placement/base/vault/vaultconnection.yaml b/kustomize/placement/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/placement/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret"
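Review bot: `destination.create: true` is set with no `overwrite`, and on any cluster that was deployed with the removed `kubectl create secret generic placement-db-password` step a Secret of that name already exists and is not owned by the operator; as I recall the operator declines to overwrite a pre-existing Secret by default, so the sync errors and the Secret keeps its old value while Vault holds the freshly generated one — confirm against the operator version in use. Note also that the new docs generate a random password in Vault, which on an existing deployment will not match the credential the database was actually created with, so deleting the legacy Secret is not enough on its own. Either document that the legacy Secrets must be removed and the Vault value seeded from the existing credential before `kubectl apply -k`, or set `overwrite: true` deliberately and document the migration, e.g. `destination: {name: placement-db-password, create: true, overwrite: true}`.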