diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md index 02072e61..d6040a20 100644 --- a/docs/infrastructure-mariadb.md +++ b/docs/infrastructure-mariadb.md @@ -19,7 +19,7 @@ kubectl --namespace mariadb-system get pods -w ## Deploy the MariaDB Cluster -## Pre-requsites: +## Pre-requsites - Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) - User has access to `osh/mariadb/` path in the Vault 
@@ -40,49 +40,55 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv list osh/mariadb ``` -### Create the secrets: +### Create the secrets - Mariadb root-password: + ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) + vault kv put -mount=osh/mariadb mariadb root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` - MaxScale password: + ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv put -mount=osh/mariadb maxscale password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` -### Validate the secrets: +### Validate the secrets ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv list osh/mariadb kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv get -mount=osh/mariadb mariadb-root-password + vault kv get -mount=osh/mariadb mariadb ``` -## Install mariadb cluster: +## Install mariadb cluster - Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: -```shell + +``` shell kubectl get secret vault-ca-secret -o yaml -n openstack ``` - If it is absent, create one using the following command: -```shell + +``` shell kubectl create secret generic vault-ca-secret \ --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack ``` - Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation: + ``` shell kubectl apply -k /opt/genestack/kustomize/mariadb-cluster/base/vault ``` - Validate whether the required Kubernetes secrets from Vault are populated: + ``` shell kubectl get secrets -n openstack ``` diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index f8f4a74c..e9b9ba8a 100644 --- a/docs/openstack-glance.md 
+++ b/docs/openstack-glance.md
@@ -105,7 +105,7 @@ helm upgrade --install glance ./glance \
 -f /opt/genestack/helm-configs/glance/glance-helm-overrides.yaml \
 --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret glance-admin -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
 --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
diff --git a/docs/openstack-heat.md b/docs/openstack-heat.md
index 4ed03005..85e96521 100644
--- a/docs/openstack-heat.md
+++ b/docs/openstack-heat.md
@@ -118,7 +118,7 @@ helm upgrade --install heat ./heat \
 --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
 --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md
index 3a5548f9..2dd6d46c 100644
--- a/docs/openstack-keystone.md
+++ b/docs/openstack-keystone.md
@@ -100,7 +100,7 @@ helm upgrade --install keystone ./keystone \ --timeout 120m \ -f /opt/genestack/helm-configs/keystone/keystone-helm-overrides.yaml \ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ diff --git a/kustomize/mariadb-cluster/base/mariadb-galera.yaml b/kustomize/mariadb-cluster/base/mariadb-galera.yaml index 67a77ca9..d77fdeaf 100644 --- a/kustomize/mariadb-cluster/base/mariadb-galera.yaml +++ b/kustomize/mariadb-cluster/base/mariadb-galera.yaml @@ -5,7 +5,7 @@ metadata: namespace: openstack spec: rootPasswordSecretKeyRef: - name: mariadb-root-password + name: mariadb key: root-password username: mariadb database: mariadb diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml index 22438c37..e759ecb7 100644 --- a/kustomize/mariadb-cluster/base/vault/kustomization.yaml +++ b/kustomize/mariadb-cluster/base/vault/kustomization.yaml @@ -2,5 +2,5 @@ namespace: openstack resources: - vaultauth.yaml - vaultconnection.yaml - - mariadb-root-password.yaml + - mariadb.yaml - mariadb-maxscale.yaml 
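Review bot: In kustomize/mariadb-cluster/base/mariadb-galera.yaml, `rootPasswordSecretKeyRef.name` now points at a Secret named `mariadb`, which presumably only exists once the renamed Vault resource has synced from the new path `osh/mariadb/mariadb`; nothing in this commit covers clusters that already stored the root password under `mariadb-root-password`. On such a cluster the reference would likely resolve to nothing, or, if the operator follows the updated docs and writes a fresh random value to the new path, to a password that may not match the one the running database was initialised with. I would add a migration step for existing deployments (copy the current value to the new Vault path before applying) and a comment above the reference such as `# synced from Vault osh/mariadb/mariadb by base/vault/mariadb.yaml`. The spec continues outside the hunk, so this rests on the visible lines only.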
diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml b/kustomize/mariadb-cluster/base/vault/mariadb.yaml similarity index 85% rename from kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml rename to kustomize/mariadb-cluster/base/vault/mariadb.yaml index 6bf87776..d01e778a 100644 --- a/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml +++ b/kustomize/mariadb-cluster/base/vault/mariadb.yaml @@ -10,11 +10,11 @@ spec: mount: 'osh/mariadb' # path of the secret - path: mariadb-root-password + path: mariadb # dest k8s secret destination: - name: mariadb-root-password + name: mariadb create: true # static secret refresh interval
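Review bot: Changing `destination.name` from `mariadb-root-password` to `mariadb` leaves open what happens to the previously synced Secret. These lines do not show whether it is removed when the destination changes, so a copy of the database root password may stay behind in the `openstack` namespace under the old name, and the old KV entry in Vault is likewise untouched. The upgrade steps should include confirming that the old Secret and the old Vault entry are removed once nothing references them. `mariadb` is also a very generic name to manage with `create: true`; a comment such as `# holds root-password only; referenced by rootPasswordSecretKeyRef in mariadb-galera.yaml` would make the ownership clear. The resource's metadata and the rest of the spec are outside the hunk.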