diff --git a/docs/infrastructure-postgresql.md b/docs/infrastructure-postgresql.md index 23536cf9..8804764c 100644 --- a/docs/infrastructure-postgresql.md +++ b/docs/infrastructure-postgresql.md @@ -1,23 +1,94 @@ # Deploy PostgreSQL -## Create Secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/postgresql/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=postgresql +``` + +### List the existing secrets from `osh/postgresql/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/postgresql +``` + +### Create the secrets + +- Postgresql-identity-admin: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-identity-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-admin: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-exporter: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-exporter password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-audit: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-audit password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/postgresql +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/postgresql postgresql-identity-admin +``` + +## Install PostgreSQL + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +``` shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the postgresql installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/postgresql/base/vault +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack create secret generic postgresql-identity-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-exporter \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-audit \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy PostgreSQL !!! tip diff --git a/kustomize/postgresql/base/vault/kustomization.yaml b/kustomize/postgresql/base/vault/kustomization.yaml new file mode 100644 index 00000000..f2e6fc7a --- /dev/null +++ b/kustomize/postgresql/base/vault/kustomization.yaml @@ -0,0 +1,8 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - postgresql-db-audit.yaml + - postgresql-identity-admin.yaml + - postgresql-db-admin.yaml + - postgresql-db-exporter.yaml diff --git a/kustomize/postgresql/base/vault/postgresql-db-admin.yaml b/kustomize/postgresql/base/vault/postgresql-db-admin.yaml new file mode 100644 index 00000000..69c396ee --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-db-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-db-admin + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-db-admin + +# dest k8s secret + destination: + name: postgresql-db-admin + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/postgresql-db-audit.yaml b/kustomize/postgresql/base/vault/postgresql-db-audit.yaml new file mode 100644 index 00000000..3263f25e --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-db-audit.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-db-audit + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-db-audit + +# dest k8s secret + destination: + name: postgresql-db-audit + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/postgresql-db-exporter.yaml b/kustomize/postgresql/base/vault/postgresql-db-exporter.yaml new file mode 100644 index 00000000..7b844cbd --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-db-exporter.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-db-exporter + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-db-exporter + +# dest k8s secret + destination: + name: postgresql-db-exporter + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/postgresql-identity-admin.yaml b/kustomize/postgresql/base/vault/postgresql-identity-admin.yaml new file mode 100644 index 00000000..3d482233 --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-identity-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-identity-admin + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-identity-admin + +# dest k8s secret + destination: + name: postgresql-identity-admin + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/vaultauth.yaml b/kustomize/postgresql/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/postgresql/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/postgresql/base/vault/vaultconnection.yaml b/kustomize/postgresql/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/postgresql/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret"