From c6f604d5fd1cfb8f824f532492921d6817520ec5 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Wed, 27 Mar 2024 16:37:39 +0000 Subject: [PATCH] Use HashiCorp Vault for Skyline deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Skyline deployment.
---
docs/openstack-skyline.md | 93 +++++++++++++++---- .../skyline/base/vault/kustomization.yaml | 5 + .../base/vault/skyline-apiserver-secrets.yaml | 24 +++++ kustomize/skyline/base/vault/vaultauth.yaml | 14 +++ .../skyline/base/vault/vaultconnection.yaml | 18 ++++ 5 files changed, 137 insertions(+), 17 deletions(-) create mode 100644 kustomize/skyline/base/vault/kustomization.yaml create mode 100644 kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml create mode 100644 kustomize/skyline/base/vault/vaultauth.yaml create mode 100644 kustomize/skyline/base/vault/vaultconnection.yaml
diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md
index 588bff41..856ce1cb 100644
--- a/docs/openstack-skyline.md
+++ b/docs/openstack-skyline.md
@@ -4,33 +4,92 @@ Skyline is an alternative Web UI for OpenStack. If you deploy horizon there's no need for Skyline. -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/skyline/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=skyline +``` + +### List the existing secrets from `osh/skyline/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/skyline +``` + +### Create the secrets Skyline is a little different because there's no helm integration. Given this difference the deployment is far simpler, and all secrets can be managed in one object. +- Skyline-apiserver-secrets: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/skyline skyline-apiserver-secrets \ + service-username=skyline \ + service-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + service-domain=service \ + service-project=service \ + service-project-domain=service \ + db-endpoint=maxscale-galera.openstack.svc.cluster.local \ + db-name=skyline \ + db-username=skyline \ + db-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + secret-key=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + keystone-endpoint=http://keystone-api.openstack.svc.cluster.local:5000 \ + default-region=RegionOne +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/skyline +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/skyline skyline-apiserver-secrets +``` + +## Install Skyline + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell 
+kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Skyline installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/skyline/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + ``` shell -kubectl --namespace openstack \ - create secret generic skyline-apiserver-secrets \ - --type Opaque \ - --from-literal=service-username="skyline" \ - --from-literal=service-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=service-domain="service" \ - --from-literal=service-project="service" \ - --from-literal=service-project-domain="service" \ - --from-literal=db-endpoint="maxscale-galera.openstack.svc.cluster.local" \ - --from-literal=db-name="skyline" \ - --from-literal=db-username="skyline" \ - --from-literal=db-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=secret-key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=keystone-endpoint="http://keystone-api.openstack.svc.cluster.local:5000" \ - --from-literal=default-region="RegionOne" +kubectl get secrets -n openstack ``` !!! note All the configuration is in this one secret, so be sure to set your entries accordingly. -## Run the deployment +### Deploy Skyline !!! tip diff --git a/kustomize/skyline/base/vault/kustomization.yaml b/kustomize/skyline/base/vault/kustomization.yaml new file mode 100644 index 00000000..bc700885 --- /dev/null +++ b/kustomize/skyline/base/vault/kustomization.yaml 
@@ -0,0 +1,5 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - skyline-apiserver-secrets.yaml
diff --git a/kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml b/kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml
new file mode 100644
index 00000000..96a5a0cf
--- /dev/null
+++ b/kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: skyline-apiserver-secrets
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/skyline'
+
+ # path of the secret
+ path: skyline-apiserver-secrets
+
+ # dest k8s secret
+ destination:
+ name: skyline-apiserver-secrets
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/skyline/base/vault/vaultauth.yaml b/kustomize/skyline/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/skyline/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/skyline/base/vault/vaultconnection.yaml b/kustomize/skyline/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/skyline/base/vault/vaultconnection.yaml
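Review bot: `destination.create: true` with `name: skyline-apiserver-secrets` reuses the exact Secret name the previous docs had operators create by hand, and as far as I can tell from VSO's create semantics the operator will not take over a pre-existing Secret it does not own, so a cluster upgraded from the old instructions likely ends up with a failing sync while Skyline keeps running on the old hand-made values. Either document the migration step (delete the old Secret before `kubectl apply -k`) or set `overwrite: true` under `destination` where the installed operator version supports it. Separately, `refreshAfter: 30s` only rewrites the Kubernetes Secret; a rotated `db-password` or `secret-key` is not seen by pods that consume it as environment variables until they restart, so either add a `rolloutRestartTargets` entry for the Skyline Deployment (its name is not visible in this patch) or change the comment to `# static secret refresh interval; pods must be restarted to pick up rotated values`.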
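Review bot: `serviceAccount: default` makes the Vault role `osh` (mount `genestack`) reachable with the openstack namespace's default ServiceAccount, which is the identity every pod in that namespace runs under unless configured otherwise, so the reach of the `osh/skyline/` read access is the whole namespace rather than just the secret sync — unless the Vault role also pins its audience to `vault`, which this patch cannot show. A dedicated ServiceAccount (say `skyline-vault-auth`, a constructed name) listed in the kustomization and bound to the `osh` role in Vault keeps the credential scoped to the operator's TokenRequest; the change is `serviceAccount: skyline-vault-auth` plus a ServiceAccount manifest in the same directory. If sharing the default account is intentional, record the trade-off inline: `# NOTE: the default SA is shared by every pod in the namespace; the Vault role must pin audience=vault`.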
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
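Review bot: The file keeps VSO sample scaffolding (`# required configuration`, `# headers: []`, `# tlsServerName: ""`) that says nothing about this deployment, while the one prerequisite a reader needs — that the Secret named by `caCertSecretRef: "vault-ca-secret"` must already exist in the `openstack` namespace with the chain under key `ca.crt`, stated only in docs/openstack-skyline.md — is absent, and I believe a missing or mis-keyed Secret is reported only when the first sync fails rather than at apply time. I'd drop the commented-out samples and change the last comment to `# CA chain for the address above; the Secret must exist in this namespace with key ca.crt (see docs/openstack-skyline.md)`. Keeping `skipTLSVerify: false` explicit next to the CA reference is good and worth preserving; the mixed quoting (`"vault-ca-secret"` here, `'osh/skyline'` and bare values in the sibling files) would be cleaner normalised to one style.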