Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use HashiCorp Vault for OSH deployment #151

Closed
wants to merge 23 commits into from
Closed

Use HashiCorp Vault for OSH deployment #151

wants to merge 23 commits into from

Conversation

pratik705
Copy link
Contributor

@pratik705 pratik705 commented Mar 15, 2024

This commit will replace Kubernetes secrete creation step and consume the secrets from HashiCorp Vault using vault-secretes-operator for the OSH deployment.

@cloudnull
Copy link
Contributor

LGTM @pratik705 will you convert the rest of the services within this PR?

@cloudnull cloudnull requested a review from sulochan March 19, 2024 13:48
Copy link
Collaborator

@sulochan sulochan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One issue with mariadb secret and a few nitpicks.

Overall I think if we are changing this then we need to change this for all secrets generated on the command line. Just have 2 into vault and not having others is more confusing?

@@ -29,6 +19,65 @@ kubectl --namespace mariadb-system get pods -w

## Deploy the MariaDB Cluster

## Pre-requsites:

- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This link will take us to github .md page ... we can link back to mkdocs /vault/ page ?


- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above.

- Keystone RabbitMQ Password:
``` shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
vault kv put -mount=osh/keystone \keystone-rabbitmq-password \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is one extra \ here ?

@@ -6,7 +6,7 @@ metadata:
spec:
rootPasswordSecretKeyRef:
name: mariadb
key: root-password
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing this key will break all the service deploy? Example: glance, neutron, etc will do something like:

--set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \

which will look for mariadb secret with root-password. Will this work ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as per my understanding, if we update the password in the vault then its required to update helm charts to populate the correct password in the openstack services. I haven't validated it though.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For infra services I don't think we can change the password references; most of them are not goverened by helm.

@pratik705
Copy link
Contributor Author

I am facing some issue with my lab. I will work on other osp services once the lab is up

This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the MariaDB and Keystone deployment
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Glance deployment.
@pratik705 pratik705 changed the title Use HashiCorp Vault for MariaDB and Keystone deployment Use HashiCorp Vault for OSH deployment Mar 23, 2024
@pratik705 pratik705 changed the title Use HashiCorp Vault for OSH deployment [WIP] Use HashiCorp Vault for OSH deployment Mar 23, 2024
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Heat deployment.
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Cinder deployment.
  This commit will consume the secrets from HashiCorp Vault using
  vault-secretes-operator for the Compute Kit deployment.
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Horizon deployment.
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Skyline deployment.
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Octavia deployment.
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Gnocchi deployment.
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Ceilometer deployment.
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the PostgreSQL deployment.
@pratik705
Copy link
Contributor Author

@cloudnull @sulochan All the OSH services[1] have been updated with Vault integration. Please let me know if anything is pending.

[1]
mariadb-cluster
postgresql
Keystone
Glance
Placement
Nova
Cinder
Heat
Horizon
Ironic
Designate
Skyline
Octavia
Gnochi
Ceilometer

@pratik705
Copy link
Contributor Author

pratik705 commented Mar 28, 2024

In the lab I created local users in the vault for testing. We can either go with local users or use ldap to integrate with vault. I have added an example to create local user with policy providing access to the secret path.

  This commit will provide an example to create local user and
  the policy to provide access vault secret path
@aedan
Copy link
Collaborator

aedan commented Apr 3, 2024

I am confused as to why we are doing this at all. I understand that we need vault for barbican, but why are we adding it into the infrastructure? Kubernetes already encrypts the secrets. So there is no need to vault in the infrastructure. All it really does in add a moving part and increase the chances of failure. While also making it harder for support to troubleshoot and fix. If you want to make kubernetes more secure. All you need to do is remove the /etc/kubernetes/admin.conf file and the ~/.kube/config file. Place it in password safe and if you want to access kubernetes. You will have to check it out.

my 2 cents.

@cloudnull cloudnull marked this pull request as draft April 6, 2024 00:39
@cloudnull cloudnull changed the title [WIP] Use HashiCorp Vault for OSH deployment Use HashiCorp Vault for OSH deployment Apr 6, 2024
@cloudnull
Copy link
Contributor

@pratik705 @sulochan - given the state of the Hashicorp licensing drama that is currently unfolding, I think we should revisit this change with OpenBao; a fork of the last open-source licensed release of vault.

@pratik705
Copy link
Contributor Author

I have created a script to generate and push the secrets required by OpenStack services to Vault, which will eliminate the manual steps needed to interact with Vault to create the required secrets. However, due to licensing issues with Vault, I am holding the work until we get some clarity on OpenBao, as it appears its in the development stage.

@pratik705 pratik705 closed this by deleting the head repository Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants