Use HashiCorp Vault for OSH deployment #151
LGTM @pratik705 will you convert the rest of the services within this PR?
One issue with mariadb secret and a few nitpicks.
Overall I think if we are changing this then we need to change this for all secrets generated on the command line. Just having 2 in Vault and not having the others is more confusing?
docs/infrastructure-mariadb.md
@@ -29,6 +19,65 @@ kubectl --namespace mariadb-system get pods -w | |||
|
|||
## Deploy the MariaDB Cluster | |||
|
|||
## Pre-requsites: | |||
|
|||
- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md) |
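Review bot: the heading `## Pre-requsites:` in this hunk is misspelled and carries a trailing colon that `## Deploy the MariaDB Cluster` does not; suggest `## Prerequisites`, and since the prerequisites are listed under the deploy heading here, consider moving them above it. The bullet links to the raw GitHub `docs/vault.md`; a relative `vault.md` link (or the rendered docs page) keeps it working in the mkdocs site.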
This link will take us to github .md page ... we can link back to mkdocs /vault/ page ?
docs/openstack-keystone.md
|
||
- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md) |
same as above.
docs/openstack-keystone.md
- Keystone RabbitMQ Password: | ||
``` shell | ||
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ | ||
vault kv put -mount=osh/keystone \keystone-rabbitmq-password \ |
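Review bot: `\keystone-rabbitmq-password` has a stray backslash; the shell reduces `\k` to `k`, so the command happens to work, but it reads like a broken line continuation and should be dropped. The hunk also ends on a continuation line, so the secret value presumably follows as a `key=value` argument: that puts the password into the operator's shell history and into argv visible to `ps` inside the pod. Prefer `password=-` (value read from stdin, which `kubectl exec --stdin` forwards) or `password=@file` so the value never appears on the command line.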
there is one extra \ here ?
@@ -6,7 +6,7 @@ metadata: | |||
spec: | |||
rootPasswordSecretKeyRef: | |||
name: mariadb | |||
key: root-password |
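Review bot: no `+`/`-` markers survive in this rendering, so it is unclear whether `name: mariadb` or `key: root-password` is the changed line, but whatever the Vault-synced Secret is named and keyed must match both this `rootPasswordSecretKeyRef` and the `jsonpath='{.data.root-password}'` lookups the service charts perform. Suggest documenting the operator's destination Secret (name and key) next to this manifest and adding a verification step, e.g. `kubectl get secret mariadb -o jsonpath='{.data.root-password}'` in the namespace the operator reads from, before the MariaDB resource is applied.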
Changing this key will break all the service deploy? Example: glance, neutron, etc will do something like:
--set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
which will look for mariadb secret with root-password. Will this work ?
As per my understanding, if we update the password in the vault then it's required to update the helm charts to populate the correct password in the openstack services. I haven't validated it though.
For infra services I don't think we can change the password references; most of them are not governed by helm.
I am facing some issues with my lab. I will work on the other osp services once the lab is up
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the MariaDB and Keystone deployment
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Glance deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Heat deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Cinder deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Compute Kit deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Horizon deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Skyline deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Octavia deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Gnocchi deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Ceilometer deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the PostgreSQL deployment.
@cloudnull @sulochan All the OSH services[1] have been updated with Vault integration. Please let me know if anything is pending. [1]
In the lab I created local users in the vault for testing. We can either go with local users or use ldap to integrate with vault. I have added an example to create a local user with a policy providing access to the secret path.
This commit will provide an example to create a local user and the policy to provide access to the vault secret path
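The local-user setup mentioned above, as an added example rather than the PR's own: a read-only policy scoped to one service's `osh/<service>` KV v2 mount and a userpass login bound to it. It assumes the `vault` CLI is authenticated with rights to manage policies and users, that the userpass auth method is already enabled, and that the mount is KV v2 (hence the `data/` and `metadata/` path prefixes); set `VAULT="kubectl exec -i vault-0 -n vault -- vault"` to go through the pod as the docs do.

```shell
#!/bin/sh
# Added example (not from the genestack PR): a read-only Vault policy for one
# OSH service plus a userpass login bound to it. Assumes `vault` is authenticated
# with a token allowed to manage policies and userpass users, and that each
# service's secrets live in a KV v2 mount named osh/<service> (assumption).
set -eu
: "${VAULT:=vault}"

# Render the least-privilege policy for one service: read secret data,
# list/read metadata, nothing else (no create/update/delete, no other mounts).
render_policy() {
    service="$1"
    cat <<EOF
# Read-only access to the KV v2 mount osh/$service (generated)
path "osh/$service/data/*" {
  capabilities = ["read"]
}
path "osh/$service/metadata/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Store the policy as osh-<service>-ro; the HCL is passed over stdin ("-").
write_policy() {
    service="$1"
    render_policy "$service" | $VAULT policy write "osh-$service-ro" -
}

# Create a local (userpass) login that can only read that one service's
# secrets. The password arrives on stdin ("password=-"), never in argv,
# so it does not land in shell history or `ps` output.
create_local_user() {
    service="$1"; user="$2"; password="$3"
    printf '%s' "$password" | $VAULT write "auth/userpass/users/$user" \
        password=- "token_policies=osh-$service-ro" token_ttl=1h
}
```

The same `osh-<service>-ro` policy can be attached to the Kubernetes auth role the vault-secrets-operator logs in with, so the operator gets no more than read access to that one mount.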
I am confused as to why we are doing this at all. I understand that we need Vault for Barbican, but why are we adding it into the infrastructure? Kubernetes already encrypts the secrets, so there is no need for Vault in the infrastructure. All it really does is add a moving part and increase the chances of failure, while also making it harder for support to troubleshoot and fix. If you want to make Kubernetes more secure, all you need to do is remove the /etc/kubernetes/admin.conf file and the ~/.kube/config file. Place it in a password safe and, if you want to access Kubernetes, you will have to check it out. My 2 cents.
@pratik705 @sulochan - given the state of the HashiCorp licensing drama that is currently unfolding, I think we should revisit this change with OpenBao, a fork of the last open-source licensed release of Vault.
I have created a script to generate and push the secrets required by OpenStack services to Vault, which will eliminate the manual steps needed to interact with Vault to create the required secrets. However, due to licensing issues with Vault, I am holding the work until we get some clarity on OpenBao, as it appears it's in the development stage.
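A seeding script along the lines described above, as an added example that is not the PR author's script: it generates a 32-character credential per service secret and writes it to a KV v2 mount named `osh/<service>`, feeding the value on stdin rather than as a command-line argument, and refuses to overwrite a secret that already exists. The field name `password`, the `osh/<service>` mount layout and the list of secret names are assumptions, and `vault` is assumed to be authenticated; set `VAULT="kubectl exec -i vault-0 -n vault -- vault"` to go through the pod as the docs do.

```shell
#!/bin/sh
# Added example (not the script from the genestack PR): generate one random
# credential per OSH service secret and store it in Vault KV v2 under
# osh/<service>/<name> in a field named "password" (field name and mount
# layout are assumptions). Assumes `vault` is already authenticated.
set -eu
: "${VAULT:=vault}"

# 32 alphanumeric characters drawn from the kernel CSPRNG (~190 bits).
gen_secret() {
    s=""
    while [ ${#s} -lt 32 ]; do
        s="$s$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%.32s\n' "$s"
}

# Store a value. It is fed on stdin ("password=-") rather than placed in argv,
# so it does not land in shell history or in `ps` output on the host or pod.
push_secret() {
    service="$1"; name="$2"; value="$3"
    printf '%s' "$value" | $VAULT kv put -mount="osh/$service" "$name" password=-
}

# Generate-and-store, but never overwrite: rerunning the script must not
# silently rotate a credential that running services already consume.
seed_secret() {
    service="$1"; name="$2"
    if $VAULT kv get -mount="osh/$service" "$name" >/dev/null 2>&1; then
        echo "skip: osh/$service/$name already exists" >&2
        return 0
    fi
    push_secret "$service" "$name" "$(gen_secret)"
}

# Constructed list of service/secret pairs; extend to match the deployment docs.
seed_all() {
    for entry in \
        mariadb/root-password \
        keystone/keystone-rabbitmq-password \
        keystone/keystone-db-password \
        glance/glance-db-password; do
        seed_secret "${entry%%/*}" "${entry#*/}"
    done
}

if [ "${1:-}" = "--run" ]; then seed_all; fi
```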
This commit will replace the Kubernetes secret creation step and consume the secrets from HashiCorp Vault using vault-secrets-operator for the OSH deployment.