From 87e18cc0b9942e100229f790705916ef4c684d74 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Wed, 13 Mar 2024 14:40:22 +0000 Subject: [PATCH 01/20] Use HashiCorp Vault for MariaDB and Keystone deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the MariaDB and Keystone deployment --- docs/infrastructure-mariadb.md | 69 ++++++++++++--- docs/openstack-keystone.md | 88 +++++++++++++++---- .../keystone/base/vault/keystone-admin.yaml | 24 +++++ .../base/vault/keystone-db-password.yaml | 24 +++++ .../vault/keystone-rabbitmq-password.yaml | 24 +++++ .../keystone/base/vault/kustomization.yaml | 7 ++ kustomize/keystone/base/vault/vaultauth.yaml | 14 +++ .../keystone/base/vault/vaultconnection.yaml | 18 ++++ .../mariadb-cluster/base/mariadb-galera.yaml | 2 +- .../base/vault/kustomization.yaml | 5 ++ .../base/vault/mariadb-root-password.yaml | 24 +++++ .../mariadb-cluster/base/vault/vaultauth.yaml | 14 +++ .../base/vault/vaultconnection.yaml | 18 ++++ 13 files changed, 301 insertions(+), 30 deletions(-) create mode 100644 kustomize/keystone/base/vault/keystone-admin.yaml create mode 100644 kustomize/keystone/base/vault/keystone-db-password.yaml create mode 100644 kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml create mode 100644 kustomize/keystone/base/vault/kustomization.yaml create mode 100644 kustomize/keystone/base/vault/vaultauth.yaml create mode 100644 kustomize/keystone/base/vault/vaultconnection.yaml create mode 100644 kustomize/mariadb-cluster/base/vault/kustomization.yaml create mode 100644 kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml create mode 100644 kustomize/mariadb-cluster/base/vault/vaultauth.yaml create mode 100644 kustomize/mariadb-cluster/base/vault/vaultconnection.yaml diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md index 0f9bfbcb..9b637605 100644 --- a/docs/infrastructure-mariadb.md +++ b/docs/infrastructure-mariadb.md 
@@ -1,15 +1,5 @@ # Deploy the MariaDB Operator and a Galera Cluster -## Create secret - -``` shell -kubectl --namespace openstack \ - create secret generic mariadb \ - --type Opaque \ - --from-literal=root-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -``` - ## Deploy the mariadb operator If you've changed your k8s cluster name from the default cluster.local, edit `clusterName` in `/opt/genestack/kustomize/mariadb-operator/kustomization.yaml` prior to deploying the mariadb operator. 
@@ -29,6 +19,65 @@ kubectl --namespace mariadb-system get pods -w ## Deploy the MariaDB Cluster +## Pre-requsites: + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/mariadb/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=mariadb +``` + +### List the existing secrets from `osh/mariadb/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/mariadb +``` + +### Create the secrets: + +- Mariadb root-password: +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +### Validate the secrets: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/mariadb +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/mariadb mariadb-root-password +``` + +## Install mariadb cluster: + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: +```shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation: +``` shell +kubectl apply -k /opt/genestack/kustomize/mariadb-cluster/base/vault +``` + +### Deploy mariadb-cluster + ``` shell kubectl --namespace openstack apply -k /opt/genestack/kustomize/mariadb-cluster/base ``` 
diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 6e57225d..346af13e 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
@@ -2,29 +2,79 @@ [![asciicast](https://asciinema.org/a/629802.svg)](https://asciinema.org/a/629802) -## Create secrets. +## Pre-requsites: +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/keystone/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=keystone +``` + +### List the existing secrets from `osh/keystone/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/keystone +``` + +### Create the secrets: + +- Keystone RabbitMQ Password: +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/keystone keystone-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Keystone Database Password: +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/keystone keystone-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Keystone Admin Password: +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/keystone keystone-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/keystone +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/keystone keystone-admin +``` + +## Install Keystone + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: +``` shell +kubectl create secret generic vault-ca-secret \ + 
--from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Keystone installation: ``` shell -kubectl --namespace openstack \ - create secret generic keystone-rabbitmq-password \ - --type Opaque \ - --from-literal=username="keystone" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic keystone-credential-keys \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/ ``` -## Run the package deployment +### Deploy Keystone helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/kustomize/keystone/base/vault/keystone-admin.yaml b/kustomize/keystone/base/vault/keystone-admin.yaml new file mode 100644 index 00000000..62451f2a --- /dev/null +++ b/kustomize/keystone/base/vault/keystone-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: keystone-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/keystone' + + # path of the secret + path: keystone-admin + + # dest k8s secret + destination: + name: keystone-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth 
diff --git a/kustomize/keystone/base/vault/keystone-db-password.yaml b/kustomize/keystone/base/vault/keystone-db-password.yaml new file mode 100644 index 00000000..23c9d323 --- /dev/null +++ b/kustomize/keystone/base/vault/keystone-db-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: keystone-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/keystone' + + # path of the secret + path: keystone-db-password + + # dest k8s secret + destination: + name: keystone-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml b/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml new file mode 100644 index 00000000..af0b4178 --- /dev/null +++ b/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: keystone-rabbitmq-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/keystone' + + # path of the secret + path: keystone-rabbitmq-password + + # dest k8s secret + destination: + name: keystone-rabbitmq-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/keystone/base/vault/kustomization.yaml b/kustomize/keystone/base/vault/kustomization.yaml new file mode 100644 index 00000000..551a31d5 --- /dev/null +++ b/kustomize/keystone/base/vault/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - keystone-admin.yaml + - keystone-db-password.yaml + - keystone-rabbitmq-password.yaml 
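Review bot: The new `keystone-rabbitmq-password` VaultStaticSecret syncs only what is stored at `osh/keystone/keystone-rabbitmq-password`, and the documented `vault kv put` writes a `password` key alone, whereas the `kubectl create secret` lines this patch removes also set `username="keystone"`; if anything in the cluster reads the `username` key of that Secret, it will now be absent. The smallest fix is in the documented command, `vault kv put -mount=osh/keystone keystone-rabbitmq-password username=keystone password=$(...)`, which is the shape the later Heat patch in this series already uses. The same gap applies to `glance-rabbitmq-password` in PATCH 02. Separately, the removed Keystone steps also created a `keystone-credential-keys` Secret that none of the five resources listed in `kustomization.yaml` reproduces; confirm the chart no longer needs it or add a matching VaultStaticSecret.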
diff --git a/kustomize/keystone/base/vault/vaultauth.yaml b/kustomize/keystone/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/keystone/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/keystone/base/vault/vaultconnection.yaml b/kustomize/keystone/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/keystone/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" diff --git a/kustomize/mariadb-cluster/base/mariadb-galera.yaml b/kustomize/mariadb-cluster/base/mariadb-galera.yaml index 55ea560d..89f1d6ea 100644 --- a/kustomize/mariadb-cluster/base/mariadb-galera.yaml +++ b/kustomize/mariadb-cluster/base/mariadb-galera.yaml @@ -6,7 +6,7 @@ metadata: spec: rootPasswordSecretKeyRef: name: mariadb - key: root-password + key: mariadb-root-password username: mariadb database: mariadb diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml new file mode 100644 index 00000000..7b3b9e58 --- /dev/null 
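Review bot: `vaultauth.yaml` binds the `osh` Vault role to `serviceAccount: default` in the `openstack` namespace, so any pod running under that namespace's default ServiceAccount holds an identity Vault accepts for the role, and the trust is not limited to the secrets operator. A dedicated ServiceAccount for this auth, e.g. `serviceAccount: vso-auth` (example name), created next to this kustomization and named as the bound service account of the `osh` role on the Vault side, keeps the Vault-side trust to the one identity that needs it. The identical definition is added for mariadb-cluster in this patch and for glance in PATCH 02, so all three should change together. `vaultconnection.yaml` pinning `skipTLSVerify: false` with `caCertSecretRef` is the right default and worth keeping as is.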
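Review bot: The `rootPasswordSecretKeyRef` in `mariadb-galera.yaml` now points at Secret `mariadb` with key `mariadb-root-password`, but the VaultStaticSecret added in this same patch creates a Secret named `mariadb-root-password`, and the documented `vault kv put` stores the value under the key `root-password`, so the MariaDB CR will not find its root password. It should read `name: mariadb-root-password` and `key: root-password`, which is what PATCH 04 in this series later does; squashing that fix into this commit would keep the series bisectable.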
+++ b/kustomize/mariadb-cluster/base/vault/kustomization.yaml @@ -0,0 +1,5 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - mariadb-root-password.yaml diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml b/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml new file mode 100644 index 00000000..6bf87776 --- /dev/null +++ b/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: mariadb-root-password + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/mariadb' + +# path of the secret + path: mariadb-root-password + +# dest k8s secret + destination: + name: mariadb-root-password + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/mariadb-cluster/base/vault/vaultauth.yaml b/kustomize/mariadb-cluster/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/mariadb-cluster/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml b/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml 
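Review bot: In `mariadb-root-password.yaml` the explanatory comments (`# mount path`, `# path of the secret`, …) sit at column 0 while the keys they describe are indented under `spec:`, unlike the keystone VaultStaticSecret files in this patch where the comments are indented with the keys. YAML accepts it, but it reads as if the comments belong to the top level; indent them two spaces to match `kustomize/keystone/base/vault/keystone-admin.yaml`. `mariadb-maxscale.yaml` in PATCH 03 repeats the same layout.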
@@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" From 5a4b807ef57c454aac51699c9f9f688a0d3cddd2 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Sat, 23 Mar 2024 02:57:23 +0000 Subject: [PATCH 02/20] Use HashiCorp Vault for Glance deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Glance deployment. --- docs/openstack-glance.md | 89 +++++++++++++++---- docs/openstack-keystone.md | 5 ++ kustomize/glance/base/vault/glance-admin.yaml | 24 +++++ .../glance/base/vault/glance-db-password.yaml | 24 +++++ .../base/vault/glance-rabbitmq-password.yaml | 24 +++++ .../glance/base/vault/kustomization.yaml | 7 ++ kustomize/glance/base/vault/vaultauth.yaml | 14 +++ .../glance/base/vault/vaultconnection.yaml | 18 ++++ 8 files changed, 190 insertions(+), 15 deletions(-) create mode 100644 kustomize/glance/base/vault/glance-admin.yaml create mode 100644 kustomize/glance/base/vault/glance-db-password.yaml create mode 100644 kustomize/glance/base/vault/glance-rabbitmq-password.yaml create mode 100644 kustomize/glance/base/vault/kustomization.yaml create mode 100644 kustomize/glance/base/vault/vaultauth.yaml create mode 100644 kustomize/glance/base/vault/vaultconnection.yaml diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index 63e2aaac..c616f272 100644 --- a/docs/openstack-glance.md +++ b/docs/openstack-glance.md 
@@ -2,29 +2,88 @@ [![asciicast](https://asciinema.org/a/629806.svg)](https://asciinema.org/a/629806) -## Create secrets. +## Pre-requsites: + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/glance/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: ``` shell -kubectl --namespace openstack \ - create secret generic glance-rabbitmq-password \ - --type Opaque \ - --from-literal=username="glance" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic glance-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic glance-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=glance +``` + +### List the existing secrets from `osh/glance/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/glance +``` + +### Create the secrets: + +- Glance RabbitMQ Password: +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/glance glance-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Glance Database Password: +``` +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/glance glance-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Glance Admin Password: +``` +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/glance glance-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +### Validate the secrets: + +``` shell +kubectl exec 
--stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/glance +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/glance glance-admin ``` !!! info Before running the Glance deployment you should configure the backend which is defined in the `helm-configs/glance/glance-helm-overrides.yaml` file. The default is a making the assumption we're running with Ceph deployed by Rook so the backend is configured to be cephfs with multi-attach functionality. While this works great, you should consider all of the available storage backends and make the right decision for your environment. -## Run the package deployment +## Install Glance + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Glance installation: +``` shell +kubectl apply -k /opt/genestack/kustomize/glance/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: +``` shell +kubectl get secrets -n openstack +``` + +### Deploy Glance helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 346af13e..50c17a73 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
@@ -74,6 +74,11 @@ kubectl create secret generic vault-ca-secret \ kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/ ``` +- Validate whether the required Kubernetes secrets from Vault are populated: +``` shell +kubectl get secrets -n openstack +``` + ### Deploy Keystone helm chart ``` shell diff --git a/kustomize/glance/base/vault/glance-admin.yaml b/kustomize/glance/base/vault/glance-admin.yaml new file mode 100644 index 00000000..87d1efea --- /dev/null +++ b/kustomize/glance/base/vault/glance-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: glance-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/glace' + + # path of the secret + path: glance-admin + + # dest k8s secret + destination: + name: glance-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/glance/base/vault/glance-db-password.yaml b/kustomize/glance/base/vault/glance-db-password.yaml new file mode 100644 index 00000000..bfb33277 --- /dev/null +++ b/kustomize/glance/base/vault/glance-db-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: glance-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/glance' + + # path of the secret + path: glance-db-password + + # dest k8s secret + destination: + name: glance-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/glance/base/vault/glance-rabbitmq-password.yaml b/kustomize/glance/base/vault/glance-rabbitmq-password.yaml new file mode 100644 index 00000000..54be28a7 --- /dev/null +++ b/kustomize/glance/base/vault/glance-rabbitmq-password.yaml 
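Review bot: `glance-admin.yaml` sets `mount: 'osh/glace'`, which does not match the `osh/glance` mount used by the sibling `glance-db-password.yaml` and `glance-rabbitmq-password.yaml` resources or by the documented `vault kv put`, so the operator cannot sync the `glance-admin` Secret from this commit. It should be `mount: 'osh/glance'`; PATCH 05 in this series corrects it, and folding that fix into this commit would avoid a broken intermediate state.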
@@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: glance-rabbitmq-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/glance' + + # path of the secret + path: glance-rabbitmq-password + + # dest k8s secret + destination: + name: glance-rabbitmq-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/glance/base/vault/kustomization.yaml b/kustomize/glance/base/vault/kustomization.yaml new file mode 100644 index 00000000..2dda30af --- /dev/null +++ b/kustomize/glance/base/vault/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - glance-admin.yaml + - glance-db-password.yaml + - glance-rabbitmq-password.yaml diff --git a/kustomize/glance/base/vault/vaultauth.yaml b/kustomize/glance/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/glance/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/glance/base/vault/vaultconnection.yaml b/kustomize/glance/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/glance/base/vault/vaultconnection.yaml 
@@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" From f17de43d21b49f82ffce7d58e8b54cb6b84545bf Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Sun, 24 Mar 2024 21:48:54 +0000 Subject: [PATCH 03/20] Use HashiCorp Vault to fetch password required by MariaDB MaxScale --- docs/infrastructure-mariadb.md | 1 + .../base/vault/kustomization.yaml | 1 + .../base/vault/mariadb-maxscale.yaml | 24 +++++++++++++++++++ 3 files changed, 26 insertions(+) create mode 100644 kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md index f69f8b0a..02072e61 100644 --- a/docs/infrastructure-mariadb.md +++ b/docs/infrastructure-mariadb.md @@ -47,6 +47,7 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` + - MaxScale password: ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml index 7b3b9e58..22438c37 100644 --- a/kustomize/mariadb-cluster/base/vault/kustomization.yaml +++ b/kustomize/mariadb-cluster/base/vault/kustomization.yaml 
@@ -3,3 +3,4 @@ resources: - vaultauth.yaml - vaultconnection.yaml - mariadb-root-password.yaml + - mariadb-maxscale.yaml diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml b/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml new file mode 100644 index 00000000..a4ef5265 --- /dev/null +++ b/kustomize/mariadb-cluster/base/vault/mariadb-maxscale.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: maxscale + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/mariadb' + +# path of the secret + path: maxscale + +# dest k8s secret + destination: + name: maxscale + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth From 48f89a61a1dc81c0267ff02f73f14a8f40f2e6f5 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Sun, 24 Mar 2024 22:37:05 +0000 Subject: [PATCH 04/20] Fix rootPasswordSecretKeyRef to point correct values from Vault --- docs/openstack-keystone.md | 2 +- kustomize/mariadb-cluster/base/mariadb-galera.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 50c17a73..59fa6d51 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
@@ -90,7 +90,7 @@ helm upgrade --install keystone ./keystone \ --timeout 120m \ -f /opt/genestack/helm-configs/keystone/keystone-helm-overrides.yaml \ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ diff --git a/kustomize/mariadb-cluster/base/mariadb-galera.yaml b/kustomize/mariadb-cluster/base/mariadb-galera.yaml index 0cc03314..67a77ca9 100644 --- a/kustomize/mariadb-cluster/base/mariadb-galera.yaml +++ b/kustomize/mariadb-cluster/base/mariadb-galera.yaml @@ -5,8 +5,8 @@ metadata: namespace: openstack spec: rootPasswordSecretKeyRef: - name: mariadb - key: mariadb-root-password + name: mariadb-root-password + key: root-password username: mariadb database: mariadb From 08d9f92eca56b3205ea38d1d7169d41dba00ac01 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Mon, 25 Mar 2024 00:42:20 +0000 Subject: [PATCH 05/20] Fix typo in vault/glance-admin and update mariadb-root-password vault reference --- docs/openstack-glance.md | 2 +- kustomize/glance/base/vault/glance-admin.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index c616f272..8e1ab6f8 100644 --- a/docs/openstack-glance.md +++ b/docs/openstack-glance.md @@ -95,7 +95,7 @@ helm upgrade --install glance ./glance \ -f /opt/genestack/helm-configs/glance/glance-helm-overrides.yaml \ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret glance-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ diff --git a/kustomize/glance/base/vault/glance-admin.yaml b/kustomize/glance/base/vault/glance-admin.yaml index 87d1efea..c87efe28 100644 --- a/kustomize/glance/base/vault/glance-admin.yaml +++ b/kustomize/glance/base/vault/glance-admin.yaml @@ -7,7 +7,7 @@ spec: type: kv-v2 # mount path - mount: 'osh/glace' + mount: 'osh/glance' # path of the secret path: glance-admin From d5e932e6c32e65a57db8b87dc48a060679f53993 Mon Sep 17 00:00:00 2001 
From: Pratik Bandarkar Date: Mon, 25 Mar 2024 23:15:52 +0000 Subject: [PATCH 06/20] Use HashiCorp Vault for Heat deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Heat deployment. --- docs/openstack-heat.md | 133 ++++++++++++++---- kustomize/heat/base/vault/heat-admin.yaml | 24 ++++ .../heat/base/vault/heat-db-password.yaml | 24 ++++ .../base/vault/heat-rabbitmq-password.yaml | 24 ++++ .../heat/base/vault/heat-stack-user.yaml | 24 ++++ kustomize/heat/base/vault/heat-trustee.yaml | 24 ++++ kustomize/heat/base/vault/kustomization.yaml | 9 ++ kustomize/heat/base/vault/vaultauth.yaml | 14 ++ .../heat/base/vault/vaultconnection.yaml | 18 +++ 9 files changed, 266 insertions(+), 28 deletions(-) create mode 100644 kustomize/heat/base/vault/heat-admin.yaml create mode 100644 kustomize/heat/base/vault/heat-db-password.yaml create mode 100644 kustomize/heat/base/vault/heat-rabbitmq-password.yaml create mode 100644 kustomize/heat/base/vault/heat-stack-user.yaml create mode 100644 kustomize/heat/base/vault/heat-trustee.yaml create mode 100644 kustomize/heat/base/vault/kustomization.yaml create mode 100644 kustomize/heat/base/vault/vaultauth.yaml create mode 100644 kustomize/heat/base/vault/vaultconnection.yaml diff --git a/docs/openstack-heat.md b/docs/openstack-heat.md index 9578cddc..4ed03005 100644 --- a/docs/openstack-heat.md +++ b/docs/openstack-heat.md 
@@ -2,33 +2,110 @@ [![asciicast](https://asciinema.org/a/629807.svg)](https://asciinema.org/a/629807) -## Create secrets - -``` shell -kubectl --namespace openstack \ - create secret generic heat-rabbitmq-password \ - --type Opaque \ - --from-literal=username="heat" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic heat-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic heat-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic heat-trustee \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic heat-stack-user \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -``` - -## Run the package deployment +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/heat/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=heat +``` + +### List the existing secrets from `osh/heat/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/heat +``` + +### Create the secrets + +- Heat RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/heat/heat-rabbitmq-password username=heat + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/heat heat-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head 
-c${1:-64};echo;) +``` + +- Heat Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Heat Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Heat Trustee Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-trustee \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Heat Stack User Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/heat heat-stack-user \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/heat +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/heat heat-admin +``` + +## Install Heat + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Heat installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/heat/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +### Deploy Heat helm chart ``` shell cd 
/opt/genestack/submodules/openstack-helm @@ -41,7 +118,7 @@ helm upgrade --install heat ./heat \ --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ diff --git a/kustomize/heat/base/vault/heat-admin.yaml b/kustomize/heat/base/vault/heat-admin.yaml new file mode 100644 index 00000000..a0ef04ff --- /dev/null +++ b/kustomize/heat/base/vault/heat-admin.yaml 
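Review bot: The generated passwords are expanded by the local shell and handed to `vault kv put`/`vault kv patch` as command-line arguments through `kubectl exec`, so each value travels inside the exec request (where API-server audit logging, if enabled, can record it) and sits in `vault-0`'s process list while the command runs; the Glance, Keystone, MariaDB and Cinder hunks below use the same shape. Vault reads a field from stdin when its value is `-`, so the doc could pipe the secret in instead, e.g. `(< /dev/urandom tr -dc _A-Za-z0-9 | head -c64) | kubectl exec -i vault-0 -n vault -- vault kv put -mount=osh/heat heat-db-password password=-`. The `vault login` step persists a token in the pod's `~/.vault-token`, so a closing `vault token revoke -self` (or at least a sentence saying the token is left behind) belongs at the end of the "Create secrets" section. The `vault-ca-secret` bootstrap also reads `ca.crt` out of `vault-tls-secret` in the `vault` namespace, which presumably holds the server's private key as well, so the RBAC an operator needs for that `kubectl get` is broader than distributing a CA certificate warrants; publishing the CA separately (a ConfigMap or a CA-only Secret) would keep it narrow.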
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-admin
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-admin
+
+ # dest k8s secret
+ destination:
+ name: heat-admin
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/heat-db-password.yaml b/kustomize/heat/base/vault/heat-db-password.yaml
new file mode 100644
index 00000000..b159e4c7
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-db-password
+
+ # dest k8s secret
+ destination:
+ name: heat-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/heat-rabbitmq-password.yaml b/kustomize/heat/base/vault/heat-rabbitmq-password.yaml
new file mode 100644
index 00000000..12847512
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-rabbitmq-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-rabbitmq-password
+
+ # dest k8s secret
+ destination:
+ name: heat-rabbitmq-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
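Review bot: `refreshAfter: 30s` keeps the `heat-admin` Kubernetes Secret in step with Vault, but the Helm install in the `docs/openstack-heat.md` hunk of this patch copies the value out of that Secret with `--set ... password="$(kubectl ... get secret heat-admin ...)"` at install time, so a rotation in Vault updates the Secret without reaching the deployed Heat configuration. A comment next to the field would stop readers from assuming rotation is end-to-end, e.g. `# NOTE: the helm release copies this value at install time; re-run the helm upgrade after rotating it in Vault`. The same applies to the other VaultStaticSecret files in this patch (heat-db-password, heat-rabbitmq-password, heat-stack-user, heat-trustee).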
diff --git a/kustomize/heat/base/vault/heat-stack-user.yaml b/kustomize/heat/base/vault/heat-stack-user.yaml
new file mode 100644
index 00000000..386620a4
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-stack-user.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-stack-user
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-stack-user
+
+ # dest k8s secret
+ destination:
+ name: heat-stack-user
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/heat-trustee.yaml b/kustomize/heat/base/vault/heat-trustee.yaml
new file mode 100644
index 00000000..3bb348c4
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-trustee.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-trustee
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-trustee
+
+ # dest k8s secret
+ destination:
+ name: heat-trustee
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/kustomization.yaml b/kustomize/heat/base/vault/kustomization.yaml
new file mode 100644
index 00000000..14dd4832
--- /dev/null
+++ b/kustomize/heat/base/vault/kustomization.yaml
@@ -0,0 +1,9 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - heat-admin.yaml
+ - heat-db-password.yaml
+ - heat-rabbitmq-password.yaml
+ - heat-stack-user.yaml
+ - heat-trustee.yaml
diff --git a/kustomize/heat/base/vault/vaultauth.yaml b/kustomize/heat/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/heat/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/heat/base/vault/vaultconnection.yaml b/kustomize/heat/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/heat/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
From 7eab299ee025c3cf5c06f6674f05c4d5f5c630c1 Mon Sep 17 00:00:00 2001
From: Pratik Bandarkar
Date: Tue, 26 Mar 2024 01:39:52 +0000
Subject: [PATCH 07/20] Add username to the vault for Keystone and Glance Rabbitmq secret
---
 docs/openstack-glance.md | 30 ++++++++++++++++++++----------
 docs/openstack-keystone.md | 24 +++++++++++++++++-------
 2 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md
index 8e1ab6f8..f8f4a74c 100644
--- a/docs/openstack-glance.md
+++ b/docs/openstack-glance.md
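Review bot: `serviceAccount: default` binds the Vault role `osh` to the namespace's default service account, so every pod in `openstack` that runs under that account carries the identity VSO uses to fetch all of the OpenStack secrets; a dedicated service account used only by this VaultAuth (and named in the role's bound service accounts on the Vault side) keeps that trust narrow. Separately, each service's vault kustomization on this page creates a `vault-auth`/`vault-connection` pair with the same names in the same namespace, so `kubectl apply -k` for one service overwrites the objects created for another; either keep them byte-identical, with a comment saying so, or move the pair into one shared base that the per-service kustomizations reference.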
@@ -2,51 +2,57 @@ [![asciicast](https://asciinema.org/a/629806.svg)](https://asciinema.org/a/629806) -## Pre-requsites: +## Pre-requsites - Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) - User has access to `osh/glance/` path in the Vault -## Create secrets in the vault: +## Create secrets in the vault -### Login to the vault: +### Login to the vault ``` shell kubectl exec -it vault-0 -n vault -- \ vault login -method userpass username=glance ``` -### List the existing secrets from `osh/glance/`: +### List the existing secrets from `osh/glance/` ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv list osh/glance ``` -### Create the secrets: +### Create the secrets + +- Glance RabbitMQ Username and Password: -- Glance RabbitMQ Password: ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv put -mount=osh/glance glance-rabbitmq-password \ + vault kv put osh/heat/glance-rabbitmq-password username=glance + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/glance glance-rabbitmq-password \ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) ``` - Glance Database Password: -``` + +``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv put -mount=osh/glance glance-db-password \ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) ``` - Glance Admin Password: -``` + +``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv put -mount=osh/glance glance-admin \ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) ``` -### Validate the secrets: +### Validate the secrets ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ 
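Review bot: `vault kv put osh/heat/glance-rabbitmq-password username=glance` writes the Glance username under the Heat mount, and the `vault kv patch -mount=osh/glance glance-rabbitmq-password` that follows then targets a secret that has not been created yet, which `kv patch` is expected to reject; the Keystone hunk in this patch has the same `osh/heat/` path, and PATCH 09 later in this series corrects both. Beyond the path, the two-step put/patch mixes the legacy path form with `-mount=` and leaves a secret version containing only the username behind; one write does the job: `vault kv put -mount=osh/glance glance-rabbitmq-password username=glance password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)`. The heading `## Pre-requsites` keeps its misspelling through the punctuation change; `## Prerequisites`.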
@@ -62,11 +68,13 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ ## Install Glance - Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + ```shell kubectl get secret vault-ca-secret -o yaml -n openstack ``` - If it is absent, create one using the following command: + ``` shell kubectl create secret generic vault-ca-secret \ --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ @@ -74,11 +82,13 @@ kubectl create secret generic vault-ca-secret \ ``` - Deploy the necessary Vault resources to create Kubernetes secrets required by the Glance installation: + ``` shell kubectl apply -k /opt/genestack/kustomize/glance/base/vault/ ``` - Validate whether the required Kubernetes secrets from Vault are populated: + ``` shell kubectl get secrets -n openstack ``` diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 59fa6d51..3a5548f9 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md @@ -2,14 +2,14 @@ [![asciicast](https://asciinema.org/a/629802.svg)](https://asciinema.org/a/629802) -## Pre-requsites: +## Pre-requsites - Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) - User has access to `osh/keystone/` path in the Vault -## Create secrets in the vault: +## Create secrets in the vault -### Login to the vault: +### Login to the vault ``` shell kubectl exec -it vault-0 -n vault -- \ 
@@ -23,16 +23,21 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv list osh/keystone ``` -### Create the secrets: +### Create the secrets + +- Keystone RabbitMQ Username and Password: -- Keystone RabbitMQ Password: ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv put -mount=osh/keystone keystone-rabbitmq-password \ + vault kv put osh/heat/keystone-rabbitmq-password username=keystone + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/keystone keystone-rabbitmq-password \ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) ``` - Keystone Database Password: + ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv put -mount=osh/keystone keystone-db-password \ @@ -40,13 +45,14 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ ``` - Keystone Admin Password: + ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv put -mount=osh/keystone keystone-admin \ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` -### Validate the secrets: +### Validate the secrets ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ @@ -58,11 +64,13 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ ## Install Keystone - Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + ```shell kubectl get secret vault-ca-secret -o yaml -n openstack ``` - If it is absent, create one using the following command: + ``` shell kubectl create secret generic vault-ca-secret \ --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ 
@@ -70,11 +78,13 @@ kubectl create secret generic vault-ca-secret \ ``` - Deploy the necessary Vault resources to create Kubernetes secrets required by the Keystone installation: + ``` shell kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/ ``` - Validate whether the required Kubernetes secrets from Vault are populated: + ``` shell kubectl get secrets -n openstack ``` From 7b19a183c1e78b78afb7310e633e2c3f86bc717a Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Tue, 26 Mar 2024 01:49:11 +0000 Subject: [PATCH 08/20] Revert change in the mariadb secret naming convention --- docs/infrastructure-mariadb.md | 22 ++++++++++++------- docs/openstack-glance.md | 2 +- docs/openstack-heat.md | 2 +- docs/openstack-keystone.md | 2 +- .../mariadb-cluster/base/mariadb-galera.yaml | 2 +- .../base/vault/kustomization.yaml | 2 +- ...ariadb-root-password.yaml => mariadb.yaml} | 4 ++-- 7 files changed, 21 insertions(+), 15 deletions(-) rename kustomize/mariadb-cluster/base/vault/{mariadb-root-password.yaml => mariadb.yaml} (85%) diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md index 02072e61..d6040a20 100644 --- a/docs/infrastructure-mariadb.md +++ b/docs/infrastructure-mariadb.md @@ -19,7 +19,7 @@ kubectl --namespace mariadb-system get pods -w ## Deploy the MariaDB Cluster -## Pre-requsites: +## Pre-requsites - Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) - User has access to `osh/mariadb/` path in the Vault 
@@ -40,49 +40,55 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv list osh/mariadb ``` -### Create the secrets: +### Create the secrets - Mariadb root-password: + ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) + vault kv put -mount=osh/mariadb mariadb root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` - MaxScale password: + ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv put -mount=osh/mariadb maxscale password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` -### Validate the secrets: +### Validate the secrets ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv list osh/mariadb kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv get -mount=osh/mariadb mariadb-root-password + vault kv get -mount=osh/mariadb mariadb ``` -## Install mariadb cluster: +## Install mariadb cluster - Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: -```shell + +``` shell kubectl get secret vault-ca-secret -o yaml -n openstack ``` - If it is absent, create one using the following command: -```shell + +``` shell kubectl create secret generic vault-ca-secret \ --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack ``` - Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation: + ``` shell kubectl apply -k /opt/genestack/kustomize/mariadb-cluster/base/vault ``` - Validate whether the required Kubernetes secrets from Vault are populated: + ``` shell kubectl get secrets -n openstack ``` diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index f8f4a74c..e9b9ba8a 100644 --- a/docs/openstack-glance.md 
+++ b/docs/openstack-glance.md @@ -105,7 +105,7 @@ helm upgrade --install glance ./glance \ -f /opt/genestack/helm-configs/glance/glance-helm-overrides.yaml \ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret glance-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ diff --git a/docs/openstack-heat.md b/docs/openstack-heat.md index 4ed03005..85e96521 100644 --- a/docs/openstack-heat.md +++ b/docs/openstack-heat.md 
@@ -118,7 +118,7 @@ helm upgrade --install heat ./heat \ --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 3a5548f9..2dd6d46c 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
@@ -100,7 +100,7 @@ helm upgrade --install keystone ./keystone \ --timeout 120m \ -f /opt/genestack/helm-configs/keystone/keystone-helm-overrides.yaml \ --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \ - --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \ + --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \ --set endpoints.oslo_db.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-db-password -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \ --set endpoints.oslo_messaging.auth.keystone.password="$(kubectl --namespace openstack get secret keystone-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \ diff --git a/kustomize/mariadb-cluster/base/mariadb-galera.yaml b/kustomize/mariadb-cluster/base/mariadb-galera.yaml index 67a77ca9..d77fdeaf 100644 --- a/kustomize/mariadb-cluster/base/mariadb-galera.yaml +++ b/kustomize/mariadb-cluster/base/mariadb-galera.yaml @@ -5,7 +5,7 @@ metadata: namespace: openstack spec: rootPasswordSecretKeyRef: - name: mariadb-root-password + name: mariadb key: root-password username: mariadb database: mariadb diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml index 22438c37..e759ecb7 100644 --- a/kustomize/mariadb-cluster/base/vault/kustomization.yaml +++ b/kustomize/mariadb-cluster/base/vault/kustomization.yaml @@ -2,5 +2,5 @@ namespace: openstack resources: - vaultauth.yaml - vaultconnection.yaml - - mariadb-root-password.yaml + - mariadb.yaml - mariadb-maxscale.yaml 
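Review bot: The `mariadb` Secret that `rootPasswordSecretKeyRef` now points at is populated from Vault with only a `root-password` key (the `vault kv put -mount=osh/mariadb mariadb root-password=…` command in this patch), so any other reference to that Secret expecting a different key will find nothing. The `username: mariadb` / `database: mariadb` context suggests a user credential is configured as well, and this resource's body continues outside the hunk; if it references secret `mariadb` with `key: password`, either the Vault secret needs that key too or the reference must move to its own VaultStaticSecret — worth verifying against the full CR.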
diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml b/kustomize/mariadb-cluster/base/vault/mariadb.yaml similarity index 85% rename from kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml rename to kustomize/mariadb-cluster/base/vault/mariadb.yaml index 6bf87776..d01e778a 100644 --- a/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml +++ b/kustomize/mariadb-cluster/base/vault/mariadb.yaml @@ -10,11 +10,11 @@ spec: mount: 'osh/mariadb' # path of the secret - path: mariadb-root-password + path: mariadb # dest k8s secret destination: - name: mariadb-root-password + name: mariadb create: true # static secret refresh interval From 3c41fa6565738b2fc8de8260bc41c8054ed7fe02 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Tue, 26 Mar 2024 02:21:39 +0000 Subject: [PATCH 09/20] Fix typo is vault secret path --- docs/openstack-glance.md | 2 +- docs/openstack-keystone.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md index e9b9ba8a..e0c15f24 100644 --- a/docs/openstack-glance.md +++ b/docs/openstack-glance.md @@ -29,7 +29,7 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv put osh/heat/glance-rabbitmq-password username=glance + vault kv put osh/glance/glance-rabbitmq-password username=glance kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv patch -mount=osh/glance glance-rabbitmq-password \ diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md index 2dd6d46c..f878b578 100644 --- a/docs/openstack-keystone.md +++ b/docs/openstack-keystone.md 
@@ -29,7 +29,7 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ ``` shell kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ - vault kv put osh/heat/keystone-rabbitmq-password username=keystone + vault kv put osh/keystone/keystone-rabbitmq-password username=keystone kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ vault kv patch -mount=osh/keystone keystone-rabbitmq-password \ From 053004b86768a02650b2e3e19bf9851754ca1ad0 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Tue, 26 Mar 2024 10:12:37 +0000 Subject: [PATCH 10/20] Use HashiCorp Vault for Cinder deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Cinder deployment. --- docs/openstack-cinder.md | 99 ++++++++++++++++--- kustomize/cinder/base/vault/cinder-admin.yaml | 24 +++++ .../cinder/base/vault/cinder-db-password.yaml | 24 +++++ .../base/vault/cinder-rabbitmq-password.yaml | 24 +++++ .../cinder/base/vault/kustomization.yaml | 7 ++ kustomize/cinder/base/vault/vaultauth.yaml | 14 +++ .../cinder/base/vault/vaultconnection.yaml | 18 ++++ 7 files changed, 195 insertions(+), 15 deletions(-) create mode 100644 kustomize/cinder/base/vault/cinder-admin.yaml create mode 100644 kustomize/cinder/base/vault/cinder-db-password.yaml create mode 100644 kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml create mode 100644 kustomize/cinder/base/vault/kustomization.yaml create mode 100644 kustomize/cinder/base/vault/vaultauth.yaml create mode 100644 kustomize/cinder/base/vault/vaultconnection.yaml diff --git a/docs/openstack-cinder.md b/docs/openstack-cinder.md index 72fc3f26..ee95c771 100644 --- a/docs/openstack-cinder.md +++ b/docs/openstack-cinder.md 
@@ -2,25 +2,94 @@ [![asciicast](https://asciinema.org/a/629808.svg)](https://asciinema.org/a/629808) -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/cinder/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=cinder +``` + +### List the existing secrets from `osh/cinder/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/cinder +``` + +### Create the secrets + +- Cinder RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/cinder/cinder-rabbitmq-password username=cinder + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/cinder cinder-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Cinder Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/cinder cinder-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Cinder Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/cinder cinder-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/cinder +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/cinder cinder-admin +``` + +## Install Cinder + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create 
one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Cinder installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/cinder/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack \ - create secret generic cinder-rabbitmq-password \ - --type Opaque \ - --from-literal=username="cinder" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic cinder-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic cinder-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Cinder helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/kustomize/cinder/base/vault/cinder-admin.yaml b/kustomize/cinder/base/vault/cinder-admin.yaml new file mode 100644 index 00000000..1f6b158f --- /dev/null +++ b/kustomize/cinder/base/vault/cinder-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: cinder-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/cinder' + + # path of the secret + path: cinder-admin + + # dest k8s secret + destination: + name: cinder-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth 
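Review bot: `destination.create: true` on cinder-admin will not take over a `cinder-admin` Secret that already exists in `openstack`, which is exactly what an upgraded environment has, since the docs commands this same commit removes created it with `kubectl create secret`. As far as I recall, VSO refuses to write into a Secret it does not own unless `overwrite: true` is set, so the sync stays in error and the chart keeps consuming the stale value with no visible failure at deploy time. Either add `overwrite: true` under `destination:` after `create: true`, or document deleting the old Secret before `kubectl apply -k`; the same applies to every VaultStaticSecret in this series.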
diff --git a/kustomize/cinder/base/vault/cinder-db-password.yaml b/kustomize/cinder/base/vault/cinder-db-password.yaml
new file mode 100644
index 00000000..cafa36cf
--- /dev/null
+++ b/kustomize/cinder/base/vault/cinder-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: cinder-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/cinder'
+
+ # path of the secret
+ path: cinder-db-password
+
+ # dest k8s secret
+ destination:
+ name: cinder-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml b/kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml
new file mode 100644
index 00000000..9c80467a
--- /dev/null
+++ b/kustomize/cinder/base/vault/cinder-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: cinder-rabbitmq-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/cinder'
+
+ # path of the secret
+ path: cinder-rabbitmq-password
+
+ # dest k8s secret
+ destination:
+ name: cinder-rabbitmq-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/cinder/base/vault/kustomization.yaml b/kustomize/cinder/base/vault/kustomization.yaml
new file mode 100644
index 00000000..fc1b85fc
--- /dev/null
+++ b/kustomize/cinder/base/vault/kustomization.yaml
@@ -0,0 +1,7 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - cinder-admin.yaml
+ - cinder-db-password.yaml
+ - cinder-rabbitmq-password.yaml
diff --git a/kustomize/cinder/base/vault/vaultauth.yaml b/kustomize/cinder/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
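Review bot: Rotating `cinder-db-password` in Vault updates the Kubernetes Secret within `refreshAfter: 30s`, but nothing in this VaultStaticSecret restarts the cinder pods that read it, so the running services keep the old credential until someone performs a manual rollout. If rotation is the motivation for moving to Vault, add `rolloutRestartTargets:` with the kind/name of the cinder Deployments the chart creates, or at least note in a comment that a rollout is required after rotation. Separately, polling Vault every 30 seconds per secret is aggressive for a credential that never changes on its own; a comment explaining why this is not something like `1h` would help the next reader.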
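Review bot: This kustomization ships its own `vaultauth.yaml` and `vaultconnection.yaml`, and so does every other component base in this series; all of them create the same `openstack/vault-auth` and `openstack/vault-connection` objects, so each `kubectl apply -k` silently overwrites the copy applied before it. Identical copies are harmless today, but the first per-service edit (a different role, a different CA secret) will be reverted by the next component's apply without any error. Consider moving VaultAuth and VaultConnection into one shared base and listing only the VaultStaticSecrets here, or naming them per service (for example `cinder-vault-auth`) and pointing `vaultAuthRef` at that name.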
--- /dev/null
+++ b/kustomize/cinder/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/cinder/base/vault/vaultconnection.yaml b/kustomize/cinder/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/cinder/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
From 39e129d5f34f04e7aa4a7b0d188a8334003012f0 Mon Sep 17 00:00:00 2001
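Review bot: `serviceAccount: default` means the Vault Kubernetes-auth role `osh` has to accept the `default` ServiceAccount of `openstack`, so any pod in that namespace running under the default SA (anything that does not set its own) can mint a Vault token with the same role, not only the operator. A ServiceAccount created solely for VSO, with the Vault role bound to that SA name, keeps the blast radius to the operator: `serviceAccount: <vso-only SA>`. The `osh` role is also shared by cinder, keystone, nova, neutron and the rest; if its policy grants `osh/*` (the policy is not part of this patch, so I cannot tell) then per-service roles would be the least-privilege option, since otherwise a token obtained for any one service reads every service's credentials.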
From: Pratik Bandarkar Date: Tue, 26 Mar 2024 11:30:36 +0000 Subject: [PATCH 11/20] Use HashiCorp Vault for Compute Kit deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Compute Kit deployment. --- docs/openstack-compute-kit.md | 314 +++++++++++++++--- .../designate/base/vault/designate-admin.yaml | 24 ++ .../designate/base/vault/kustomization.yaml | 5 + kustomize/designate/base/vault/vaultauth.yaml | 14 + .../designate/base/vault/vaultconnection.yaml | 18 + kustomize/ironic/base/vault/ironic-admin.yaml | 24 ++ .../ironic/base/vault/kustomization.yaml | 5 + kustomize/ironic/base/vault/vaultauth.yaml | 14 + .../ironic/base/vault/vaultconnection.yaml | 18 + .../neutron/base/vault/kustomization.yaml | 7 + .../neutron/base/vault/neutron-admin.yaml | 24 ++ .../base/vault/neutron-db-password.yaml | 24 ++ .../base/vault/neutron-rabbitmq-password.yaml | 24 ++ kustomize/neutron/base/vault/vaultauth.yaml | 14 + .../neutron/base/vault/vaultconnection.yaml | 18 + kustomize/nova/base/vault/kustomization.yaml | 8 + .../base/vault/metadata-shared-secret.yaml | 24 ++ kustomize/nova/base/vault/nova-admin.yaml | 24 ++ .../nova/base/vault/nova-db-password.yaml | 24 ++ .../base/vault/nova-rabbitmq-password.yaml | 24 ++ kustomize/nova/base/vault/vaultauth.yaml | 14 + .../nova/base/vault/vaultconnection.yaml | 18 + .../placement/base/vault/kustomization.yaml | 6 + .../placement/base/vault/placement-admin.yaml | 24 ++ .../base/vault/placement-db-password.yaml | 24 ++ kustomize/placement/base/vault/vaultauth.yaml | 14 + .../placement/base/vault/vaultconnection.yaml | 18 + 27 files changed, 714 insertions(+), 55 deletions(-) create mode 100644 kustomize/designate/base/vault/designate-admin.yaml create mode 100644 kustomize/designate/base/vault/kustomization.yaml create mode 100644 kustomize/designate/base/vault/vaultauth.yaml create mode 100644 kustomize/designate/base/vault/vaultconnection.yaml create mode 100644 
kustomize/ironic/base/vault/ironic-admin.yaml create mode 100644 kustomize/ironic/base/vault/kustomization.yaml create mode 100644 kustomize/ironic/base/vault/vaultauth.yaml create mode 100644 kustomize/ironic/base/vault/vaultconnection.yaml create mode 100644 kustomize/neutron/base/vault/kustomization.yaml create mode 100644 kustomize/neutron/base/vault/neutron-admin.yaml create mode 100644 kustomize/neutron/base/vault/neutron-db-password.yaml create mode 100644 kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml create mode 100644 kustomize/neutron/base/vault/vaultauth.yaml create mode 100644 kustomize/neutron/base/vault/vaultconnection.yaml create mode 100644 kustomize/nova/base/vault/kustomization.yaml create mode 100644 kustomize/nova/base/vault/metadata-shared-secret.yaml create mode 100644 kustomize/nova/base/vault/nova-admin.yaml create mode 100644 kustomize/nova/base/vault/nova-db-password.yaml create mode 100644 kustomize/nova/base/vault/nova-rabbitmq-password.yaml create mode 100644 kustomize/nova/base/vault/vaultauth.yaml create mode 100644 kustomize/nova/base/vault/vaultconnection.yaml create mode 100644 kustomize/placement/base/vault/kustomization.yaml create mode 100644 kustomize/placement/base/vault/placement-admin.yaml create mode 100644 kustomize/placement/base/vault/placement-db-password.yaml create mode 100644 kustomize/placement/base/vault/vaultauth.yaml create mode 100644 kustomize/placement/base/vault/vaultconnection.yaml diff --git a/docs/openstack-compute-kit.md b/docs/openstack-compute-kit.md index 3e33cd95..e9d6a860 100644 --- a/docs/openstack-compute-kit.md +++ b/docs/openstack-compute-kit.md 
@@ -2,81 +2,284 @@ [![asciicast](https://asciinema.org/a/629813.svg)](https://asciinema.org/a/629813) +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to following paths in the Vault: + - `osh/nova/` + - `osh/ironic/` + - `osh/designate/` + - `osh/neutron/` + ## Creating the Compute Kit Secrets Part of running Nova is also running placement. Setup all credentials now so we can use them across the nova and placement services. +### Create the secrets - Placement + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=nova +``` + +- List the existing secrets from `osh/placement/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/placement +``` + +- Placement Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/placement placement-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Placement Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/placement placement-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/placement +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/placement placement-admin +``` + +### Create the secrets - Nova + +- List the existing secrets from `osh/nova/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/nova +``` + +- Metadata-shared-secret Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova metadata-shared-secret \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head 
-c${1:-32};echo;) +``` + +- Nova Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova nova-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Nova Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/nova nova-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Nova RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/nova/nova-rabbitmq-password username=nova + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/nova nova-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/nova +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/nova nova-admin +``` + +### Create the secrets - Ironic(NOT IMPLEMENTED YET) + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=ironic +``` + +- List the existing secrets from `osh/ironic/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ironic +``` + +- Ironic Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/ironic ironic-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ironic +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/ironic ironic-admin +``` + +### Create the secrets - Designate(NOT IMPLEMENTED YET) + +- Login to the vault: + +``` shell +kubectl exec -it 
vault-0 -n vault -- \ + vault login -method userpass username=designate +``` + +- List the existing secrets from `osh/designate/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/designate +``` + +- Designate Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/designate designate-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +#### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/designate +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/designate designate-admin +``` + +### Create the secrets - Neutron + +- Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=neutron +``` + +- List the existing secrets from `osh/neutron/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/neutron +``` + +- Neutron Database Password: + ``` shell -# Shared -kubectl --namespace openstack \ - create secret generic metadata-shared-secret \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/neutron neutron-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` +- Neutron Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/neutron neutron-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Neutron RabbitMQ Username and Password: + ``` shell -# Placement -kubectl --namespace openstack \ - create secret generic placement-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - 
create secret generic placement-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/neutron/neutron-rabbitmq-password username=neutron + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/neutron neutron-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) ``` +#### Validate the secrets + ``` shell -# Nova -kubectl --namespace openstack \ - create secret generic nova-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic nova-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic nova-rabbitmq-password \ - --type Opaque \ - --from-literal=username="nova" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/neutron +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/neutron neutron-admin +``` + +## Deploy vault-secret-operator resources + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack ``` +- If it is absent, create one using the following command: + ``` shell -# Ironic (NOT IMPLEMENTED YET) -kubectl --namespace openstack \ - create secret generic ironic-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 
-d -)" -n openstack ``` +- Deploy the necessary Vault resources to create Kubernetes secrets required by the placement installation: + ``` shell -# Designate (NOT IMPLEMENTED YET) -kubectl --namespace openstack \ - create secret generic designate-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl apply -k /opt/genestack/kustomize/placement/base/vault/ ``` +- Deploy the necessary Vault resources to create Kubernetes secrets required by the nova installation: + ``` shell -# Neutron -kubectl --namespace openstack \ - create secret generic neutron-rabbitmq-password \ - --type Opaque \ - --from-literal=username="neutron" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic neutron-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic neutron-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl apply -k /opt/genestack/kustomize/nova/base/vault/ ``` -## Deploy Placement +- Deploy the necessary Vault resources to create Kubernetes secrets required by the ironic installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/ironic/base/vault/ +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the designate installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/designate/base/vault/ +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the neutron installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/neutron/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +## Deploy Placement helm chart ``` shell cd 
/opt/genestack/submodules/openstack-helm @@ -94,7 +297,7 @@ helm upgrade --install placement ./placement --namespace=openstack \ --post-renderer-args placement/base ``` -## Deploy Nova +## Deploy Nova helm chart ``` shell cd /opt/genestack/submodules/openstack-helm @@ -140,7 +343,8 @@ If running in an environment that doesn't have hardware virtualization extension In a production like environment you may need to include production specific files like the example variable file found in `helm-configs/prod-example-openstack-overrides.yaml`. -## Deploy Neutron + +## Deploy Neutron helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/kustomize/designate/base/vault/designate-admin.yaml b/kustomize/designate/base/vault/designate-admin.yaml new file mode 100644 index 00000000..ee509cee --- /dev/null +++ b/kustomize/designate/base/vault/designate-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: designate-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/designate' + + # path of the secret + path: designate-admin + + # dest k8s secret + destination: + name: designate-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/designate/base/vault/kustomization.yaml b/kustomize/designate/base/vault/kustomization.yaml new file mode 100644 index 00000000..1cf12f2b --- /dev/null +++ b/kustomize/designate/base/vault/kustomization.yaml @@ -0,0 +1,5 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - designate-admin.yaml diff --git a/kustomize/designate/base/vault/vaultauth.yaml b/kustomize/designate/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/designate/base/vault/vaultauth.yaml 
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/designate/base/vault/vaultconnection.yaml b/kustomize/designate/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/designate/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
diff --git a/kustomize/ironic/base/vault/ironic-admin.yaml b/kustomize/ironic/base/vault/ironic-admin.yaml
new file mode 100644
index 00000000..99558377
--- /dev/null
+++ b/kustomize/ironic/base/vault/ironic-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: ironic-admin
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/ironic'
+
+ # path of the secret
+ path: ironic-admin
+
+ # dest k8s secret
+ destination:
+ name: ironic-admin
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/ironic/base/vault/kustomization.yaml b/kustomize/ironic/base/vault/kustomization.yaml
new file mode 100644
index 00000000..78034a91
--- /dev/null
+++ b/kustomize/ironic/base/vault/kustomization.yaml
@@ -0,0 +1,5 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - ironic-admin.yaml
diff --git a/kustomize/ironic/base/vault/vaultauth.yaml b/kustomize/ironic/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/ironic/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/ironic/base/vault/vaultconnection.yaml b/kustomize/ironic/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/ironic/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
diff --git a/kustomize/neutron/base/vault/kustomization.yaml b/kustomize/neutron/base/vault/kustomization.yaml
new file mode 100644
index 00000000..c96cbe7d
--- /dev/null
+++ b/kustomize/neutron/base/vault/kustomization.yaml
@@ -0,0 +1,7 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - neutron-admin.yaml
+ - neutron-db-password.yaml
+ - neutron-rabbitmq-password.yaml
diff --git a/kustomize/neutron/base/vault/neutron-admin.yaml b/kustomize/neutron/base/vault/neutron-admin.yaml
new file mode 100644
index 00000000..a34ecc70
--- /dev/null
+++ b/kustomize/neutron/base/vault/neutron-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: neutron-admin
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/neutron'
+
+ # path of the secret
+ path: neutron-admin
+
+ # dest k8s secret
+ destination:
+ name: neutron-admin
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/neutron/base/vault/neutron-db-password.yaml b/kustomize/neutron/base/vault/neutron-db-password.yaml
new file mode 100644
index 00000000..96cee38c
--- /dev/null
+++ b/kustomize/neutron/base/vault/neutron-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: neutron-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/neutron'
+
+ # path of the secret
+ path: neutron-db-password
+
+ # dest k8s secret
+ destination:
+ name: neutron-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml b/kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml
new file mode 100644
index 00000000..27461c1c
--- /dev/null
+++ b/kustomize/neutron/base/vault/neutron-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: neutron-rabbitmq-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/neutron'
+
+ # path of the secret
+ path: neutron-rabbitmq-password
+
+ # dest k8s secret
+ destination:
+ name: neutron-rabbitmq-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/neutron/base/vault/vaultauth.yaml b/kustomize/neutron/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/neutron/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/neutron/base/vault/vaultconnection.yaml b/kustomize/neutron/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/neutron/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
diff --git a/kustomize/nova/base/vault/kustomization.yaml b/kustomize/nova/base/vault/kustomization.yaml
new file mode 100644
index 00000000..803c3f2c
--- /dev/null
+++ b/kustomize/nova/base/vault/kustomization.yaml
@@ -0,0 +1,8 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - metadata-shared-secret.yaml
+ - nova-admin.yaml
+ - nova-db-password.yaml
+ - nova-rabbitmq-password.yaml
diff --git a/kustomize/nova/base/vault/metadata-shared-secret.yaml b/kustomize/nova/base/vault/metadata-shared-secret.yaml
new file mode 100644
index 00000000..f92dcc54
--- /dev/null
+++ b/kustomize/nova/base/vault/metadata-shared-secret.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: metadata-shared-secret
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/nova'
+
+ # path of the secret
+ path: metadata-shared-secret
+
+ # dest k8s secret
+ destination:
+ name: metadata-shared-secret
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/nova/base/vault/nova-admin.yaml b/kustomize/nova/base/vault/nova-admin.yaml
new file mode 100644
index 00000000..019e96f9
--- /dev/null
+++ b/kustomize/nova/base/vault/nova-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: nova-admin
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/nova'
+
+ # path of the secret
+ path: nova-admin
+
+ # dest k8s secret
+ destination:
+ name: nova-admin
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/nova/base/vault/nova-db-password.yaml b/kustomize/nova/base/vault/nova-db-password.yaml
new file mode 100644
index 00000000..72d3ff8c
--- /dev/null
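Review bot: `metadata-shared-secret` was labelled `# Shared` in the docs commands this commit removes, yet its VaultStaticSecret is carried only by the nova base; the neutron base added in this same patch (`kustomize/neutron/base/vault/kustomization.yaml`) does not reference it, so any neutron component that needs this Secret silently depends on the nova vault kustomization having been applied first. A comment on this resource such as `# shared with neutron; neutron's base does not create it and relies on this one being applied` would make the ordering explicit, or the neutron base could carry its own VaultStaticSecret syncing the same `osh/nova` path into the same destination. Whether neutron actually reads this Secret is not visible in the patch, so please confirm against the neutron chart values before choosing.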
+++ b/kustomize/nova/base/vault/nova-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: nova-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/nova'
+
+ # path of the secret
+ path: nova-db-password
+
+ # dest k8s secret
+ destination:
+ name: nova-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/nova/base/vault/nova-rabbitmq-password.yaml b/kustomize/nova/base/vault/nova-rabbitmq-password.yaml
new file mode 100644
index 00000000..cd091480
--- /dev/null
+++ b/kustomize/nova/base/vault/nova-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: nova-rabbitmq-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/nova'
+
+ # path of the secret
+ path: nova-rabbitmq-password
+
+ # dest k8s secret
+ destination:
+ name: nova-rabbitmq-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/nova/base/vault/vaultauth.yaml b/kustomize/nova/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/nova/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/nova/base/vault/vaultconnection.yaml b/kustomize/nova/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/nova/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
diff --git a/kustomize/placement/base/vault/kustomization.yaml b/kustomize/placement/base/vault/kustomization.yaml
new file mode 100644
index 00000000..d29125d7
--- /dev/null
+++ b/kustomize/placement/base/vault/kustomization.yaml
@@ -0,0 +1,6 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - placement-admin.yaml
+ - placement-db-password.yaml
diff --git a/kustomize/placement/base/vault/placement-admin.yaml b/kustomize/placement/base/vault/placement-admin.yaml
new file mode 100644
index 00000000..886f03a1
--- /dev/null
+++ b/kustomize/placement/base/vault/placement-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: placement-admin
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/placement'
+
+ # path of the secret
+ path: placement-admin
+
+ # dest k8s secret
+ destination:
+ name: placement-admin
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/placement/base/vault/placement-db-password.yaml b/kustomize/placement/base/vault/placement-db-password.yaml
new file mode 100644
index 00000000..8ffdea42
--- /dev/null
+++ b/kustomize/placement/base/vault/placement-db-password.yaml
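Review bot: The comment above `caCertSecretRef` does not say which namespace or key the operator reads; the reference is resolved in this object's namespace (`openstack`) and VSO expects the PEM chain under the `ca.crt` key, which is what the docs in this series populate when they copy it out of `vault-tls-secret`. Suggest `# Secret in this namespace (openstack) holding the Vault CA chain under the "ca.crt" key` so a reader does not have to go to the docs to learn the contract. Keeping `skipTLSVerify: false` together with a pinned CA is the right choice; the same file is duplicated for placement, horizon, skyline, octavia and gnocchi.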
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: placement-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/placement'
+
+ # path of the secret
+ path: placement-db-password
+
+ # dest k8s secret
+ destination:
+ name: placement-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/placement/base/vault/vaultauth.yaml b/kustomize/placement/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/placement/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/placement/base/vault/vaultconnection.yaml b/kustomize/placement/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/placement/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
From d6e56ef1aa2bd9f1eb5a9e71c106c4ab8f0890e2 Mon Sep 17 00:00:00 2001
From: Pratik Bandarkar
Date: Tue, 26 Mar 2024 17:03:08 +0000
Subject: [PATCH 12/20] Use HashiCorp Vault for Horizon deployment
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Horizon deployment.
---
docs/openstack-horizon.md | 87 ++++++++++++++++---
.../base/vault/horizon-db-password.yaml | 24 +++++
.../base/vault/horizon-secrete-key.yaml | 24 +++++
.../horizon/base/vault/kustomization.yaml | 6 ++
kustomize/horizon/base/vault/vaultauth.yaml | 14 +++
.../horizon/base/vault/vaultconnection.yaml | 18 ++++
6 files changed, 162 insertions(+), 11 deletions(-)
create mode 100644 kustomize/horizon/base/vault/horizon-db-password.yaml
create mode 100644 kustomize/horizon/base/vault/horizon-secrete-key.yaml
create mode 100644 kustomize/horizon/base/vault/kustomization.yaml
create mode 100644 kustomize/horizon/base/vault/vaultauth.yaml
create mode 100644 kustomize/horizon/base/vault/vaultconnection.yaml
diff --git a/docs/openstack-horizon.md b/docs/openstack-horizon.md
index 6672744c..4156c5e0 100644
--- a/docs/openstack-horizon.md
+++ b/docs/openstack-horizon.md
@@ -2,21 +2,86 @@ [![asciicast](https://asciinema.org/a/629815.svg)](https://asciinema.org/a/629815) -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/horizon/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=horizon +``` + +### List the existing secrets from `osh/horizon/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/horizon +``` + +### Create the secrets + +- Horizon-secrete-key Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/horizon/horizon-secrete-key username=horizon + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/horizon horizon-secrete-key \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Horizon Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/horizon horizon-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/horizon +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/horizon horizon-secrete-key +``` + +## Install Horizon + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 
-d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Horizon installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/horizon/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack \ - create secret generic horizon-secrete-key \ - --type Opaque \ - --from-literal=username="horizon" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic horizon-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Horizon helm chart ``` shell cd /opt/genestack/submodules/openstack-helm
diff --git a/kustomize/horizon/base/vault/horizon-db-password.yaml b/kustomize/horizon/base/vault/horizon-db-password.yaml
new file mode 100644
index 00000000..14dedb24
--- /dev/null
+++ b/kustomize/horizon/base/vault/horizon-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: horizon-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/horizon'
+
+ # path of the secret
+ path: horizon-db-password
+
+ # dest k8s secret
+ destination:
+ name: horizon-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/horizon/base/vault/horizon-secrete-key.yaml b/kustomize/horizon/base/vault/horizon-secrete-key.yaml
new file mode 100644
index 00000000..60c52a48
--- /dev/null
+++ b/kustomize/horizon/base/vault/horizon-secrete-key.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: horizon-secrete-key
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/horizon'
+
+ # path of the secret
+ path: horizon-secrete-key
+
+ # dest k8s secret
+ destination:
+ name: horizon-secrete-key
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/horizon/base/vault/kustomization.yaml b/kustomize/horizon/base/vault/kustomization.yaml
new file mode 100644
index 00000000..83a19417
--- /dev/null
+++ b/kustomize/horizon/base/vault/kustomization.yaml
@@ -0,0 +1,6 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - horizon-db-password.yaml
+ - horizon-secrete-key.yaml
diff --git a/kustomize/horizon/base/vault/vaultauth.yaml b/kustomize/horizon/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/horizon/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/horizon/base/vault/vaultconnection.yaml b/kustomize/horizon/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/horizon/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
From c6f604d5fd1cfb8f824f532492921d6817520ec5 Mon Sep 17 00:00:00 2001
From: Pratik Bandarkar
Date: Wed, 27 Mar 2024 16:37:39 +0000
Subject: [PATCH 13/20] Use HashiCorp Vault for Skyline deployment
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Skyline deployment.
---
docs/openstack-skyline.md | 93 +++++++++++++++----
.../skyline/base/vault/kustomization.yaml | 5 +
.../base/vault/skyline-apiserver-secrets.yaml | 24 +++++
kustomize/skyline/base/vault/vaultauth.yaml | 14 +++
.../skyline/base/vault/vaultconnection.yaml | 18 ++++
5 files changed, 137 insertions(+), 17 deletions(-)
create mode 100644 kustomize/skyline/base/vault/kustomization.yaml
create mode 100644 kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml
create mode 100644 kustomize/skyline/base/vault/vaultauth.yaml
create mode 100644 kustomize/skyline/base/vault/vaultconnection.yaml
diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md
index 588bff41..856ce1cb 100644
--- a/docs/openstack-skyline.md
+++ b/docs/openstack-skyline.md
@@ -4,33 +4,92 @@ Skyline is an alternative Web UI for OpenStack. If you deploy horizon there's no need for Skyline. -## Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/skyline/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=skyline +``` + +### List the existing secrets from `osh/skyline/` + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/skyline +``` + +### Create the secrets Skyline is a little different because there's no helm integration. Given this difference the deployment is far simpler, and all secrets can be managed in one object. +- Skyline-apiserver-secrets: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/skyline skyline-apiserver-secrets \ + service-username=skyline \ + service-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + service-domain=service \ + service-project=service \ + service-project-domain=service \ + db-endpoint=maxscale-galera.openstack.svc.cluster.local \ + db-name=skyline \ + db-username=skyline \ + db-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + secret-key=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ + keystone-endpoint=http://keystone-api.openstack.svc.cluster.local:5000 \ + default-region=RegionOne +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/skyline +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/skyline skyline-apiserver-secrets +``` + +## Install Skyline + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell 
+kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Skyline installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/skyline/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + ``` shell -kubectl --namespace openstack \ - create secret generic skyline-apiserver-secrets \ - --type Opaque \ - --from-literal=service-username="skyline" \ - --from-literal=service-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=service-domain="service" \ - --from-literal=service-project="service" \ - --from-literal=service-project-domain="service" \ - --from-literal=db-endpoint="maxscale-galera.openstack.svc.cluster.local" \ - --from-literal=db-name="skyline" \ - --from-literal=db-username="skyline" \ - --from-literal=db-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=secret-key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \ - --from-literal=keystone-endpoint="http://keystone-api.openstack.svc.cluster.local:5000" \ - --from-literal=default-region="RegionOne" +kubectl get secrets -n openstack ``` !!! note All the configuration is in this one secret, so be sure to set your entries accordingly. -## Run the deployment +### Deploy Skyline !!! tip
diff --git a/kustomize/skyline/base/vault/kustomization.yaml b/kustomize/skyline/base/vault/kustomization.yaml
new file mode 100644
index 00000000..bc700885
--- /dev/null
+++ b/kustomize/skyline/base/vault/kustomization.yaml
@@ -0,0 +1,5 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - skyline-apiserver-secrets.yaml
diff --git a/kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml b/kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml
new file mode 100644
index 00000000..96a5a0cf
--- /dev/null
+++ b/kustomize/skyline/base/vault/skyline-apiserver-secrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: skyline-apiserver-secrets
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/skyline'
+
+ # path of the secret
+ path: skyline-apiserver-secrets
+
+ # dest k8s secret
+ destination:
+ name: skyline-apiserver-secrets
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/skyline/base/vault/vaultauth.yaml b/kustomize/skyline/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/skyline/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/skyline/base/vault/vaultconnection.yaml b/kustomize/skyline/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/skyline/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
From 58541f72ff0b3138a73fb4c051ae55c26c9ca276 Mon Sep 17 00:00:00 2001
From: Pratik Bandarkar
Date: Thu, 28 Mar 2024 12:53:23 +0000
Subject: [PATCH 14/20] Use HashiCorp Vault for Octavia deployment
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Octavia deployment.
---
docs/openstack-octavia.md | 115 ++++++++++++++----
.../octavia/base/vault/kustomization.yaml | 8 ++
.../octavia/base/vault/octavia-admin.yaml | 24 ++++
.../base/vault/octavia-certificates.yaml | 24 ++++
.../base/vault/octavia-db-password.yaml | 24 ++++
.../base/vault/octavia-rabbitmq-password.yaml | 24 ++++
kustomize/octavia/base/vault/vaultauth.yaml | 14 +++
.../octavia/base/vault/vaultconnection.yaml | 18 +++
8 files changed, 228 insertions(+), 23 deletions(-)
create mode 100644 kustomize/octavia/base/vault/kustomization.yaml
create mode 100644 kustomize/octavia/base/vault/octavia-admin.yaml
create mode 100644 kustomize/octavia/base/vault/octavia-certificates.yaml
create mode 100644 kustomize/octavia/base/vault/octavia-db-password.yaml
create mode 100644 kustomize/octavia/base/vault/octavia-rabbitmq-password.yaml
create mode 100644 kustomize/octavia/base/vault/vaultauth.yaml
create mode 100644 kustomize/octavia/base/vault/vaultconnection.yaml
diff --git a/docs/openstack-octavia.md b/docs/openstack-octavia.md
index 51c8b669..d8853922 100644
--- a/docs/openstack-octavia.md
+++ b/docs/openstack-octavia.md
@@ -2,29 +2,102 @@ [![asciicast](https://asciinema.org/a/629814.svg)](https://asciinema.org/a/629814) -### Create secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/octavia/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=octavia +``` + +### List the existing secrets from `osh/octavia/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/octavia +``` + +### Create the secrets + +- Octavia RabbitMQ Username and Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/octavia/octavia-rabbitmq-password username=octavia + +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv patch -mount=osh/octavia octavia-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;) +``` + +- Octavia Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/octavia octavia-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Octavia Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/octavia octavia-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Octavia-certificates Password: ``` shell -kubectl --namespace openstack \ - create secret generic octavia-rabbitmq-password \ - --type Opaque \ - --from-literal=username="octavia" \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)" -kubectl --namespace openstack \ - create secret generic octavia-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl 
--namespace openstack \ - create secret generic octavia-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack \ - create secret generic octavia-certificates \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/octavia octavia-certificates \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) ``` -## Run the package deployment +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/octavia +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/octavia octavia-admin +``` + +## Install Octavia + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Octavia installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/octavia/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: + +``` shell +kubectl get secrets -n openstack +``` + +### Deploy Octavia helm chart ``` shell cd /opt/genestack/submodules/openstack-helm 
@@ -52,7 +125,3 @@ helm upgrade --install octavia ./octavia \ In a production like environment you may need to include production specific files like the example variable file found in `helm-configs/prod-example-openstack-overrides.yaml`. Now validate functionality - -``` shell - -```
diff --git a/kustomize/octavia/base/vault/kustomization.yaml b/kustomize/octavia/base/vault/kustomization.yaml
new file mode 100644
index 00000000..4f2eff2c
--- /dev/null
+++ b/kustomize/octavia/base/vault/kustomization.yaml
@@ -0,0 +1,8 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - octavia-admin.yaml
+ - octavia-db-password.yaml
+ - octavia-rabbitmq-password.yaml
+ - octavia-certificates.yaml
diff --git a/kustomize/octavia/base/vault/octavia-admin.yaml b/kustomize/octavia/base/vault/octavia-admin.yaml
new file mode 100644
index 00000000..fb81715e
--- /dev/null
+++ b/kustomize/octavia/base/vault/octavia-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: octavia-admin
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/octavia'
+
+ # path of the secret
+ path: octavia-admin
+
+ # dest k8s secret
+ destination:
+ name: octavia-admin
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/octavia/base/vault/octavia-certificates.yaml b/kustomize/octavia/base/vault/octavia-certificates.yaml
new file mode 100644
index 00000000..6b93f94b
--- /dev/null
+++ b/kustomize/octavia/base/vault/octavia-certificates.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: octavia-certificates
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/octavia'
+
+ # path of the secret
+ path: octavia-certificates
+
+ # dest k8s secret
+ destination:
+ name: octavia-certificates
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/octavia/base/vault/octavia-db-password.yaml b/kustomize/octavia/base/vault/octavia-db-password.yaml
new file mode 100644
index 00000000..0e50e95f
--- /dev/null
+++ b/kustomize/octavia/base/vault/octavia-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: octavia-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/octavia'
+
+ # path of the secret
+ path: octavia-db-password
+
+ # dest k8s secret
+ destination:
+ name: octavia-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/octavia/base/vault/octavia-rabbitmq-password.yaml b/kustomize/octavia/base/vault/octavia-rabbitmq-password.yaml
new file mode 100644
index 00000000..26070251
--- /dev/null
+++ b/kustomize/octavia/base/vault/octavia-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: octavia-rabbitmq-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/octavia'
+
+ # path of the secret
+ path: octavia-rabbitmq-password
+
+ # dest k8s secret
+ destination:
+ name: octavia-rabbitmq-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/octavia/base/vault/vaultauth.yaml b/kustomize/octavia/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/octavia/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/octavia/base/vault/vaultconnection.yaml b/kustomize/octavia/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/octavia/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
From 873de978f19d5290d8a5506d4533be537c064134 Mon Sep 17 00:00:00 2001
From: Pratik Bandarkar
Date: Thu, 28 Mar 2024 13:17:46 +0000
Subject: [PATCH 15/20] Use HashiCorp Vault for Gnocchi deployment
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Gnocchi deployment.
---
docs/openstack-gnocchi.md | 96 ++++++++++++++++---
.../gnocchi/base/vault/gnocchi-admin.yaml | 24 +++++
.../base/vault/gnocchi-db-password.yaml | 24 +++++
.../base/vault/gnocchi-pgsql-password.yaml | 24 +++++
.../gnocchi/base/vault/kustomization.yaml | 7 ++
kustomize/gnocchi/base/vault/vaultauth.yaml | 14 +++
.../gnocchi/base/vault/vaultconnection.yaml | 18 ++++
7 files changed, 194 insertions(+), 13 deletions(-)
create mode 100644 kustomize/gnocchi/base/vault/gnocchi-admin.yaml
create mode 100644 kustomize/gnocchi/base/vault/gnocchi-db-password.yaml
create mode 100644 kustomize/gnocchi/base/vault/gnocchi-pgsql-password.yaml
create mode 100644 kustomize/gnocchi/base/vault/kustomization.yaml
create mode 100644 kustomize/gnocchi/base/vault/vaultauth.yaml
create mode 100644 kustomize/gnocchi/base/vault/vaultconnection.yaml
diff --git a/docs/openstack-gnocchi.md b/docs/openstack-gnocchi.md
index 3961d0ee..3efee557 100644
--- a/docs/openstack-gnocchi.md
+++ b/docs/openstack-gnocchi.md
@@ -1,20 +1,90 @@ # Deploy Gnocchi -## Create Secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/gnocchi/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=gnocchi +``` + +### List the existing secrets from `osh/gnocchi/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/gnocchi +``` + +### Create the secrets + +- Gnocchi Database Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/gnocchi gnocchi-db-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Gnocchi Admin Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/gnocchi gnocchi-admin \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Gnocchi-pgsql Password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/gnocchi gnocchi-pgsql-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ghocchi +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/ghocchi gnocchi-admin +``` + +## Install Gnocchi + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n 
vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Gnocchi installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/gnocchi/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack create secret generic gnocchi-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic gnocchi-db-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic gnocchi-pgsql-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Create ceph-etc configmap +### Create ceph-etc configmap While the below example should work fine for most environments, depending on the use case it may be necessary to provide additional client configuration
@@ -38,7 +108,7 @@ data: EOF ``` -## Verify the ceph-etc configmap is sane +### Verify the ceph-etc configmap is sane Below is an example of what you're looking for to verify the configmap was created as expected - a CSV of the mon hosts, colon seperated with default
@@ -50,7 +120,7 @@ mon port, 6789. mon_host = 172.31.3.7:6789,172.31.1.112:6789,172.31.0.46:6789 ``` -## Run the package deployment +### Deploy Gnocchi helm chart ``` shell cd /opt/genestack/submodules/openstack-helm-infra
diff --git a/kustomize/gnocchi/base/vault/gnocchi-admin.yaml b/kustomize/gnocchi/base/vault/gnocchi-admin.yaml
new file mode 100644
index 00000000..c48ab5b0
--- /dev/null
+++ b/kustomize/gnocchi/base/vault/gnocchi-admin.yaml
@@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: gnocchi-admin + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/gnocchi' + + # path of the secret + path: gnocchi-admin + + # dest k8s secret + destination: + name: gnocchi-admin + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/gnocchi/base/vault/gnocchi-db-password.yaml b/kustomize/gnocchi/base/vault/gnocchi-db-password.yaml new file mode 100644 index 00000000..c2474d2a --- /dev/null +++ b/kustomize/gnocchi/base/vault/gnocchi-db-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: gnocchi-db-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/gnocchi' + + # path of the secret + path: gnocchi-db-password + + # dest k8s secret + destination: + name: gnocchi-db-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/gnocchi/base/vault/gnocchi-pgsql-password.yaml b/kustomize/gnocchi/base/vault/gnocchi-pgsql-password.yaml new file mode 100644 index 00000000..fb974d00 --- /dev/null +++ b/kustomize/gnocchi/base/vault/gnocchi-pgsql-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: gnocchi-pgsql-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/gnocchi' + + # path of the secret + path: gnocchi-pgsql-password + + # dest k8s secret + destination: + name: gnocchi-pgsql-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth 
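Review bot: `destination.create: true` with no `overwrite` set means the operator should refuse to adopt a `gnocchi-admin` Secret that already exists in `openstack`, which is exactly the state of any cluster that followed the `kubectl create secret generic gnocchi-admin` step this same change removes from `docs/openstack-gnocchi.md`; as far as I can tell the VaultStaticSecret then stays unsynced while the `kubectl get secrets -n openstack` check in the docs still shows the old secret, so nothing looks wrong. Either add `overwrite: true` under `destination:` for the migration, or document that the pre-Vault secrets must be deleted before `kubectl apply -k`, noting in that case that the old passwords differ from the newly generated Vault ones, so database and Keystone accounts created with them need updating too. The same applies to `gnocchi-db-password.yaml` and `gnocchi-pgsql-password.yaml` in this patch and to the Ceilometer and PostgreSQL VaultStaticSecret files later in the series.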
diff --git a/kustomize/gnocchi/base/vault/kustomization.yaml b/kustomize/gnocchi/base/vault/kustomization.yaml new file mode 100644 index 00000000..bbe46cca --- /dev/null +++ b/kustomize/gnocchi/base/vault/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - gnocchi-admin.yaml + - gnocchi-db-password.yaml + - gnocchi-pgsql-password.yaml diff --git a/kustomize/gnocchi/base/vault/vaultauth.yaml b/kustomize/gnocchi/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/gnocchi/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/gnocchi/base/vault/vaultconnection.yaml b/kustomize/gnocchi/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/gnocchi/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" From c941292559b236fb8e7da2b1eddba64ea2f8967f Mon Sep 17 00:00:00 2001 
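Review bot: `serviceAccount: default` in this VaultAuth ties the Vault role `osh` to the namespace's default service account, so every pod in `openstack` that is not given its own service account (and has the token automounted, which is the default) can log in to Vault as `osh` and read whatever that role's policy grants, not only the secrets VSO renders for Gnocchi. A service account used solely by the VaultAuth objects (for example `serviceAccount: vso-auth`, a name chosen here only as an illustration), with the Vault role's bound service-account name narrowed to it, keeps the Vault credential out of the application pods. The same line appears in the Ceilometer and PostgreSQL `vaultauth.yaml` hunks of this series, and because all of them define the one object `vault-auth` in `openstack`, the change has to be made in every copy.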
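Review bot: This `VaultConnection` is byte-identical (same blob `61e878fd`) to the copies added for Ceilometer and PostgreSQL in this series, all named `vault-connection` in namespace `openstack`, so each `kubectl apply -k` rewrites the same object and the last kustomization applied wins. If one copy is later edited, say `skipTLSVerify` flipped to `true` while debugging or `caCertSecretRef` renamed, it silently changes the TLS settings for every service's VaultStaticSecrets. Moving `vaultconnection.yaml` and `vaultauth.yaml` into one shared kustomize base that the per-service bases reference removes that drift; `skipTLSVerify: false` together with the pinned `caCertSecretRef: "vault-ca-secret"` is the setting worth preserving.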
From: Pratik Bandarkar Date: Thu, 28 Mar 2024 14:29:26 +0000 Subject: [PATCH 16/20] Use HashiCorp Vault for Ceilometer deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Ceilometer deployment. --- docs/openstack-ceilometer.md | 91 ++++++++++++++++--- .../ceilometer-keystone-admin-password.yaml | 24 +++++ .../ceilometer-keystone-test-password.yaml | 24 +++++ .../vault/ceilometer-rabbitmq-password.yaml | 24 +++++ .../ceilometer/base/vault/kustomization.yaml | 7 ++ .../ceilometer/base/vault/vaultauth.yaml | 14 +++ .../base/vault/vaultconnection.yaml | 18 ++++ 7 files changed, 191 insertions(+), 11 deletions(-) create mode 100644 kustomize/ceilometer/base/vault/ceilometer-keystone-admin-password.yaml create mode 100644 kustomize/ceilometer/base/vault/ceilometer-keystone-test-password.yaml create mode 100644 kustomize/ceilometer/base/vault/ceilometer-rabbitmq-password.yaml create mode 100644 kustomize/ceilometer/base/vault/kustomization.yaml create mode 100644 kustomize/ceilometer/base/vault/vaultauth.yaml create mode 100644 kustomize/ceilometer/base/vault/vaultconnection.yaml diff --git a/docs/openstack-ceilometer.md b/docs/openstack-ceilometer.md index 9d67fb4f..2ee3c7f9 100644 --- a/docs/openstack-ceilometer.md +++ b/docs/openstack-ceilometer.md 
@@ -1,20 +1,89 @@ # Deploy Ceilometer -## Create Secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/ceilometer/` path in the Vault + +## Create secrets in the vault + +### Login to the vault + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=ceilometer +``` + +### List the existing secrets from `osh/ceilometer/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ceilometer +``` + +### Create the secrets + +- Ceilometer-keystone-admin-password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put osh/ceilometer/ceilometer-keystone-admin-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Ceilometer-keystone-test-password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/ceilometer ceilometer-keystone-test-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Ceilometer-rabbitmq-password: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/ceilometer ceilometer-rabbitmq-password \ + password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/ceilometer +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/ceilometer ceilometer-keystone-admin-password +``` + +## Install Ceilometer + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +```shell +kubectl get secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic 
vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the Ceilometer installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/ceilometer/base/vault/ +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack create secret generic ceilometer-keystone-admin-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic ceilometer-keystone-test-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic ceilometer-rabbitmq-password \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy Ceilometer helm chart ``` shell cd /opt/genestack/submodules/openstack-helm diff --git a/kustomize/ceilometer/base/vault/ceilometer-keystone-admin-password.yaml b/kustomize/ceilometer/base/vault/ceilometer-keystone-admin-password.yaml new file mode 100644 index 00000000..aefd9c4d --- /dev/null +++ b/kustomize/ceilometer/base/vault/ceilometer-keystone-admin-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: ceilometer-keystone-admin-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/ceilometer' + + # path of the secret + path: ceilometer-keystone-admin-password + + # dest k8s secret + destination: + name: ceilometer-keystone-admin-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth 
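Review bot: The `ceilometer-keystone-admin-password` step writes with `vault kv put osh/ceilometer/ceilometer-keystone-admin-password ...` and no `-mount`, unlike the two steps below it and the validation step; the CLI then has to discover the mount point from Vault's mount table, which a user limited to `osh/ceilometer/` may not be permitted to read, and if the lookup fails the secret is not written where the `VaultStaticSecret` expects it. Write it like the others: `vault kv put -mount=osh/ceilometer ceilometer-keystone-admin-password \` followed by `password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)`.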
diff --git a/kustomize/ceilometer/base/vault/ceilometer-keystone-test-password.yaml b/kustomize/ceilometer/base/vault/ceilometer-keystone-test-password.yaml new file mode 100644 index 00000000..0c74d01e --- /dev/null +++ b/kustomize/ceilometer/base/vault/ceilometer-keystone-test-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: ceilometer-keystone-test-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/ceilometer' + + # path of the secret + path: ceilometer-keystone-test-password + + # dest k8s secret + destination: + name: ceilometer-keystone-test-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/ceilometer/base/vault/ceilometer-rabbitmq-password.yaml b/kustomize/ceilometer/base/vault/ceilometer-rabbitmq-password.yaml new file mode 100644 index 00000000..da0bae5a --- /dev/null +++ b/kustomize/ceilometer/base/vault/ceilometer-rabbitmq-password.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: ceilometer-rabbitmq-password + namespace: openstack +spec: + type: kv-v2 + + # mount path + mount: 'osh/ceilometer' + + # path of the secret + path: ceilometer-rabbitmq-password + + # dest k8s secret + destination: + name: ceilometer-rabbitmq-password + create: true + + # static secret refresh interval + refreshAfter: 30s + + # Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/ceilometer/base/vault/kustomization.yaml b/kustomize/ceilometer/base/vault/kustomization.yaml new file mode 100644 index 00000000..6c9be785 --- /dev/null +++ b/kustomize/ceilometer/base/vault/kustomization.yaml 
@@ -0,0 +1,7 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - ceilometer-keystone-admin-password.yaml + - ceilometer-keystone-test-password.yaml + - ceilometer-rabbitmq-password.yaml diff --git a/kustomize/ceilometer/base/vault/vaultauth.yaml b/kustomize/ceilometer/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/ceilometer/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/ceilometer/base/vault/vaultconnection.yaml b/kustomize/ceilometer/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/ceilometer/base/vault/vaultconnection.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" From b74daeea18fc0fbca7ffb0bab42f17ca48abb671 Mon Sep 17 00:00:00 2001 
From: Pratik Bandarkar Date: Thu, 28 Mar 2024 18:56:54 +0000 Subject: [PATCH 17/20] Use HashiCorp Vault for PostgreSQL deployment This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the PostgreSQL deployment. --- docs/infrastructure-postgresql.md | 99 ++++++++++++++++--- .../postgresql/base/vault/kustomization.yaml | 8 ++ .../base/vault/postgresql-db-admin.yaml | 24 +++++ .../base/vault/postgresql-db-audit.yaml | 24 +++++ .../base/vault/postgresql-db-exporter.yaml | 24 +++++ .../base/vault/postgresql-identity-admin.yaml | 24 +++++ .../postgresql/base/vault/vaultauth.yaml | 14 +++ .../base/vault/vaultconnection.yaml | 18 ++++ 8 files changed, 221 insertions(+), 14 deletions(-) create mode 100644 kustomize/postgresql/base/vault/kustomization.yaml create mode 100644 kustomize/postgresql/base/vault/postgresql-db-admin.yaml create mode 100644 kustomize/postgresql/base/vault/postgresql-db-audit.yaml create mode 100644 kustomize/postgresql/base/vault/postgresql-db-exporter.yaml create mode 100644 kustomize/postgresql/base/vault/postgresql-identity-admin.yaml create mode 100644 kustomize/postgresql/base/vault/vaultauth.yaml create mode 100644 kustomize/postgresql/base/vault/vaultconnection.yaml diff --git a/docs/infrastructure-postgresql.md b/docs/infrastructure-postgresql.md index 23536cf9..8804764c 100644 --- a/docs/infrastructure-postgresql.md +++ b/docs/infrastructure-postgresql.md 
@@ -1,23 +1,94 @@ # Deploy PostgreSQL -## Create Secrets +## Pre-requsites + +- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/) +- User has access to `osh/postgresql/` path in the Vault + +## Create secrets in the vault: + +### Login to the vault: + +``` shell +kubectl exec -it vault-0 -n vault -- \ + vault login -method userpass username=postgresql +``` + +### List the existing secrets from `osh/postgresql/`: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/postgresql +``` + +### Create the secrets + +- Postgresql-identity-admin: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-identity-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-admin: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-exporter: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-exporter password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +- Postgresql-db-audit: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv put -mount=osh/postgresql postgresql-db-audit password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) +``` + +### Validate the secrets + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv list osh/postgresql +kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ + vault kv get -mount=osh/postgresql postgresql-identity-admin +``` + +## Install PostgreSQL + +- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate: + +``` shell +kubectl get 
secret vault-ca-secret -o yaml -n openstack +``` + +- If it is absent, create one using the following command: + +``` shell +kubectl create secret generic vault-ca-secret \ + --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \ + -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack +``` + +- Deploy the necessary Vault resources to create Kubernetes secrets required by the postgresql installation: + +``` shell +kubectl apply -k /opt/genestack/kustomize/postgresql/base/vault +``` + +- Validate whether the required Kubernetes secrets from Vault are populated: ``` shell -kubectl --namespace openstack create secret generic postgresql-identity-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-admin \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-exporter \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" -kubectl --namespace openstack create secret generic postgresql-db-audit \ - --type Opaque \ - --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" +kubectl get secrets -n openstack ``` -## Run the package deployment +### Deploy PostgreSQL !!! tip diff --git a/kustomize/postgresql/base/vault/kustomization.yaml b/kustomize/postgresql/base/vault/kustomization.yaml new file mode 100644 index 00000000..f2e6fc7a --- /dev/null +++ b/kustomize/postgresql/base/vault/kustomization.yaml @@ -0,0 +1,8 @@ +namespace: openstack +resources: + - vaultauth.yaml + - vaultconnection.yaml + - postgresql-db-audit.yaml + - postgresql-identity-admin.yaml + - postgresql-db-admin.yaml + - postgresql-db-exporter.yaml 
diff --git a/kustomize/postgresql/base/vault/postgresql-db-admin.yaml b/kustomize/postgresql/base/vault/postgresql-db-admin.yaml new file mode 100644 index 00000000..69c396ee --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-db-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-db-admin + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-db-admin + +# dest k8s secret + destination: + name: postgresql-db-admin + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/postgresql-db-audit.yaml b/kustomize/postgresql/base/vault/postgresql-db-audit.yaml new file mode 100644 index 00000000..3263f25e --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-db-audit.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-db-audit + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-db-audit + +# dest k8s secret + destination: + name: postgresql-db-audit + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/postgresql-db-exporter.yaml b/kustomize/postgresql/base/vault/postgresql-db-exporter.yaml new file mode 100644 index 00000000..7b844cbd --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-db-exporter.yaml 
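Review bot: The comment lines in this file (`# mount path`, `# path of the secret`, `# dest k8s secret`, `# static secret refresh interval`, `# Name of the CRD to authenticate to Vault`) sit at column 0 between keys that are indented under `spec:`, unlike the Gnocchi and Ceilometer copies where each comment is indented with the key it describes. YAML accepts it, but it reads as if the `spec` block had ended, and a later edit that turns a comment back into a key would land at the wrong level. The same layout is in `postgresql-db-audit.yaml`, `postgresql-db-exporter.yaml` and `postgresql-identity-admin.yaml`; indent the comments two spaces to match `mount:` and the sibling files.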
@@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-db-exporter + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-db-exporter + +# dest k8s secret + destination: + name: postgresql-db-exporter + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/postgresql-identity-admin.yaml b/kustomize/postgresql/base/vault/postgresql-identity-admin.yaml new file mode 100644 index 00000000..3d482233 --- /dev/null +++ b/kustomize/postgresql/base/vault/postgresql-identity-admin.yaml @@ -0,0 +1,24 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgresql-identity-admin + namespace: openstack +spec: + type: kv-v2 + +# mount path + mount: 'osh/postgresql' + +# path of the secret + path: postgresql-identity-admin + +# dest k8s secret + destination: + name: postgresql-identity-admin + create: true + +# static secret refresh interval + refreshAfter: 30s + +# Name of the CRD to authenticate to Vault + vaultAuthRef: vault-auth diff --git a/kustomize/postgresql/base/vault/vaultauth.yaml b/kustomize/postgresql/base/vault/vaultauth.yaml new file mode 100644 index 00000000..a4f6a50a --- /dev/null +++ b/kustomize/postgresql/base/vault/vaultauth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault-auth + namespace: openstack +spec: + method: kubernetes + mount: genestack + kubernetes: + role: osh + serviceAccount: default + audiences: + - vault + vaultConnectionRef: vault-connection diff --git a/kustomize/postgresql/base/vault/vaultconnection.yaml b/kustomize/postgresql/base/vault/vaultconnection.yaml new file mode 100644 index 00000000..61e878fd --- /dev/null +++ b/kustomize/postgresql/base/vault/vaultconnection.yaml 
@@ -0,0 +1,18 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultConnection +metadata: + namespace: openstack + name: vault-connection +spec: + # required configuration + # address to the Vault server. + address: https://vault.vault.svc.cluster.local:8200 + # optional configuration + # HTTP headers to be included in all Vault requests. + # headers: [] + # TLS server name to use as the SNI host for TLS connections. + # tlsServerName: "" + # skip TLS verification for TLS connections to Vault. + skipTLSVerify: false + # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret + caCertSecretRef: "vault-ca-secret" From bd1139ca7c8daea3ec9b00d9abdea6e05efc8f76 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Thu, 28 Mar 2024 19:07:05 +0000 Subject: [PATCH 18/20] Fix mariadb vaultstaticsecret name --- kustomize/mariadb-cluster/base/vault/mariadb.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kustomize/mariadb-cluster/base/vault/mariadb.yaml b/kustomize/mariadb-cluster/base/vault/mariadb.yaml index d01e778a..e26bb546 100644 --- a/kustomize/mariadb-cluster/base/vault/mariadb.yaml +++ b/kustomize/mariadb-cluster/base/vault/mariadb.yaml @@ -1,7 +1,7 @@ apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultStaticSecret metadata: - name: mariadb-root-password + name: mariadb namespace: openstack spec: type: kv-v2 From 35b025f98d2f06f4b1f83d62f3a8f99822a03726 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Fri, 29 Mar 2024 12:41:58 +0000 Subject: [PATCH 19/20] Add example to create local user in vault This commit will provide an example to create local user and the policy to provide access vault secret path --- docs/vault.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/docs/vault.md b/docs/vault.md index dc911161..42aff7dd 100644 --- a/docs/vault.md +++ b/docs/vault.md 
@@ -187,4 +187,72 @@ vault kv put -mount=osh/keystone keystone-credential-keys password=$(< /dev/ura --- +## Example to create local users in Vault and provide access to the secret path + +- Login with root token and enable userpass authentication method: + +``` shell +kubectl exec --stdin=true --tty=true vault-0 -n vault -- sh +vault login +vault auth enable userpass +``` + +- Create keystone user and the required policy: + +``` +vault policy write keystone - < Date: Tue, 2 Apr 2024 13:54:21 +0100 Subject: [PATCH 20/20] Update skyline-apiserver-secrets secret --- docs/openstack-skyline.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md index 856ce1cb..c05fd929 100644 --- a/docs/openstack-skyline.md +++ b/docs/openstack-skyline.md @@ -44,8 +44,13 @@ kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ db-username=skyline \ db-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ secret-key=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;) \ - keystone-endpoint=http://keystone-api.openstack.svc.cluster.local:5000 \ - default-region=RegionOne + keystone-endpoint="$(kubectl --namespace openstack get secret keystone-keystone-admin -o jsonpath='{.data.OS_AUTH_URL}' | base64 -d)" \ + keystone-username=skyline \ + default-region=RegionOne \ + prometheus_basic_auth_password="" \ + prometheus_basic_auth_user="" \ + prometheus_enable_basic_auth=false \ + prometheus_endpoint=http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090 ``` ### Validate the secrets
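Review bot: `keystone-endpoint` is now filled from `kubectl --namespace openstack get secret keystone-keystone-admin -o jsonpath='{.data.OS_AUTH_URL}' | base64 -d`, which runs on the operator's host before the `kubectl exec`; if Keystone has not been deployed yet that command prints an error to stderr but the substitution still expands to an empty string and `vault kv put` succeeds with `keystone-endpoint=` blank, so the docs should state that Keystone must be deployed first and that the stored value is to be checked in the validation step below. The Prometheus keys store `prometheus_basic_auth_user=""`, `prometheus_basic_auth_password=""` and `prometheus_enable_basic_auth=false`, meaning Skyline reaches `http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090` unauthenticated over plain HTTP; a comment above those keys saying they must be given real values wherever Prometheus is protected by basic auth would keep the example from being copied as-is. The key naming also mixes hyphens (`keystone-endpoint`, `default-region`) with underscores (`prometheus_*`) in one secret; if those are the literal configuration keys Skyline reads, a comment saying so would stop someone "normalising" them. The shell block this hunk edits begins before line 44, outside the hunk.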