Add Vault installation chart

.github/workflows/kustomize-vault.yaml

@@ -0,0 +1,37 @@
+name: Kustomize GitHub Actions for vault
+
+on:
+  pull_request:
+    paths:
+      - kustomize/vault/**
+      - .github/workflows/kustomize-vault.yaml
+jobs:
+  kustomize:
+    strategy:
+      matrix:
+        overlays:
+          - base
+    name: Kustomize
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: azure/setup-helm@v3
+        with:
+          version: latest
+          token: "${{ secrets.GITHUB_TOKEN }}"
+        id: helm
+      - name: Kustomize Install
+        working-directory: /usr/local/bin/
+        run: |
+          if [ ! -f /usr/local/bin/kustomize ]; then
+            curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | sudo bash
+          fi
+      - name: Run Kustomize Build
+        run: |
+          kustomize build kustomize/vault/${{ matrix.overlays }} --enable-helm --helm-command ${{ steps.helm.outputs.helm-path }} > /tmp/rendered.yaml
+      - name: Return Kustomize Build
+        uses: actions/upload-artifact@v2
+        with:
+          name: kustomize-vault-artifact-${{ matrix.overlays }}
+          path: /tmp/rendered.yaml

docs/vault.md

@@ -0,0 +1,139 @@
+# HashiCorp Vault Setup for Genestack Installation
+
+HashiCorp Vault is a versatile tool designed for secret management and data protection. It allows you to securely store and control access to various sensitive data, such as tokens, passwords, certificates, and API keys. In this guide, we will use HashiCorp Vault to store Kubernetes Secrets for the Genestack installation.
+
+## Prerequisites
+Before starting the installation, ensure the following prerequisites are met:
+- **Storage:** Kubernetes Cluster should have available storage to create a PVC for data storage, especially when using integrated storage backend and storing audit logs.
+- **Ingress Controller:** An Ingress Controller should be available as Vault's UI will be exposed using Ingress.
+- **Sealed-secret:** If the Vault UI URL will use a domain certificate then, the Kubernetes secret should be deployed in the vault namespace. Make sure the secret manifest is encrypted using sealed-secret for secure storage in a Git repository.
+- **Cert-Manager:** The installation will use end-to-end TLS generated using cert-manager. Hence, cert-manager should be available.
+
+## Installation
+```bash
+cd kustomize/vault/base
+```
+Modify the `values.yaml` file with your desired configurations. Refer to the sample configuration in this directory, already updated for installation.
+
+```bash
+vi values.yaml
+```
+
+- Perform the installation:
+```bash
+kustomize build . --enable-helm | kubectl apply -f -
+```
+
+## Configure Vault
+After installing Vault, the Vault pods will initially be in a not-ready state. Initialization and unsealing are required.
+```
+NAME                                    READY   STATUS    RESTARTS   AGE
+vault-0                                 0/1     Running   0          55s
+vault-1                                 0/1     Running   0          55s
+vault-2                                 0/1     Running   0          55s
+vault-agent-injector-7f9f668fd5-wk7tm   1/1     Running   0          55s
+```
+
+### Initialize Vault
+```bash
+kubectl exec vault-0 -n vault -- vault operator init -key-shares=5 -key-threshold=3 -format=json > cluster-keys.json
+```
+This command provides unseal keys and a root token in cluster-keys.json. Keep this information secure.
+
+### Join Vault Pods to Form a Cluster
+```bash
+kubectl exec -it vault-1 -n vault -- sh
+vault operator raft join -leader-ca-cert=@/vault/userconfig/vault-server-tls/ca.crt https://vault-0.vault-internal:8200
+```
+```bash
+kubectl exec -it vault-2 -n vault -- sh
+vault operator raft join -leader-ca-cert=@/vault/userconfig/vault-server-tls/ca.crt https://vault-0.vault-internal:8200
+```
+
+### Unseal Vault
+On each Vault pod (vault-0, vault-1, vault-2), use any of the 3 unseal keys obtained during initialization:
+```bash
+kubectl exec -it vault-1 -n vault -- sh
+vault operator unseal
+```
+Repeat the unseal command as needed with different unseal keys.
+
+### Authenticate to Vault
+Use the root token obtained during initialization to authenticate:
+```bash
+kubectl exec -it vault-0 -- vault login
+```
+
+## Validation
+Login to vault-0 and list the raft peers:
+```
+kubectl exec vault-0 -n vault -it -- sh
+/ $ vault operator raft list-peers
+Node       Address                        State       Voter
+----       -------                        -----       -----
+vault-0    vault-0.vault-internal:8201    leader      true
+vault-1    vault-1.vault-internal:8201    follower    true
+vault-2    vault-2.vault-internal:8201    follower    true
+```
+---
+
+## Example to create secrets in Vault for Keystone:
+
+- Enable Kubernetes auth method:
+```bash
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault auth enable -path genestack kubernetes
+```
+
+- Define Kubernetes connection:
+```bash
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault write auth/genestack/config  kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
+```
+
+- Define secret path for keystone:
+```bash
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault secrets enable -path=osh/keystone kv-v2
+```
+
+- Create a policy to access `osh/*` path:
+```bash
+vault policy write osh - <<EOF
+path "osh/*" {
+   capabilities = ["read"]
+}
+EOF
+```
+
+- Create a role which will restrict the access as per your requirement:
+```bash
+vault write auth/genestack/role/osh \
+   bound_service_account_names=default \
+   bound_service_account_namespaces=openstack \
+   policies=osh \
+   audience=vault \
+   ttl=24h
+```
+
+- Create secrets for keystone:
+Now, generate and store secrets for Keystone within the designated path.
+  - Keystone RabbitMQ Username:
+    ```bash
+    vault kv put -mount=osh/keystone keystone-rabbitmq-username username=keystone
+    ```
+  - Keystone RabbitMQ Password:
+    ```bash
+    vault kv put -mount=osh/keystone keystone-rabbitmq-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+    ```
+  - Keystone Database Password:
+    ```bash
+    vault kv put -mount=osh/keystone keystone-db-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+    ```
+  - Keystone Admin Password:
+    ```bash
+    vault kv put -mount=osh/keystone keystone-admin  password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+    ```
+  - Keystone Credential Key:
+    ```bash
+    vault kv put -mount=osh/keystone keystone-credential-keys  password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+    ```
+---
+Once the secrets are created in Vault, we can use `vault-secrets-operator` to populate the Kubernetes secret resources in Kubernetes cluster.

kustomize/vault/base/kustomization.yaml

@@ -0,0 +1,14 @@
+resources:
+  - './namespace.yaml'
+  - './ssl/'
+
+namespace: vault
+helmGlobals:
+  chartHome: ../charts/
+helmCharts:
+- name: vault
+  includeCRDs: true
+  valuesFile: values.yaml
+  releaseName: vault
+  version: 0.27.0
+  repo: https://helm.releases.hashicorp.com

kustomize/vault/base/namespace.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: vault
+    name: vault
+  name: vault

kustomize/vault/base/ssl/kustomization.yaml

@@ -0,0 +1,6 @@
+namespace: vault
+resources:
+  - './vault-selfsigned-issuer.yaml'
+  - './vault-selfsigned-ca.yaml'
+  - './vault-ca-issuer.yaml'
+  - './vault-cert.yaml'

kustomize/vault/base/ssl/vault-ca-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: vault-ca-issuer
+spec:
+  ca:
+    secretName: vault-root-secret

kustomize/vault/base/ssl/vault-cert.yaml

@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vault-cert
+spec:
+  isCA: false
+  dnsNames:
+    - "vault.vault.svc"
+    - "vault.vault.svc.cluster.local"
+    - "*.vault-internal"
+    - "*.vault-internal.vault"
+    - "*.vault-internal.vault.svc"
+    - "*.vault-internal.vault.svc.cluster.local"
+  ipAddresses:
+    - 127.0.0.1
+  secretName: vault-tls-secret
+  duration: 8760h0m0s
+  renewBefore: 360h0m0s
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: vault-ca-issuer
+    kind: Issuer
+    group: cert-manager.io

kustomize/vault/base/ssl/vault-selfsigned-ca.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vault-selfsigned-ca
+spec:
+  isCA: true
+  commonName: rackspace.com
+  secretName: vault-root-secret
+  duration: 87600h0m0s
+  renewBefore: 360h0m0s
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: vault-selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io

kustomize/vault/base/ssl/vault-selfsigned-issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: vault-selfsigned-issuer
+spec:
+  selfSigned: {}