diff --git a/components/01-secrets/README.md b/components/01-secrets/README.md deleted file mode 100644 index 505c8ad58..000000000 --- a/components/01-secrets/README.md +++ /dev/null 
@@ -1,234 +0,0 @@ -# Generate Secrets - -Secrets will be encrypted to your specific cluster and not re-usable so we'll do some setup for that. - -The unencrypted (just base64 encoded) secrets will be in `secret-$NAME.yaml` files while the -encrypted secrets, that can be committed to a public git repo, will be in `encrypted-$NAME.yaml` - -There's a helper script in this repo in `scripts/pwgen.sh` which creates a random 32 character password -that will be used. You can create these with any other source as well. If you have them stored in -another location then you can delete everything here. Otherwise, once they're encrypted you cannot -decrypt them (but if you have access to the k8s cluster you can grab them there). - -You **MUST** run these commands from the top-level of the repo. - -## MariaDB - -Let's generate the MariaDB root creds. - -```bash -kubectl --namespace openstack \ - create secret generic mariadb \ - --dry-run \ - -o yaml \ - --type Opaque \ - --from-literal=root-password="$(./scripts/pwgen.sh)" \ - > secret-mariadb.yaml -``` - -And encrypt it. 
- -```bash -kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -f secret-mariadb.yaml \ - -w components/01-secrets/encrypted-mariadb.yaml -``` - -## Nautobot - -Now generate the Nautobot env secrets and the Redis (TODO: operator) - -```bash -kubectl --namespace nautobot \ - create secret generic nautobot-env \ - --dry-run \ - -o yaml \ - --type Opaque \ - --from-literal=NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" \ - --from-literal=NAUTOBOT_SUPERUSER_API_TOKEN="$(./scripts/pwgen.sh)" \ - --from-literal=NAUTOBOT_SUPERUSER_PASSWORD="$(./scripts/pwgen.sh)" \ - > secret-nautobot-env.yaml - -kubectl --namespace nautobot \ - create secret generic nautobot-redis \ - --dry-run \ - -o yaml \ - --type Opaque \ - --from-literal=redis-password="$(./scripts/pwgen.sh)" \ - > secret-nautobot-redis.yaml -``` - -```bash -# This secret needs to be synchronized in both namespaces -NAUTOBOT_SSO_SECRET=$(./scripts/pwgen.sh) -for ns in nautobot dex; do - kubectl --namespace $ns \ - create secret generic nautobot-sso \ - --dry-run=client \ - -o yaml \ - --type Opaque \ - --from-literal=client-secret="$NAUTOBOT_SSO_SECRET" \ - > secret-nautobot-sso-$ns.yaml -done -unset NAUTOBOT_SSO_SECRET -``` - -Let's encrypt them. - -```bash -kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -f secret-nautobot-env.yaml \ - -w components/01-secrets/encrypted-nautobot-env.yaml - -kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -f secret-nautobot-redis.yaml \ - -w components/01-secrets/encrypted-nautobot-redis.yaml - -for ns in nautobot dex; do - kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -f secret-nautobot-sso-$ns.yaml \ - -w components/01-secrets/encrypted-nautobot-sso-$ns.yaml -done -``` - -## Keystone - -Generate the necessary secrets for OpenStack Keystone. 
- -```bash -kubectl --namespace openstack \ - create secret generic keystone-rabbitmq-password \ - --type Opaque \ - --from-literal=username="keystone" \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml > secret-keystone-rabbitmq-password.yaml -kubectl --namespace openstack \ - create secret generic keystone-db-password \ - --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml > secret-keystone-db-password.yaml -kubectl --namespace openstack \ - create secret generic keystone-admin \ - --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run -o yaml > secret-keystone-admin.yaml -``` - -Now let's seal them. - -```bash -for skrt in $(find . -name "secret-keystone*.yaml" -depth 1); do - encskrt=$(echo "${skrt}" | sed -e 's/secret-/components\/01-secrets\/encrypted-/') - kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -f "${skrt}" \ - -w "${encskrt}" -done -``` - -## Ironic - -Generate the necessary secrets for OpenStack Ironic. - -```bash -kubectl --namespace openstack \ - create secret generic ironic-rabbitmq-password \ - --type Opaque \ - --from-literal=username="ironic" \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run=client -o yaml > secret-ironic-rabbitmq-password.yaml -kubectl --namespace openstack \ - create secret generic ironic-db-password \ - --type Opaque \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run=client -o yaml > secret-ironic-db-password.yaml -kubectl --namespace openstack \ - create secret generic ironic-keystone-password \ - --type Opaque \ - --from-literal=username="ironic" \ - --from-literal=password="$($(git rev-parse --show-toplevel)/scripts/pwgen.sh)" \ - --dry-run=client -o yaml > secret-ironic-keystone-password.yaml -``` - -Now let's seal them. 
- -```bash -for skrt in $(find . -maxdepth 1-name "secret-ironic*.yaml"); do - encskrt=$(echo "${skrt}" | sed -e 's/secret-/components\/01-secrets\/encrypted-/') - kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -f "${skrt}" \ - -w "${encskrt}" -done - -``` -## Azure SSO authentication - -Setting up Understack for Azure backed authentication involves two steps: -1. Creating a Kubernetes secret that contains credentials to talk to AAD. -2. Updating Dexidp `Application` to use Azure settings/values - -Detailed steps are: - -First, you need to obtain necessary credentials from [PasswordSafe](https://passwordsafe.corp.rackspace.com/projects/37639/credentials/329301/). Replace the ``, `` and `` in the following command. - -PasswordSafe mappings: -- `` is stored as `Username` -- `` is stored in `Password` field -- `` needs to be constructed. The value should be -`https://login.microsoftonline.com//v2.0`, where `` is stored in -PasswordSafe under `Hostname` field. Pay particular attention to `/v2.0` at the -end of URL and don't add trailing slash. Example value would be: -`https://login.microsoftonline.com/1234abcd-1234-0000-beef-12345678900a/v2.0` - -```bash -kubectl --namespace dex \ - create secret generic azure-sso --dry-run=client \ - --from-literal=client-id= \ - --from-literal=client-secret= \ - --from-literal=issuer= \ - -o yaml > secret-azure-sso.yaml - -kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -f secret-azure-sso.yaml \ - -w components/01-secrets/encrypted-azure-sso.yaml -``` - -The second part of the setup involves switching Dex to use the Azure backend. -This can be done by executing: - -```shell -argocd app set argocd/dexidp --values '$values/components/dexidp/values-azure.yaml' -``` - - -## Generate Kustomize for the Install - -Now generate the kustomize for this. - -```bash -cd components/01-secrets -kustomize create --autodetect -cd ../.. -``` - -At this point you can return to the main README. 
diff --git a/components/dexidp/README.md b/components/dexidp/README.md index f5877b9f3..2177cd59b 100644 --- a/components/dexidp/README.md +++ b/components/dexidp/README.md @@ -40,10 +40,6 @@ via DNS names and not have to patch your `/etc/hosts` or the DNS resolution in t ## Azure authentication -Dex can optionally be configured to allow authentication through Azure SSO. The -exact steps to configure this are available in -[01-secrets/README.md](../01-secrets/README.md). - [socialauth]: https://python-social-auth.readthedocs.io/en/latest/backends/oidc.html [disco]: https://openid.net/specs/openid-connect-discovery-1_0.html [authzcodegrant]: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1 diff --git a/docs/gitops-install.md b/docs/gitops-install.md index bb7e6c542..d4dbda1c1 100644 --- a/docs/gitops-install.md +++ b/docs/gitops-install.md @@ -1,8 +1,8 @@ -# GitOps based Install +# Dev Environment GitOps based Install This guide is not meant to be a definitive guide to [GitOps][gitops] and how it can be used with UnderStack or even a best practices example -but instead focused on an example development oriented installation. +but instead focused on an example _development_ oriented installation. It will make a few assumptions and some opinionated choices that may not align with a production best practices installation. Most notable assumptions are: diff --git a/docs/install-understack-ubuntu-k3s.md b/docs/install-understack-ubuntu-k3s.md index 042f903c8..808181dd0 100644 --- a/docs/install-understack-ubuntu-k3s.md +++ b/docs/install-understack-ubuntu-k3s.md @@ -131,9 +131,6 @@ Generate secrets: # make the namespaces where the secrets will live kubectl create ns openstack kubectl create ns nautobot - -# load the secrets -kubectl apply -k components/01-secrets/ ``` ```bash diff --git a/scripts/easy-secrets-gen.sh b/scripts/easy-secrets-gen.sh deleted file mode 100755 index fd84a24b9..000000000 --- a/scripts/easy-secrets-gen.sh +++ /dev/null 
@@ -1,236 +0,0 @@ -#!/bin/bash -e - -cd $(git rev-parse --show-toplevel) - -DEST_DIR=${1:-.} - -if ! type -p kubeseal kubectl > /dev/null; then - echo "You must have kubeseal & kubectl installed to use this script" >&2 - exit 1 -fi - -if ! $(kubectl api-resources | grep -q sealedsecrets); then - echo "Your cluster doesn't appear to have the sealed secrets operator installed." >&2 - exit 1 -fi - -function secret-seal-stdin() { - # this is meant to be piped to - # $1 is output file, -w - kubeseal \ - --scope cluster-wide \ - --allow-empty-data \ - -o yaml \ - -w $1 -} - -[ ! -f "${DEST_DIR}/secret-mariadb.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic mariadb \ - --dry-run=client \ - -o yaml \ - --type Opaque \ - --from-literal=root-password="$(./scripts/pwgen.sh)" \ - --from-literal=password="$(./scripts/pwgen.sh)" \ - | secret-seal-stdin "${DEST_DIR}/secret-mariadb.yaml" - -NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" -if [ ! -f "${DEST_DIR}/secret-nautobot-django.yaml" ]; then - kubectl --namespace nautobot \ - create secret generic nautobot-django \ - --dry-run=client \ - -o yaml \ - --type Opaque \ - --from-literal="NAUTOBOT_SECRET_KEY=${NAUTOBOT_SECRET_KEY}" \ - | secret-seal-stdin "${DEST_DIR}/secret-nautobot-django.yaml" -fi - -[ ! -f "${DEST_DIR}/secret-nautobot-redis.yaml" ] && \ -kubectl --namespace nautobot \ - create secret generic nautobot-redis \ - --dry-run=client \ - -o yaml \ - --type Opaque \ - --from-literal=redis-password="$(./scripts/pwgen.sh)" \ - | secret-seal-stdin "${DEST_DIR}/secret-nautobot-redis.yaml" - -NAUTOBOT_SSO_SECRET=$(./scripts/pwgen.sh) -for ns in nautobot dex; do - [ ! 
-f "${DEST_DIR}/secret-nautobot-sso-$ns.yaml" ] && \ - kubectl --namespace $ns \ - create secret generic nautobot-sso \ - --dry-run=client \ - -o yaml \ - --type Opaque \ - --from-literal=client-secret="$NAUTOBOT_SSO_SECRET" \ - | secret-seal-stdin "${DEST_DIR}/secret-nautobot-sso-$ns.yaml" -done -unset NAUTOBOT_SSO_SECRET - -ARGO_SSO_SECRET=$(./scripts/pwgen.sh) -for ns in argo argo-events dex; do - [ ! -f "${DEST_DIR}/secret-argo-sso-$ns.yaml" ] && \ - kubectl --namespace $ns \ - create secret generic argo-sso \ - --dry-run=client \ - -o yaml \ - --type Opaque \ - --from-literal=client-secret="$ARGO_SSO_SECRET" \ - --from-literal=client-id=argo \ - | secret-seal-stdin "${DEST_DIR}/secret-argo-sso-$ns.yaml" -done -unset ARGO_SSO_SECRET - -ARGOCD_SSO_SECRET=$(./scripts/pwgen.sh) -for ns in argocd dex; do - [ ! -f "${DEST_DIR}/secret-argocd-sso-$ns.yaml" ] && \ - kubectl --namespace $ns \ - create secret generic argocd-sso \ - --dry-run=client \ - -o yaml \ - --type Opaque \ - --from-literal=issuer="https://dex.${DNS_ZONE}" \ - --from-literal=client-secret="$ARGOCD_SSO_SECRET" \ - --from-literal=client-id=argocd \ - | yq '.metadata.labels |= {"app.kubernetes.io/part-of": "argocd"}' \ - | secret-seal-stdin "${DEST_DIR}/secret-argocd-sso-$ns.yaml" -done -unset ARGOCD_SSO_SECRET -mkdir -p "${DEST_DIR}/cluster/" -mv -f "${DEST_DIR}/secret-argocd-sso-argocd.yaml" "${DEST_DIR}/cluster/" - -# create constant OpenStack memcache key to avoid cache invalidation on deploy -export MEMCACHE_SECRET_KEY="$(./scripts/pwgen.sh 64)" -# keystone admin user password -export KEYSTONE_ADMIN_PASSWORD="$(./scripts/pwgen.sh)" -# keystone user password in mariadb for keystone db -export KEYSTONE_DB_PASSWORD="$(./scripts/pwgen.sh)" -# rabbitmq user password for the keystone queues -export KEYSTONE_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" -# ironic keystone service account -export IRONIC_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" -# ironic user password in mariadb for ironic db -export 
IRONIC_DB_PASSWORD="$(./scripts/pwgen.sh)" -# rabbitmq user password for the ironic queues -export IRONIC_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" -# neutron keystone service account -export NEUTRON_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" -# neutron user password in mariadb for neutron db -export NEUTRON_DB_PASSWORD="$(./scripts/pwgen.sh)" -# rabbitmq user password for the neutron queues -export NEUTRON_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" -# nova keystone service account -export NOVA_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" -# nova user password in mariadb for nova db -export NOVA_DB_PASSWORD="$(./scripts/pwgen.sh)" -# rabbitmq user password for the inovaronic queues -export NOVA_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" - -[ ! -f "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic keystone-rabbitmq-password \ - --type Opaque \ - --from-literal=username="keystone" \ - --from-literal=password="${KEYSTONE_RABBITMQ_PASSWORD}" \ - --dry-run=client -o yaml \ - | secret-seal-stdin "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" - -[ ! -f "${DEST_DIR}/secret-keystone-db-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic keystone-db-password \ - --type Opaque \ - --from-literal=password="${KEYSTONE_DB_PASSWORD}" \ - --dry-run=client -o yaml \ - | secret-seal-stdin "${DEST_DIR}/secret-keystone-db-password.yaml" - -[ ! -f "${DEST_DIR}/secret-keystone-admin.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic keystone-admin \ - --type Opaque \ - --from-literal=password="${KEYSTONE_ADMIN_PASSWORD}" \ - --dry-run=client -o yaml \ - | secret-seal-stdin "${DEST_DIR}/secret-keystone-admin.yaml" - -# ironic credentials -[ ! 
-f "${DEST_DIR}/secret-ironic-rabbitmq-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic ironic-rabbitmq-password \ - --type Opaque \ - --from-literal=username="ironic" \ - --from-literal=password="${IRONIC_RABBITMQ_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-rabbitmq-password.yaml" - -[ ! -f "${DEST_DIR}/secret-ironic-db-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic ironic-db-password \ - --type Opaque \ - --from-literal=password="${IRONIC_DB_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-db-password.yaml" - -[ ! -f "${DEST_DIR}/secret-ironic-keystone-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic ironic-keystone-password \ - --type Opaque \ - --from-literal=username="ironic" \ - --from-literal=password="${IRONIC_KEYSTONE_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-keystone-password.yaml" - -# neutron credentials -[ ! -f "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic neutron-rabbitmq-password \ - --type Opaque \ - --from-literal=username="neutron" \ - --from-literal=password="${NEUTRON_RABBITMQ_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml" - -[ ! -f "${DEST_DIR}/secret-neutron-db-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic neutron-db-password \ - --type Opaque \ - --from-literal=password="${NEUTRON_DB_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-db-password.yaml" - -[ ! 
-f "${DEST_DIR}/secret-neutron-keystone-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic neutron-keystone-password \ - --type Opaque \ - --from-literal=username="neutron" \ - --from-literal=password="${NEUTRON_KEYSTONE_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-keystone-password.yaml" - -# nova credentials -[ ! -f "${DEST_DIR}/secret-nova-rabbitmq-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic nova-rabbitmq-password \ - --type Opaque \ - --from-literal=username="nova" \ - --from-literal=password="${NOVA_RABBITMQ_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-rabbitmq-password.yaml" - -[ ! -f "${DEST_DIR}/secret-nova-db-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic nova-db-password \ - --type Opaque \ - --from-literal=password="${NOVA_DB_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-db-password.yaml" - -[ ! -f "${DEST_DIR}/secret-nova-keystone-password.yaml" ] && \ -kubectl --namespace openstack \ - create secret generic nova-keystone-password \ - --type Opaque \ - --from-literal=username="nova" \ - --from-literal=password="${NOVA_KEYSTONE_PASSWORD}" \ - --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-keystone-password.yaml" - -if [ "x${DO_TMPL_VALUES}" = "xy" ]; then - [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \ - yq '(.. | select(tag == "!!str")) |= envsubst' \ - "./components/openstack-secrets.tpl.yaml" \ - > "${DEST_DIR}/secret-openstack.yaml" -fi - -cd ${DEST_DIR} -rm -f kustomization.yaml -kustomize create --autodetect -cd - diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh index 47958bf08..ac50dc6ee 100755 --- a/scripts/gitops-secrets-gen.sh +++ b/scripts/gitops-secrets-gen.sh 
@@ -90,7 +90,213 @@ export DNS_ZONE export DEPLOY_NAME export DO_TMPL_VALUES=y mkdir -p "${UC_DEPLOY}/secrets/${DEPLOY_NAME}" -"${SCRIPTS_DIR}/easy-secrets-gen.sh" "${UC_DEPLOY}/secrets/${DEPLOY_NAME}" +DEST_DIR="${UC_DEPLOY}/secrets/${DEPLOY_NAME}" + +[ ! -f "${DEST_DIR}/secret-mariadb.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic mariadb \ + --dry-run=client \ + -o yaml \ + --type Opaque \ + --from-literal=root-password="$(./scripts/pwgen.sh)" \ + --from-literal=password="$(./scripts/pwgen.sh)" \ + | secret-seal-stdin "${DEST_DIR}/secret-mariadb.yaml" + +NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" +if [ ! -f "${DEST_DIR}/secret-nautobot-django.yaml" ]; then + kubectl --namespace nautobot \ + create secret generic nautobot-django \ + --dry-run=client \ + -o yaml \ + --type Opaque \ + --from-literal="NAUTOBOT_SECRET_KEY=${NAUTOBOT_SECRET_KEY}" \ + | secret-seal-stdin "${DEST_DIR}/secret-nautobot-django.yaml" +fi + +[ ! -f "${DEST_DIR}/secret-nautobot-redis.yaml" ] && \ +kubectl --namespace nautobot \ + create secret generic nautobot-redis \ + --dry-run=client \ + -o yaml \ + --type Opaque \ + --from-literal=redis-password="$(./scripts/pwgen.sh)" \ + | secret-seal-stdin "${DEST_DIR}/secret-nautobot-redis.yaml" + +NAUTOBOT_SSO_SECRET=$(./scripts/pwgen.sh) +for ns in nautobot dex; do + [ ! -f "${DEST_DIR}/secret-nautobot-sso-$ns.yaml" ] && \ + kubectl --namespace $ns \ + create secret generic nautobot-sso \ + --dry-run=client \ + -o yaml \ + --type Opaque \ + --from-literal=client-secret="$NAUTOBOT_SSO_SECRET" \ + | secret-seal-stdin "${DEST_DIR}/secret-nautobot-sso-$ns.yaml" +done +unset NAUTOBOT_SSO_SECRET + +ARGO_SSO_SECRET=$(./scripts/pwgen.sh) +for ns in argo argo-events dex; do + [ ! 
-f "${DEST_DIR}/secret-argo-sso-$ns.yaml" ] && \ + kubectl --namespace $ns \ + create secret generic argo-sso \ + --dry-run=client \ + -o yaml \ + --type Opaque \ + --from-literal=client-secret="$ARGO_SSO_SECRET" \ + --from-literal=client-id=argo \ + | secret-seal-stdin "${DEST_DIR}/secret-argo-sso-$ns.yaml" +done +unset ARGO_SSO_SECRET + +ARGOCD_SSO_SECRET=$(./scripts/pwgen.sh) +for ns in argocd dex; do + [ ! -f "${DEST_DIR}/secret-argocd-sso-$ns.yaml" ] && \ + kubectl --namespace $ns \ + create secret generic argocd-sso \ + --dry-run=client \ + -o yaml \ + --type Opaque \ + --from-literal=issuer="https://dex.${DNS_ZONE}" \ + --from-literal=client-secret="$ARGOCD_SSO_SECRET" \ + --from-literal=client-id=argocd \ + | yq '.metadata.labels |= {"app.kubernetes.io/part-of": "argocd"}' \ + | secret-seal-stdin "${DEST_DIR}/secret-argocd-sso-$ns.yaml" +done +unset ARGOCD_SSO_SECRET +mkdir -p "${DEST_DIR}/cluster/" +mv -f "${DEST_DIR}/secret-argocd-sso-argocd.yaml" "${DEST_DIR}/cluster/" + +# create constant OpenStack memcache key to avoid cache invalidation on deploy +export MEMCACHE_SECRET_KEY="$(./scripts/pwgen.sh 64)" +# keystone admin user password +export KEYSTONE_ADMIN_PASSWORD="$(./scripts/pwgen.sh)" +# keystone user password in mariadb for keystone db +export KEYSTONE_DB_PASSWORD="$(./scripts/pwgen.sh)" +# rabbitmq user password for the keystone queues +export KEYSTONE_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" +# ironic keystone service account +export IRONIC_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" +# ironic user password in mariadb for ironic db +export IRONIC_DB_PASSWORD="$(./scripts/pwgen.sh)" +# rabbitmq user password for the ironic queues +export IRONIC_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" +# neutron keystone service account +export NEUTRON_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" +# neutron user password in mariadb for neutron db +export NEUTRON_DB_PASSWORD="$(./scripts/pwgen.sh)" +# rabbitmq user password for the neutron queues +export 
NEUTRON_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" +# nova keystone service account +export NOVA_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)" +# nova user password in mariadb for nova db +export NOVA_DB_PASSWORD="$(./scripts/pwgen.sh)" +# rabbitmq user password for the inovaronic queues +export NOVA_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)" + +[ ! -f "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic keystone-rabbitmq-password \ + --type Opaque \ + --from-literal=username="keystone" \ + --from-literal=password="${KEYSTONE_RABBITMQ_PASSWORD}" \ + --dry-run=client -o yaml \ + | secret-seal-stdin "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" + +[ ! -f "${DEST_DIR}/secret-keystone-db-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic keystone-db-password \ + --type Opaque \ + --from-literal=password="${KEYSTONE_DB_PASSWORD}" \ + --dry-run=client -o yaml \ + | secret-seal-stdin "${DEST_DIR}/secret-keystone-db-password.yaml" + +[ ! -f "${DEST_DIR}/secret-keystone-admin.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic keystone-admin \ + --type Opaque \ + --from-literal=password="${KEYSTONE_ADMIN_PASSWORD}" \ + --dry-run=client -o yaml \ + | secret-seal-stdin "${DEST_DIR}/secret-keystone-admin.yaml" + +# ironic credentials +[ ! -f "${DEST_DIR}/secret-ironic-rabbitmq-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic ironic-rabbitmq-password \ + --type Opaque \ + --from-literal=username="ironic" \ + --from-literal=password="${IRONIC_RABBITMQ_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-rabbitmq-password.yaml" + +[ ! 
-f "${DEST_DIR}/secret-ironic-db-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic ironic-db-password \ + --type Opaque \ + --from-literal=password="${IRONIC_DB_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-db-password.yaml" + +[ ! -f "${DEST_DIR}/secret-ironic-keystone-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic ironic-keystone-password \ + --type Opaque \ + --from-literal=username="ironic" \ + --from-literal=password="${IRONIC_KEYSTONE_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-ironic-keystone-password.yaml" + +# neutron credentials +[ ! -f "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic neutron-rabbitmq-password \ + --type Opaque \ + --from-literal=username="neutron" \ + --from-literal=password="${NEUTRON_RABBITMQ_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-rabbitmq-password.yaml" + +[ ! -f "${DEST_DIR}/secret-neutron-db-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic neutron-db-password \ + --type Opaque \ + --from-literal=password="${NEUTRON_DB_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-db-password.yaml" + +[ ! -f "${DEST_DIR}/secret-neutron-keystone-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic neutron-keystone-password \ + --type Opaque \ + --from-literal=username="neutron" \ + --from-literal=password="${NEUTRON_KEYSTONE_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-neutron-keystone-password.yaml" + +# nova credentials +[ ! 
-f "${DEST_DIR}/secret-nova-rabbitmq-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic nova-rabbitmq-password \ + --type Opaque \ + --from-literal=username="nova" \ + --from-literal=password="${NOVA_RABBITMQ_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-rabbitmq-password.yaml" + +[ ! -f "${DEST_DIR}/secret-nova-db-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic nova-db-password \ + --type Opaque \ + --from-literal=password="${NOVA_DB_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-db-password.yaml" + +[ ! -f "${DEST_DIR}/secret-nova-keystone-password.yaml" ] && \ +kubectl --namespace openstack \ + create secret generic nova-keystone-password \ + --type Opaque \ + --from-literal=username="nova" \ + --from-literal=password="${NOVA_KEYSTONE_PASSWORD}" \ + --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-nova-keystone-password.yaml" + +if [ "x${DO_TMPL_VALUES}" = "xy" ]; then + [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \ + yq '(.. | select(tag == "!!str")) |= envsubst' \ + "./components/openstack-secrets.tpl.yaml" \ + > "${DEST_DIR}/secret-openstack.yaml" +fi mkdir -p "${UC_DEPLOY}/secrets/${DEPLOY_NAME}/cluster" echo "Creating ArgoCD ${DEPLOY_NAME} cluster"
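Review bot: The OpenStack credentials exported between `export MEMCACHE_SECRET_KEY="$(./scripts/pwgen.sh 64)"` and `export NOVA_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"` now remain in the environment of every later command in gitops-secrets-gen.sh (the `mkdir`/`echo` context lines and whatever follows), because this code runs in the script's own process rather than in the child easy-secrets-gen.sh that the removed line invoked; they should be dropped once the template is rendered, e.g. `unset MEMCACHE_SECRET_KEY KEYSTONE_ADMIN_PASSWORD KEYSTONE_DB_PASSWORD KEYSTONE_RABBITMQ_PASSWORD IRONIC_KEYSTONE_PASSWORD IRONIC_DB_PASSWORD IRONIC_RABBITMQ_PASSWORD NEUTRON_KEYSTONE_PASSWORD NEUTRON_DB_PASSWORD NEUTRON_RABBITMQ_PASSWORD NOVA_KEYSTONE_PASSWORD NOVA_DB_PASSWORD NOVA_RABBITMQ_PASSWORD` right after the `fi` that closes the `DO_TMPL_VALUES` block, matching what the block already does for the SSO secrets. The inlined code also calls `./scripts/pwgen.sh` relative to the working directory, whereas the line it replaces used `"${SCRIPTS_DIR}"`; unless this script changes into the repo root earlier (not visible here), each `$(./scripts/pwgen.sh)` expands empty and the sealed secrets are written with empty passwords, so `"${SCRIPTS_DIR}/pwgen.sh"` is the safer form. The `argocd` iteration of the `argocd-sso` loop checks for `${DEST_DIR}/secret-argocd-sso-argocd.yaml` but that file is then moved into `${DEST_DIR}/cluster/`, so a re-run regenerates the argocd copy with a fresh `ARGOCD_SSO_SECRET` while the existing `dex` copy is kept, leaving the two namespaces with different client secrets; the existence check for that namespace should look in `cluster/`. Note too that `secret-seal-stdin` was a function defined in the deleted easy-secrets-gen.sh and is not added by this hunk, so it must already be defined earlier in this script for any of these pipelines to produce output. The hunk appears to end at the `echo "Creating ArgoCD …"` context line.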