Use HashiCorp Vault for Octavia deployment

This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Octavia deployment.

docs/openstack-octavia.md

@@ -2,29 +2,102 @@
 
 [![asciicast](https://asciinema.org/a/629814.svg)](https://asciinema.org/a/629814)
 
-### Create secrets
+## Pre-requsites
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/octavia/` path in the Vault
+
+## Create secrets in the vault
+
+### Login to the vault
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=octavia
+```
+
+### List the existing secrets from `osh/octavia/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/octavia
+```
+
+### Create the secrets
+
+- Octavia RabbitMQ Username and Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put osh/octavia/octavia-rabbitmq-password username=octavia
+
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv patch -mount=osh/octavia octavia-rabbitmq-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+- Octavia Database Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/octavia octavia-db-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Octavia Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/octavia octavia-admin  \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Octavia-certificates Password:
 
 ``` shell
-kubectl --namespace openstack \
-        create secret generic octavia-rabbitmq-password \
-        --type Opaque \
-        --from-literal=username="octavia" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
-kubectl --namespace openstack \
-        create secret generic octavia-db-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic octavia-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic octavia-certificates \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/octavia octavia-certificates  \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
 ```
 
-## Run the package deployment
+### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/octavia
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/octavia  octavia-admin
+```
+
+## Install Octavia
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+
+``` shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the Octavia installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/octavia/base/vault/
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
+
+``` shell
+kubectl get secrets -n openstack
+```
+
+### Deploy Octavia helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm
@@ -52,7 +125,3 @@ helm upgrade --install octavia ./octavia \
     In a production like environment you may need to include production specific files like the example variable file found in `helm-configs/prod-example-openstack-overrides.yaml`.
 
 Now validate functionality
-
-``` shell
-
-```

kustomize/octavia/base/vault/kustomization.yaml

@@ -0,0 +1,8 @@
+namespace: openstack
+resources:
+  - vaultauth.yaml
+  - vaultconnection.yaml
+  - octavia-admin.yaml
+  - octavia-db-password.yaml
+  - octavia-rabbitmq-password.yaml
+  - octavia-certificates.yaml

kustomize/octavia/base/vault/octavia-admin.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: octavia-admin
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/octavia'
+
+  # path of the secret
+  path: octavia-admin
+
+  # dest k8s secret
+  destination:
+    name: octavia-admin
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/octavia/base/vault/octavia-certificates.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: octavia-certificates
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/octavia'
+
+  # path of the secret
+  path: octavia-certificates
+
+  # dest k8s secret
+  destination:
+    name: octavia-certificates
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/octavia/base/vault/octavia-db-password.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: octavia-db-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/octavia'
+
+  # path of the secret
+  path: octavia-db-password
+
+  # dest k8s secret
+  destination:
+    name: octavia-db-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/octavia/base/vault/octavia-rabbitmq-password.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: octavia-rabbitmq-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/octavia'
+
+  # path of the secret
+  path: octavia-rabbitmq-password
+
+  # dest k8s secret
+  destination:
+    name: octavia-rabbitmq-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/octavia/base/vault/vaultauth.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: openstack
+spec:
+  method: kubernetes
+  mount: genestack
+  kubernetes:
+    role: osh
+    serviceAccount: default
+    audiences:
+      - vault
+  vaultConnectionRef: vault-connection

kustomize/octavia/base/vault/vaultconnection.yaml

@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+  namespace: openstack
+  name: vault-connection
+spec:
+  # required configuration
+  # address to the Vault server.
+  address: https://vault.vault.svc.cluster.local:8200
+  # optional configuration
+  # HTTP headers to be included in all Vault requests.
+  # headers: []
+  # TLS server name to use as the SNI host for TLS connections.
+  # tlsServerName: ""
+  # skip TLS verification for TLS connections to Vault.
+  skipTLSVerify: false
+  # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+  caCertSecretRef: "vault-ca-secret"