Skip to content

Commit

Permalink
Use HashiCorp Vault for Glance deployment
Browse files Browse the repository at this point in the history
This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Glance deployment.
  • Loading branch information
pratik705 committed Mar 23, 2024
1 parent 2ac53fe commit 5a4b807
Show file tree
Hide file tree
Showing 8 changed files with 190 additions and 15 deletions.
89 changes: 74 additions & 15 deletions docs/openstack-glance.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,29 +2,88 @@

[![asciicast](https://asciinema.org/a/629806.svg)](https://asciinema.org/a/629806)

## Create secrets.
## Pre-requsites:

- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
- User has access to `osh/glance/` path in the Vault

## Create secrets in the vault:

### Login to the vault:

``` shell
kubectl --namespace openstack \
create secret generic glance-rabbitmq-password \
--type Opaque \
--from-literal=username="glance" \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
create secret generic glance-db-password \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
create secret generic glance-admin \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl exec -it vault-0 -n vault -- \
vault login -method userpass username=glance
```

### List the existing secrets from `osh/glance/`:

``` shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
vault kv list osh/glance
```

### Create the secrets:

- Glance RabbitMQ Password:
``` shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
vault kv put -mount=osh/glance glance-rabbitmq-password \
password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
```

- Glance Database Password:
```
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
vault kv put -mount=osh/glance glance-db-password \
password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
```

- Glance Admin Password:
```
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
vault kv put -mount=osh/glance glance-admin \
password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
```

### Validate the secrets:

``` shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
vault kv list osh/glance
kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
vault kv get -mount=osh/glance glance-admin
```

!!! info

Before running the Glance deployment you should configure the backend which is defined in the `helm-configs/glance/glance-helm-overrides.yaml` file. The default is a making the assumption we're running with Ceph deployed by Rook so the backend is configured to be cephfs with multi-attach functionality. While this works great, you should consider all of the available storage backends and make the right decision for your environment.

## Run the package deployment
## Install Glance

- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
```shell
kubectl get secret vault-ca-secret -o yaml -n openstack
```

- If it is absent, create one using the following command:
``` shell
kubectl create secret generic vault-ca-secret \
--from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
-o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
```

- Deploy the necessary Vault resources to create Kubernetes secrets required by the Glance installation:
``` shell
kubectl apply -k /opt/genestack/kustomize/glance/base/vault/
```

- Validate whether the required Kubernetes secrets from Vault are populated:
``` shell
kubectl get secrets -n openstack
```

### Deploy Glance helm chart

``` shell
cd /opt/genestack/submodules/openstack-helm
Expand Down
5 changes: 5 additions & 0 deletions docs/openstack-keystone.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,11 @@ kubectl create secret generic vault-ca-secret \
kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/
```

- Validate whether the required Kubernetes secrets from Vault are populated:
``` shell
kubectl get secrets -n openstack
```

### Deploy Keystone helm chart

``` shell
Expand Down
24 changes: 24 additions & 0 deletions kustomize/glance/base/vault/glance-admin.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: glance-admin
namespace: openstack
spec:
type: kv-v2

# mount path
mount: 'osh/glace'

# path of the secret
path: glance-admin

# dest k8s secret
destination:
name: glance-admin
create: true

# static secret refresh interval
refreshAfter: 30s

# Name of the CRD to authenticate to Vault
vaultAuthRef: vault-auth
24 changes: 24 additions & 0 deletions kustomize/glance/base/vault/glance-db-password.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: glance-db-password
namespace: openstack
spec:
type: kv-v2

# mount path
mount: 'osh/glance'

# path of the secret
path: glance-db-password

# dest k8s secret
destination:
name: glance-db-password
create: true

# static secret refresh interval
refreshAfter: 30s

# Name of the CRD to authenticate to Vault
vaultAuthRef: vault-auth
24 changes: 24 additions & 0 deletions kustomize/glance/base/vault/glance-rabbitmq-password.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: glance-rabbitmq-password
namespace: openstack
spec:
type: kv-v2

# mount path
mount: 'osh/glance'

# path of the secret
path: glance-rabbitmq-password

# dest k8s secret
destination:
name: glance-rabbitmq-password
create: true

# static secret refresh interval
refreshAfter: 30s

# Name of the CRD to authenticate to Vault
vaultAuthRef: vault-auth
7 changes: 7 additions & 0 deletions kustomize/glance/base/vault/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
namespace: openstack
resources:
- vaultauth.yaml
- vaultconnection.yaml
- glance-admin.yaml
- glance-db-password.yaml
- glance-rabbitmq-password.yaml
14 changes: 14 additions & 0 deletions kustomize/glance/base/vault/vaultauth.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault-auth
namespace: openstack
spec:
method: kubernetes
mount: genestack
kubernetes:
role: osh
serviceAccount: default
audiences:
- vault
vaultConnectionRef: vault-connection
18 changes: 18 additions & 0 deletions kustomize/glance/base/vault/vaultconnection.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
namespace: openstack
name: vault-connection
spec:
# required configuration
# address to the Vault server.
address: https://vault.vault.svc.cluster.local:8200
# optional configuration
# HTTP headers to be included in all Vault requests.
# headers: []
# TLS server name to use as the SNI host for TLS connections.
# tlsServerName: ""
# skip TLS verification for TLS connections to Vault.
skipTLSVerify: false
# the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
caCertSecretRef: "vault-ca-secret"

0 comments on commit 5a4b807

Please sign in to comment.