Use HashiCorp Vault for MariaDB and Keystone deployment

This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the MariaDB and Keystone deployment
rackerlabs · Mar 20, 2024 · 87e18cc · 87e18cc
1 parent 0d8157e
commit 87e18cc
Show file tree

Hide file tree

Showing 13 changed files with 301 additions and 30 deletions.
diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md
@@ -1,15 +1,5 @@
 # Deploy the MariaDB Operator and a Galera Cluster
 
-## Create secret
-
-``` shell
-kubectl --namespace openstack \
-        create secret generic mariadb \
-        --type Opaque \
-        --from-literal=root-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-```
-
 ## Deploy the mariadb operator
 
 If you've changed your k8s cluster name from the default cluster.local, edit `clusterName` in `/opt/genestack/kustomize/mariadb-operator/kustomization.yaml` prior to deploying the mariadb operator.
@@ -29,6 +19,65 @@ kubectl --namespace mariadb-system get pods -w
 
 ## Deploy the MariaDB Cluster
 
+## Pre-requsites:
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/mariadb/` path in the Vault
+
+## Create secrets in the vault:
+
+### Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=mariadb
+```
+
+### List the existing secrets from `osh/mariadb/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/mariadb
+```
+
+### Create the secrets:
+
+- Mariadb root-password:
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+### Validate the secrets:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/mariadb
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/mariadb mariadb-root-password
+```
+
+## Install mariadb cluster:
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+```shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation:
+``` shell
+kubectl apply -k /opt/genestack/kustomize/mariadb-cluster/base/vault
+```
+
+### Deploy mariadb-cluster
+
 ``` shell
 kubectl --namespace openstack apply -k /opt/genestack/kustomize/mariadb-cluster/base
 ```

diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md
@@ -2,29 +2,79 @@
 
 [![asciicast](https://asciinema.org/a/629802.svg)](https://asciinema.org/a/629802)
 
-## Create secrets.
+## Pre-requsites:
 
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/keystone/` path in the Vault
+
+## Create secrets in the vault:
+
+### Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=keystone
+```
+
+### List the existing secrets from `osh/keystone/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/keystone
+```
+
+### Create the secrets:
+
+- Keystone RabbitMQ Password:
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/keystone keystone-rabbitmq-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+- Keystone Database Password:
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/keystone keystone-db-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Keystone Admin Password:
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/keystone keystone-admin  \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+### Validate the secrets:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/keystone
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/keystone  keystone-admin
+```
+
+## Install Keystone
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+``` shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the Keystone installation:
 ``` shell
-kubectl --namespace openstack \
-        create secret generic keystone-rabbitmq-password \
-        --type Opaque \
-        --from-literal=username="keystone" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
-kubectl --namespace openstack \
-        create secret generic keystone-db-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic keystone-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic keystone-credential-keys \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/
 ```
 
-## Run the package deployment
+### Deploy Keystone helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm

diff --git a/kustomize/keystone/base/vault/keystone-admin.yaml b/kustomize/keystone/base/vault/keystone-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: keystone-admin
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/keystone'
+
+  # path of the secret
+  path: keystone-admin
+
+  # dest k8s secret
+  destination:
+    name: keystone-admin
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/keystone/base/vault/keystone-db-password.yaml b/kustomize/keystone/base/vault/keystone-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: keystone-db-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/keystone'
+
+  # path of the secret
+  path: keystone-db-password
+
+  # dest k8s secret
+  destination:
+    name: keystone-db-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml b/kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: keystone-rabbitmq-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/keystone'
+
+  # path of the secret
+  path: keystone-rabbitmq-password
+
+  # dest k8s secret
+  destination:
+    name: keystone-rabbitmq-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/keystone/base/vault/kustomization.yaml b/kustomize/keystone/base/vault/kustomization.yaml
@@ -0,0 +1,7 @@
+namespace: openstack
+resources:
+  - vaultauth.yaml
+  - vaultconnection.yaml
+  - keystone-admin.yaml
+  - keystone-db-password.yaml
+  - keystone-rabbitmq-password.yaml
diff --git a/kustomize/keystone/base/vault/vaultauth.yaml b/kustomize/keystone/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: openstack
+spec:
+  method: kubernetes
+  mount: genestack
+  kubernetes:
+    role: osh
+    serviceAccount: default
+    audiences:
+      - vault
+  vaultConnectionRef: vault-connection
diff --git a/kustomize/keystone/base/vault/vaultconnection.yaml b/kustomize/keystone/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+  namespace: openstack
+  name: vault-connection
+spec:
+  # required configuration
+  # address to the Vault server.
+  address: https://vault.vault.svc.cluster.local:8200
+  # optional configuration
+  # HTTP headers to be included in all Vault requests.
+  # headers: []
+  # TLS server name to use as the SNI host for TLS connections.
+  # tlsServerName: ""
+  # skip TLS verification for TLS connections to Vault.
+  skipTLSVerify: false
+  # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+  caCertSecretRef: "vault-ca-secret"
diff --git a/kustomize/mariadb-cluster/base/mariadb-galera.yaml b/kustomize/mariadb-cluster/base/mariadb-galera.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   rootPasswordSecretKeyRef:
     name: mariadb
-    key: root-password
+    key: mariadb-root-password
   username: mariadb
   database: mariadb
 

diff --git a/kustomize/mariadb-cluster/base/vault/kustomization.yaml b/kustomize/mariadb-cluster/base/vault/kustomization.yaml
@@ -0,0 +1,5 @@
+namespace: openstack
+resources:
+  - vaultauth.yaml
+  - vaultconnection.yaml
+  - mariadb-root-password.yaml
diff --git a/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml b/kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: mariadb-root-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+# mount path
+  mount: 'osh/mariadb'
+
+# path of the secret
+  path: mariadb-root-password
+
+# dest k8s secret
+  destination:
+     name: mariadb-root-password
+     create: true
+
+# static secret refresh interval
+  refreshAfter: 30s
+
+# Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/mariadb-cluster/base/vault/vaultauth.yaml b/kustomize/mariadb-cluster/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: openstack
+spec:
+  method: kubernetes
+  mount: genestack
+  kubernetes:
+    role: osh
+    serviceAccount: default
+    audiences:
+      - vault
+  vaultConnectionRef: vault-connection
diff --git a/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml b/kustomize/mariadb-cluster/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+  namespace: openstack
+  name: vault-connection
+spec:
+  # required configuration
+  # address to the Vault server.
+  address: https://vault.vault.svc.cluster.local:8200
+  # optional configuration
+  # HTTP headers to be included in all Vault requests.
+  # headers: []
+  # TLS server name to use as the SNI host for TLS connections.
+  # tlsServerName: ""
+  # skip TLS verification for TLS connections to Vault.
+  skipTLSVerify: false
+  # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+  caCertSecretRef: "vault-ca-secret"