rackerlabs · pratik705 · Mar 13, 2024 · Mar 22, 2024 · Mar 23, 2024 · Mar 24, 2024
diff --git a/docs/infrastructure-mariadb.md b/docs/infrastructure-mariadb.md
@@ -1,22 +1,5 @@
 # Deploy the MariaDB Operator and a Galera Cluster
 
-## Create secret
-
-``` shell
-# MariaDB
-kubectl --namespace openstack \
-        create secret generic mariadb \
-        --type Opaque \
-        --from-literal=root-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-
-# MaxScale
-kubectl --namespace openstack \
-        create secret generic maxscale \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-```
-
 ## Deploy the mariadb operator
 
 ``` shell
@@ -37,6 +20,82 @@ kubectl --namespace mariadb-system get pods -w
 
 ## Deploy the MariaDB Cluster
 
+## Pre-requsites
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/mariadb/` path in the Vault
+
+## Create secrets in the vault:
+
+### Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=mariadb
+```
+
+### List the existing secrets from `osh/mariadb/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/mariadb
+```
+
+### Create the secrets
+
+- Mariadb root-password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/mariadb mariadb root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- MaxScale password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/mariadb maxscale password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/mariadb
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/mariadb mariadb
+```
+
+## Install mariadb cluster
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+
+``` shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+
+``` shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/mariadb-cluster/base/vault
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
+
+``` shell
+kubectl get secrets -n openstack
+```
+
+### Deploy mariadb-cluster
+
 ``` shell
 kubectl --namespace openstack apply -k /opt/genestack/kustomize/mariadb-cluster/base
 ```

diff --git a/docs/infrastructure-postgresql.md b/docs/infrastructure-postgresql.md
@@ -1,23 +1,94 @@
 # Deploy PostgreSQL
 
-## Create Secrets
+## Pre-requsites
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/postgresql/` path in the Vault
+
+## Create secrets in the vault:
+
+### Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=postgresql
+```
+
+### List the existing secrets from `osh/postgresql/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/postgresql
+```
+
+### Create the secrets
+
+- Postgresql-identity-admin:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/postgresql postgresql-identity-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Postgresql-db-admin:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/postgresql postgresql-db-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Postgresql-db-exporter:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/postgresql postgresql-db-exporter password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Postgresql-db-audit:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/postgresql postgresql-db-audit password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/postgresql
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/postgresql postgresql-identity-admin
+```
+
+## Install PostgreSQL
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+
+``` shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+
+``` shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the postgresql installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/postgresql/base/vault
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
 
 ``` shell
-kubectl --namespace openstack create secret generic postgresql-identity-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack create secret generic postgresql-db-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack create secret generic postgresql-db-exporter \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack create secret generic postgresql-db-audit \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl get secrets -n openstack
 ```
 
-## Run the package deployment
+### Deploy PostgreSQL
 
 !!! tip
 

diff --git a/docs/openstack-ceilometer.md b/docs/openstack-ceilometer.md
@@ -1,20 +1,89 @@
 # Deploy Ceilometer
 
-## Create Secrets
+## Pre-requsites
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/ceilometer/` path in the Vault
+
+## Create secrets in the vault
+
+### Login to the vault
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=ceilometer
+```
+
+### List the existing secrets from `osh/ceilometer/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/ceilometer
+```
+
+### Create the secrets
+
+- Ceilometer-keystone-admin-password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put osh/ceilometer/ceilometer-keystone-admin-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Ceilometer-keystone-test-password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/ceilometer ceilometer-keystone-test-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Ceilometer-rabbitmq-password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/ceilometer ceilometer-rabbitmq-password  \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/ceilometer
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/ceilometer  ceilometer-keystone-admin-password
+```
+
+## Install Ceilometer
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+
+``` shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the Ceilometer installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/ceilometer/base/vault/
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
 
 ``` shell
-kubectl --namespace openstack create secret generic ceilometer-keystone-admin-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack create secret generic ceilometer-keystone-test-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack create secret generic ceilometer-rabbitmq-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl get secrets -n openstack
 ```
 
-## Run the package deployment
+### Deploy Ceilometer helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm