Use HashiCorp Vault for OSH deployment #151
Conversation
pratik705
force-pushed
the
vault-integration
branch
from
af160a9
to
102684d
Compare
pratik705
force-pushed
the
vault-integration
branch
from
102684d
to
9821211
Compare
|
LGTM @pratik705 will you convert the rest of the services within this PR? |
docs/infrastructure-mariadb.md
Outdated
| @@ -29,6 +19,65 @@ kubectl --namespace mariadb-system get pods -w | |||
|
|
|||
| ## Deploy the MariaDB Cluster | |||
|
|
|||
| ## Pre-requsites: | |||
|
|
|||
| - Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md) | |||
There was a problem hiding this comment.
This link will take us to github .md page ... we can link back to mkdocs /vault/ page ?
docs/openstack-keystone.md
Outdated
|
|
||
| - Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md) |
docs/openstack-keystone.md
Outdated
| - Keystone RabbitMQ Password: | ||
| ``` shell | ||
| kubectl exec --stdin=true --tty=true vault-0 -n vault -- \ | ||
| vault kv put -mount=osh/keystone \keystone-rabbitmq-password \ |
There was a problem hiding this comment.
there is one extra \ here ?
| @@ -6,7 +6,7 @@ metadata: | |||
| spec: | |||
| rootPasswordSecretKeyRef: | |||
| name: mariadb | |||
| key: root-password | |||
There was a problem hiding this comment.
Changing this key will break all the service deploy? Example: glance, neutron, etc will do something like:
--set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
which will look for mariadb secret with root-password. Will this work ?
There was a problem hiding this comment.
as per my understanding, if we update the password in the vault then its required to update helm charts to populate the correct password in the openstack services. I haven't validated it though.
There was a problem hiding this comment.
For infra services I don't think we can change the password references; most of them are not goverened by helm.
|
I am facing some issue with my lab. I will work on other osp services once the lab is up |
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the MariaDB and Keystone deployment
pratik705
force-pushed
the
vault-integration
branch
from
9821211
to
87e18cc
Compare
pratik705
force-pushed
the
vault-integration
branch
from
0974c59
to
9dd7234
Compare
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Glance deployment.
pratik705
force-pushed
the
vault-integration
branch
from
9dd7234
to
5a4b807
Compare
pratik705
changed the title
pratik705
changed the title
pratik705
force-pushed
the
vault-integration
branch
from
e0f54e2
to
f17de43
Compare
pratik705
force-pushed
the
vault-integration
branch
from
a35340e
to
48f89a6
Compare
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Heat deployment.
pratik705
force-pushed
the
vault-integration
branch
from
e43f210
to
d5e932e
Compare
pratik705
force-pushed
the
vault-integration
branch
from
7f337dd
to
fe8a2df
Compare
pratik705
force-pushed
the
vault-integration
branch
from
fe8a2df
to
7b19a18
Compare
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Cinder deployment.
pratik705
force-pushed
the
vault-integration
branch
4 times, most recently
from
42760cd
to
1dfa1ff
Compare
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Compute Kit deployment.
pratik705
force-pushed
the
vault-integration
branch
from
1dfa1ff
to
39e129d
Compare
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Horizon deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Skyline deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Octavia deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Gnocchi deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Ceilometer deployment.
This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the PostgreSQL deployment.
|
@cloudnull @sulochan All the OSH services[1] have been updated with Vault integration. Please let me know if anything is pending. [1] |
|
In the lab I created local users in the vault for testing. We can either go with local users or use ldap to integrate with vault. I have added an example to create local user with policy providing access to the secret path. |
This commit will provide an example to create local user and the policy to provide access vault secret path
pratik705
force-pushed
the
vault-integration
branch
from
93bd384
to
35b025f
Compare
|
I am confused as to why we are doing this at all. I understand that we need vault for barbican, but why are we adding it into the infrastructure? Kubernetes already encrypts the secrets. So there is no need to vault in the infrastructure. All it really does in add a moving part and increase the chances of failure. While also making it harder for support to troubleshoot and fix. If you want to make kubernetes more secure. All you need to do is remove the /etc/kubernetes/admin.conf file and the ~/.kube/config file. Place it in password safe and if you want to access kubernetes. You will have to check it out. my 2 cents. |
cloudnull
changed the title
|
@pratik705 @sulochan - given the state of the Hashicorp licensing drama that is currently unfolding, I think we should revisit this change with OpenBao; a fork of the last open-source licensed release of vault. |
|
I have created a script to generate and push the secrets required by OpenStack services to Vault, which will eliminate the manual steps needed to interact with Vault to create the required secrets. However, due to licensing issues with Vault, I am holding the work until we get some clarity on OpenBao, as it appears its in the development stage. |
This commit will replace Kubernetes secrete creation step and consume the secrets from HashiCorp Vault using vault-secretes-operator for the OSH deployment.