Use HashiCorp Vault for Glance deployment

This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Glance deployment.
rackerlabs · Mar 23, 2024 · 0974c59 · 0974c59
1 parent 2ac53fe
commit 0974c59
Show file tree

Hide file tree

Showing 8 changed files with 190 additions and 15 deletions.
diff --git a/docs/openstack-glance.md b/docs/openstack-glance.md
@@ -2,29 +2,88 @@
 
 [![asciicast](https://asciinema.org/a/629806.svg)](https://asciinema.org/a/629806)
 
-## Create secrets.
+## Pre-requsites:
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/glance/` path in the Vault
+
+## Create secrets in the vault:
+
+### Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=glance
+```
+
+### List the existing secrets from `osh/glance/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/glance
+```
+
+### Create the secrets:
+
+- Glance RabbitMQ Password:
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/glance glance-rabbitmq-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+- Glance Database Password:
+```
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/glance glance-db-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+- Glance Admin Password:
+```
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/glance glance-admin \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+### Validate the secrets:
 
 ``` shell
-kubectl --namespace openstack \
-        create secret generic glance-rabbitmq-password \
-        --type Opaque \
-        --from-literal=username="glance" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
-kubectl --namespace openstack \
-        create secret generic glance-db-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic glance-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/glance
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/glance  glance-admin
 ```
 
 !!! info
 
     Before running the Glance deployment you should configure the backend which is defined in the `helm-configs/glance/glance-helm-overrides.yaml` file. The default is a making the assumption we're running with Ceph deployed by Rook so the backend is configured to be cephfs with multi-attach functionality. While this works great, you should consider all of the available storage backends and make the right decision for your environment.
 
-## Run the package deployment
+## Install Glance
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+``` shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the Glance installation:
+``` shell
+kubectl apply -k /opt/genestack/kustomize/glance/base/vault/
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
+``` shell
+kubectl get secrets -n openstack
+``` 
+
+### Deploy Glance helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm

diff --git a/docs/openstack-keystone.md b/docs/openstack-keystone.md
@@ -74,6 +74,11 @@ kubectl create secret generic vault-ca-secret \
 kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/
 ```
 
+- Validate whether the required Kubernetes secrets from Vault are populated:
+``` shell
+kubectl get secrets -n openstack
+``` 
+
 ### Deploy Keystone helm chart
 
 ``` shell

diff --git a/kustomize/glance/base/vault/glance-admin.yaml b/kustomize/glance/base/vault/glance-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: glance-admin
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/glace'
+
+  # path of the secret
+  path: glance-admin
+
+  # dest k8s secret
+  destination:
+    name: glance-admin
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/glance/base/vault/glance-db-password.yaml b/kustomize/glance/base/vault/glance-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: glance-db-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/glance'
+
+  # path of the secret
+  path: glance-db-password
+
+  # dest k8s secret
+  destination:
+    name: glance-db-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/glance/base/vault/glance-rabbitmq-password.yaml b/kustomize/glance/base/vault/glance-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: glance-rabbitmq-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/glance'
+
+  # path of the secret
+  path: glance-rabbitmq-password
+
+  # dest k8s secret
+  destination:
+    name: glance-rabbitmq-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/glance/base/vault/kustomization.yaml b/kustomize/glance/base/vault/kustomization.yaml
@@ -0,0 +1,7 @@
+namespace: openstack
+resources:
+  - vaultauth.yaml
+  - vaultconnection.yaml
+  - glance-admin.yaml
+  - glance-db-password.yaml
+  - glance-rabbitmq-password.yaml
diff --git a/kustomize/glance/base/vault/vaultauth.yaml b/kustomize/glance/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: openstack
+spec:
+  method: kubernetes
+  mount: genestack
+  kubernetes:
+    role: osh
+    serviceAccount: default
+    audiences:
+      - vault
+  vaultConnectionRef: vault-connection
diff --git a/kustomize/glance/base/vault/vaultconnection.yaml b/kustomize/glance/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+  namespace: openstack
+  name: vault-connection
+spec:
+  # required configuration
+  # address to the Vault server.
+  address: https://vault.vault.svc.cluster.local:8200
+  # optional configuration
+  # HTTP headers to be included in all Vault requests.
+  # headers: []
+  # TLS server name to use as the SNI host for TLS connections.
+  # tlsServerName: ""
+  # skip TLS verification for TLS connections to Vault.
+  skipTLSVerify: false
+  # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+  caCertSecretRef: "vault-ca-secret"