Use HashiCorp Vault for Compute Kit deployment

This commit will consume the secrets from HashiCorp Vault using vault-secretes-operator for the Compute Kit deployment.
rackerlabs · Mar 26, 2024 · 1dfa1ff · 1dfa1ff
1 parent 053004b
commit 1dfa1ff
Show file tree

Hide file tree

Showing 27 changed files with 714 additions and 55 deletions.
diff --git a/docs/openstack-compute-kit.md b/docs/openstack-compute-kit.md
@@ -2,81 +2,284 @@
 
 [![asciicast](https://asciinema.org/a/629813.svg)](https://asciinema.org/a/629813)
 
+## Pre-requsites
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to following paths in the Vault:
+  - `osh/nova/`
+  - `osh/ironic/`
+  - `osh/designate/`
+  - `osh/neutron/`
+
 ## Creating the Compute Kit Secrets
 
 Part of running Nova is also running placement. Setup all credentials now so we can use them across the nova and placement services.
 
+### Create the secrets - Placement
+
+- Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=nova
+```
+
+- List the existing secrets from `osh/placement/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/placement
+```
+
+- Placement Database Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/placement placement-db-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Placement Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/placement placement-admin \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+#### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/placement
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/placement  placement-admin
+```
+
+### Create the secrets - Nova
+
+- List the existing secrets from `osh/nova/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/nova
+```
+
+- Metadata-shared-secret Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/nova metadata-shared-secret \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Nova Database Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/nova nova-db-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Nova Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/nova nova-admin \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Nova RabbitMQ Username and Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put osh/nova/nova-rabbitmq-password username=nova
+
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv patch -mount=osh/nova nova-rabbitmq-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+#### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/nova
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/nova  nova-admin
+```
+
+### Create the secrets - Ironic(NOT IMPLEMENTED YET)
+
+- Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=ironic
+```
+
+- List the existing secrets from `osh/ironic/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/ironic
+```
+
+- Ironic Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/ironic ironic-admin \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+#### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/ironic
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/ironic  ironic-admin
+```
+
+### Create the secrets - Designate(NOT IMPLEMENTED YET)
+
+- Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=designate
+```
+
+- List the existing secrets from `osh/designate/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/designate
+```
+
+- Designate Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/designate designate-admin \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+#### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/designate
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/designate  designate-admin
+```
+
+### Create the secrets - Neutron
+
+- Login to the vault:
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=neutron
+```
+
+- List the existing secrets from `osh/neutron/`:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/neutron
+```
+
+- Neutron Database Password:
+
 ``` shell
-# Shared
-kubectl --namespace openstack \
-        create secret generic metadata-shared-secret \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/neutron neutron-db-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
 ```
 
+- Neutron Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/neutron neutron-admin \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Neutron RabbitMQ Username and Password:
+
 ``` shell
-# Placement
-kubectl --namespace openstack \
-        create secret generic placement-db-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic placement-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put osh/neutron/neutron-rabbitmq-password username=neutron
+
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv patch -mount=osh/neutron neutron-rabbitmq-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
 ```
 
+#### Validate the secrets
+
 ``` shell
-# Nova
-kubectl --namespace openstack \
-        create secret generic nova-db-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic nova-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic nova-rabbitmq-password \
-        --type Opaque \
-        --from-literal=username="nova" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/neutron
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/neutron  neutron-admin
+```
+
+## Deploy vault-secret-operator resources
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
 ```
 
+- If it is absent, create one using the following command:
+
 ``` shell
-# Ironic (NOT IMPLEMENTED YET)
-kubectl --namespace openstack \
-        create secret generic ironic-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
 ```
 
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the placement installation:
+
 ``` shell
-# Designate (NOT IMPLEMENTED YET)
-kubectl --namespace openstack \
-        create secret generic designate-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl apply -k /opt/genestack/kustomize/placement/base/vault/
 ```
 
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the nova installation:
+
 ``` shell
-# Neutron
-kubectl --namespace openstack \
-        create secret generic neutron-rabbitmq-password \
-        --type Opaque \
-        --from-literal=username="neutron" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
-kubectl --namespace openstack \
-        create secret generic neutron-db-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic neutron-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
+kubectl apply -k /opt/genestack/kustomize/nova/base/vault/
 ```
 
-## Deploy Placement
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the ironic installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/ironic/base/vault/
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the designate installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/designate/base/vault/
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the neutron installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/neutron/base/vault/
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
+
+``` shell
+kubectl get secrets -n openstack
+```
+
+## Deploy Placement helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm
@@ -94,7 +297,7 @@ helm upgrade --install placement ./placement --namespace=openstack \
     --post-renderer-args placement/base
 ```
 
-## Deploy Nova
+## Deploy Nova helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm
@@ -140,7 +343,8 @@ If running in an environment that doesn't have hardware virtualization extension
 
     In a production like environment you may need to include production specific files like the example variable file found in `helm-configs/prod-example-openstack-overrides.yaml`.
 
-## Deploy Neutron
+
+## Deploy Neutron helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm

diff --git a/kustomize/designate/base/vault/designate-admin.yaml b/kustomize/designate/base/vault/designate-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: designate-admin
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/neutron'
+
+  # path of the secret
+  path: designate-admin
+
+  # dest k8s secret
+  destination:
+    name: designate-admin
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth
diff --git a/kustomize/designate/base/vault/kustomization.yaml b/kustomize/designate/base/vault/kustomization.yaml
@@ -0,0 +1,5 @@
+namespace: openstack
+resources:
+  - vaultauth.yaml
+  - vaultconnection.yaml
+  - designate-admin.yaml