Use HashiCorp Vault for MariaDB and Keystone deployment
This commit will consume the secrets from HashiCorp Vault using
vault-secrets-operator for the MariaDB and Keystone deployment
pratik705 committed Mar 15, 2024
1 parent 0d8157e commit af160a9
Showing 14 changed files with 265 additions and 32 deletions.
52 changes: 42 additions & 10 deletions docs/infrastructure-mariadb.md
@@ -1,15 +1,5 @@
# Deploy the MariaDB Operator and a Galera Cluster

## Create secret

``` shell
kubectl --namespace openstack \
create secret generic mariadb \
--type Opaque \
--from-literal=root-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
```

## Deploy the mariadb operator

If you've changed your k8s cluster name from the default cluster.local, edit `clusterName` in `/opt/genestack/kustomize/mariadb-operator/kustomization.yaml` prior to deploying the mariadb operator.
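Review bot: the removed `kubectl create secret` block was the only place the `mariadb` Secret got its `password` key for the non-root `mariadb` user; the Vault flow added later in this file publishes only `root-password` under `osh/mariadb/mariadb-root-password`. Before dropping this, check what still reads the `password` key of the `mariadb` Secret (the Galera manifest's user credentials, for one) and either add a `kv put` plus a VaultStaticSecret for it or state in the doc where that password now comes from.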
@@ -29,6 +19,48 @@ kubectl --namespace mariadb-system get pods -w

## Deploy the MariaDB Cluster

## Pre-requsites:
- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md)
- User has access to `osh/mariadb/` path in the Vault

## Create secrets in the vault:

### Login to the vault:
```shell
kubectl exec -it vault-0 -n vault -- vault login -method userpass username=mariadb
```
### List the existing secrets from `osh/mariadb/`:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/mariadb
```
### Create the secrets:
- Mariadb root-password:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv put -mount=osh/mariadb mariadb-root-password root-password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
```
### Validate the secrets:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/mariadb
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv get -mount=osh/mariadb mariadb-root-password
```

## Install mariadb cluster:
- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
```shell
kubectl get secret vault-ca-secret -o yaml -n openstack
```

- If it is absent, create one using the following command:
```shell
kubectl create secret generic vault-ca-secret --from-literal=ca.crt="$(kubectl get secret vault-tls-secret -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
```

- Deploy the necessary Vault resources to create Kubernetes secrets required by the mariadb installation:
```shell
kubectl apply -k /opt/genestack/kustomize/mariadb-cluster/base/vault
```

### Deploy mariadb-cluster
``` shell
kubectl --namespace openstack apply -k /opt/genestack/kustomize/mariadb-cluster/base
```
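Review bot: `## Pre-requsites:` is misspelled (`Pre-requisites`) and, like `## Create secrets in the vault:` and `## Install mariadb cluster:`, it sits at the same level as the `## Deploy the MariaDB Cluster` heading it belongs under; demote these to `###` (and the current `###` ones to `####`) so the new steps nest inside that section. On the `vault kv put` line the `$(...)` substitution is unquoted; it only works because the generated charset contains no whitespace, so quote it as the old `--from-literal` lines did. Also consider `root-password=-` with the value supplied on stdin (the Vault CLI reads `key=-` from stdin), so the generated password is not carried as a command-line argument into the pod.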
69 changes: 49 additions & 20 deletions docs/openstack-keystone.md
@@ -2,30 +2,59 @@

[![asciicast](https://asciinema.org/a/629802.svg)](https://asciinema.org/a/629802)

## Create secrets.
## Pre-requsites:
- Vault should be installed by following the instructions in [vault.md](https://github.com/rackerlabs/genestack/blob/main/docs/vault.md)
- User has access to `osh/keystone/` path in the Vault

``` shell
kubectl --namespace openstack \
create secret generic keystone-rabbitmq-password \
--type Opaque \
--from-literal=username="keystone" \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
create secret generic keystone-db-password \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
create secret generic keystone-admin \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
create secret generic keystone-credential-keys \
--type Opaque \
--from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
## Create secrets in the vault:

### Login to the vault:
```shell
kubectl exec -it vault-0 -n vault -- vault login -method userpass username=keystone
```
### List the existing secrets from `osh/keystone/`:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/keystone
```
### Create the secrets:
- Keystone RabbitMQ Password:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv put -mount=osh/keystone keystone-rabbitmq-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
```

- Keystone Database Password:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv put -mount=osh/keystone keystone-db-password password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
```

- Keystone Admin Password:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv put -mount=osh/keystone keystone-admin password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
```

## Run the package deployment
### Validate the secrets:
```shell
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv list osh/keystone
kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault kv get -mount=osh/keystone keystone-admin
```

## Install Keystone
- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
```shell
kubectl get secret vault-ca-secret -o yaml -n openstack
```

- If it is absent, create one using the following command:
```shell
kubectl create secret generic vault-ca-secret --from-literal=ca.crt="$(kubectl get secret vault-tls-secret -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
```

- Deploy the necessary Vault resources to create Kubernetes secrets required by the Keystone installation:
```shell
kubectl apply -k /opt/genestack/kustomize/keystone/base/vault/
```

### Deploy Keystone helm chart
``` shell
cd /opt/genestack/submodules/openstack-helm

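Review bot: two keys from the removed secrets have no counterpart in the new Vault steps. The old `keystone-rabbitmq-password` Secret carried `username="keystone"` next to `password`, but the new `vault kv put -mount=osh/keystone keystone-rabbitmq-password` writes only `password`, so the synced Secret will have no `username` key; add `username=keystone` to that `kv put`. And `keystone-credential-keys` is dropped entirely, with neither a `kv put` here nor a VaultStaticSecret elsewhere in this commit; either document how it is now created or keep the old `kubectl create secret` step for it. The `Pre-requsites` typo and the heading-level problem noted for infrastructure-mariadb.md apply here as well.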
2 changes: 1 addition & 1 deletion kustomize/keystone/base/kustomization.yaml
@@ -1,5 +1,5 @@
resources:
- keystone-mariadb-database.yaml
- keystone-rabbitmq-queue.yaml
- keystone-rabbitmq-queue.yaml
- all.yaml
- hpa-keystone-api.yaml
24 changes: 24 additions & 0 deletions kustomize/keystone/base/vault/keystone-admin.yaml
@@ -0,0 +1,24 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: keystone-admin
namespace: openstack
spec:
type: kv-v2

# mount path
mount: 'osh/keystone'

# path of the secret
path: keystone-admin

# dest k8s secret
destination:
name: keystone-admin
create: true

# static secret refresh interval
refreshAfter: 30s

# Name of the CRD to authenticate to Vault
vaultAuthRef: vault-auth
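Review bot: `destination.create: true` on its own does not let the operator take over a `keystone-admin` Secret that already exists in `openstack`, which it will on any cluster deployed from the previous version of the docs, where this Secret was made with `kubectl create secret`; the sync fails until the pre-existing Secret is removed or `destination.overwrite: true` is set. Worth a short migration note in the doc for existing deployments.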
24 changes: 24 additions & 0 deletions kustomize/keystone/base/vault/keystone-db-password.yaml
@@ -0,0 +1,24 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: keystone-db-password
namespace: openstack
spec:
type: kv-v2

# mount path
mount: 'osh/keystone'

# path of the secret
path: keystone-db-password

# dest k8s secret
destination:
name: keystone-db-password
create: true

# static secret refresh interval
refreshAfter: 30s

# Name of the CRD to authenticate to Vault
vaultAuthRef: vault-auth
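Review bot: `refreshAfter: 30s` keeps the Kubernetes Secret in step with Vault, but nothing here restarts Keystone when the value changes, so the pods keep the credentials they loaded at start-up and the database password in the Secret drifts from what the running service uses. If rotation through Vault is the goal, add `rolloutRestartTargets` for the Keystone Deployment(s); if it is not, polling every 30s across each VaultStaticSecret is only load on Vault and a longer interval is fine.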
24 changes: 24 additions & 0 deletions kustomize/keystone/base/vault/keystone-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: keystone-rabbitmq-password
namespace: openstack
spec:
type: kv-v2

# mount path
mount: 'osh/keystone'

# path of the secret
path: keystone-rabbitmq-password

# dest k8s secret
destination:
name: keystone-rabbitmq-password
create: true

# static secret refresh interval
refreshAfter: 30s

# Name of the CRD to authenticate to Vault
vaultAuthRef: vault-auth
7 changes: 7 additions & 0 deletions kustomize/keystone/base/vault/kustomization.yaml
@@ -0,0 +1,7 @@
namespace: openstack
resources:
- vaultauth.yaml
- vaultconnection.yaml
- keystone-admin.yaml
- keystone-db-password.yaml
- keystone-rabbitmq-password.yaml
14 changes: 14 additions & 0 deletions kustomize/keystone/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault-auth
namespace: openstack
spec:
method: kubernetes
mount: genestack
kubernetes:
role: osh
serviceAccount: default
audiences:
- vault
vaultConnectionRef: vault-connection
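Review bot: `serviceAccount: default` means the `osh` Vault role is bound to the namespace's default ServiceAccount. Every pod in `openstack` that has not been given its own ServiceAccount runs as `default` and, with its token automounted, can present that same identity to Vault and read everything the `osh` role permits, so the role's reach is effectively the whole namespace rather than the operator's sync path. A dedicated ServiceAccount for the operator (bound to the role on the Vault side) keeps the scope to the component that actually needs it.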
18 changes: 18 additions & 0 deletions kustomize/keystone/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
namespace: openstack
name: vault-connection
spec:
# required configuration
# address to the Vault server.
address: https://vault.vault.svc.cluster.local:8200
# optional configuration
# HTTP headers to be included in all Vault requests.
# headers: []
# TLS server name to use as the SNI host for TLS connections.
# tlsServerName: ""
# skip TLS verification for TLS connections to Vault.
skipTLSVerify: false
# the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
caCertSecretRef: "vault-ca-secret"
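Review bot: `skipTLSVerify: false` with `caCertSecretRef` is the right shape. Since the reference is a bare Secret name, the operator resolves it in this VaultConnection's own namespace, which is why the doc copies the CA out of `vault` into `openstack` as `vault-ca-secret`; a one-line comment saying so here would spare the next reader from wondering why the CA exists twice. The commented `headers`/`tlsServerName` lines are sample residue and can go.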
2 changes: 1 addition & 1 deletion kustomize/mariadb-cluster/base/mariadb-galera.yaml
@@ -6,7 +6,7 @@ metadata:
spec:
rootPasswordSecretKeyRef:
name: mariadb
key: root-password
key: mariadb-root-password
username: mariadb
database: mariadb

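Review bot: this reference does not line up with the Secret the new VaultStaticSecret produces. The VSO destination in `kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml` is named `mariadb-root-password`, and the doc's `kv put -mount=osh/mariadb mariadb-root-password root-password=...` stores the value under the field `root-password`, so the synced Secret is `mariadb-root-password` with key `root-password`. The hunk keeps `name: mariadb` (which nothing now creates) and changes the key to `mariadb-root-password` (which is the Secret's name, not a key in it). It should read `name: mariadb-root-password` and `key: root-password`.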
5 changes: 5 additions & 0 deletions kustomize/mariadb-cluster/base/vault/kustomization.yaml
@@ -0,0 +1,5 @@
namespace: openstack
resources:
- vaultauth.yaml
- vaultconnection.yaml
- mariadb-root-password.yaml
24 changes: 24 additions & 0 deletions kustomize/mariadb-cluster/base/vault/mariadb-root-password.yaml
@@ -0,0 +1,24 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: mariadb-root-password
namespace: openstack
spec:
type: kv-v2

# mount path
mount: 'osh/mariadb'

# path of the secret
path: mariadb-root-password

# dest k8s secret
destination:
name: mariadb-root-password
create: true

# static secret refresh interval
refreshAfter: 30s

# Name of the CRD to authenticate to Vault
vaultAuthRef: vault-auth
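Review bot: for the root password in particular, the 30s refresh promises more than it delivers: the MariaDB operator consumes this Secret when it bootstraps the Galera cluster, and unless the operator reconciles later changes to `rootPasswordSecretKeyRef` (worth confirming before relying on it), a new value in Vault updates the Kubernetes Secret but not the password inside the database, leaving the two out of sync. Either document the rotation order (change it in MariaDB, then in Vault) or use a long `refreshAfter` so the Secret is not re-read every half minute to no effect.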
14 changes: 14 additions & 0 deletions kustomize/mariadb-cluster/base/vault/vaultauth.yaml
@@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault-auth
namespace: openstack
spec:
method: kubernetes
mount: genestack
kubernetes:
role: osh
serviceAccount: default
audiences:
- vault
vaultConnectionRef: vault-connection
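Review bot: this VaultAuth is identical to `kustomize/keystone/base/vault/vaultauth.yaml`, same `name: vault-auth`, same `namespace: openstack`, and the VaultConnection that follows duplicates the keystone one the same way. Both kustomizations therefore manage the same two cluster objects, so `kubectl delete -k` on either directory removes the auth path the other depends on, and a future edit to one copy silently diverges from the other. Move the shared VaultAuth and VaultConnection into one base for the `openstack` namespace and leave only the per-service VaultStaticSecrets in these directories.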
18 changes: 18 additions & 0 deletions kustomize/mariadb-cluster/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
namespace: openstack
name: vault-connection
spec:
# required configuration
# address to the Vault server.
address: https://vault.vault.svc.cluster.local:8200
# optional configuration
# HTTP headers to be included in all Vault requests.
# headers: []
# TLS server name to use as the SNI host for TLS connections.
# tlsServerName: ""
# skip TLS verification for TLS connections to Vault.
skipTLSVerify: false
# the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
caCertSecretRef: "vault-ca-secret"