Use HashiCorp Vault for Heat deployment

This commit will consume the secrets from HashiCorp Vault using
vault-secretes-operator for the Heat deployment.

docs/openstack-heat.md

@@ -2,33 +2,107 @@
 
 [![asciicast](https://asciinema.org/a/629807.svg)](https://asciinema.org/a/629807)
 
-## Create secrets
-
-``` shell
-kubectl --namespace openstack \
-        create secret generic heat-rabbitmq-password \
-        --type Opaque \
-        --from-literal=username="heat" \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
-kubectl --namespace openstack \
-        create secret generic heat-db-password \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic heat-admin \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic heat-trustee \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
-        create secret generic heat-stack-user \
-        --type Opaque \
-        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-```
-
-## Run the package deployment
+## Pre-requsites
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/heat/` path in the Vault
+
+## Create secrets in the vault
+
+### Login to the vault
+
+``` shell
+kubectl  exec -it vault-0 -n vault -- \
+    vault login -method userpass username=heat
+```
+
+### List the existing secrets from `osh/heat/`
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/heat
+```
+
+### Create the secrets
+
+- Heat RabbitMQ Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/heat heat-rabbitmq-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+- Heat Database Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/heat heat-db-password \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Heat Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/heat heat-admin  \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Heat Trustee Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/heat heat-trustee  \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Heat Stack User Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv put -mount=osh/heat heat-stack-user  \
+    password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv list osh/heat
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+    vault kv get -mount=osh/heat  heat-admin
+```
+
+## Install Heat
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+
+``` shell
+kubectl create secret generic vault-ca-secret \
+    --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+    -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the Heat installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/heat/base/vault/
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
+
+``` shell
+kubectl get secrets -n openstack
+```
+
+### Deploy Heat helm chart
 
 ``` shell
 cd /opt/genestack/submodules/openstack-helm
@@ -41,7 +115,7 @@ helm upgrade --install heat ./heat \
     --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \
     --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \
     --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \
-    --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
+    --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \
     --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \
     --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
     --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \

kustomize/heat/base/vault/heat-admin.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: heat-admin
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/heat'
+
+  # path of the secret
+  path: heat-admin
+
+  # dest k8s secret
+  destination:
+    name: heat-admin
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/heat/base/vault/heat-db-password.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: heat-db-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/heat'
+
+  # path of the secret
+  path: heat-db-password
+
+  # dest k8s secret
+  destination:
+    name: heat-db-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/heat/base/vault/heat-rabbitmq-password.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: heat-rabbitmq-password
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/heat'
+
+  # path of the secret
+  path: heat-rabbitmq-password
+
+  # dest k8s secret
+  destination:
+    name: heat-rabbitmq-password
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/heat/base/vault/heat-stack-user.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: heat-stack-user
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/heat'
+
+  # path of the secret
+  path: heat-stack-user
+
+  # dest k8s secret
+  destination:
+    name: heat-stack-user
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/heat/base/vault/heat-trustee.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: heat-trustee
+  namespace: openstack
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: 'osh/heat'
+
+  # path of the secret
+  path: heat-trustee
+
+  # dest k8s secret
+  destination:
+    name: heat-trustee
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: vault-auth

kustomize/heat/base/vault/kustomization.yaml

@@ -0,0 +1,9 @@
+namespace: openstack
+resources:
+  - vaultauth.yaml
+  - vaultconnection.yaml
+  - heat-admin.yaml
+  - heat-db-password.yaml
+  - heat-rabbitmq-password.yaml
+  - heat-stack-user.yaml
+  - heat-trustee.yaml

kustomize/heat/base/vault/vaultauth.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: openstack
+spec:
+  method: kubernetes
+  mount: genestack
+  kubernetes:
+    role: osh
+    serviceAccount: default
+    audiences:
+      - vault
+  vaultConnectionRef: vault-connection

kustomize/heat/base/vault/vaultconnection.yaml

@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+  namespace: openstack
+  name: vault-connection
+spec:
+  # required configuration
+  # address to the Vault server.
+  address: https://vault.vault.svc.cluster.local:8200
+  # optional configuration
+  # HTTP headers to be included in all Vault requests.
+  # headers: []
+  # TLS server name to use as the SNI host for TLS connections.
+  # tlsServerName: ""
+  # skip TLS verification for TLS connections to Vault.
+  skipTLSVerify: false
+  # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+  caCertSecretRef: "vault-ca-secret"