From e43f21032e0a41faa0ccc56c58c4c520bac4e350 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Mon, 25 Mar 2024 23:15:52 +0000 Subject: [PATCH] Use HashiCorp Vault for Heat deployment This commit will consume the secrets from HashiCorp Vault using vault-secrets-operator for the Heat deployment. --- docs/openstack-heat.md | 130 ++++++++++++++---- kustomize/heat/base/vault/heat-admin.yaml | 24 ++++ .../heat/base/vault/heat-db-password.yaml | 24 ++++ .../base/vault/heat-rabbitmq-password.yaml | 24 ++++ .../heat/base/vault/heat-stack-user.yaml | 24 ++++ kustomize/heat/base/vault/heat-trustee.yaml | 24 ++++ kustomize/heat/base/vault/kustomization.yaml | 9 ++ kustomize/heat/base/vault/vaultauth.yaml | 14 ++ .../heat/base/vault/vaultconnection.yaml | 18 +++ 9 files changed, 263 insertions(+), 28 deletions(-) create mode 100644 kustomize/heat/base/vault/heat-admin.yaml create mode 100644 kustomize/heat/base/vault/heat-db-password.yaml create mode 100644 kustomize/heat/base/vault/heat-rabbitmq-password.yaml create mode 100644 kustomize/heat/base/vault/heat-stack-user.yaml create mode 100644 kustomize/heat/base/vault/heat-trustee.yaml create mode 100644 kustomize/heat/base/vault/kustomization.yaml create mode 100644 kustomize/heat/base/vault/vaultauth.yaml create mode 100644 kustomize/heat/base/vault/vaultconnection.yaml diff --git a/docs/openstack-heat.md b/docs/openstack-heat.md index 9578cddc..78e06719 100644 --- a/docs/openstack-heat.md +++ b/docs/openstack-heat.md 
@@ -2,33 +2,107 @@
 [![asciicast](https://asciinema.org/a/629807.svg)](https://asciinema.org/a/629807)
-## Create secrets
-
-``` shell
-kubectl --namespace openstack \
- create secret generic heat-rabbitmq-password \
- --type Opaque \
- --from-literal=username="heat" \
- --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
-kubectl --namespace openstack \
- create secret generic heat-db-password \
- --type Opaque \
- --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
- create secret generic heat-admin \
- --type Opaque \
- --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
- create secret generic heat-trustee \
- --type Opaque \
- --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-kubectl --namespace openstack \
- create secret generic heat-stack-user \
- --type Opaque \
- --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
-```
-
-## Run the package deployment
+## Pre-requsites
+
+- Vault should be installed by following the instructions in [vault documentation](https://docs.rackspacecloud.com/vault/)
+- User has access to `osh/heat/` path in the Vault
+
+## Create secrets in the vault
+
+### Login to the vault
+
+``` shell
+kubectl exec -it vault-0 -n vault -- \
+ vault login -method userpass username=heat
+```
+
+### List the existing secrets from `osh/heat/`
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv list osh/heat
+```
+
+### Create the secrets
+
+- Heat RabbitMQ Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv put -mount=osh/heat heat-rabbitmq-password \
+ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)
+```
+
+- Heat Database Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv 
put -mount=osh/heat heat-db-password \
+ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Heat Admin Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv put -mount=osh/heat heat-admin \
+ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Heat Trustee Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv put -mount=osh/heat heat-trustee \
+ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+- Heat Stack User Password:
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv put -mount=osh/heat heat-stack-user \
+ password=$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)
+```
+
+### Validate the secrets
+
+``` shell
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv list osh/heat
+kubectl exec --stdin=true --tty=true vault-0 -n vault -- \
+ vault kv get -mount=osh/heat heat-admin
+```
+
+## Install Heat
+
+- Ensure that the `vault-ca-secret` Kubernetes Secret exists in the OpenStack namespace containing the Vault CA certificate:
+
+```shell
+kubectl get secret vault-ca-secret -o yaml -n openstack
+```
+
+- If it is absent, create one using the following command:
+
+``` shell
+kubectl create secret generic vault-ca-secret \
+ --from-literal=ca.crt="$(kubectl get secret vault-tls-secret \
+ -o jsonpath='{.data.ca\.crt}' -n vault | base64 -d -)" -n openstack
+```
+
+- Deploy the necessary Vault resources to create Kubernetes secrets required by the Heat installation:
+
+``` shell
+kubectl apply -k /opt/genestack/kustomize/heat/base/vault/
+```
+
+- Validate whether the required Kubernetes secrets from Vault are populated:
+
+``` shell
+kubectl get secrets -n openstack
+```
+
+### Deploy Heat helm chart
 ``` shell
 cd /opt/genestack/submodules/openstack-helm 
@@ -41,7 +115,7 @@ helm upgrade --install heat ./heat \
 --set endpoints.identity.auth.heat.password="$(kubectl --namespace openstack get secret heat-admin -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.identity.auth.heat_trustee.password="$(kubectl --namespace openstack get secret heat-trustee -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.identity.auth.heat_stack_user.password="$(kubectl --namespace openstack get secret heat-stack-user -o jsonpath='{.data.password}' | base64 -d)" \
- --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
+ --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb-root-password -o jsonpath='{.data.root-password}' | base64 -d)" \
 --set endpoints.oslo_db.auth.heat.password="$(kubectl --namespace openstack get secret heat-db-password -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
 --set endpoints.oslo_messaging.auth.heat.password="$(kubectl --namespace openstack get secret heat-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
diff --git a/kustomize/heat/base/vault/heat-admin.yaml b/kustomize/heat/base/vault/heat-admin.yaml
new file mode 100644
index 00000000..a0ef04ff
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-admin.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-admin
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-admin
+
+ # dest k8s secret
+ destination:
+ name: heat-admin
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth 
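Review bot: `destination.create: true` on this heat-admin VaultStaticSecret does not take over a `heat-admin` Secret that already exists in the openstack namespace, which is the state of any cluster set up with the `kubectl create secret` commands this commit removes from the docs; as I read the VSO destination semantics, the operator refuses to write a pre-existing Secret it does not own unless `overwrite: true` is also set (confirm against the installed VSO version). Either add `  overwrite: true` under `destination`, or document that the old Secret must be deleted before `kubectl apply -k`. A second caveat worth a comment: `refreshAfter: 30s` only resyncs the Kubernetes Secret, while the docs' helm command bakes the value into chart values at upgrade time, so a password rotated in Vault is not used by Heat until `helm upgrade` is re-run, e.g. `# NOTE: Heat reads this value from helm values, not from this Secret; after rotating it in Vault, re-run helm upgrade`.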
diff --git a/kustomize/heat/base/vault/heat-db-password.yaml b/kustomize/heat/base/vault/heat-db-password.yaml
new file mode 100644
index 00000000..b159e4c7
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-db-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-db-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-db-password
+
+ # dest k8s secret
+ destination:
+ name: heat-db-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/heat-rabbitmq-password.yaml b/kustomize/heat/base/vault/heat-rabbitmq-password.yaml
new file mode 100644
index 00000000..12847512
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-rabbitmq-password.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-rabbitmq-password
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-rabbitmq-password
+
+ # dest k8s secret
+ destination:
+ name: heat-rabbitmq-password
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/heat-stack-user.yaml b/kustomize/heat/base/vault/heat-stack-user.yaml
new file mode 100644
index 00000000..386620a4
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-stack-user.yaml 
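Review bot: The Secret synced by this heat-rabbitmq-password VaultStaticSecret will contain only the keys present at `osh/heat/heat-rabbitmq-password`, and the `vault kv put` the docs hunk adds stores just `password=`, whereas the Secret it replaces was created with `username="heat"` as well. The helm command in the second docs hunk reads only `.data.password` from it, so the chart itself looks unaffected, but anything else that consumed `username` from this Secret would now find the key missing — worth checking, or adding `username=heat` to the `vault kv put` so the Secret keeps its previous shape. A short comment on the CR would make the contract explicit: `# expected keys at this Vault path: password`.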
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-stack-user
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-stack-user
+
+ # dest k8s secret
+ destination:
+ name: heat-stack-user
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/heat-trustee.yaml b/kustomize/heat/base/vault/heat-trustee.yaml
new file mode 100644
index 00000000..3bb348c4
--- /dev/null
+++ b/kustomize/heat/base/vault/heat-trustee.yaml
@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: heat-trustee
+ namespace: openstack
+spec:
+ type: kv-v2
+
+ # mount path
+ mount: 'osh/heat'
+
+ # path of the secret
+ path: heat-trustee
+
+ # dest k8s secret
+ destination:
+ name: heat-trustee
+ create: true
+
+ # static secret refresh interval
+ refreshAfter: 30s
+
+ # Name of the CRD to authenticate to Vault
+ vaultAuthRef: vault-auth
diff --git a/kustomize/heat/base/vault/kustomization.yaml b/kustomize/heat/base/vault/kustomization.yaml
new file mode 100644
index 00000000..14dd4832
--- /dev/null
+++ b/kustomize/heat/base/vault/kustomization.yaml
@@ -0,0 +1,9 @@
+namespace: openstack
+resources:
+ - vaultauth.yaml
+ - vaultconnection.yaml
+ - heat-admin.yaml
+ - heat-db-password.yaml
+ - heat-rabbitmq-password.yaml
+ - heat-stack-user.yaml
+ - heat-trustee.yaml
diff --git a/kustomize/heat/base/vault/vaultauth.yaml b/kustomize/heat/base/vault/vaultauth.yaml
new file mode 100644
index 00000000..a4f6a50a
--- /dev/null
+++ b/kustomize/heat/base/vault/vaultauth.yaml 
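Review bot: kustomization.yaml has no `apiVersion`/`kind` header; kustomize still accepts that, but depending on the kustomize or kubectl version it warns that the file is missing them, and `kustomize edit fix` would add them. Prepend `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization`. The `namespace: openstack` transformer duplicates the `metadata.namespace: openstack` every listed resource already sets, which is harmless but means two places must agree if the target namespace ever changes.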
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: openstack
+spec:
+ method: kubernetes
+ mount: genestack
+ kubernetes:
+ role: osh
+ serviceAccount: default
+ audiences:
+ - vault
+ vaultConnectionRef: vault-connection
diff --git a/kustomize/heat/base/vault/vaultconnection.yaml b/kustomize/heat/base/vault/vaultconnection.yaml
new file mode 100644
index 00000000..61e878fd
--- /dev/null
+++ b/kustomize/heat/base/vault/vaultconnection.yaml
@@ -0,0 +1,18 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+ namespace: openstack
+ name: vault-connection
+spec:
+ # required configuration
+ # address to the Vault server.
+ address: https://vault.vault.svc.cluster.local:8200
+ # optional configuration
+ # HTTP headers to be included in all Vault requests.
+ # headers: []
+ # TLS server name to use as the SNI host for TLS connections.
+ # tlsServerName: ""
+ # skip TLS verification for TLS connections to Vault.
+ skipTLSVerify: false
+ # the trusted PEM encoded CA certificate chain stored in a Kubernetes Secret
+ caCertSecretRef: "vault-ca-secret"
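Review bot: `serviceAccount: default` makes the openstack namespace's `default` ServiceAccount the identity that logs in to Vault role `osh`; that is also the ServiceAccount of every pod in the namespace that does not set `serviceAccountName`, so any such pod can request a projected token with audience `vault` and read whatever the `osh` policy allows, not just the operator. A dedicated ServiceAccount used only by this VaultAuth keeps the grant narrow; the matching `bound_service_account_names` on the Vault role is configured on the Vault side and is not visible here, so it has to be updated together with this change. Proposed change below, with the new ServiceAccount also added to the kustomization resources.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth-osh
  namespace: openstack
---
# … unchanged: VaultAuth apiVersion, kind, metadata, spec.method, spec.mount …
  kubernetes:
    role: osh
    serviceAccount: vault-auth-osh
# … unchanged: audiences, vaultConnectionRef …
```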