From af4b97ca2c4d16a24102e3ddbcad18793dd19d5a Mon Sep 17 00:00:00 2001
From: reet8598
Date: Mon, 27 Oct 2025 22:38:07 +0530
Subject: [PATCH 1/3] separate skyline secret creation and update docs

---
 bin/create-secrets.sh         | 41 +++-------
 bin/create-skyline-secrets.sh | 141 ++++++++++++++++++++++++++++++++++
 docs/openstack-skyline.md     | 92 +++++++++++++---------
 3 files changed, 210 insertions(+), 64 deletions(-)
 create mode 100644 bin/create-skyline-secrets.sh

diff --git a/bin/create-secrets.sh b/bin/create-secrets.sh
index 5009ed0b5..580d68df8 100755
--- a/bin/create-secrets.sh
+++ b/bin/create-secrets.sh
@@ -71,9 +71,6 @@ neutron_db_password=$(generate_password 32)
 neutron_admin_password=$(generate_password 32)
 horizon_secret_key=$(generate_password 64)
 horizon_db_password=$(generate_password 32)
-skyline_service_password=$(generate_password 32)
-skyline_db_password=$(generate_password 32)
-skyline_secret_key_password=$(generate_password 32)
 octavia_rabbitmq_password=$(generate_password 64)
 octavia_db_password=$(generate_password 32)
 octavia_admin_password=$(generate_password 32)
@@ -456,31 +453,6 @@ data:
 ---
 apiVersion: v1
 kind: Secret
-metadata:
-  name: skyline-apiserver-secrets
-  namespace: openstack
-type: Opaque
-data:
-  service-username: $(echo -n "skyline" | base64)
-  service-password: $(echo -n $skyline_service_password | base64 -w0)
-  service-domain: $(echo -n "service" | base64)
-  service-project: $(echo -n "service" | base64)
-  service-project-domain: $(echo -n "service" | base64)
-  db-endpoint: $(echo -n "mariadb-cluster-primary.openstack.svc.cluster.local" | base64 -w0)
-  db-name: $(echo -n "skyline" | base64)
-  db-username: $(echo -n "skyline" | base64)
-  db-password: $(echo -n $skyline_db_password | base64 -w0)
-  secret-key: $(echo -n $skyline_secret_key_password | base64 -w0)
-  keystone-endpoint: $(echo -n "http://keystone-api.openstack.svc.cluster.local:5000/v3" | base64 -w0)
-  keystone-username: $(echo -n "skyline" | base64)
-  default-region: $(echo -n "$region" | base64)
-  prometheus_basic_auth_password: $(echo -n "" | base64)
-  prometheus_basic_auth_user: $(echo -n "" | base64)
-  prometheus_enable_basic_auth: $(echo -n "false" | base64)
-  prometheus_endpoint: $(echo -n "http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090" | base64 -w0)
----
-apiVersion: v1
-kind: Secret
 metadata:
   name: octavia-rabbitmq-password
   namespace: openstack
@@ -880,6 +852,17 @@ data:
   password: $(echo -n $zaqar_keystone_test_password | base64 -w0)
 EOF
 
+# Check if skylinesecrets.yaml exists and append it
+SKYLINE_SECRETS_FILE="/etc/genestack/skylinesecrets.yaml"
+if [[ -f ${SKYLINE_SECRETS_FILE} ]]; then
+    echo "Found existing ${SKYLINE_SECRETS_FILE}, appending skyline secrets..."
+    cat ${SKYLINE_SECRETS_FILE} >> ${OUTPUT_FILE}
+    echo "✓ Skyline secrets appended from ${SKYLINE_SECRETS_FILE}"
+else
+    echo "Note: ${SKYLINE_SECRETS_FILE} not found. Run create-skyline-secrets.sh to add skyline secrets."
+fi
+
 rm nova_ssh_key nova_ssh_key.pub
 chmod 0640 ${OUTPUT_FILE}
-echo "Secrets YAML file created as ${OUTPUT_FILE}"
+echo ""
+echo "✓ Secrets YAML file created as ${OUTPUT_FILE}"
diff --git a/bin/create-skyline-secrets.sh b/bin/create-skyline-secrets.sh
new file mode 100644
index 000000000..8191c42d9
--- /dev/null
+++ b/bin/create-skyline-secrets.sh
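Review bot: The `else` branch's `echo "Note: ${SKYLINE_SECRETS_FILE} not found. Run create-skyline-secrets.sh to add skyline secrets."` is the only thing that happens when the file is missing, and on a host where Skyline was already deployed from the secret this same patch removes from create-secrets.sh, following that advice generates brand-new passwords (the new script's own message warns this breaks existing installations) while the regenerated kubesecrets.yaml silently omits the Skyline secret. The message should separate the two cases, e.g. `echo "Note: ${SKYLINE_SECRETS_FILE} not found. Fresh install: run create-skyline-secrets.sh. Existing Skyline deployment: save the current skyline-apiserver-secrets manifest to ${SKYLINE_SECRETS_FILE} first; do not regenerate." >&2`, and the docs should carry the same migration step. Nothing checks that the appended file actually holds the Skyline secret; a `grep -q "name: skyline-apiserver-secrets" "${SKYLINE_SECRETS_FILE}"` before the `cat` would reject an empty or unrelated file. The rest of create-secrets.sh, including where OUTPUT_FILE is defined, lies outside the hunk.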
@@ -0,0 +1,141 @@
+#!/bin/bash
+# shellcheck disable=SC2086
+
+usage() {
+    echo "Usage: $0 [--region "
+    exit 1
+}
+
+region="RegionOne"
+
+# Parse command-line arguments
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --help)
+            usage
+            ;;
+        -h)
+            usage
+            ;;
+        --region)
+            region="$2"
+            shift 2
+            ;;
+        *)
+            echo "Unknown parameter passed: $1"
+            usage
+            ;;
+    esac
+done
+
+# Check if the region argument is provided
+if [ -z "$region" ]; then
+    usage
+fi
+
+# Generate random password function
+generate_password() {
+    < /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32}
+}
+
+OUTPUT_FILE="/etc/genestack/kubesecrets.yaml"
+SKYLINE_SECRETS_FILE="/etc/genestack/skylinesecrets.yaml"
+
+# Check if skylinesecrets.yaml already exists
+if [[ -f ${SKYLINE_SECRETS_FILE} ]]; then
+    echo "Error: ${SKYLINE_SECRETS_FILE} already exists."
+    echo " Skyline secrets have already been generated."
+    echo " If you want to regenerate skyline secrets, please delete ${SKYLINE_SECRETS_FILE} first."
+    echo " WARNING: This will generate NEW passwords and break existing Skyline installations!"
+    exit 1
+fi
+
+# Check if kubesecrets.yaml exists
+if [[ ! -f ${OUTPUT_FILE} ]]; then
+    echo "Error: ${OUTPUT_FILE} does not exist."
+    echo " Please run create-secrets.sh first to generate the base secrets file."
+    exit 1
+fi
+
+# Generate Skyline passwords
+echo "Generating new Skyline secrets..."
+skyline_service_password=$(generate_password 32)
+skyline_db_password=$(generate_password 32)
+skyline_secret_key_password=$(generate_password 32)
+
+# Create the Skyline secrets YAML content
+SKYLINE_SECRET_CONTENT="---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: skyline-apiserver-secrets
+  namespace: openstack
+type: Opaque
+data:
+  service-username: $(echo -n "skyline" | base64)
+  service-password: $(echo -n $skyline_service_password | base64 -w0)
+  service-domain: $(echo -n "service" | base64)
+  service-project: $(echo -n "service" | base64)
+  service-project-domain: $(echo -n "service" | base64)
+  db-endpoint: $(echo -n "mariadb-cluster-primary.openstack.svc.cluster.local" | base64 -w0)
+  db-name: $(echo -n "skyline" | base64)
+  db-username: $(echo -n "skyline" | base64)
+  db-password: $(echo -n $skyline_db_password | base64 -w0)
+  secret-key: $(echo -n $skyline_secret_key_password | base64 -w0)
+  keystone-endpoint: $(echo -n "http://keystone-api.openstack.svc.cluster.local:5000/v3" | base64 -w0)
+  keystone-username: $(echo -n "skyline" | base64)
+  default-region: $(echo -n "$region" | base64)
+  prometheus_basic_auth_password: $(echo -n "" | base64)
+  prometheus_basic_auth_user: $(echo -n "" | base64)
+  prometheus_enable_basic_auth: $(echo -n "false" | base64)
+  prometheus_endpoint: $(echo -n "http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090" | base64 -w0)"
+
+# Write to skylinesecrets.yaml
+echo "$SKYLINE_SECRET_CONTENT" > ${SKYLINE_SECRETS_FILE}
+chmod 0640 ${SKYLINE_SECRETS_FILE}
+echo "Created ${SKYLINE_SECRETS_FILE}"
+
+# Check if skyline section already exists in kubesecrets.yaml
+if grep -q "name: skyline-apiserver-secrets" ${OUTPUT_FILE}; then
+    echo "Warning: skyline-apiserver-secrets already exists in ${OUTPUT_FILE}"
+    echo " This suggests skylinesecrets.yaml was previously generated."
+    echo " Aborting to prevent duplicate entries."
+    exit 1
+fi
+
+# Append to kubesecrets.yaml
+cat <> $OUTPUT_FILE
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: skyline-apiserver-secrets
+  namespace: openstack
+type: Opaque
+data:
+  service-username: $(echo -n "skyline" | base64)
+  service-password: $(echo -n $skyline_service_password | base64 -w0)
+  service-domain: $(echo -n "service" | base64)
+  service-project: $(echo -n "service" | base64)
+  service-project-domain: $(echo -n "service" | base64)
+  db-endpoint: $(echo -n "mariadb-cluster-primary.openstack.svc.cluster.local" | base64 -w0)
+  db-name: $(echo -n "skyline" | base64)
+  db-username: $(echo -n "skyline" | base64)
+  db-password: $(echo -n $skyline_db_password | base64 -w0)
+  secret-key: $(echo -n $skyline_secret_key_password | base64 -w0)
+  keystone-endpoint: $(echo -n "http://keystone-api.openstack.svc.cluster.local:5000/v3" | base64 -w0)
+  keystone-username: $(echo -n "skyline" | base64)
+  default-region: $(echo -n "$region" | base64)
+  prometheus_basic_auth_password: $(echo -n "" | base64)
+  prometheus_basic_auth_user: $(echo -n "" | base64)
+  prometheus_enable_basic_auth: $(echo -n "false" | base64)
+  prometheus_endpoint: $(echo -n "http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090" | base64 -w0)
+EOF
+
+echo "Skyline secrets appended to ${OUTPUT_FILE}"
+echo ""
+echo "✓ Successfully created ${SKYLINE_SECRETS_FILE}"
+echo "✓ Successfully appended skyline secrets to ${OUTPUT_FILE}"
+echo ""
+echo "IMPORTANT: Keep ${SKYLINE_SECRETS_FILE} safe!"
+echo " It will be used to preserve skyline secrets when regenerating ${OUTPUT_FILE}"
diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md
index 6c9242ab1..0e3d1acd8 100644
--- a/docs/openstack-skyline.md
+++ b/docs/openstack-skyline.md
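Review bot: The duplicate guard `if grep -q "name: skyline-apiserver-secrets" ${OUTPUT_FILE}; then` runs only after skylinesecrets.yaml has already been written, so its abort path leaves a freshly generated file on disk whose passwords differ from the secret already present in kubesecrets.yaml, and the next create-secrets.sh run will append that mismatching secret; moving the guard above the password generation avoids this. Separately, `echo "$SKYLINE_SECRET_CONTENT" > ${SKYLINE_SECRETS_FILE}` creates the file under the caller's umask and only then `chmod 0640`s it, so the credentials can be world-readable for a moment; creating it under `umask 027` closes that window. The script has no `set -euo pipefail`, so a failed write still prints every success message and exits 0. The usage string `"Usage: $0 [--region "` looks truncated, though that may be an artifact of how the patch was captured rather than of the source.
```shell
# … unchanged: argument parsing, generate_password, existence checks …

# Refuse before anything is generated or written, so an abort never leaves a
# fresh skylinesecrets.yaml whose passwords differ from the secret already in
# kubesecrets.yaml (the next create-secrets.sh run would append that file)
if grep -q "name: skyline-apiserver-secrets" "${OUTPUT_FILE}"; then
    echo "Warning: skyline-apiserver-secrets already exists in ${OUTPUT_FILE}" >&2
    echo " Aborting to prevent duplicate entries." >&2
    exit 1
fi

skyline_service_password=$(generate_password 32)
# … unchanged: remaining password generation and SKYLINE_SECRET_CONTENT …

# Create the file with its final mode from the start instead of chmod-ing after
# the write, so the secrets are never briefly readable under the default umask
(umask 027; echo "$SKYLINE_SECRET_CONTENT" > "${SKYLINE_SECRETS_FILE}")
echo "Created ${SKYLINE_SECRETS_FILE}"
```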
@@ -4,41 +4,63 @@ OpenStack Skyline is the next-generation web-based dashboard designed to provide
 
 ## Create secrets
 
-!!! note "Information about the secretes used"
-
-    Manual secret generation is only required if you haven't run the `create-secrets.sh` script located in `/opt/genestack/bin`.
-
-    ??? example "Example secret generation"
-
-        Skyline is a little different because there's no helm integration. Given this difference the deployment is far simpler, and all secrets
-        can be managed in one object.
-
-        ``` shell
-        kubectl --namespace openstack \
-          create secret generic skyline-apiserver-secrets \
-          --type Opaque \
-          --from-literal=service-username="skyline" \
-          --from-literal=service-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-          --from-literal=service-domain="service" \
-          --from-literal=service-project="service" \
-          --from-literal=service-project-domain="service" \
-          --from-literal=db-endpoint="mariadb-cluster-primary.openstack.svc.cluster.local" \
-          --from-literal=db-name="skyline" \
-          --from-literal=db-username="skyline" \
-          --from-literal=db-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-          --from-literal=secret-key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-          --from-literal=keystone-endpoint="$(kubectl --namespace openstack get secret keystone-keystone-admin -o jsonpath='{.data.OS_AUTH_URL}' | base64 -d)" \
-          --from-literal=keystone-username="skyline" \
-          --from-literal=default-region="RegionOne" \
-          --from-literal=prometheus_basic_auth_password="" \
-          --from-literal=prometheus_basic_auth_user="" \
-          --from-literal=prometheus_enable_basic_auth="false" \
-          --from-literal=prometheus_endpoint="http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090"
-        ```
-
-!!! note
-
-    All the configuration is in this one secret, so be sure to set your entries accordingly.
+!!! note "Automated secret generation"
+
+    Skyline secrets can be generated automatically using the `create-skyline-secrets.sh` script located in `/opt/genestack/bin`. This script integrates with the main `create-secrets.sh` workflow and handles all secret generation automatically.
+
+### Automated Secret Generation
+
+The recommended approach is to use the automated script:
+
+``` shell
+# Generate Skyline secrets with default region (RegionOne)
+/opt/genestack/bin/create-skyline-secrets.sh
+```
+
+The script will:
+
+- Generate secure random passwords for all Skyline services
+- Create `/etc/genestack/skylinesecrets.yaml` with the Skyline-specific secrets
+- Append the secrets to `/etc/genestack/kubesecrets.yaml` for integration with the main workflow
+- Perform safety checks to prevent duplicate secret generation
+- Ensure the main `kubesecrets.yaml` file exists before proceeding
+
+!!! warning "Prerequisites"
+
+    The `create-skyline-secrets.sh` script requires that `/etc/genestack/kubesecrets.yaml` already exists. Run the main `create-secrets.sh` script first if you haven't already.
+
+!!! note "Secret Management"
+
+    All Skyline configuration is managed in a single secret object (`skyline-apiserver-secrets`), making deployment simpler compared to other OpenStack services that use Helm integration.
+
+### Manual Secret Generation (Alternative)
+
+If you prefer manual control or need to customize specific values, you can still create secrets manually:
+
+??? example "Manual secret generation"
+
+    ``` shell
+    kubectl --namespace openstack \
+      create secret generic skyline-apiserver-secrets \
+      --type Opaque \
+      --from-literal=service-username="skyline" \
+      --from-literal=service-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
+      --from-literal=service-domain="service" \
+      --from-literal=service-project="service" \
+      --from-literal=service-project-domain="service" \
+      --from-literal=db-endpoint="mariadb-cluster-primary.openstack.svc.cluster.local" \
+      --from-literal=db-name="skyline" \
+      --from-literal=db-username="skyline" \
+      --from-literal=db-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
+      --from-literal=secret-key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
+      --from-literal=keystone-endpoint="http://keystone-api.openstack.svc.cluster.local:5000/v3" \
+      --from-literal=keystone-username="skyline" \
+      --from-literal=default-region="RegionOne" \
+      --from-literal=prometheus_basic_auth_password="" \
+      --from-literal=prometheus_basic_auth_user="" \
+      --from-literal=prometheus_enable_basic_auth="false" \
+      --from-literal=prometheus_endpoint="http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090"
+    ```
 
 ## Run the deployment
 

From 940b23d5753dfcc17d88d390dccde8ca3582cafa Mon Sep 17 00:00:00 2001
From: reet8598
Date: Tue, 28 Oct 2025 19:21:44 +0530
Subject: [PATCH 2/3] docs: update skyline docs for cleaner info and refactor code

---
 bin/create-skyline-secrets.sh | 34 ++++------------------------------
 docs/openstack-skyline.md     | 23 +++++++----------------
 2 files changed, 11 insertions(+), 46 deletions(-)

diff --git a/bin/create-skyline-secrets.sh b/bin/create-skyline-secrets.sh
index 8191c42d9..0c7623d17 100644
--- a/bin/create-skyline-secrets.sh
+++ b/bin/create-skyline-secrets.sh
@@ -104,38 +104,12 @@ if grep -q "name: skyline-apiserver-secrets" ${OUTPUT_FILE}; then
 fi
 
 # Append to kubesecrets.yaml
-cat <> $OUTPUT_FILE
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: skyline-apiserver-secrets
-  namespace: openstack
-type: Opaque
-data:
-  service-username: $(echo -n "skyline" | base64)
-  service-password: $(echo -n $skyline_service_password | base64 -w0)
-  service-domain: $(echo -n "service" | base64)
-  service-project: $(echo -n "service" | base64)
-  service-project-domain: $(echo -n "service" | base64)
-  db-endpoint: $(echo -n "mariadb-cluster-primary.openstack.svc.cluster.local" | base64 -w0)
-  db-name: $(echo -n "skyline" | base64)
-  db-username: $(echo -n "skyline" | base64)
-  db-password: $(echo -n $skyline_db_password | base64 -w0)
-  secret-key: $(echo -n $skyline_secret_key_password | base64 -w0)
-  keystone-endpoint: $(echo -n "http://keystone-api.openstack.svc.cluster.local:5000/v3" | base64 -w0)
-  keystone-username: $(echo -n "skyline" | base64)
-  default-region: $(echo -n "$region" | base64)
-  prometheus_basic_auth_password: $(echo -n "" | base64)
-  prometheus_basic_auth_user: $(echo -n "" | base64)
-  prometheus_enable_basic_auth: $(echo -n "false" | base64)
-  prometheus_endpoint: $(echo -n "http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090" | base64 -w0)
-EOF
+echo "$SKYLINE_SECRET_CONTENT" >> $OUTPUT_FILE
 
-echo "Skyline secrets appended to ${OUTPUT_FILE}"
+echo "Skyline secret appended to ${OUTPUT_FILE}"
 echo ""
 echo "✓ Successfully created ${SKYLINE_SECRETS_FILE}"
-echo "✓ Successfully appended skyline secrets to ${OUTPUT_FILE}"
+echo "✓ Successfully appended skyline secret to ${OUTPUT_FILE}"
 echo ""
 echo "IMPORTANT: Keep ${SKYLINE_SECRETS_FILE} safe!"
-echo " It will be used to preserve skyline secrets when regenerating ${OUTPUT_FILE}"
+echo " It will be used to preserve skyline secret when regenerating ${OUTPUT_FILE}"
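Review bot: `echo "$SKYLINE_SECRET_CONTENT" >> $OUTPUT_FILE` re-serialises the in-memory variable instead of appending the file that was just persisted, so the two copies can drift if the earlier write to skylinesecrets.yaml failed or was partial (no `set -e` is visible in the context); `cat "${SKYLINE_SECRETS_FILE}" >> "${OUTPUT_FILE}"` makes the persisted file the single source of truth and matches what create-secrets.sh does when it re-appends that file later. `$OUTPUT_FILE` is also unquoted here while the rest of the script writes `${OUTPUT_FILE}`; the value is a fixed path so it is harmless, but the braced, quoted form is the consistent one. The grep guard that ends at the `fi` on this hunk's first context line starts outside the hunk.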
diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md
index 0e3d1acd8..27348d8eb 100644
--- a/docs/openstack-skyline.md
+++ b/docs/openstack-skyline.md
@@ -4,13 +4,7 @@ OpenStack Skyline is the next-generation web-based dashboard designed to provide
 
 ## Create secrets
 
-!!! note "Automated secret generation"
-
-    Skyline secrets can be generated automatically using the `create-skyline-secrets.sh` script located in `/opt/genestack/bin`. This script integrates with the main `create-secrets.sh` workflow and handles all secret generation automatically.
-
-### Automated Secret Generation
-
-The recommended approach is to use the automated script:
+Skyline secret can be generated using the `create-skyline-secrets.sh` script located in `/opt/genestack/bin`. This script integrates with the `create-secrets.sh` workflow and handles all secret generation.
 
 ``` shell
 # Generate Skyline secrets with default region (RegionOne)
@@ -19,23 +13,20 @@ The recommended approach is to use the automated script:
 
 The script will:
 
-- Generate secure random passwords for all Skyline services
-- Create `/etc/genestack/skylinesecrets.yaml` with the Skyline-specific secrets
-- Append the secrets to `/etc/genestack/kubesecrets.yaml` for integration with the main workflow
+- Generate secure random passwords for the Skyline service
+- Create `/etc/genestack/skylinesecrets.yaml` with the Skyline-specific secret
+- Append the secret to `/etc/genestack/kubesecrets.yaml` for integration with the main workflow
 - Perform safety checks to prevent duplicate secret generation
-- Ensure the main `kubesecrets.yaml` file exists before proceeding
+- Ensure the `kubesecrets.yaml` file exists before proceeding
 
 !!! warning "Prerequisites"
 
-    The `create-skyline-secrets.sh` script requires that `/etc/genestack/kubesecrets.yaml` already exists. Run the main `create-secrets.sh` script first if you haven't already.
-
-!!! note "Secret Management"
+    The `create-skyline-secrets.sh` script requires that `/etc/genestack/kubesecrets.yaml` already exists. Run the `create-secrets.sh` script first if you haven't already.
 
-    All Skyline configuration is managed in a single secret object (`skyline-apiserver-secrets`), making deployment simpler compared to other OpenStack services that use Helm integration.
 
 ### Manual Secret Generation (Alternative)
 
-If you prefer manual control or need to customize specific values, you can still create secrets manually:
+Manual secret generation is only required if you haven't run the `create-skyline-secrets.sh` script located in `/opt/genestack/bin`.
 
 ??? example "Manual secret generation"
 

From e74df385f24baf819cf8e946d48b91b797ccd157 Mon Sep 17 00:00:00 2001
From: reet8598
Date: Thu, 30 Oct 2025 17:04:52 +0530
Subject: [PATCH 3/3] docs: update skyline doc to include enable federation section and add skylinesecrets to gitignore

---
 .gitignore                | 3 +++
 docs/openstack-skyline.md | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/.gitignore b/.gitignore
index 967e4284a..4ee9e6a1f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -129,3 +129,6 @@ base-kustomize/**/charts
 
 # mkdocs
 site/
+
+# skyline secrets
+/etc/genestack/skylinesecrets.yaml
\ No newline at end of file
diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md
index 27348d8eb..f75ae82e5 100644
--- a/docs/openstack-skyline.md
+++ b/docs/openstack-skyline.md
@@ -24,6 +24,19 @@ The script will:
     The `create-skyline-secrets.sh` script requires that `/etc/genestack/kubesecrets.yaml` already exists. Run the `create-secrets.sh` script first if you haven't already.
 
 
+### Enable Federation (use Keystone public endpoint)
+
+If you plan to enable federation in Skyline, ensure the Keystone endpoint used for secrets is the public endpoint (not the internal cluster service).
+
+!!! note
+
+    Edit `/opt/genestack/bin/create-skyline-secrets.sh` and set the `keystone-endpoint` value to your public Keystone URL (for example, `https://keystone.example.com/v3`). Then run the script:
+
+    ``` shell
+    /opt/genestack/bin/create-skyline-secrets.sh
+    ```
+
+
 ### Manual Secret Generation (Alternative)
 
 Manual secret generation is only required if you haven't run the `create-skyline-secrets.sh` script located in `/opt/genestack/bin`.
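Review bot: The added pattern `/etc/genestack/skylinesecrets.yaml` is resolved relative to the repository root, not the filesystem, so it only matches `<checkout>/etc/genestack/skylinesecrets.yaml`; the script in this series writes to the absolute path `/etc/genestack/skylinesecrets.yaml`, which is outside the checkout unless the repository is cloned at `/` or /etc/genestack is placed inside it, so in the usual layout this entry matches nothing and gives a false sense that the secrets file cannot be committed. If the goal is to catch a copy of the file anywhere in the tree, `**/skylinesecrets.yaml` is the pattern that does that; if /etc/genestack is never inside the tree, the entry can be dropped rather than left as an inert line. The file is also left without a trailing newline (`\ No newline at end of file`), which will make the next append show up as a two-line change.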