rackerlabs · reet8598 · Oct 27, 2025 · Oct 28, 2025 · Oct 30, 2025
diff --git a/.gitignore b/.gitignore
@@ -129,3 +129,6 @@ base-kustomize/**/charts
 
 # mkdocs
 site/
+
+# skyline secrets
+/etc/genestack/skylinesecrets.yaml
diff --git a/bin/create-secrets.sh b/bin/create-secrets.sh
@@ -71,9 +71,6 @@ neutron_db_password=$(generate_password 32)
 neutron_admin_password=$(generate_password 32)
 horizon_secret_key=$(generate_password 64)
 horizon_db_password=$(generate_password 32)
-skyline_service_password=$(generate_password 32)
-skyline_db_password=$(generate_password 32)
-skyline_secret_key_password=$(generate_password 32)
 octavia_rabbitmq_password=$(generate_password 64)
 octavia_db_password=$(generate_password 32)
 octavia_admin_password=$(generate_password 32)
@@ -456,31 +453,6 @@ data:
 ---
 apiVersion: v1
 kind: Secret
-metadata:
-  name: skyline-apiserver-secrets
-  namespace: openstack
-type: Opaque
-data:
-  service-username: $(echo -n "skyline" | base64)
-  service-password: $(echo -n $skyline_service_password | base64 -w0)
-  service-domain: $(echo -n "service" | base64)
-  service-project: $(echo -n "service" | base64)
-  service-project-domain: $(echo -n "service" | base64)
-  db-endpoint: $(echo -n "mariadb-cluster-primary.openstack.svc.cluster.local" | base64 -w0)
-  db-name: $(echo -n "skyline" | base64)
-  db-username: $(echo -n "skyline" | base64)
-  db-password: $(echo -n $skyline_db_password | base64 -w0)
-  secret-key: $(echo -n $skyline_secret_key_password | base64 -w0)
-  keystone-endpoint: $(echo -n "http://keystone-api.openstack.svc.cluster.local:5000/v3" | base64 -w0)
-  keystone-username: $(echo -n "skyline" | base64)
-  default-region: $(echo -n "$region" | base64)
-  prometheus_basic_auth_password: $(echo -n "" | base64)
-  prometheus_basic_auth_user: $(echo -n "" | base64)
-  prometheus_enable_basic_auth: $(echo -n "false" | base64)
-  prometheus_endpoint: $(echo -n "http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090" | base64 -w0)
----
-apiVersion: v1
-kind: Secret
 metadata:
   name: octavia-rabbitmq-password
   namespace: openstack
@@ -880,6 +852,17 @@ data:
   password: $(echo -n $zaqar_keystone_test_password | base64 -w0)
 EOF
 
+# Check if skylinesecrets.yaml exists and append it
+SKYLINE_SECRETS_FILE="/etc/genestack/skylinesecrets.yaml"
+if [[ -f ${SKYLINE_SECRETS_FILE} ]]; then
+    echo "Found existing ${SKYLINE_SECRETS_FILE}, appending skyline secrets..."
+    cat ${SKYLINE_SECRETS_FILE} >> ${OUTPUT_FILE}
+    echo "✓ Skyline secrets appended from ${SKYLINE_SECRETS_FILE}"
+else
+    echo "Note: ${SKYLINE_SECRETS_FILE} not found. Run create-skyline-secrets.sh to add skyline secrets."
+fi
+
 rm nova_ssh_key nova_ssh_key.pub
 chmod 0640 ${OUTPUT_FILE}
-echo "Secrets YAML file created as ${OUTPUT_FILE}"
+echo ""
+echo "✓ Secrets YAML file created as ${OUTPUT_FILE}"
diff --git a/bin/create-skyline-secrets.sh b/bin/create-skyline-secrets.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# shellcheck disable=SC2086
+
+usage() {
+    echo "Usage: $0 [--region <region [RegionOne]>"
+    exit 1
+}
+
+region="RegionOne"
+
+# Parse command-line arguments
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --help)
+            usage
+            ;;
+        -h)
+            usage
+            ;;
+        --region)
+            region="$2"
+            shift 2
+            ;;
+        *)
+            echo "Unknown parameter passed: $1"
+            usage
+            ;;
+    esac
+done
+
+# Check if the region argument is provided
+if [ -z "$region" ]; then
+    usage
+fi
+
+# Generate random password function
+generate_password() {
+    < /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32}
+}
+
+OUTPUT_FILE="/etc/genestack/kubesecrets.yaml"
+SKYLINE_SECRETS_FILE="/etc/genestack/skylinesecrets.yaml"
+
+# Check if skylinesecrets.yaml already exists
+if [[ -f ${SKYLINE_SECRETS_FILE} ]]; then
+    echo "Error: ${SKYLINE_SECRETS_FILE} already exists."
+    echo "       Skyline secrets have already been generated."
+    echo "       If you want to regenerate skyline secrets, please delete ${SKYLINE_SECRETS_FILE} first."
+    echo "       WARNING: This will generate NEW passwords and break existing Skyline installations!"
+    exit 1
+fi
+
+# Check if kubesecrets.yaml exists
+if [[ ! -f ${OUTPUT_FILE} ]]; then
+    echo "Error: ${OUTPUT_FILE} does not exist."
+    echo "       Please run create-secrets.sh first to generate the base secrets file."
+    exit 1
+fi
+
+# Generate Skyline passwords
+echo "Generating new Skyline secrets..."
+skyline_service_password=$(generate_password 32)
+skyline_db_password=$(generate_password 32)
+skyline_secret_key_password=$(generate_password 32)
+
+# Create the Skyline secrets YAML content
+SKYLINE_SECRET_CONTENT="---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: skyline-apiserver-secrets
+  namespace: openstack
+type: Opaque
+data:
+  service-username: $(echo -n "skyline" | base64)
+  service-password: $(echo -n $skyline_service_password | base64 -w0)
+  service-domain: $(echo -n "service" | base64)
+  service-project: $(echo -n "service" | base64)
+  service-project-domain: $(echo -n "service" | base64)
+  db-endpoint: $(echo -n "mariadb-cluster-primary.openstack.svc.cluster.local" | base64 -w0)
+  db-name: $(echo -n "skyline" | base64)
+  db-username: $(echo -n "skyline" | base64)
+  db-password: $(echo -n $skyline_db_password | base64 -w0)
+  secret-key: $(echo -n $skyline_secret_key_password | base64 -w0)
+  keystone-endpoint: $(echo -n "http://keystone-api.openstack.svc.cluster.local:5000/v3" | base64 -w0)
+  keystone-username: $(echo -n "skyline" | base64)
+  default-region: $(echo -n "$region" | base64)
+  prometheus_basic_auth_password: $(echo -n "" | base64)
+  prometheus_basic_auth_user: $(echo -n "" | base64)
+  prometheus_enable_basic_auth: $(echo -n "false" | base64)
+  prometheus_endpoint: $(echo -n "http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090" | base64 -w0)"
+
+# Write to skylinesecrets.yaml
+echo "$SKYLINE_SECRET_CONTENT" > ${SKYLINE_SECRETS_FILE}
+chmod 0640 ${SKYLINE_SECRETS_FILE}
+echo "Created ${SKYLINE_SECRETS_FILE}"
+
+# Check if skyline section already exists in kubesecrets.yaml
+if grep -q "name: skyline-apiserver-secrets" ${OUTPUT_FILE}; then
+    echo "Warning: skyline-apiserver-secrets already exists in ${OUTPUT_FILE}"
+    echo "         This suggests skylinesecrets.yaml was previously generated."
+    echo "         Aborting to prevent duplicate entries."
+    exit 1
+fi
+
+# Append to kubesecrets.yaml
+echo "$SKYLINE_SECRET_CONTENT" >> $OUTPUT_FILE
+
+echo "Skyline secret appended to ${OUTPUT_FILE}"
+echo ""
+echo "✓ Successfully created ${SKYLINE_SECRETS_FILE}"
+echo "✓ Successfully appended skyline secret to ${OUTPUT_FILE}"
+echo ""
+echo "IMPORTANT: Keep ${SKYLINE_SECRETS_FILE} safe!"
+echo "           It will be used to preserve skyline secret when regenerating ${OUTPUT_FILE}"
diff --git a/docs/openstack-skyline.md b/docs/openstack-skyline.md
@@ -4,41 +4,67 @@ OpenStack Skyline is the next-generation web-based dashboard designed to provide
 
 ## Create secrets
 
-!!! note "Information about the secretes used"
-
-    Manual secret generation is only required if you haven't run the `create-secrets.sh` script located in `/opt/genestack/bin`.
-
-    ??? example "Example secret generation"
-
-        Skyline is a little different because there's no helm integration. Given this difference the deployment is far simpler, and all secrets
-        can be managed in one object.
-
-        ``` shell
-        kubectl --namespace openstack \
-                create secret generic skyline-apiserver-secrets \
-                --type Opaque \
-                --from-literal=service-username="skyline" \
-                --from-literal=service-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-                --from-literal=service-domain="service" \
-                --from-literal=service-project="service" \
-                --from-literal=service-project-domain="service" \
-                --from-literal=db-endpoint="mariadb-cluster-primary.openstack.svc.cluster.local" \
-                --from-literal=db-name="skyline" \
-                --from-literal=db-username="skyline" \
-                --from-literal=db-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-                --from-literal=secret-key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
-                --from-literal=keystone-endpoint="$(kubectl --namespace openstack get secret keystone-keystone-admin -o jsonpath='{.data.OS_AUTH_URL}' | base64 -d)" \
-                --from-literal=keystone-username="skyline" \
-                --from-literal=default-region="RegionOne" \
-                --from-literal=prometheus_basic_auth_password="" \
-                --from-literal=prometheus_basic_auth_user="" \
-                --from-literal=prometheus_enable_basic_auth="false" \
-                --from-literal=prometheus_endpoint="http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090"
-        ```
+Skyline secret can be generated using the `create-skyline-secrets.sh` script located in `/opt/genestack/bin`. This script integrates with the `create-secrets.sh` workflow and handles all secret generation.
+
+``` shell
+# Generate Skyline secrets with default region (RegionOne)
+/opt/genestack/bin/create-skyline-secrets.sh
+```
+
+The script will:
+
+- Generate secure random passwords for the Skyline service
+- Create `/etc/genestack/skylinesecrets.yaml` with the Skyline-specific secret
+- Append the secret to `/etc/genestack/kubesecrets.yaml` for integration with the main workflow
+- Perform safety checks to prevent duplicate secret generation
+- Ensure the `kubesecrets.yaml` file exists before proceeding
+
+!!! warning "Prerequisites"
+
+    The `create-skyline-secrets.sh` script requires that `/etc/genestack/kubesecrets.yaml` already exists. Run the `create-secrets.sh` script first if you haven't already.
+
+
+### Enable Federation (use Keystone public endpoint)
+
+If you plan to enable federation in Skyline, ensure the Keystone endpoint used for secrets is the public endpoint (not the internal cluster service).
 
 !!! note
 
-    All the configuration is in this one secret, so be sure to set your entries accordingly.
+    Edit `/opt/genestack/bin/create-skyline-secrets.sh` and set the `keystone-endpoint` value to your public Keystone URL (for example, `https://keystone.example.com/v3`). Then run the script:
+
+    ``` shell
+    /opt/genestack/bin/create-skyline-secrets.sh
+    ```
+
+
+### Manual Secret Generation (Alternative)
+
+Manual secret generation is only required if you haven't run the `create-skyline-secrets.sh` script located in `/opt/genestack/bin`.
+
+??? example "Manual secret generation"
+
+    ``` shell
+    kubectl --namespace openstack \
+            create secret generic skyline-apiserver-secrets \
+            --type Opaque \
+            --from-literal=service-username="skyline" \
+            --from-literal=service-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
+            --from-literal=service-domain="service" \
+            --from-literal=service-project="service" \
+            --from-literal=service-project-domain="service" \
+            --from-literal=db-endpoint="mariadb-cluster-primary.openstack.svc.cluster.local" \
+            --from-literal=db-name="skyline" \
+            --from-literal=db-username="skyline" \
+            --from-literal=db-password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
+            --from-literal=secret-key="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)" \
+            --from-literal=keystone-endpoint="http://keystone-api.openstack.svc.cluster.local:5000/v3" \
+            --from-literal=keystone-username="skyline" \
+            --from-literal=default-region="RegionOne" \
+            --from-literal=prometheus_basic_auth_password="" \
+            --from-literal=prometheus_basic_auth_user="" \
+            --from-literal=prometheus_enable_basic_auth="false" \
+            --from-literal=prometheus_endpoint="http://kube-prometheus-stack-prometheus.prometheus.svc.cluster.local:9090"
+    ```
 
 ## Run the deployment