rackerlabs · cardoe · May 5, 2025 · Apr 30, 2025
diff --git a/apps/appsets/openstack.yaml b/apps/appsets/openstack.yaml
@@ -43,6 +43,9 @@ spec:
                 - component: horizon
                   repoURL: https://tarballs.opendev.org/openstack/openstack-helm
                   chartVersion: 2024.2.1+34d1672a-93ed069c
+                - component: skyline
+                  repoURL: https://tarballs.opendev.org/openstack/openstack-helm
+                  chartVersion: 2025.1.1+12830ffa1
   template:
     metadata:
       name: '{{.name}}-{{.component}}'

diff --git a/components/skyline/README.md b/components/skyline/README.md
@@ -0,0 +1 @@
+# OpenStack Skyline
diff --git a/components/skyline/kustomization.yaml b/components/skyline/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - skyline-mariadb-db.yaml
diff --git a/components/skyline/skyline-mariadb-db.yaml b/components/skyline/skyline-mariadb-db.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: skyline
+  namespace: openstack
+spec:
+  # If you want the database to be created with a different name than the resource name
+  # name: data-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  characterSet: utf8
+  collate: utf8_general_ci
+  retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: skyline
+  namespace: openstack
+spec:
+  # If you want the user to be created with a different name than the resource name
+  # name: user-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  passwordSecretKeyRef:
+    name: skyline-db-password
+    key: password
+  # This field is immutable and defaults to 10, 0 means unlimited.
+  maxUserConnections: 0
+  host: "%"
+  retryInterval: 5s
+---
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: skyline-grant
+  namespace: openstack
+spec:
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  privileges:
+    - "ALL"
+  database: "skyline"
+  table: "*"
+  username: skyline
+  grantOption: true
+  host: "%"
+  retryInterval: 5s
diff --git a/components/skyline/values.yaml b/components/skyline/values.yaml
@@ -0,0 +1,65 @@
+---
+endpoints:
+  skyline:
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: skyline-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
+
+network:
+  # configure OpenStack Helm to use Undercloud's ingress
+  # instead of expecting the ingress controller provided
+  # by OpenStack Helm
+  use_external_ingress_controller: true
+  skyline:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
+
+# (nicholas.kuechler) updating the jobs list to remove the 'skyline-db-init' job.
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs: null
+  static:
+    db_sync:
+      jobs:
+
+manifests:
+  job_db_init: false
+  secret_db: false
+  service_ingress: false
+
+pod:
+  lifecycle:
+    disruption_budget:
+      skyline:
+        # this should be set to no more than (pod.replicas.skyline - 1)
+        # usually set on per-deployment basis.
+        min_available: 0
+
+# We don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
+
+annotations:
+  job:
+    skyline_db_sync:
+      argocd.argoproj.io/hook: Sync
+      argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+      argocd.argoproj.io/sync-options: Replace=true
diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh
@@ -342,6 +342,25 @@ load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \
 # export the variable for templating into the openstack secret / values.yaml
 export HORIZON_DB_PASSWORD
 
+echo "Checking skyline"
+# horizon credentials
+mkdir -p "${DEST_DIR}/skyline"
+# skyline user password for database
+VARNAME_DB_PASSWORD="SKYLINE_DB_PASSWORD"
+SECRET_DB_PASSWORD="skyline-db-password"
+load_or_gen_os_secret "${VARNAME_DB_PASSWORD}" "${SECRET_DB_PASSWORD}" && \
+    create_os_secret "DB_PASSWORD" "skyline" "skyline"
+# export the variable for templating into the openstack secret / values.yaml
+export SKYLINE_DB_PASSWORD
+
+VARNAME_KEYSTONE_PASSWORD="$(convert_to_var_name "skyline" "KEYSTONE_PASSWORD")"
+SECRET_KEYSTONE_PASSWORD="$(convert_to_secret_name "${VARNAME_KEYSTONE_PASSWORD}")"
+load_or_gen_os_secret "${VARNAME_KEYSTONE_PASSWORD}" "${SECRET_KEYSTONE_PASSWORD}" && \
+    create_os_secret "KEYSTONE_PASSWORD" "skyline" "skyline"
+
+export "${VARNAME_KEYSTONE_PASSWORD?}"
+
+
 # generate the secret-openstack.yaml file every time from our secrets data
 # this is a helm values.yaml but it contains secrets because of the lack
 # of secrets references in OpenStack Helm