rackerlabs · cardoe · Jul 3, 2024 · Jun 24, 2024
diff --git a/apps/appsets/openstack/openstack.yaml b/apps/appsets/openstack/openstack.yaml
@@ -24,6 +24,8 @@ spec:
                   chartVersion: 0.3.44
                 - component: nova
                   chartVersion: 0.3.42
+                - component: horizon
+                  chartVersion: 0.3.26
   template:
     metadata:
       name: '{{.name}}-{{.component}}'

diff --git a/components/horizon/README.md b/components/horizon/README.md
@@ -0,0 +1 @@
+# OpenStack Horizon
diff --git a/components/horizon/aio-values.yaml b/components/horizon/aio-values.yaml
@@ -0,0 +1,53 @@
+---
+release_group: null
+
+conf:
+  horizon:
+    local_settings:
+      config:
+        debug: "False"
+        endpoint_type: "publicURL"
+        use_ssl: "True"
+        csrf_cookie_secure: "True"
+        session_cookie_secure: "True"
+        session_cookie_httponly: "True"
+        allowed_hosts:
+          - '*'
+
+network:
+  # configure OpenStack Helm to use Undercloud's ingress
+  # instead of expecting the ingress controller provided
+  # by OpenStack Helm
+  use_external_ingress_controller: true
+
+# (nicholas.kuechler) updating the jobs list to remove the 'horizon-db-init' job.
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs: null
+  static:
+    db_sync:
+      jobs:
+
+manifests:
+  job_db_init: false
+
+# We don't want to enable OpenStack Helm's
+# helm.sh/hooks because they set them as
+# post-install,post-upgrade which in ArgoCD
+# maps to PostSync. However the deployments
+# and statefulsets in OpenStack Helm
+# depend on the jobs to complete to become
+# healthy. Which they cannot because they are in
+# the post step and not in the main step.
+# Turning this on results in the keys jobs
+# editing the annotation which deletes the item
+# and wipes our keys.
+helm3_hook: false
+
+annotations:
+  job:
+    horizon_db_sync:
+      argocd.argoproj.io/hook: Sync
+      argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
diff --git a/components/horizon/horizon-mariadb-db.yaml b/components/horizon/horizon-mariadb-db.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Database
+metadata:
+  name: horizon
+  namespace: openstack
+spec:
+  # If you want the database to be created with a different name than the resource name
+  # name: data-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  characterSet: utf8
+  collate: utf8_general_ci
+  retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: User
+metadata:
+  name: horizon
+  namespace: openstack
+spec:
+  # If you want the user to be created with a different name than the resource name
+  # name: user-custom
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  passwordSecretKeyRef:
+    name: horizon-db-password
+    key: password
+  # This field is immutable and defaults to 10, 0 means unlimited.
+  maxUserConnections: 0
+  host: "%"
+  retryInterval: 5s
+---
+apiVersion: mariadb.mmontes.io/v1alpha1
+kind: Grant
+metadata:
+  name: horizon-grant
+  namespace: openstack
+spec:
+  mariaDbRef:
+    name: mariadb  # name of the MariaDB kind
+    waitForIt: true
+  privileges:
+    - "ALL"
+  database: "horizon"
+  table: "*"
+  username: horizon
+  grantOption: true
+  host: "%"
+  retryInterval: 5s
diff --git a/components/horizon/kustomization.yaml b/components/horizon/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - horizon-mariadb-db.yaml
diff --git a/components/horizon/values.tpl.yaml b/components/horizon/values.tpl.yaml
@@ -0,0 +1,17 @@
+# add your values.yaml overrides for the helm chart here
+
+conf:
+  horizon:
+    local_settings:
+      config:
+        allowed_hosts:
+          - 'horizon.${DNS_ZONE}'
+        csrf_trusted_origins:
+          - "https://horizon.${DNS_ZONE}"
+
+network:
+  dashboard:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        cert-manager.io/cluster-issuer: ${DEPLOY_NAME}-cluster-issuer
diff --git a/components/openstack-secrets.tpl.yaml b/components/openstack-secrets.tpl.yaml
@@ -61,6 +61,9 @@ endpoints:
       # this is what the placement services uses to connect to MariaDB
       placement:
         password: "${PLACEMENT_DB_PASSWORD}"
+      # this is what the horizon dashboard service uses to connect to MariaDB
+      horizon:
+        password: "${HORIZON_DB_PASSWORD}"
 
   # 'oslo_db_api' is for MariaDB specific for nova
   oslo_db_api:
@@ -160,4 +163,7 @@ secrets:
     placement:
       api:
         public: placement-tls-public
+    dashboard:
+      dashboard:
+        public: horizon-tls-public
 ...
diff --git a/scripts/gitops-secrets-gen.sh b/scripts/gitops-secrets-gen.sh
@@ -197,6 +197,8 @@ export NOVA_RABBITMQ_PASSWORD="$(./scripts/pwgen.sh)"
 export PLACEMENT_KEYSTONE_PASSWORD="$(./scripts/pwgen.sh)"
 # placement user password in mariadb for placement db
 export PLACEMENT_DB_PASSWORD="$(./scripts/pwgen.sh)"
+# horizon user password for database
+export HORIZON_DB_PASSWORD="$(./scripts/pwgen.sh)"
 
 [ ! -f "${DEST_DIR}/secret-keystone-rabbitmq-password.yaml" ] && \
 kubectl --namespace openstack \
@@ -311,6 +313,14 @@ kubectl --namespace openstack \
     --from-literal=password="${PLACEMENT_DB_PASSWORD}" \
     --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-placement-db-password.yaml"
 
+# horizon credentials
+[ ! -f "${DEST_DIR}/secret-horizon-db-password.yaml" ] && \
+kubectl --namespace openstack \
+    create secret generic horizon-db-password \
+    --type Opaque \
+    --from-literal=password="${HORIZON_DB_PASSWORD}" \
+    --dry-run=client -o yaml | secret-seal-stdin "${DEST_DIR}/secret-horizon-db-password.yaml"
+
 if [ "x${DO_TMPL_VALUES}" = "xy" ]; then
     [ ! -f "${DEST_DIR}/secret-openstack.yaml" ] && \
     yq '(.. | select(tag == "!!str")) |= envsubst' \