Merge pull request #127 from portdirect/glance/command

Fix glance containers entrypoints
2017-01-19 20:51:11 -06:00 · 2017-01-19 20:51:11 -06:00 · 206215cee4
commit 206215cee4
parent fc81612392 09efab76ca
4 changed files with 68 additions and 3 deletions
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@ -13,5 +13,7 @@ data:
 {{ tuple "etc/_glance-api-paste.ini.tpl" . | include "template" | indent 4 }}
  glance-registry.conf: |+
 {{ tuple "etc/_glance-registry.conf.tpl" . | include "template" | indent 4 }}
+  glance-registry-paste.ini: |+
+{{ tuple "etc/_glance-registry-paste.ini.tpl" . | include "template" | indent 4 }}
  policy.json: |+
 {{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@ -34,24 +34,29 @@ spec:
          image: {{ .Values.images.api }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
          command:
-          - glance-api --config-dir /etc/glance
+          - glance-api
+          - --config-file
+          - /etc/glance/glance-api.conf
          ports:
            - containerPort: {{ .Values.network.port.api }}
          readinessProbe:
            tcpSocket:
              port: {{ .Values.network.port.api }}
          volumeMounts:
+            - name: etcglance
+              mountPath: /etc/glance
            - name: glanceapiconf
              mountPath: /etc/glance/glance-api.conf
              subPath: glance-api.conf
+              readOnly: true
            - name: glanceapipaste
              mountPath: /etc/glance/glance-api-paste.ini
              subPath: glance-api-paste.ini
-            - name: etcglance
-              mountPath: /etc/glance
+              readOnly: true
            - name: glancepolicy
              mountPath: /etc/glance/policy.json
              subPath: policy.json
+              readOnly: true
 {{- if .Values.development.enabled }}
            - name: glance-data
              mountPath: /var/lib/glance/images
@ -59,9 +64,11 @@ spec:
            - name: cephconf
              mountPath: /etc/ceph/ceph.conf
              subPath: ceph.conf
+              readOnly: true
            - name: cephclientglancekeyring
              mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.glance_user }}.keyring
              subPath: ceph.client.{{ .Values.ceph.glance_user }}.keyring
+              readOnly: true
 {{- end }}
      volumes:
        - name: glanceapiconf
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@ -27,16 +27,37 @@ spec:
          imagePullPolicy: {{ .Values.images.pull_policy }}
          command:
          - glance-registry
+          - --config-file
+          - /etc/glance/glance-registry.conf
          ports:
            - containerPort: {{ .Values.network.port.registry }}
          readinessProbe:
            tcpSocket:
              port: {{ .Values.network.port.registry }}
          volumeMounts:
+            - name: etcglance
+              mountPath: /etc/glance
            - name: glanceregistryconf
              mountPath: /etc/glance/glance-registry.conf
              subPath: glance-registry.conf
+              readOnly: true
+            - name: glanceregistrypaste
+              mountPath: /etc/glance/glance-registry-paste.ini
+              subPath: glance-registry-paste.ini
+              readOnly: true
+            - name: glancepolicy
+              mountPath: /etc/glance/policy.json
+              subPath: policy.json
+              readOnly: true
      volumes:
+        - name: etcglance
+          emptyDir: {}
        - name: glanceregistryconf
          configMap:
            name: glance-etc
+        - name: glanceregistrypaste
+          configMap:
+            name: glance-etc
+        - name: glancepolicy
+          configMap:
+            name: glance-etc
--- a/glance/templates/etc/_glance-registry-paste.ini.tpl
+++ b/glance/templates/etc/_glance-registry-paste.ini.tpl
@ -0,0 +1,35 @@
+# Use this pipeline for no auth - DEFAULT
+[pipeline:glance-registry]
+pipeline = healthcheck osprofiler unauthenticated-context registryapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-registry-keystone]
+pipeline = healthcheck osprofiler authtoken context registryapp
+
+# Use this pipeline for authZ only. This means that the registry will treat a
+# user as authenticated without making requests to keystone to reauthenticate
+# the user.
+[pipeline:glance-registry-trusted-auth]
+pipeline = healthcheck osprofiler context registryapp
+
+[app:registryapp]
+paste.app_factory = glance.registry.api:API.factory
+
+[filter:healthcheck]
+paste.filter_factory = oslo_middleware:Healthcheck.factory
+backends = disable_by_file
+disable_by_file_path = /etc/glance/healthcheck_disable
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = SECRET_KEY  #DEPRECATED
+enabled = yes  #DEPRECATED