From b31a365aea34440c371a3e3446f0b698b9804113 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Fri, 20 Jan 2017 01:03:19 +0000
Subject: [PATCH 1/3] Fix glance containers entrypoints Also improves glance containers volume specification yaml.
---
 glance/templates/deployment-api.yaml | 13 ++++++++++---
 glance/templates/deployment-registry.yaml | 7 +++++++
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index e150aa5a94..34a510eaf8 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@@ -34,24 +34,29 @@ spec:
 image: {{ .Values.images.api }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 command:
- - glance-api --config-dir /etc/glance
+ - glance-api
+ - --config-file
+ - /etc/glance/glance-registry.conf
 ports:
 - containerPort: {{ .Values.network.port.api }}
 readinessProbe:
 tcpSocket:
 port: {{ .Values.network.port.api }}
 volumeMounts:
+ - name: etcglance
+ mountPath: /etc/glance
 - name: glanceapiconf
 mountPath: /etc/glance/glance-api.conf
 subPath: glance-api.conf
+ readOnly: true
 - name: glanceapipaste
 mountPath: /etc/glance/glance-api-paste.ini
 subPath: glance-api-paste.ini
- - name: etcglance
- mountPath: /etc/glance
+ readOnly: true
 - name: glancepolicy
 mountPath: /etc/glance/policy.json
 subPath: policy.json
+ readOnly: true
 {{- if .Values.development.enabled }}
 - name: glance-data
 mountPath: /var/lib/glance/images
@@ -59,9 +64,11 @@ spec:
 - name: cephconf
 mountPath: /etc/ceph/ceph.conf
 subPath: ceph.conf
+ readOnly: true
 - name: cephclientglancekeyring
 mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.glance_user }}.keyring
 subPath: ceph.client.{{ .Values.ceph.glance_user }}.keyring
+ readOnly: true
 {{- end }}
 volumes:
 - name: glanceapiconf
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index f8f6c6327e..05615548df 100644
--- a/glance/templates/deployment-registry.yaml
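Review bot: In the first deployment-api.yaml hunk of 1/3, the new `command` passes `--config-file /etc/glance/glance-registry.conf`, which is the registry's file; none of the volumeMounts visible in the hunk places that file under `/etc/glance`, so the API container is pointed at a config it does not appear to have. Patch 2/3 changes the path to `/etc/glance/glance-api.conf`; folding that one-line fix into this commit would keep every commit in the series deployable on its own. The same applies to the `glanceregistrypaste` and `glancepolicy` volumeMounts added to deployment-registry.yaml in 2/3, whose volumes are only declared in 3/3. The `volumeMounts` list continues outside the hunk.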
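Review bot: In the second deployment-api.yaml hunk of 1/3, `readOnly: true` on the `cephclientglancekeyring` mount stops the container from modifying the keyring, but it does not limit who can read the key material. The volume definition is outside the hunk; if it is backed by a ConfigMap, as the registry's config volumes in this series are, the Ceph client key is readable by anything with ConfigMap read access in the namespace. A Secret-backed volume (`secret:` with `secretName: <keyring-secret-name>`) would be the better fit for this one entry and is worth confirming before merge.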
+++ b/glance/templates/deployment-registry.yaml
@@ -27,16 +27,23 @@ spec:
 imagePullPolicy: {{ .Values.images.pull_policy }}
 command:
 - glance-registry
+ - --config-file
+ - /etc/glance/glance-registry.conf
 ports:
 - containerPort: {{ .Values.network.port.registry }}
 readinessProbe:
 tcpSocket:
 port: {{ .Values.network.port.registry }}
 volumeMounts:
+ - name: etcglance
+ mountPath: /etc/glance
 - name: glanceregistryconf
 mountPath: /etc/glance/glance-registry.conf
 subPath: glance-registry.conf
+ readOnly: true
 volumes:
+ - name: etcglance
+ emptyDir: {}
 - name: glanceregistryconf
 configMap:
 name: glance-etc
From b1ce9b093b9875a15d5da4978002048671a3711b Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Fri, 20 Jan 2017 01:19:37 +0000
Subject: [PATCH 2/3] Add glance registry config
---
 glance/templates/configmap-etc.yaml | 2 ++
 glance/templates/deployment-api.yaml | 2 +-
 glance/templates/deployment-registry.yaml | 8 +++++
 .../etc/_glance-registry-paste.ini.tpl | 35 +++++++++++++++++++
 4 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 glance/templates/etc/_glance-registry-paste.ini.tpl
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index 9b622b1785..ba8b86c42e 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@@ -13,5 +13,7 @@ data:
 {{ tuple "etc/_glance-api-paste.ini.tpl" . | include "template" | indent 4 }}
 glance-registry.conf: |+
 {{ tuple "etc/_glance-registry.conf.tpl" . | include "template" | indent 4 }}
+ glance-registry-paste.ini: |+
+{{ tuple "etc/_glance-registry-paste.ini.tpl" . | include "template" | indent 4 }}
 policy.json: |+
 {{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 34a510eaf8..46086de678 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
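Review bot: In the 1/3 hunk for deployment-registry.yaml, the `etcglance` entry is the only mount without `readOnly: true`, and nothing in the hunk records why `/etc/glance` is backed by a writable `emptyDir`. An `emptyDir` mounted there hides whatever the image ships in `/etc/glance`, so the container sees only the files mounted on top of it, and the service process may be able to create files in that directory at runtime. If that is the intent, a comment on the mount would document it, for example `# emptyDir masks the image's /etc/glance; only chart-rendered files are mounted into it`. The same mount is added to deployment-api.yaml in this commit.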
@@ -36,7 +36,7 @@ spec:
 command:
 - glance-api
 - --config-file
- - /etc/glance/glance-registry.conf
+ - /etc/glance/glance-api.conf
 ports:
 - containerPort: {{ .Values.network.port.api }}
 readinessProbe:
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index 05615548df..51aa3269e9 100644
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@@ -41,6 +41,14 @@ spec:
 mountPath: /etc/glance/glance-registry.conf
 subPath: glance-registry.conf
 readOnly: true
+ - name: glanceregistrypaste
+ mountPath: /etc/glance/glance-registry-paste.ini
+ subPath: glance-registry-paste.ini
+ readOnly: true
+ - name: glancepolicy
+ mountPath: /etc/glance/policy.json
+ subPath: policy.json
+ readOnly: true
 volumes:
 - name: etcglance
 emptyDir: {}
diff --git a/glance/templates/etc/_glance-registry-paste.ini.tpl b/glance/templates/etc/_glance-registry-paste.ini.tpl
new file mode 100644
index 0000000000..492dbc6f53
--- /dev/null
+++ b/glance/templates/etc/_glance-registry-paste.ini.tpl
@@ -0,0 +1,35 @@
+# Use this pipeline for no auth - DEFAULT
+[pipeline:glance-registry]
+pipeline = healthcheck osprofiler unauthenticated-context registryapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-registry-keystone]
+pipeline = healthcheck osprofiler authtoken context registryapp
+
+# Use this pipeline for authZ only. This means that the registry will treat a
+# user as authenticated without making requests to keystone to reauthenticate
+# the user.
+[pipeline:glance-registry-trusted-auth]
+pipeline = healthcheck osprofiler context registryapp
+
+[app:registryapp]
+paste.app_factory = glance.registry.api:API.factory
+
+[filter:healthcheck]
+paste.filter_factory = oslo_middleware:Healthcheck.factory
+backends = disable_by_file
+disable_by_file_path = /etc/glance/healthcheck_disable
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = SECRET_KEY #DEPRECATED
+enabled = yes #DEPRECATED
From 09efab76ca0028494bcbadc77b3f39beaf23d743 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Fri, 20 Jan 2017 01:21:48 +0000
Subject: [PATCH 3/3] Add glance registry config mounts
---
 glance/templates/deployment-registry.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index 51aa3269e9..e6ab5cd79e 100644
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@@ -55,3 +55,9 @@ spec:
 - name: glanceregistryconf
 configMap:
 name: glance-etc
+ - name: glanceregistrypaste
+ configMap:
+ name: glance-etc
+ - name: glancepolicy
+ configMap:
+ name: glance-etc
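Review bot: The `[filter:osprofiler]` section at the end of the new `_glance-registry-paste.ini.tpl` (2/3) turns profiling on with the sample key `hmac_keys = SECRET_KEY`, so the HMAC key that gates trace requests is the same publicly known string in every deployment of this chart. Either ship `enabled = no` in that section or render `hmac_keys` from a chart value the operator has to supply. Separately, the first pipeline, marked DEFAULT, uses `unauthenticated-context`; which pipeline is loaded depends on the paste flavor set in `glance-registry.conf`, which is not part of this diff. It is worth confirming that the rendered conf selects the keystone pipeline (`flavor = keystone` under `[paste_deploy]`), since both filters sit in every pipeline defined here.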