Merge "feat(glance): add support for cinder"

Zuul 2022-09-22 22:10:58 +00:00 committed by Gerrit Code Review
commit 6348b93bed
9 changed files with 225 additions and 1 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Glance
name: glance
version: 0.3.11
version: 0.3.12
home: https://docs.openstack.org/glance/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
sources:


@ -0,0 +1,20 @@
#!/bin/bash
{{/*
Copyright 2020 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
iscsiadm "${@:1}"
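Review bot: The wrapper carries no comment saying that it runs the host's iscsiadm by chrooting into the host root filesystem mounted at /mnt/host-rootfs, which is what someone auditing the pod's host access needs to see first. A line such as `# Runs the host's iscsiadm inside the host root filesystem (hostPath / mounted at /mnt/host-rootfs).` after the licence block would cover it. `"${@:1}"` expands to the same words as `"$@"`, and starting the command with `exec` (`exec chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \`) avoids leaving a bash parent between the caller and the tool. The multipath and multipathd wrappers in the next two files have the same shape and would take the same change.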


@ -0,0 +1,18 @@
#!/bin/bash
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
multipath "${@:1}"


@ -0,0 +1,18 @@
#!/bin/bash
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
chroot /mnt/host-rootfs /usr/bin/env -i PATH="/sbin:/bin:/usr/bin" \
multipathd "${@:1}"


@ -21,6 +21,14 @@ kind: ConfigMap
metadata:
name: glance-bin
data:
{{- if eq .Values.storage "cinder" }}
iscsiadm: |
{{ tuple "bin/_iscsiadm.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
multipath: |
{{ tuple "bin/_multipath.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
multipathd: |
{{ tuple "bin/_multipathd.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
{{- if .Values.bootstrap.enabled }}
bootstrap.sh: |
{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}


@ -145,6 +145,12 @@ data:
glance-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
glance_sudoers: {{ $envAll.Values.conf.glance_sudoers | b64enc }}
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- $filePrefix := replace "_" "-" $key }}
{{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
{{- end }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
{{- end }}


@ -55,6 +55,13 @@ spec:
nodeSelector:
{{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
{{- if .Values.pod.useHostNetwork.api }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
{{- if eq .Values.storage "cinder" }}
hostIPC: true
{{- end }}
initContainers:
{{ tuple $envAll "api" $mounts_glance_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: glance-perms
@ -185,6 +192,8 @@ spec:
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: glance-tmp
mountPath: /var/lib/glance/tmp
- name: etcglance
mountPath: /etc/glance
- name: glance-bin
@ -213,12 +222,73 @@ spec:
mountPath: /etc/glance/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- name: glance-etc
# NOTE (Portdirect): We mount here to override Kollas
# custom sudoers file when using Kolla images, this
# location will also work fine for other images.
mountPath: /etc/sudoers.d/kolla_glance_sudoers
subPath: glance_sudoers
readOnly: true
- name: glance-etc
mountPath: /etc/glance/rootwrap.conf
subPath: rootwrap.conf
readOnly: true
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- if ( has "api" $value.pods ) }}
{{- $filePrefix := replace "_" "-" $key }}
{{- $rootwrapFile := printf "/etc/glance/rootwrap.d/%s.filters" $filePrefix }}
- name: glance-etc
mountPath: {{ $rootwrapFile }}
subPath: {{ base $rootwrapFile }}
readOnly: true
{{- end }}
{{- end }}
- name: glance-etc
mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
subPath: swift-store.conf
readOnly: true
- name: glance-images
mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
{{- if eq .Values.storage "cinder" }}
- name: host-rootfs
mountPath: /mnt/host-rootfs
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: HostToContainer
{{- end }}
- name: host-dev
mountPath: /dev
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: HostToContainer
{{- end }}
- name: runlock
mountPath: /run/lock
- name: etciscsi
mountPath: /etc/iscsi
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: HostToContainer
{{- end }}
- name: usrlocalsbin
mountPath: /usr/local/sbin
- name: glance-bin
mountPath: /usr/local/sbin/iscsiadm
subPath: iscsiadm
- name: glance-bin
mountPath: /usr/local/sbin/multipath
subPath: multipath
- name: glance-bin
mountPath: /usr/local/sbin/multipathd
subPath: multipathd
- name: etcmultipath
mountPath: /etc/multipath
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: Bidirectional
{{- end }}
- name: sys
mountPath: /sys
{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
mountPropagation: HostToContainer
{{- end }}
{{- end }}
{{- if eq .Values.storage "rbd" }}
- name: etcceph
mountPath: /etc/ceph
@ -238,6 +308,8 @@ spec:
volumes:
- name: pod-tmp
emptyDir: {}
- name: glance-tmp
emptyDir: {}
- name: etcglance
emptyDir: {}
- name: glance-bin
@ -267,6 +339,28 @@ spec:
secret:
secretName: {{ .Values.secrets.rbd | quote }}
{{- end }}
{{- if eq .Values.storage "cinder" }}
- name: host-rootfs
hostPath:
path: /
- name: host-dev
hostPath:
path: /dev
- name: runlock
hostPath:
path: /run/lock
- name: etciscsi
hostPath:
path: /etc/iscsi
- name: usrlocalsbin
emptyDir: {}
- name: etcmultipath
hostPath:
path: /etc/multipath
- name: sys
hostPath:
path: /sys
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
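Review bot: The volumeMounts for `/etc/sudoers.d/kolla_glance_sudoers`, `/etc/glance/rootwrap.conf` and the `range` over `rootwrap_filters` are added to the glance-api container for every storage backend, while the host mounts and `hostIPC` that go with them are guarded by `{{- if eq .Values.storage "cinder" }}`. With the chart defaults this lets the glance user run glance-rootwrap as root without a password on deployments that do not use Cinder at all. Wrapping those three mount stanzas in the same `eq .Values.storage "cinder"` condition keeps that privilege limited to the backend that needs it. Separately, the cinder branch mounts hostPath `/` without `readOnly` and shares the host IPC namespace; the container securityContext this relies on lies outside these hunks, so it cannot be checked from here.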


@ -244,6 +244,60 @@ conf:
add_metadef_tags: rule:metadef_admin
delete_metadef_tag: rule:metadef_admin
delete_metadef_tags: rule:metadef_admin
glance_sudoers: |
# This sudoers file supports rootwrap for both Kolla and LOCI Images.
Defaults !requiretty
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
glance ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/glance-rootwrap /etc/glance/rootwrap.conf *, /var/lib/openstack/bin/glance-rootwrap /etc/glance/rootwrap.conf *
rootwrap: |
# Configuration for glance-rootwrap
# This file should be owned by (and only-writable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
rootwrap_filters:
glance_cinder_store:
pods:
- api
content: |
# glance-rootwrap command filters for glance cinder store
# This file should be owned by (and only-writable by) the root user
[Filters]
# cinder store driver
disk_chown: RegExpFilter, chown, root, chown, \d+, /dev/(?!.*/\.\.).*
# os-brick library commands
# os_brick.privileged.run_as_root oslo.privsep context
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
chown: CommandFilter, chown, root
mount: CommandFilter, mount, root
umount: CommandFilter, umount, root
glance:
DEFAULT:
log_config_append: /etc/glance/logging.conf
@ -259,6 +313,7 @@ conf:
auth_version: v3
memcache_security_strategy: ENCRYPT
glance_store:
cinder_catalog_info: volumev3::internalURL
rbd_store_chunk_size: 8
rbd_store_replication: 3
rbd_store_crush_rule: replicated_rule
@ -275,6 +330,8 @@ conf:
flavor: keystone
database:
max_retries: -1
oslo_concurrency:
lock_path: "/var/lib/glance/tmp"
oslo_messaging_notifications:
driver: messagingv2
oslo_messaging_rabbit:
@ -837,6 +894,8 @@ pod:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
useHostNetwork:
api: false
mounts:
glance_api:
init_container: null
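Review bot: In the `glance_cinder_store` filter, `chown: CommandFilter, chown, root` matches any chown invocation, so the narrower `disk_chown` RegExpFilter above it (numeric owner, path under /dev) no longer limits what glance-rootwrap will run as root; `mount` and `umount` are likewise unrestricted. If only the device chown is needed, dropping the `chown: CommandFilter, chown, root` line restores that restriction; whether os-brick needs other chown calls is not visible in this hunk. `exec_dirs` in `rootwrap` also lists /usr/local/sbin, which the deployment mounts as an emptyDir, while the comment directly above says these directories must be writable only by root. Whether the glance user can write there depends on the pod security context, which is outside the hunks, so either confirm that or remove the directory from `exec_dirs`.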


@ -32,4 +32,5 @@ glance:
- 0.3.9 Support TLS endpoints
- 0.3.10 Distinguish between port number of internal endpoint and binding port number
- 0.3.11 Use HTTP probe instead of TCP probe
- 0.3.12 Add support for using Cinder as backend
...