Enable glance role to copy extra configuration

Glance role copies glance-image-import.conf when enabled to allow configuration of glance interoperable image import. Property protection can be enabled and file is copied. Change-Id: I5106675da5228a5d7e630871f0882269603e6571 Closesl-Bug: #1889272 Signed-off-by: nikparasyr <nik.parasyr@protonmail.com>
2020-07-28 18:11:40 +02:00 · 2020-07-28 18:11:40 +02:00 · 6033b71d5e
commit 6033b71d5e
parent 54d8c92c7b
7 changed files with 85 additions and 0 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -823,6 +823,8 @@ enable_glance_image_cache: "no"
 glance_backend_swift: "{{ enable_swift | bool }}"
 glance_file_datadir_volume: "glance"
 glance_enable_rolling_upgrade: "no"
+glance_enable_property_protection: "no"
+glance_enable_interoperable_image_import: "no"
 glance_api_hosts: "{{ [groups['glance-api']|first] if glance_backend_file | bool and glance_file_datadir_volume == 'glance' else groups['glance-api'] }}"

 #######################
--- a/ansible/roles/glance/tasks/config.yml
+++ b/ansible/roles/glance/tasks/config.yml
@ -123,6 +123,36 @@
  notify:
    - Restart glance-api container

+- name: Copying over glance-image-import.conf
+  vars:
+    glance_api: "{{ glance_services['glance-api'] }}"
+  copy:
+    src: "{{ node_custom_config }}/glance/glance-image-import.conf"
+    dest: "{{ node_config_directory }}/glance-api/glance-image-import.conf"
+    mode: "0660"
+  become: true
+  when:
+    - glance_api.enabled | bool
+    - inventory_hostname in groups[glance_api.group]
+    - glance_enable_interoperable_image_import | bool
+  notify:
+    - Restart glance-api container
+
+- name: Copying over property-protections-rules.conf
+  vars:
+    glance_api: "{{ glance_services['glance-api'] }}"
+  copy:
+    src: "{{ node_custom_config }}/glance/property-protections-rules.conf"
+    dest: "{{ node_config_directory }}/glance-api/property-protections-rules.conf"
+    mode: "0660"
+  become: true
+  when:
+    - glance_api.enabled | bool
+    - inventory_hostname in groups[glance_api.group]
+    - glance_enable_property_protection | bool
+  notify:
+    - Restart glance-api container
+
 - name: Copying over existing policy file
  vars:
    glance_api: "{{ glance_services['glance-api'] }}"
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@ -21,6 +21,10 @@ enabled_backends = {% for key in glance_store_backends %}{{ key.name }}:{{ key.t
 show_multiple_locations = True
 {% endif %}

+{% if glance_enable_property_protection | bool %}
+property_protection_file = /etc/glance/property-protections-rules.conf
+{% endif %}
+
 cinder_catalog_info = volume:cinder:internalURL

 transport_url = {{ rpc_transport_url }}
--- a/ansible/roles/glance/templates/glance-api.json.j2
+++ b/ansible/roles/glance/templates/glance-api.json.j2
@ -36,6 +36,18 @@
            "dest": "/etc/glance/glance-cache.conf",
            "owner": "glance",
            "perm": "0600"
+        }{% endif %}{% if glance_enable_interoperable_image_import | bool %},
+        {
+            "source": "{{ container_config_directory }}/glance-image-import.conf",
+            "dest": "/etc/glance/glance.conf.d/glance-image-import.conf",
+            "owner": "glance",
+            "perm": "0600"
+        }{% endif %}{% if glance_enable_property_protection | bool %},
+        {
+            "source": "{{ container_config_directory }}/property-protections-rules.conf",
+            "dest": "/etc/glance/property-protections-rules.conf",
+            "owner": "glance",
+            "perm": "0600"
        }{% endif %}
    ],
    "permissions": [
--- a/doc/source/reference/shared-services/glance-guide.rst
+++ b/doc/source/reference/shared-services/glance-guide.rst
@ -146,3 +146,32 @@ Glance caches are not cleaned up automatically, the glance team recommends to
 use a cron service to regularly clean cached images. In the future kolla will
 deploy a cron container to manage such clean ups.  Please refer to
 :glance-doc:`Glance image cache <admin/cache.html>`.
+
+Property protection
+~~~~~~~~~~~~~~~~~~~
+
+`Property protection <https://docs.openstack.org/glance/latest/admin/property-protections.html>`_
+is disabled by default, it can be enabled by:
+
+.. code-block:: yaml
+
+   glance_enable_property_protection: "yes"
+
+
+and defining ``property-protections-rules.conf`` under
+``{{ node_custom_config }}/glance/``. The default
+``property_protection_rule_format`` is ``roles`` but it can be overwritten.
+
+
+Interoperable image import
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The `interoperable image import <https://docs.openstack.org/glance/latest/admin/interoperable-image-import.html>`_
+is disabled by default, it can be enabled by:
+
+.. code-block:: yaml
+
+  glance_enable_interoperable_image_import: "yes"
+
+and defining ``glance-image-import.conf`` under
+``{{ node_custom_config }}/glance/``.
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -430,6 +430,8 @@
 #glance_backend_swift: "no"
 #glance_backend_vmware: "no"
 #enable_glance_image_cache: "no"
+#glance_enable_property_protection: "no"
+#glance_enable_interoperable_image_import: "no"
 # Configure glance upgrade option.
 # Due to this feature being experimental in glance,
 # the default value is "no".
--- a/releasenotes/notes/bug-1889272-c929d21a94d657fa.yaml
+++ b/releasenotes/notes/bug-1889272-c929d21a94d657fa.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Add functionality to the glance role to add extra config file for image
+    property protection and interoperable image import
+    `LP#1889272 <https://launchpad.net/bugs/1889272>`__