Glance bootstrap to create service/project/role

This PS adds steps to the Glance bootstrap process to:
create glance-service-and-endpoint-admin
create glance-service-and-endpoint-internal
create glance-service-and-endpoint-public
create glance-user-project-role

It also uses per service secrets so no password gets exposed
even on the rendering server.

Change-Id: Ibfa747cdd86f1cd09a43e7d121704414a47efbcf
Partially-Fixes: #1605693
PartiallyImplements: blueprint glance-kubernetes
Serguei Bezverkhi 2016-07-22 15:06:39 -04:00
parent 5800b04729
commit b3f7e9e6cd
3 changed files with 175 additions and 20 deletions


@ -8,6 +8,9 @@
# For now, set kolla_internal_vip_address in /etc/kolla/globals.yml to use as
# the ip address for all the services.
# kolla_internal_vip_address: "10.10.10.254"
# This address is used in ALL public endpoints and it serves as an entry point
# into kolla kubernetes cluster, needs to be changed by the operator.
kolla_kubernetes_external_vip: "10.57.120.254"
########################
# Kubernetes Cluster
@ -87,3 +90,12 @@ storage_ceph:
# Persistent volumes sizes in GB
################################
#glance_volume_size: ""
keystone_auth_url: "http://keystone-admin:35357"
########################
# Glance variables
########################
openstack_glance_auth: "{'auth_url':'{{ keystone_auth_url }}','username':'{{ openstack_auth.username }}','password':'$KEYSTONE_ADMIN_PASSWORD','project_name':'{{ openstack_auth.project_name }}','domain_name':'default'}"
glance_admin_endpoint: "http://glance-api:{{ glance_api_port }}"
glance_public_endpoint: "http://{{ kolla_kubernetes_external_vip }}:{{ glance_api_port }}"
glance_internal_endpoint: "http://glance-api:{{ glance_api_port }}"
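Review bot: `openstack_glance_auth` embeds `'$KEYSTONE_ADMIN_PASSWORD'` as a literal token that is not a Jinja variable but a shell environment variable, so the value only resolves when the consuming container runs the command through `sh -c` with that variable populated from a Secret; a comment above the line should state that contract, e.g. `# $KEYSTONE_ADMIN_PASSWORD is left for the container shell (sh -c) to expand at run time; consumers must source it from the keystone-admin-password Secret.` Because the dict is assembled by string concatenation, a password containing a single quote or a brace would presumably break the literal the consumer parses — worth mentioning in the same comment or constraining where the Secret is generated. The `'domain_name':'default'` field is hard-coded while `username` and `project_name` come from `openstack_auth`; if a domain value exists there it would be more consistent to template it too.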


@ -1,3 +1,4 @@
{%- set resourceName = kolla_kubernetes.cli.args.service_name %}
apiVersion: v1
kind: ReplicationController
spec:


@ -1,3 +1,4 @@
{%- set resourceName = kolla_kubernetes.cli.args.service_name %}
apiVersion: batch/v1
kind: Job
metadata:
@ -11,12 +12,14 @@ spec:
containers:
- image: "{{ kolla_toolbox_image_full }}"
name: creating-glance-database
#TODO: Assign the IP to be mariadb's serivce ip exposed by Kubernetes
command: ["usr/bin/ansible", "localhost", "-vvvv", "-m", "mysql_db",
"-a", "login_host='mariadb'
login_user='{{ database_user }}'
login_password='{{ database_password }}'
name='{{ glance_database_name }}'"]
command: ["sh", "-c"]
args:
- ansible localhost -m mysql_db -a
"login_host=mariadb
login_port='{{ mariadb_port }}'
login_user='{{ database_user }}'
login_password='$DATABASE_PASSWORD'
name='{{ glance_database_name }}'"
volumeMounts:
- mountPath: /dev
name: dev
@ -29,19 +32,25 @@ spec:
value: "1"
- name: ANSIBLE_LIBRARY
value: "/usr/share/ansible"
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: database-password
key: password
- image: "{{ kolla_toolbox_image_full }}"
name: creating-glance-user-and-permissions
#TODO: Assign the IP to be mariadb's serivce ip exposed by Kubernetes
command: ["/usr/bin/ansible", "localhost", "-vvvv", "-m", "mysql_user",
"-a", "login_host='mariadb'
login_user='{{ database_user }}'
login_password='{{ database_password }}'
name='{{ glance_database_name }}'
password='{{ glance_database_password }}'
host='%'
priv='{{ glance_database_name }}.*:ALL'
append_privs='yes'"]
command: ["sh", "-c"]
args:
- ansible localhost -m mysql_user -a
"login_host=mariadb
login_port='{{ mariadb_port }}'
login_user='{{ database_user }}'
login_password='$DATABASE_PASSWORD'
name='{{ glance_database_name }}'
password='$GLANCE_DATABASE_PASSWORD'
host='%'
priv='{{ glance_database_name }}.*:ALL'
append_privs='yes'"
volumeMounts:
- mountPath: /dev
name: dev
@ -54,7 +63,16 @@ spec:
value: "1"
- name: ANSIBLE_LIBRARY
value: "/usr/share/ansible"
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: database-password
key: password
- name: GLANCE_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: glance-database-password
key: password
- image: "{{ glance_api_image_full }}"
name: glance-api-config
env:
@ -66,15 +84,139 @@ spec:
- mountPath: {{ container_config_directory }}
name: glance-api-config
readOnly: true
- mountPath: /var/lib/glance/
name: glance-persistent-storage
- mountPath: /var/log/kolla
name: kolla-logs
- image: "{{ kolla_toolbox_image_full }}"
name: creating-glance-service-and-endpoint-admin
command: ["sh", "-c"]
args:
- ansible localhost -m kolla_keystone_service -a
"service_name=glance
service_type=image
description='Openstack Image'
endpoint_region={{ openstack_region_name }}
url='{{ glance_admin_endpoint }}'
interface=admin
region_name={{ openstack_region_name }}
auth={{ '{{' }} openstack_glance_auth {{ '}}' }}"
"-e" "{'openstack_glance_auth':{{ openstack_glance_auth }}}"
volumeMounts:
- mountPath: /dev
name: dev
- mountPath: /run
name: run
- mountPath: /var/log/kolla
name: kolla-logs
env:
- name: ANSIBLE_NOCOLOR
value: "1"
- name: ANSIBLE_LIBRARY
value: "/usr/share/ansible"
- name: KEYSTONE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keystone-admin-password
key: password
- image: "{{ kolla_toolbox_image_full }}"
name: creating-glance-service-and-endpoint-internal
command: ["sh", "-c"]
args:
- ansible localhost -m kolla_keystone_service -a
"service_name=glance
service_type=image
description='Openstack Image'
endpoint_region={{ openstack_region_name }}
url='{{ glance_internal_endpoint }}'
interface=internal
region_name={{ openstack_region_name }}
auth={{ '{{' }} openstack_glance_auth {{ '}}' }}"
"-e" "{'openstack_glance_auth':{{ openstack_glance_auth }}}"
volumeMounts:
- mountPath: /dev
name: dev
- mountPath: /run
name: run
- mountPath: /var/log/kolla
name: kolla-logs
env:
- name: ANSIBLE_NOCOLOR
value: "1"
- name: ANSIBLE_LIBRARY
value: "/usr/share/ansible"
- name: KEYSTONE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keystone-admin-password
key: password
- image: "{{ kolla_toolbox_image_full }}"
name: creating-glance-service-and-endpoint-public
command: ["sh", "-c"]
args:
- ansible localhost -m kolla_keystone_service -a
"service_name=glance
service_type=image
description='Openstack Image'
endpoint_region={{ openstack_region_name }}
url='{{ glance_public_endpoint }}'
interface=public
region_name={{ openstack_region_name }}
auth={{ '{{' }} openstack_glance_auth {{ '}}' }}"
"-e" "{'openstack_glance_auth':{{ openstack_glance_auth }}}"
volumeMounts:
- mountPath: /dev
name: dev
- mountPath: /run
name: run
- mountPath: /var/log/kolla
name: kolla-logs
env:
- name: ANSIBLE_NOCOLOR
value: "1"
- name: ANSIBLE_LIBRARY
value: "/usr/share/ansible"
- name: KEYSTONE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keystone-admin-password
key: password
- image: "{{ kolla_toolbox_image_full }}"
name: creating-glance-user-project-role
command: ["sh", "-c"]
args:
- ansible localhost -m kolla_keystone_user -a
"project=service
user=glance
password={{ glance_keystone_password }}
role=admin
region_name={{ openstack_region_name }}
auth={{ '{{' }} openstack_glance_auth {{ '}}' }}"
"-e" "{'openstack_glance_auth':{{ openstack_glance_auth }}}"
volumeMounts:
- mountPath: /dev
name: dev
- mountPath: /run
name: run
- mountPath: /var/log/kolla
name: kolla-logs
env:
- name: ANSIBLE_NOCOLOR
value: "1"
- name: ANSIBLE_LIBRARY
value: "/usr/share/ansible"
- name: KEYSTONE_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keystone-admin-password
key: password
volumes:
- name: glance-api-config
configMap:
name: glance-api-configmap
- name: glance-persistent-storage
hostPath:
path: /var/lib/glance
persistentVolumeClaim:
claimName: {{ resourceName }}
- name: dev
hostPath:
path: /dev
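Review bot: `password={{ glance_keystone_password }}` in the creating-glance-user-project-role container is still rendered in plaintext into the template, so the glance Keystone password lands on the rendering server and in the Job spec — exactly what the per-service secrets used for DATABASE_PASSWORD, GLANCE_DATABASE_PASSWORD and KEYSTONE_ADMIN_PASSWORD in the other containers avoid. It should follow the same pattern: a `secretKeyRef` env var plus `password='$GLANCE_KEYSTONE_PASSWORD'` in the args, as sketched below. Separately, the four new toolbox containers only talk to Keystone over the network, yet each mounts host `/dev` and `/run`; dropping those hostPath mounts would narrow what a compromised bootstrap container can reach. If these are ordinary `containers` rather than `initContainers` (the `containers:` key is visible at the top of the section), the three kolla_keystone_service invocations for service_name=glance run concurrently and may race on creating the same service — worth confirming the module is idempotent under that.

```yaml
          name: creating-glance-user-project-role
          # … unchanged: command, volumeMounts; in args replace the password line with:
          #     password='$GLANCE_KEYSTONE_PASSWORD'
          env:
            # … unchanged: ANSIBLE_NOCOLOR, ANSIBLE_LIBRARY, KEYSTONE_ADMIN_PASSWORD …
            - name: GLANCE_KEYSTONE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: glance-keystone-password  # constructed name; use the Secret that holds this password
                  key: password
```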