b277b10df6
Migrate Glance client to Keystoneauth to make it consistent with Cinder and Neutron clients. Note: We still use the api_servers variable, rather than fetching endpoints from the service catalog. This change is needed to enable the use of service token with Glance client. Related to blueprint use-service-tokens-pike Change-Id: I02be31bbe2de54c69210934b234ed380daca4fda Co-Authored-By: Pushkar Umaranikar <pushkar.umaranikar@intel.com>
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystoneauth1 import loading as ks_loading
from oslo_config import cfg
# Option group under which register_opts() registers every option
# declared in this module.
glance_group = cfg.OptGroup(
    name='glance',
    title='Glance Options',
    help='Configuration options for the Image service',
)
# Options registered in the [glance] group by register_opts() below.
# Several of them gate image-integrity checks and default to "off"; the
# comments on each entry call out what the default leaves unchecked.
glance_opts = [
    # NOTE(sdague): there is intentionally no default here. This
    # requires configuration. Eventually this will come from the
    # service catalog, however we don't have a good path there atm.
    # TODO(raj_singh): Add "required=True" flag to this option.
    # NOTE(review): the help text accepts both http and https URLs and the
    # option declares no scheme restriction; an http endpoint means image
    # traffic to that server is not protected by TLS.
    cfg.ListOpt('api_servers',
        help="""
List of glance api servers endpoints available to nova.

https is used for ssl-based glance api servers.

Possible values:

* A list of any fully qualified url of the form "scheme://hostname:port[/path]"
(i.e. "http://10.0.1.0:9292" or "https://my.glance.server/image").
"""),
    # min=0 rejects negative values; the default of 0 disables retries.
    cfg.IntOpt('num_retries',
        default=0,
        min=0,
        help="""
Enable glance operation retries.

Specifies the number of retries when uploading / downloading
an image to / from glance. 0 means no retries.
"""),
    # Empty by default, so no direct_url scheme is enabled.
    # NOTE(review): direct_url is read from image metadata (see help text);
    # the code consuming this list is outside this file -- confirm it
    # constrains what a listed scheme such as `file` may point at.
    cfg.ListOpt('allowed_direct_url_schemes',
        default=[],
        help="""
List of url schemes that can be directly accessed.

This option specifies a list of url schemes that can be downloaded
directly via the direct_url. This direct_URL can be fetched from
Image metadata which can be used by nova to get the
image more efficiently. nova-compute could benefit from this by
invoking a copy when it has access to the same file system as glance.

Possible values:

* [file], Empty list (default)
"""),
    # Off by default: unless an operator sets this to True, image signatures
    # are not verified on download. The two certificate options below only
    # matter once this is enabled.
    cfg.BoolOpt('verify_glance_signatures',
        default=False,
        help="""
Enable image signature verification.

nova uses the image signature metadata from glance and verifies the signature
of a signed image while downloading that image. If the image signature cannot
be verified or if the image signature metadata is either incomplete or
unavailable, then nova will not boot the image and instead will place the
instance into an error state. This provides end users with stronger assurances
of the integrity of the image data they are using to create servers.

Related options:

* The options in the `key_manager` group, as the key_manager is used
for the signature validation.
* Both enable_certificate_validation and default_trusted_certificate_ids
below depend on this option being enabled.
"""),
    # Off by default and deprecated for removal since 16.0.0. While it is
    # disabled, a signature can verify against a signing certificate whose
    # trust was never checked (per the help text below).
    cfg.BoolOpt('enable_certificate_validation',
        default=False,
        deprecated_for_removal=True,
        deprecated_since='16.0.0',
        deprecated_reason="""
This option is intended to ease the transition for deployments leveraging
image signature verification. The intended state long-term is for signature
verification and certificate validation to always happen together.
""",
        help="""
Enable certificate validation for image signature verification.

During image signature verification nova will first verify the validity of the
image's signing certificate using the set of trusted certificates associated
with the instance. If certificate validation fails, signature verification
will not be performed and the image will be placed into an error state. This
provides end users with stronger assurances that the image data is unmodified
and trustworthy. If left disabled, image signature verification can still
occur but the end user will not have any assurance that the signing
certificate used to generate the image signature is still trustworthy.

Related options:

* This option only takes effect if verify_glance_signatures is enabled.
* The value of default_trusted_certificate_ids may be used when this option
is enabled.
"""),
    # Empty by default; per the help text, certificate validation then fails
    # unless the API request itself supplies trusted certificate IDs.
    cfg.ListOpt('default_trusted_certificate_ids',
        default=[],
        help="""
List of certificate IDs for certificates that should be trusted.

May be used as a default list of trusted certificate IDs for certificate
validation. The value of this option will be ignored if the user provides a
list of trusted certificate IDs with an instance API request. The value of
this option will be persisted with the instance data if signature verification
and certificate validation are enabled and if the user did not provide an
alternative list. If left empty when certificate validation is enabled the
user must provide a list of trusted certificate IDs otherwise certificate
validation will fail.

Related options:

* The value of this option may be used if both verify_glance_signatures and
enable_certificate_validation are enabled.
"""),
    # NOTE(review): what glanceclient emits at debug level is not visible
    # from this file; confirm it does not include tokens or other secrets
    # before enabling this outside troubleshooting.
    cfg.BoolOpt('debug',
         default=False,
         help='Enable or disable debug logging with glanceclient.')
]
def register_opts(conf):
    """Register the glance group, its options and the session options.

    The module's own options are registered first; the keystoneauth
    session options are then added to the same group, with the older
    option names kept as deprecated aliases.

    :param conf: the configuration object to register the options on
    """
    conf.register_group(glance_group)
    conf.register_opts(glance_opts, group=glance_group)

    group_name = glance_group.name

    # 'api_insecure' from this group is kept as an alias of the session
    # option 'insecure'.
    # NOTE(review): in keystoneauth that option controls whether HTTPS
    # certificates are verified, so a legacy api_insecure setting is still
    # honoured after this migration -- confirm deployments do not carry it
    # over unintentionally.
    legacy_names = {
        'insecure': [cfg.DeprecatedOpt('api_insecure', group=group_name)],
    }
    # The TLS file options used to be read from the [ssl] group.
    for session_opt, old_name in (('cafile', 'ca_file'),
                                  ('certfile', 'cert_file'),
                                  ('keyfile', 'key_file')):
        legacy_names[session_opt] = [cfg.DeprecatedOpt(old_name, group="ssl")]

    ks_loading.register_session_conf_options(conf, group_name, legacy_names)
def list_opts():
    """Return the options of the glance group, keyed by the group object.

    The value is the module's own option list followed by the keystoneauth
    session options, i.e. the same two sets that register_opts() registers.
    """
    session_opts = ks_loading.get_session_conf_options()
    every_opt = glance_opts + session_opts
    return {glance_group: every_opt}