From b3be1dc18c8284852905797d91b67d2dcd6a1a10 Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Mon, 31 Oct 2022 07:08:19 -0700
Subject: [PATCH] Support deploying additional internal glance-api service OSSN-0090 [1] recommends deploying two instances of the glance-api service: a "user facing" service, plus an "internal" service that is accessible via keystone's internal endpoint. To support this, the tripleo::profile::base::glance::api class is enhanced to allow overriding certain associated glance::api parameters. This makes it possible to override parameters when including the glance::api class in order to facilitate configuring two different instances of the glance-api service, each with their own configuration. The tripleo::haproxy class is enhanced to provide HA support for running the internal glance-api service on its own TCP port (defaults to 9293). [1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090 Change-Id: Ideb5a951d538d9e2c7cca11dfe0e8b99520de959
---
 manifests/haproxy.pp | 33 ++++++++++++++++++++++
 manifests/profile/base/glance/api.pp | 42 +++++++++++++++++++++++++---
 2 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 2ca12f6a4..ca78efe2f 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -199,6 +199,10 @@
 # (optional) Enable or not Glance API binding
 # Defaults to lookup('glance_api_enabled', undef, undef, false)
 #
+# [*glance_api_internal*]
+# (optional) Enable or not Glance API (internal) binding
+# Defaults to lookup('glance_api_internal_enabled', undef, undef, false)
+#
 # [*nova_osapi*]
 # (optional) Enable or not Nova API binding
 # Defaults to lookup('nova_api_enabled', undef, undef, false)
@@ -475,6 +479,7 @@
 # 'docker_registry_port' (Defaults to 8787)
 # 'docker_registry_ssl_port' (Defaults to 13787)
 # 'glance_api_port' (Defaults to 9292)
+# 'glance_api_internal_port' (Defaults to 9293)
 # 'glance_api_ssl_port' (Defaults to 13292)
 # 'gnocchi_api_port' (Defaults to 8041)
 # 'gnocchi_api_ssl_port' (Defaults to 13041)
@@ -561,6 +566,7 @@ class tripleo::haproxy (
 $cinder = lookup('cinder_api_enabled', undef, undef, false),
 $manila = lookup('manila_api_enabled', undef, undef, false),
 $glance_api = lookup('glance_api_enabled', undef, undef, false),
+ $glance_api_internal = lookup('glance_api_internal_enabled', undef, undef, false),
 $nova_osapi = lookup('nova_api_enabled', undef, undef, false),
 $placement = lookup('placement_enabled', undef, undef, false),
 $nova_metadata = lookup('nova_metadata_enabled', undef, undef, false),
@@ -647,6 +653,7 @@ class tripleo::haproxy (
 docker_registry_ssl_port => 13787,
 etcd_port => 2379,
 glance_api_port => 9292,
+ glance_api_internal_port => 9293,
 glance_api_ssl_port => 13292,
 gnocchi_api_port => 8041,
 gnocchi_api_ssl_port => 13041,
@@ -963,6 +970,32 @@ class tripleo::haproxy ( } } + if $glance_api_internal { + $glance_internal_frontend_opts = { + 'option' => [ 'httplog', 'forwardfor' ], + } + $glance_internal_backend_opts = { + 'option' => [ 'httpchk GET /healthcheck' ], + } + $glance_internal_listen_opts = merge_hash_values($glance_internal_frontend_opts, + $glance_internal_backend_opts) + + # The glance_api_internal service uses the same network and internal VIP as the + # glance_api service. There is no public VIP (that's handled by the glance_api service). + ::tripleo::haproxy::endpoint { 'glance_api_internal': + internal_ip => lookup('glance_api_vip', undef, undef, $controller_virtual_ip), + service_port => $ports[glance_api_internal_port], + ip_addresses => lookup('glance_api_internal_node_ips', undef, undef, $controller_hosts_real), + server_names => lookup('glance_api_internal_node_names', undef, undef, $controller_hosts_names_real), + mode => 'http', + listen_options => merge($default_listen_options, $glance_internal_listen_opts), + frontend_options => merge($default_frontend_options, $glance_internal_frontend_opts), + backend_options => merge($default_backend_options, $glance_internal_backend_opts), + service_network => $glance_api_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), + } + } + if $ceph_grafana { if $enable_internal_tls { $ceph_grafana_tls_member_options = ['ssl check verify none'] diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index 157b4da92..c43fff4f7 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp 
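Review bot: The `glance_api_internal` endpoint listens on the same `glance_api_vip` as the user-facing service, so on that VIP only the port number (`$ports[glance_api_internal_port]`, 9293 by default) separates the two, and nothing in this hunk limits which hosts on the internal network may connect. If the internal instance is the one that exposes image locations, as the OSSN-0090 reference in the commit message suggests, that restriction has to come from firewall rules defined elsewhere, which I cannot see from this diff. I would extend the comment above the endpoint with `# Access to this port must be restricted to the services that consume image locations; no haproxy ACL is applied here.` so the dependency is recorded next to the listener. `$glance_api_network` and `$internal_tls_member_options` are defined outside the hunk.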
@@ -51,6 +51,29 @@
 # This is set by t-h-t.
 # Defaults to lookup('glance_api_network', undef, undef, undef)
 #
+# [*bind_port*]
+# (optional) The port the server should bind to.
+# Default: 9292
+#
+# [*log_dir*]
+# (Optional) Directory where logs should be stored.
+# If set to $::os_service_default, it will not log to any directory.
+# Defaults to '/var/log/glance'.
+#
+# [*log_file*]
+# (Optional) File where logs should be stored.
+# If set to $::os_service_default, it will not log to any file.
+# Defaults to '/var/log/glance/api.log'.
+#
+# [*show_image_direct_url*]
+# (optional) Expose image location to trusted clients.
+# Defaults to false
+#
+# [*show_multiple_locations*]
+# (optional) Whether to include the backend image locations in image
+# properties.
+# Defaults to false
+#
 # [*multistore_config*]
 # (Optional) Hash of settings for configuring additional glance-api backends.
 # Defaults to {}
@@ -148,6 +171,11 @@ class tripleo::profile::base::glance::api (
 $glance_backend = downcase(lookup('glance_backend', undef, undef, 'swift')),
 $glance_backend_id = 'default_backend',
 $glance_network = lookup('glance_api_network', undef, undef, undef),
+ $bind_port = 9292,
+ $log_dir = '/var/log/glance',
+ $log_file = '/var/log/glance/api.log',
+ $show_image_direct_url = false,
+ $show_multiple_locations = false,
 $multistore_config = {},
 $step = Integer(lookup('step')),
 $oslomsg_rpc_proto = lookup('oslo_messaging_rpc_scheme', undef, undef, 'rabbit'),
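Review bot: The parameter docs added for `show_image_direct_url` and `show_multiple_locations` (first hunk on this line) say what the options expose but not which glance-api instance may enable them, and "trusted clients" is not something this class enforces: the value applies to every caller of the instance being configured. Since the commit message ties the change to OSSN-0090, each entry should carry the constraint, for example `#   Keep false for the user-facing service; enable only for the internal instance (see OSSN-0090).` The `false` defaults in the second hunk already match that guidance as I read it, so this is documentation only.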
@@ -219,11 +247,17 @@ class tripleo::profile::base::glance::api (
 include glance::config
 include glance::healthcheck
 include glance::api::db
- include glance::api::logging
+ class { 'glance::api::logging':
+ log_dir => $log_dir,
+ log_file => $log_file,
+ }
 class { 'glance::api':
- enabled_backends => $enabled_backends,
- default_backend => $glance_backend_id,
- sync_db => $sync_db,
+ bind_port => $bind_port,
+ enabled_backends => $enabled_backends,
+ default_backend => $glance_backend_id,
+ show_image_direct_url => $show_image_direct_url,
+ show_multiple_locations => $show_multiple_locations,
+ sync_db => $sync_db,
 }
 include glance::key_manager
 include glance::key_manager::barbican
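Review bot: Passing `bind_port`, `show_image_direct_url`, `show_multiple_locations`, `log_dir` and `log_file` as explicit class parameters makes them take precedence over automatic hiera lookup, so any existing `glance::api::show_image_direct_url` or `glance::api::logging::log_file` data is ignored after this change and the profile defaults apply instead. Falling back to `false` is the safe direction for the two location options, but it happens silently, and whether deployment data was moved to the `tripleo::profile::base::glance::api::*` keys is not visible here. I would record it above the declarations: `# Explicit parameters override glance::api::* hiera keys; set the tripleo::profile::base::glance::api::* equivalents instead.` Replacing `include glance::api::logging` with a resource-like declaration also fails with a duplicate declaration if another manifest has already included that class, which is worth confirming. The enclosing block starts outside the hunk.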