From 0ba612d07de84e95c0e11ef090bcd22f1da584e7 Mon Sep 17 00:00:00 2001 
From: Alan Bishop Date: Thu, 24 Nov 2022 10:06:19 -0800 Subject: [PATCH] Deploy separate glance-api services for OSSN-0090 This patch adopts the recommendation outlined in OSSN-0090 [1], in which two instances of the glance-api service are deployed: - A "user facing" glance-api service, accessible via the Public keystone endpoint. - An "internal facing only" service, accessible via the Admin and Internal keystone endpoints. The user facing instance is configured so that it does not report any image location information. This is achieved by configuring glance-api.conf with show_image_direct_url and show_multiple_locations set to False. The internal service operates on a separate TCP port (defaults to 9293) with its own glance-api.conf that sets show_image_direct_url and show_multiple_locations to True. In order for cinder and nova to have access to the image location data, both services are configured to access glance via the internal service. [1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090 stable/zed: This backport includes I456b4235242cae125f5ad4cd9cc7415f2699462c, which fixed a typo in the original patch.
Closes-Bug: #1822540 Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/865874 Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/865873 Change-Id: Id093613f9d410eb3fe5564a724c0f75275eeb4e8 (cherry picked from commit d60969cb55344e9004721dee04ed1d685d95a39f) --- ci/custom_ci_roles_data.yaml | 1 + ci/environments/multinode-containers.yaml | 1 + ci/environments/scenario000-standalone.yaml | 1 + .../scenario001-multinode-containers.yaml | 1 + .../scenario007-multinode-containers.yaml | 1 + .../scenario010-multinode-containers.yaml | 1 + .../glance/glance-api-container-puppet.yaml | 33 ++-- .../glance-api-edge-container-puppet.yaml | 30 +-- .../glance-api-internal-container-puppet.yaml | 183 ++++++++++++++++++ .../haproxy-edge-container-puppet.yaml | 16 +- deployment/nova/nova-base-puppet.yaml | 1 + .../ssl/tls-everywhere-endpoints-dns.yaml | 4 +- overcloud-resource-registry-puppet.j2.yaml | 6 +- ...nce-internal-service-86274f56712ffaac.yaml | 26 +++ roles/Controller.yaml | 1 + roles/ControllerAllNovaStandalone.yaml | 1 + roles/ControllerNoCeph.yaml | 1 + roles/ControllerNovaStandalone.yaml | 1 + roles/ControllerOpenstack.yaml | 1 + roles/ControllerSriov.yaml | 1 + roles/ControllerStorageDashboard.yaml | 1 + roles/ControllerStorageNfs.yaml | 1 + roles/Standalone.yaml | 1 + roles_data.yaml | 1 + sample-env-generator/ssl.yaml | 4 +- 25 files changed, 276 insertions(+), 43 deletions(-) create mode 100644 deployment/glance/glance-api-internal-container-puppet.yaml create mode 100644 releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml diff --git a/ci/custom_ci_roles_data.yaml b/ci/custom_ci_roles_data.yaml index 7155bcf9d4..b1bc8a745e 100644 --- a/ci/custom_ci_roles_data.yaml +++ b/ci/custom_ci_roles_data.yaml 
@@ -91,6 +91,7 @@ - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::Frr - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/ci/environments/multinode-containers.yaml b/ci/environments/multinode-containers.yaml index 158e7bb193..5ce898501f 100644 --- a/ci/environments/multinode-containers.yaml +++ b/ci/environments/multinode-containers.yaml @@ -9,6 +9,7 @@ parameter_defaults: - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronApi diff --git a/ci/environments/scenario000-standalone.yaml b/ci/environments/scenario000-standalone.yaml index e3a3657b32..9fe40142aa 100644 --- a/ci/environments/scenario000-standalone.yaml +++ b/ci/environments/scenario000-standalone.yaml @@ -50,6 +50,7 @@ resource_registry: OS::TripleO::Services::Etcd: OS::Heat::None OS::TripleO::Services::ExternalSwiftProxy: OS::Heat::None OS::TripleO::Services::GlanceApi: OS::Heat::None + OS::TripleO::Services::GlanceApiInternal: OS::Heat::None OS::TripleO::Services::GnocchiApi: OS::Heat::None OS::TripleO::Services::GnocchiMetricd: OS::Heat::None OS::TripleO::Services::GnocchiStatsd: OS::Heat::None diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml index 30d1288206..fb7578e47f 100644 --- a/ci/environments/scenario001-multinode-containers.yaml +++ b/ci/environments/scenario001-multinode-containers.yaml 
@@ -36,6 +36,7 @@ parameter_defaults: - OS::TripleO::Services::Keystone - OS::TripleO::Services::LoginDefs - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::HeatApi - OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatEngine diff --git a/ci/environments/scenario007-multinode-containers.yaml b/ci/environments/scenario007-multinode-containers.yaml index b688156726..b65f5f7e49 100644 --- a/ci/environments/scenario007-multinode-containers.yaml +++ b/ci/environments/scenario007-multinode-containers.yaml @@ -33,6 +33,7 @@ parameter_defaults: - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::HeatApi - OS::TripleO::Services::HeatApiCfn - OS::TripleO::Services::HeatEngine diff --git a/ci/environments/scenario010-multinode-containers.yaml b/ci/environments/scenario010-multinode-containers.yaml index fd364c7da9..016877c08e 100644 --- a/ci/environments/scenario010-multinode-containers.yaml +++ b/ci/environments/scenario010-multinode-containers.yaml @@ -34,6 +34,7 @@ parameter_defaults: - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::MySQL - OS::TripleO::Services::MySQLClient - OS::TripleO::Services::NeutronApi diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml index a031f85ea4..8b460ad9ed 100644 --- a/deployment/glance/glance-api-container-puppet.yaml +++ b/deployment/glance/glance-api-container-puppet.yaml 
@@ -130,12 +130,6 @@ parameters: type: boolean tags: - role_specific - GlanceShowMultipleLocations: - default: false - description: | - Whether to show multiple image locations e.g for copy-on-write support on - RBD or Netapp backends. Potential security risk, see glance.conf for more information. - type: boolean # We default import plugins list to 'no_op' (instead of empty list) to discern from the scenario # in which the user purposely disabled all plugins setting it to an empty list. This is useful # to automatically enable image_conversion plugin only when value is left to the default. @@ -368,6 +362,23 @@ parameters: Use the advanced (eventlet safe) memcached client pool. default: true + # DEPRECATED: the following options are deprecated and are currently maintained + # for backwards compatibility. They will be removed in future release. + GlanceShowMultipleLocations: + default: false + description: | + Whether to show multiple image locations e.g for copy-on-write support on + RBD or Netapp backends. Potential security risk, see glance.conf for more information. + type: boolean + +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. + parameters: + - GlanceShowMultipleLocations + conditions: cinder_backend_enabled: or: @@ -494,7 +505,6 @@ outputs: - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo - glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false 
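Review bot: In the `@@ -368,6 +362,23` hunk the retained GlanceShowMultipleLocations parameter keeps its original description ("Whether to show multiple image locations ..."), yet the `@@ -518` hunk of the same file removes the `glance::api::show_multiple_locations` line that consumed it, so an operator who still sets it to true now gets no effect and no warning. The description should state that, e.g. `This parameter is deprecated and has no effect. Image locations are exposed only by the separate internal glance-api service (OS::TripleO::Services::GlanceApiInternal); see OSSN-0090.` If the `glance_multiple_locations` condition referenced by the removed line has no other consumer left in this template, it should be dropped too; its definition is outside this hunk.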
@@ -518,8 +528,6 @@ outputs: - {get_param: GlanceCacheEnabled} - 'keystone+cachemanagement' - 'keystone' - glance::api::show_image_direct_url: true - glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} glance::api::image_member_quota: {get_param: GlanceImageMemberQuota} glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods} glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri} @@ -552,8 +560,11 @@ outputs: "%{lookup('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} - tripleo::profile::base::glance::api::tls_proxy_port: - get_param: [EndpointMap, GlanceInternal, port] + # Use glance's native port (9292) for tls proxying. The value is + # hardcoded because the ports in the endpoint map are different (the + # public endpoint uses port 13292, and the internal and admin endpoints + # use port 9293). + tripleo::profile::base::glance::api::tls_proxy_port: 9292 # Bind to localhost if internal TLS is enabled, since we put a TLs # proxy in front. glance::api::bind_host: diff --git a/deployment/glance/glance-api-edge-container-puppet.yaml b/deployment/glance/glance-api-edge-container-puppet.yaml index eeaa34022b..0c2ad3dbb3 100644 --- a/deployment/glance/glance-api-edge-container-puppet.yaml +++ b/deployment/glance/glance-api-edge-container-puppet.yaml 
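Review bot: The `@@ -518,8 +528,6` hunk deletes `glance::api::show_image_direct_url: true` and the `show_multiple_locations` line outright instead of setting them to false, so the hardening of the user-facing instance that the commit message describes rests on puppet-glance's defaults rather than being stated in this template. Adding `glance::api::show_image_direct_url: false` and `glance::api::show_multiple_locations: false` would make the OSSN-0090 intent visible here and keep it from regressing if the upstream default ever changes. The internal template passes `show_image_direct_url => true` and `show_multiple_locations => true` as class parameters in its step_config, which presumably wins over these hiera keys if the profile forwards them as explicit parameters; confirm that against the puppet-tripleo change listed under Depends-On before adding them. In the `@@ -552` hunk, the comment on `tls_proxy_port: 9292` would be more accurate if it said the value is glance's native listen port and is deliberately independent of whatever ports an operator puts in EndpointMap.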
@@ -36,21 +36,17 @@ parameters: List of enabled Image Import Methods. Valid values in the list are 'glance-direct', 'web-download', or 'copy-image' type: comma_delimited_list - EnableGlanceApiProxy: - default: true - description: Configure haproxy to forward glance-api requests to glance-api - services running at the edge site. - type: boolean resources: - GlanceApiBase: - type: ./glance-api-container-puppet.yaml + GlanceApiInternal: + type: ./glance-api-internal-container-puppet.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: glance_api_edge_uri: 
@@ -60,39 +56,33 @@ outputs: - {get_param: EnableInternalTLS} - str_replace: template: - "https://%{lookup('fqdn_NETWORK')}:9292" + "https://%{lookup('fqdn_NETWORK')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} - str_replace: template: - "http://%{lookup('NETWORK_uri')}:9292" + "http://%{lookup('NETWORK_uri')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} role_data: description: Role data for the Glance API role for DCN/Edge. value: map_merge: - - get_attr: [GlanceApiBase, role_data] + - get_attr: [GlanceApiInternal, role_data] - service_name: glance_api_edge - firewall_edge_frontend_rules: - if: - - {get_param: EnableGlanceApiProxy} - - {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]} - firewall_edge_ssl_frontend_rules: - if: - - {get_param: EnableGlanceApiProxy} - - {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]} service_config_settings: map_merge: - - get_attr: [GlanceApiBase, role_data, service_config_settings] + - get_attr: [GlanceApiInternal, role_data, service_config_settings] - cinder_volume: cinder::glance::glance_api_servers: *glance_api_edge_uri nova_compute: nova::glance::endpoint_override: *glance_api_edge_uri config_settings: map_merge: - - get_attr: [GlanceApiBase, role_data, config_settings] + - get_attr: [GlanceApiInternal, role_data, config_settings] - if: - contains: ['glance-direct', {get_param: GlanceEnabledImportMethods}] - glance::api::worker_self_reference_url: *glance_api_edge_uri diff --git a/deployment/glance/glance-api-internal-container-puppet.yaml b/deployment/glance/glance-api-internal-container-puppet.yaml new file mode 100644 index 0000000000..15fab9d145 --- /dev/null +++ b/deployment/glance/glance-api-internal-container-puppet.yaml 
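Review bot: The role_data description still reads `Role data for the Glance API role for DCN/Edge.` although the edge template now wraps GlanceApiInternal, the variant whose step_config enables show_image_direct_url and show_multiple_locations, and the release note says edge roles must not also carry GlanceApiInternal. A comment above the `GlanceApiInternal:` resource in the `@@ -36` hunk would make the choice explicit, e.g. `# The edge glance-api only serves cinder-volume and nova-compute at this site (see service_config_settings below), which need image location data, so the internal variant from OSSN-0090 is deployed here; it must not be published on a public endpoint.` The `glance_api_edge_uri` derivation, including the new PORT parameter, is now duplicated verbatim in haproxy-edge-container-puppet.yaml; a cross-reference comment in both places would help keep them in step.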
@@ -0,0 +1,183 @@
+heat_template_version: wallaby
+
+description: >
+ OpenStack Glance internal service configured with Puppet
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. Use
+ parameter_merge_strategies to merge it with the defaults.
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ GlanceApiInternalLoggingSource:
+ type: json
+ default:
+ tag: openstack.glance.api
+ file: /var/log/containers/glance/api_internal.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ GlanceNetappNfsEnabled:
+ default: false
+ description: >
+ When using GlanceBackend 'file', Netapp mount NFS share for image storage.
+ type: boolean
+ ContainerGlanceApiImage:
+ description: image
+ type: string
+ tags:
+ - role_specific
+ ContainerGlanceApiInternalConfigImage:
+ description: The container image to use for the glance_api_internal config_volume
+ type: string
+ tags:
+ - role_specific
+resources:
+ GlanceApi:
+ type: ./glance-api-container-puppet.yaml
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ EndpointMap: {get_param: EndpointMap}
+ RoleName: {get_param: RoleName}
+ RoleParameters: {get_param: RoleParameters}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
+ MySQLClient:
+ type: ../database/mysql-client.yaml
+
+ GlanceLogging:
+ type: OS::TripleO::Services::Logging::GlanceApi
+
+ RoleParametersValue:
+ type: OS::Heat::Value
+ properties:
+ type: json
+ value:
+ map_replace:
+ - map_replace:
+ - ContainerGlanceApiImage: ContainerGlanceApiImage
+ ContainerGlanceApiInternalConfigImage: ContainerGlanceApiInternalConfigImage
+ - values: {get_param: [RoleParameters]}
+ - values:
+ ContainerGlanceApiImage: {get_param: ContainerGlanceApiImage}
+ ContainerGlanceApiInternalConfigImage: {get_param: ContainerGlanceApiInternalConfigImage}
+
+outputs:
+ role_data:
+ description: Role data for the internal Glance API.
+ value:
+ map_merge:
+ - get_attr: [GlanceApi, role_data]
+ - service_name: glance_api_internal
+ firewall_rules:
+ '112 glance_api_internal':
+ dport:
+ - {get_param: [EndpointMap, GlanceInternal, port]}
+ firewall_frontend_rules:
+ '100 glance_api_internal_haproxy_frontend':
+ dport:
+ - {get_param: [EndpointMap, GlanceInternal, port]}
+
+ # GlanceApi creates the keystone resources
+ keystone_resources: {}
+
+ config_settings: {get_attr: [GlanceApi, role_data, config_settings]}
+
+ service_config_settings:
+ map_merge:
+ - get_attr: [GlanceApi, role_data, service_config_settings]
+ - rsyslog:
+ tripleo_logging_sources_glance_api_internal:
+ - {get_param: GlanceApiInternalLoggingSource}
+
+ puppet_config:
+ config_volume: glance_api_internal
+ puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config,glance_image_import_config
+ step_config:
+ list_join:
+ - "\n"
+ - -
+ str_replace:
+ template: |
+ class { 'tripleo::profile::base::glance::api':
+ bind_port => PORT,
+ tls_proxy_port => PORT,
+ log_file => '/var/log/glance/api_internal.log',
+ show_image_direct_url => true,
+ show_multiple_locations => true,
+ }
+ params:
+ PORT: {get_param: [EndpointMap, GlanceInternal, port]}
+ - if:
+ - {get_param: GlanceNetappNfsEnabled}
+ - include tripleo::profile::base::glance::netapp
+ - {get_attr: [MySQLClient, role_data, step_config]}
+ config_image: {get_attr: [RoleParametersValue, value, ContainerGlanceApiInternalConfigImage]}
+
+ kolla_config:
+ # The kolla_config are essentially the same as the GlanceApi service.
+ # The only difference is the json file names.
+ /var/lib/kolla/config_files/glance_api_internal.json:
+ {get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api.json]}
+ /var/lib/kolla/config_files/glance_api_internal_tls_proxy.json:
+ {get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api_tls_proxy.json]}
+
+ docker_config:
+ step_2:
+ get_attr: [GlanceLogging, docker_config, step_2]
+ step_4:
+ # The internal services share the same GlanceApi docker configs,
+ # except we swap in the internal service's config_volume.
+ glance_api_internal:
+ map_merge:
+ - get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api]
+ - volumes:
+ yaql:
+ expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal'))
+ data:
+ vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api, volumes]}
+ glance_api_internal_tls_proxy:
+ if:
+ - {get_param: EnableInternalTLS}
+ - map_merge:
+ - get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy]
+ - volumes:
+ yaql:
+ expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal'))
+ data:
+ vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy, volumes]}
+
+ external_upgrade_tasks:
+ - when:
+ - step|int == 1
+ tags:
+ - never
+ - system_upgrade_transfer_data
+ - system_upgrade_stop_services
+ block:
+ - name: Stop glance api internal container
+ import_role:
+ name: tripleo_container_stop
+ vars:
+ tripleo_containers_to_stop:
+ - glance_api_internal
+ tripleo_delegate_to: "{{ groups['glance_api_internal'] | default([]) }}"
diff --git a/deployment/haproxy/haproxy-edge-container-puppet.yaml b/deployment/haproxy/haproxy-edge-container-puppet.yaml
index 1ef21705e8..061c3bef97 100644
--- a/deployment/haproxy/haproxy-edge-container-puppet.yaml
+++ b/deployment/haproxy/haproxy-edge-container-puppet.yaml
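Review bot: The template description `OpenStack Glance internal service configured with Puppet` does not say what distinguishes this instance, which is the point of the file: its step_config passes `show_image_direct_url => true` and `show_multiple_locations => true`, so this is the location-exposing glance-api from OSSN-0090 and has to stay reachable only through the admin and internal keystone endpoints. Suggest `description: > OpenStack Glance internal-facing API service configured with Puppet. Unlike GlanceApi, this instance exposes image location data (show_image_direct_url and show_multiple_locations are true) and is registered only on the admin and internal endpoints; see OSSN-0090.` Note also that `config_settings` is copied unchanged from GlanceApi, so `glance::api::bind_host` follows `GlanceApiNetwork`, while the resource registry in this same patch introduces a separate `GlanceApiInternalNetwork`; if an operator maps the two to different networks, the bind address and whatever is derived from GlanceApiInternalNetwork (presumably the haproxy backend list for glance_api_internal) would disagree. Either override bind_host here from `[ServiceNetMap, GlanceApiInternalNetwork]` or document next to the resource that the two ServiceNetMap entries must match.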
@@ -45,6 +45,7 @@ resources: EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: glance_api_edge_uri: @@ -54,14 +55,16 @@ outputs: - {get_param: EnableInternalTLS} - str_replace: template: - "https://%{lookup('fqdn_NETWORK')}:9292" + "https://%{lookup('fqdn_NETWORK')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} - str_replace: template: - "http://%{lookup('NETWORK_uri')}:9292" + "http://%{lookup('NETWORK_uri')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} role_data: description: Role data for the HAproxy role for DCN/Edge. @@ -85,18 +88,19 @@ outputs: tripleo::haproxy::designate: false tripleo::haproxy::docker_registry: false tripleo::haproxy::etcd: false + tripleo::haproxy::glance_api: false - if: - {get_param: EnableGlanceApiProxy} - - tripleo::haproxy::glance_api: true + - tripleo::haproxy::glance_api_internal: true glance_api_vip: str_replace: template: "%{lookup('NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} - glance_api_node_ips: "%{alias('glance_api_edge_node_ips')}" - glance_api_node_names: "%{alias('glance_api_edge_node_names')}" - - tripleo::haproxy::glance_api: false + glance_api_internal_node_ips: "%{alias('glance_api_edge_node_ips')}" + glance_api_internal_node_names: "%{alias('glance_api_edge_node_names')}" + - tripleo::haproxy::glance_api_internal: false - tripleo::haproxy::gnocchi: false tripleo::haproxy::heat_api: false tripleo::haproxy::heat_cfn: false diff --git a/deployment/nova/nova-base-puppet.yaml b/deployment/nova/nova-base-puppet.yaml index 188f1980ba..c3010d16a6 100644 --- a/deployment/nova/nova-base-puppet.yaml +++ b/deployment/nova/nova-base-puppet.yaml 
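Review bot: The `@@ -85,18 +88,19` hunk switches the edge proxy to the `tripleo::haproxy::glance_api_internal`, `glance_api_internal_node_ips` and `glance_api_internal_node_names` hiera keys, which only exist once the puppet-tripleo change listed under Depends-On is present; a comment above the `if:` such as `# The glance_api_internal listener requires the matching puppet-tripleo change (see Depends-On).` would spare the next reader a trip through the commit history. The unconditional `tripleo::haproxy::glance_api: false` added before the `if:` appears intended to keep the user-facing listener off edge sites, since the edge URI in this file now points at the GlanceInternal port; it deserves the same one-line explanation.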
@@ -235,6 +235,7 @@ outputs: nova::network::neutron::password: {get_param: NeutronPassword} nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]} nova::network::neutron::valid_interfaces: 'internal' + nova::glance::valid_interfaces: 'internal' nova::rabbit_heartbeat_timeout_threshold: 60 nova::cinder::catalog_info: 'volumev3:cinderv3:internalURL' # NOTE(tkajinam): Make sure the default (services) is overridden diff --git a/environments/ssl/tls-everywhere-endpoints-dns.yaml b/environments/ssl/tls-everywhere-endpoints-dns.yaml index 42e67d7d11..9ae1baa81d 100644 --- a/environments/ssl/tls-everywhere-endpoints-dns.yaml +++ b/environments/ssl/tls-everywhere-endpoints-dns.yaml @@ -31,8 +31,8 @@ parameter_defaults: DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} - GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} - GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} + GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'} + GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index be43c722e9..fe892c33e9 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml 
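Review bot: `nova::glance::valid_interfaces: 'internal'` in the `@@ -235` hunk is the line that makes nova reach the location-exposing instance, but nothing on the line says why, and the neighbouring `nova::network::neutron::valid_interfaces: 'internal'` exists for a different reason; a trailing comment `# OSSN-0090: nova needs image location data, which only the internal glance-api (GlanceApiInternal) exposes` would tie it to the commit. The commit message says cinder is pointed at the internal service as well, but apart from the pre-existing DCN `cinder::glance::glance_api_servers` override no cinder change appears in this patch; if that part lives in the puppet-tripleo dependency, a pointer in the release note would help operators verify it.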
@@ -117,6 +117,7 @@ resource_registry: OS::TripleO::Services::BlockStorageCinderVolume: deployment/cinder/cinder-volume-container-puppet.yaml OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml + OS::TripleO::Services::GlanceApiInternal: deployment/glance/glance-api-internal-container-puppet.yaml OS::TripleO::Services::HeatApi: deployment/heat/heat-api-container-puppet.yaml OS::TripleO::Services::HeatApiCfn: deployment/heat/heat-api-cfn-container-puppet.yaml OS::TripleO::Services::HeatEngine: deployment/heat/heat-engine-container-puppet.yaml @@ -358,6 +359,7 @@ parameter_defaults: CinderIscsiNetwork: {{ _service_nets.get('storage', 'ctlplane') }} GlanceApiNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }} GlanceApiEdgeNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }} + GlanceApiInternalNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }} IronicApiNetwork: ctlplane IronicNetwork: ctlplane IronicInspectorNetwork: ctlplane @@ -449,8 +451,8 @@ parameter_defaults: DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS} DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS} GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS} - GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS} - GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS} + GlanceAdmin: {protocol: http, port: '9293', host: IP_ADDRESS} + GlanceInternal: {protocol: http, port: '9293', host: IP_ADDRESS} GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS} GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS} GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS} diff --git a/releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml b/releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml new file mode 100644 index 0000000000..d01f8d0abf --- /dev/null 
+++ b/releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml @@ -0,0 +1,26 @@ +--- +features: + - | + Two instances of the glance-api service are now deployed per the + recommendations outlined in `OSSN-0090 `_. + The user facing service does not provide access to image location data, + whereas a new internal glance-api service provides location data to + administrators and services that need it (e.g. cinder and nova), and is + accessible via the admin and internal keystone endpoints. +upgrade: + - | + A new OS::TripleO::Services::GlanceApiInternal service is introduced to + handle deploying the internal instance of the glance-api service. When + upgrading an overcloud deployed with a custom roles file, the new + GlanceApiInternal service must be added to every role that includes the + GlanceApi service. Roles that include the GlanceApiEdge service should not + include the new GlanceApiInternal service. + + Deployment of the new internal glance-api service is generally transparent, + and includes updating glance's endpoints in the keystone catalog. + In a Distributed Compute Node (DCN) deployment, the control plane and + all DCN sites need to be updated in order to fully deploy the new internal + glance-api service. +deprecations: + - | + The GlanceShowMultipleLocations parameter is deprecated. diff --git a/roles/Controller.yaml b/roles/Controller.yaml index af2f4cc926..7856e02dc4 100644 --- a/roles/Controller.yaml +++ b/roles/Controller.yaml @@ -90,6 +90,7 @@ - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::Frr - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerAllNovaStandalone.yaml b/roles/ControllerAllNovaStandalone.yaml index ca1ab12b94..9ab991c56a 100644 --- a/roles/ControllerAllNovaStandalone.yaml +++ b/roles/ControllerAllNovaStandalone.yaml 
@@ -63,6 +63,7 @@ - OS::TripleO::Services::IpaClient - OS::TripleO::Services::Ipsec - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerNoCeph.yaml b/roles/ControllerNoCeph.yaml index b02c4ff3df..625fcf86fb 100644 --- a/roles/ControllerNoCeph.yaml +++ b/roles/ControllerNoCeph.yaml @@ -78,6 +78,7 @@ - OS::TripleO::Services::Frr - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerNovaStandalone.yaml b/roles/ControllerNovaStandalone.yaml index 6651249fc7..38bf58491e 100644 --- a/roles/ControllerNovaStandalone.yaml +++ b/roles/ControllerNovaStandalone.yaml @@ -80,6 +80,7 @@ - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::Frr - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml index 6568932a67..792f62137d 100644 --- a/roles/ControllerOpenstack.yaml +++ b/roles/ControllerOpenstack.yaml @@ -69,6 +69,7 @@ - OS::TripleO::Services::IpaClient - OS::TripleO::Services::Ipsec - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerSriov.yaml b/roles/ControllerSriov.yaml index d6f413d779..111e13735f 100644 --- a/roles/ControllerSriov.yaml +++ b/roles/ControllerSriov.yaml 
@@ -87,6 +87,7 @@ - OS::TripleO::Services::Frr - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerStorageDashboard.yaml b/roles/ControllerStorageDashboard.yaml index b0c59acae0..4aaee923c7 100644 --- a/roles/ControllerStorageDashboard.yaml +++ b/roles/ControllerStorageDashboard.yaml @@ -89,6 +89,7 @@ - OS::TripleO::Services::Frr - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerStorageNfs.yaml b/roles/ControllerStorageNfs.yaml index 6ccf63fd90..1befa69473 100644 --- a/roles/ControllerStorageNfs.yaml +++ b/roles/ControllerStorageNfs.yaml @@ -89,6 +89,7 @@ - OS::TripleO::Services::Frr - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/Standalone.yaml b/roles/Standalone.yaml index 450eeec7a3..123dddf6bb 100644 --- a/roles/Standalone.yaml +++ b/roles/Standalone.yaml @@ -88,6 +88,7 @@ - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::Frr - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles_data.yaml b/roles_data.yaml index ed47fd4fba..e172a74eae 100644 --- a/roles_data.yaml +++ b/roles_data.yaml 
@@ -93,6 +93,7 @@ - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::Frr - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml index 578ebecd66..c07ba1c693 100644 --- a/sample-env-generator/ssl.yaml +++ b/sample-env-generator/ssl.yaml @@ -232,8 +232,8 @@ environments: DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} - GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} - GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} + GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'} + GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}