Deploy separate glance-api services for OSSN-0090
This patch adopts the recommendation outlined in OSSN-0090 [1], in
which two instances of the glance-api service are deployed:
- A "user facing" glance-api service, accessible via the Public
keystone endpoint.
- An "internal facing only" service, accessible via the Admin and
Internal keystone endpoints.
The user facing instance is configured so that it does not report any image
location information. This is achieved by configuring its glance-api.conf
with show_image_direct_url and show_multiple_locations set to False.
The internal service operates on a separate TCP port (defaults to 9293)
with its own glance-api.conf, in which show_image_direct_url and
show_multiple_locations are set to True.
In order for cinder and nova to have access to the image location data,
both services are configured to access glance via the internal service.
[1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090
stable/zed:
Backports include I456b4235242cae125f5ad4cd9cc7415f2699462c, which
fixed a typo in the original patch.
Closes-Bug: #1822540
Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/865874
Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/865873
Change-Id: Id093613f9d410eb3fe5564a724c0f75275eeb4e8
(cherry picked from commit d60969cb55
)
parent
a044fb80b4
commit
0ba612d07d
@ -91,6 +91,7 @@
|
|||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -9,6 +9,7 @@ parameter_defaults:
|
|||||||
- OS::TripleO::Services::Kernel
|
- OS::TripleO::Services::Kernel
|
||||||
- OS::TripleO::Services::Keystone
|
- OS::TripleO::Services::Keystone
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::MySQL
|
- OS::TripleO::Services::MySQL
|
||||||
- OS::TripleO::Services::MySQLClient
|
- OS::TripleO::Services::MySQLClient
|
||||||
- OS::TripleO::Services::NeutronApi
|
- OS::TripleO::Services::NeutronApi
|
||||||
|
@ -50,6 +50,7 @@ resource_registry:
|
|||||||
OS::TripleO::Services::Etcd: OS::Heat::None
|
OS::TripleO::Services::Etcd: OS::Heat::None
|
||||||
OS::TripleO::Services::ExternalSwiftProxy: OS::Heat::None
|
OS::TripleO::Services::ExternalSwiftProxy: OS::Heat::None
|
||||||
OS::TripleO::Services::GlanceApi: OS::Heat::None
|
OS::TripleO::Services::GlanceApi: OS::Heat::None
|
||||||
|
OS::TripleO::Services::GlanceApiInternal: OS::Heat::None
|
||||||
OS::TripleO::Services::GnocchiApi: OS::Heat::None
|
OS::TripleO::Services::GnocchiApi: OS::Heat::None
|
||||||
OS::TripleO::Services::GnocchiMetricd: OS::Heat::None
|
OS::TripleO::Services::GnocchiMetricd: OS::Heat::None
|
||||||
OS::TripleO::Services::GnocchiStatsd: OS::Heat::None
|
OS::TripleO::Services::GnocchiStatsd: OS::Heat::None
|
||||||
|
@ -36,6 +36,7 @@ parameter_defaults:
|
|||||||
- OS::TripleO::Services::Keystone
|
- OS::TripleO::Services::Keystone
|
||||||
- OS::TripleO::Services::LoginDefs
|
- OS::TripleO::Services::LoginDefs
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::HeatApi
|
- OS::TripleO::Services::HeatApi
|
||||||
- OS::TripleO::Services::HeatApiCfn
|
- OS::TripleO::Services::HeatApiCfn
|
||||||
- OS::TripleO::Services::HeatEngine
|
- OS::TripleO::Services::HeatEngine
|
||||||
|
@ -33,6 +33,7 @@ parameter_defaults:
|
|||||||
- OS::TripleO::Services::Kernel
|
- OS::TripleO::Services::Kernel
|
||||||
- OS::TripleO::Services::Keystone
|
- OS::TripleO::Services::Keystone
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::HeatApi
|
- OS::TripleO::Services::HeatApi
|
||||||
- OS::TripleO::Services::HeatApiCfn
|
- OS::TripleO::Services::HeatApiCfn
|
||||||
- OS::TripleO::Services::HeatEngine
|
- OS::TripleO::Services::HeatEngine
|
||||||
|
@ -34,6 +34,7 @@ parameter_defaults:
|
|||||||
- OS::TripleO::Services::Kernel
|
- OS::TripleO::Services::Kernel
|
||||||
- OS::TripleO::Services::Keystone
|
- OS::TripleO::Services::Keystone
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::MySQL
|
- OS::TripleO::Services::MySQL
|
||||||
- OS::TripleO::Services::MySQLClient
|
- OS::TripleO::Services::MySQLClient
|
||||||
- OS::TripleO::Services::NeutronApi
|
- OS::TripleO::Services::NeutronApi
|
||||||
|
@ -130,12 +130,6 @@ parameters:
|
|||||||
type: boolean
|
type: boolean
|
||||||
tags:
|
tags:
|
||||||
- role_specific
|
- role_specific
|
||||||
GlanceShowMultipleLocations:
|
|
||||||
default: false
|
|
||||||
description: |
|
|
||||||
Whether to show multiple image locations e.g for copy-on-write support on
|
|
||||||
RBD or Netapp backends. Potential security risk, see glance.conf for more information.
|
|
||||||
type: boolean
|
|
||||||
# We default import plugins list to 'no_op' (instead of empty list) to discern from the scenario
|
# We default import plugins list to 'no_op' (instead of empty list) to discern from the scenario
|
||||||
# in which the user purposely disabled all plugins setting it to an empty list. This is useful
|
# in which the user purposely disabled all plugins setting it to an empty list. This is useful
|
||||||
# to automatically enable image_conversion plugin only when value is left to the default.
|
# to automatically enable image_conversion plugin only when value is left to the default.
|
||||||
@ -368,6 +362,23 @@ parameters:
|
|||||||
Use the advanced (eventlet safe) memcached client pool.
|
Use the advanced (eventlet safe) memcached client pool.
|
||||||
default: true
|
default: true
|
||||||
|
|
||||||
|
# DEPRECATED: the following options are deprecated and are currently maintained
|
||||||
|
# for backwards compatibility. They will be removed in future release.
|
||||||
|
GlanceShowMultipleLocations:
|
||||||
|
default: false
|
||||||
|
description: |
|
||||||
|
Whether to show multiple image locations e.g for copy-on-write support on
|
||||||
|
RBD or Netapp backends. Potential security risk, see glance.conf for more information.
|
||||||
|
type: boolean
|
||||||
|
|
||||||
|
parameter_groups:
|
||||||
|
- label: deprecated
|
||||||
|
description: |
|
||||||
|
The following parameters are deprecated and will be removed. They should not
|
||||||
|
be relied on for new deployments.
|
||||||
|
parameters:
|
||||||
|
- GlanceShowMultipleLocations
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
cinder_backend_enabled:
|
cinder_backend_enabled:
|
||||||
or:
|
or:
|
||||||
@ -494,7 +505,6 @@ outputs:
|
|||||||
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
- read_default_file: /etc/my.cnf.d/tripleo.cnf
|
||||||
read_default_group: tripleo
|
read_default_group: tripleo
|
||||||
|
|
||||||
glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]}
|
|
||||||
glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] }
|
||||||
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
|
||||||
glance::api::enable_v1_api: false
|
glance::api::enable_v1_api: false
|
||||||
@ -518,8 +528,6 @@ outputs:
|
|||||||
- {get_param: GlanceCacheEnabled}
|
- {get_param: GlanceCacheEnabled}
|
||||||
- 'keystone+cachemanagement'
|
- 'keystone+cachemanagement'
|
||||||
- 'keystone'
|
- 'keystone'
|
||||||
glance::api::show_image_direct_url: true
|
|
||||||
glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]}
|
|
||||||
glance::api::image_member_quota: {get_param: GlanceImageMemberQuota}
|
glance::api::image_member_quota: {get_param: GlanceImageMemberQuota}
|
||||||
glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods}
|
glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods}
|
||||||
glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri}
|
glance::api::node_staging_uri: {get_param: GlanceNodeStagingUri}
|
||||||
@ -552,8 +560,11 @@ outputs:
|
|||||||
"%{lookup('fqdn_$NETWORK')}"
|
"%{lookup('fqdn_$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]}
|
||||||
tripleo::profile::base::glance::api::tls_proxy_port:
|
# Use glance's native port (9292) for tls proxying. The value is
|
||||||
get_param: [EndpointMap, GlanceInternal, port]
|
# hardcoded because the ports in the endpoint map are different (the
|
||||||
|
# public endpoint uses port 13292, and the internal and admin endpoints
|
||||||
|
# use port 9293).
|
||||||
|
tripleo::profile::base::glance::api::tls_proxy_port: 9292
|
||||||
# Bind to localhost if internal TLS is enabled, since we put a TLs
|
# Bind to localhost if internal TLS is enabled, since we put a TLs
|
||||||
# proxy in front.
|
# proxy in front.
|
||||||
glance::api::bind_host:
|
glance::api::bind_host:
|
||||||
|
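Review bot: With `glance::api::show_image_direct_url: true` and the `glance_multiple_locations` lookup removed from `config_settings` (the `@ -518,8 +528,6` hunk), nothing in this template states what the user-facing service ends up with; the OSSN-0090 property appears to rest on the defaults of `tripleo::profile::base::glance::api` in the puppet-tripleo change listed under Depends-On, which is not visible here. I would record that next to the remaining `glance::api::*` keys, e.g. `# show_image_direct_url and show_multiple_locations are deliberately not set here: the public service must keep them false (OSSN-0090); only glance_api_internal enables them.` The relocated `GlanceShowMultipleLocations` description should also say that the parameter no longer controls what the public API reports, since the setting it fed is gone from the visible hunks. A post-deploy check that image responses from the public endpoint carry no `direct_url` or `locations` fields would catch a regression in the dependent module.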
@ -36,21 +36,17 @@ parameters:
|
|||||||
List of enabled Image Import Methods. Valid values in the list are
|
List of enabled Image Import Methods. Valid values in the list are
|
||||||
'glance-direct', 'web-download', or 'copy-image'
|
'glance-direct', 'web-download', or 'copy-image'
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
EnableGlanceApiProxy:
|
|
||||||
default: true
|
|
||||||
description: Configure haproxy to forward glance-api requests to glance-api
|
|
||||||
services running at the edge site.
|
|
||||||
type: boolean
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
GlanceApiBase:
|
GlanceApiInternal:
|
||||||
type: ./glance-api-container-puppet.yaml
|
type: ./glance-api-internal-container-puppet.yaml
|
||||||
properties:
|
properties:
|
||||||
ServiceData: {get_param: ServiceData}
|
ServiceData: {get_param: ServiceData}
|
||||||
ServiceNetMap: {get_param: ServiceNetMap}
|
ServiceNetMap: {get_param: ServiceNetMap}
|
||||||
EndpointMap: {get_param: EndpointMap}
|
EndpointMap: {get_param: EndpointMap}
|
||||||
RoleName: {get_param: RoleName}
|
RoleName: {get_param: RoleName}
|
||||||
RoleParameters: {get_param: RoleParameters}
|
RoleParameters: {get_param: RoleParameters}
|
||||||
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
glance_api_edge_uri:
|
glance_api_edge_uri:
|
||||||
@ -60,39 +56,33 @@ outputs:
|
|||||||
- {get_param: EnableInternalTLS}
|
- {get_param: EnableInternalTLS}
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template:
|
template:
|
||||||
"https://%{lookup('fqdn_NETWORK')}:9292"
|
"https://%{lookup('fqdn_NETWORK')}:PORT"
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
||||||
|
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template:
|
template:
|
||||||
"http://%{lookup('NETWORK_uri')}:9292"
|
"http://%{lookup('NETWORK_uri')}:PORT"
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
||||||
|
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
|
||||||
|
|
||||||
role_data:
|
role_data:
|
||||||
description: Role data for the Glance API role for DCN/Edge.
|
description: Role data for the Glance API role for DCN/Edge.
|
||||||
value:
|
value:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [GlanceApiBase, role_data]
|
- get_attr: [GlanceApiInternal, role_data]
|
||||||
- service_name: glance_api_edge
|
- service_name: glance_api_edge
|
||||||
firewall_edge_frontend_rules:
|
|
||||||
if:
|
|
||||||
- {get_param: EnableGlanceApiProxy}
|
|
||||||
- {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]}
|
|
||||||
firewall_edge_ssl_frontend_rules:
|
|
||||||
if:
|
|
||||||
- {get_param: EnableGlanceApiProxy}
|
|
||||||
- {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]}
|
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [GlanceApiBase, role_data, service_config_settings]
|
- get_attr: [GlanceApiInternal, role_data, service_config_settings]
|
||||||
- cinder_volume:
|
- cinder_volume:
|
||||||
cinder::glance::glance_api_servers: *glance_api_edge_uri
|
cinder::glance::glance_api_servers: *glance_api_edge_uri
|
||||||
nova_compute:
|
nova_compute:
|
||||||
nova::glance::endpoint_override: *glance_api_edge_uri
|
nova::glance::endpoint_override: *glance_api_edge_uri
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [GlanceApiBase, role_data, config_settings]
|
- get_attr: [GlanceApiInternal, role_data, config_settings]
|
||||||
- if:
|
- if:
|
||||||
- contains: ['glance-direct', {get_param: GlanceEnabledImportMethods}]
|
- contains: ['glance-direct', {get_param: GlanceEnabledImportMethods}]
|
||||||
- glance::api::worker_self_reference_url: *glance_api_edge_uri
|
- glance::api::worker_self_reference_url: *glance_api_edge_uri
|
||||||
|
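--- a/deployment/glance/glance-api-internal-container-puppet.yaml
+++ b/deployment/glance/glance-api-internal-container-puppet.yaml
@@ -0,0 +1,183 @@
+heat_template_version: wallaby
+
+description: >
+OpenStack Glance internal service configured with Puppet
+
+parameters:
+ServiceData:
+default: {}
+description: Dictionary packing service data
+type: json
+ServiceNetMap:
+default: {}
+description: Mapping of service_name -> network name. Typically set
+via parameter_defaults in the resource registry. Use
+parameter_merge_strategies to merge it with the defaults.
+type: json
+RoleName:
+default: ''
+description: Role name on which the service is applied
+type: string
+RoleParameters:
+default: {}
+description: Parameters specific to the role
+type: json
+EndpointMap:
+default: {}
+description: Mapping of service endpoint -> protocol. Typically set
+via parameter_defaults in the resource registry.
+type: json
+GlanceApiInternalLoggingSource:
+type: json
+default:
+tag: openstack.glance.api
+file: /var/log/containers/glance/api_internal.log
+EnableInternalTLS:
+type: boolean
+default: false
+GlanceNetappNfsEnabled:
+default: false
+description: >
+When using GlanceBackend 'file', Netapp mount NFS share for image storage.
+type: boolean
+ContainerGlanceApiImage:
+description: image
+type: string
+tags:
+- role_specific
+ContainerGlanceApiInternalConfigImage:
+description: The container image to use for the glance_api_internal config_volume
+type: string
+tags:
+- role_specific
+resources:
+GlanceApi:
+type: ./glance-api-container-puppet.yaml
+properties:
+ServiceData: {get_param: ServiceData}
+ServiceNetMap: {get_param: ServiceNetMap}
+EndpointMap: {get_param: EndpointMap}
+RoleName: {get_param: RoleName}
+RoleParameters: {get_param: RoleParameters}
+EnableInternalTLS: {get_param: EnableInternalTLS}
+
+MySQLClient:
+type: ../database/mysql-client.yaml
+
+GlanceLogging:
+type: OS::TripleO::Services::Logging::GlanceApi
+
+RoleParametersValue:
+type: OS::Heat::Value
+properties:
+type: json
+value:
+map_replace:
+- map_replace:
+- ContainerGlanceApiImage: ContainerGlanceApiImage
+ContainerGlanceApiInternalConfigImage: ContainerGlanceApiInternalConfigImage
+- values: {get_param: [RoleParameters]}
+- values:
+ContainerGlanceApiImage: {get_param: ContainerGlanceApiImage}
+ContainerGlanceApiInternalConfigImage: {get_param: ContainerGlanceApiInternalConfigImage}
+
+outputs:
+role_data:
+description: Role data for the internal Glance API.
+value:
+map_merge:
+- get_attr: [GlanceApi, role_data]
+- service_name: glance_api_internal
+firewall_rules:
+'112 glance_api_internal':
+dport:
+- {get_param: [EndpointMap, GlanceInternal, port]}
+firewall_frontend_rules:
+'100 glance_api_internal_haproxy_frontend':
+dport:
+- {get_param: [EndpointMap, GlanceInternal, port]}
+
+# GlanceApi creates the keystone resources
+keystone_resources: {}
+
+config_settings: {get_attr: [GlanceApi, role_data, config_settings]}
+
+service_config_settings:
+map_merge:
+- get_attr: [GlanceApi, role_data, service_config_settings]
+- rsyslog:
+tripleo_logging_sources_glance_api_internal:
+- {get_param: GlanceApiInternalLoggingSource}
+
+puppet_config:
+config_volume: glance_api_internal
+puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config,glance_image_import_config
+step_config:
+list_join:
+- "\n"
+- -
+str_replace:
+template: |
+class { 'tripleo::profile::base::glance::api':
+bind_port => PORT,
+tls_proxy_port => PORT,
+log_file => '/var/log/glance/api_internal.log',
+show_image_direct_url => true,
+show_multiple_locations => true,
+}
+params:
+PORT: {get_param: [EndpointMap, GlanceInternal, port]}
+- if:
+- {get_param: GlanceNetappNfsEnabled}
+- include tripleo::profile::base::glance::netapp
+- {get_attr: [MySQLClient, role_data, step_config]}
+config_image: {get_attr: [RoleParametersValue, value, ContainerGlanceApiInternalConfigImage]}
+
+kolla_config:
+# The kolla_config are essentially the same as the GlanceApi service.
+# The only difference is the json file names.
+/var/lib/kolla/config_files/glance_api_internal.json:
+{get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api.json]}
+/var/lib/kolla/config_files/glance_api_internal_tls_proxy.json:
+{get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api_tls_proxy.json]}
+
+docker_config:
+step_2:
+get_attr: [GlanceLogging, docker_config, step_2]
+step_4:
+# The internal services share the same GlanceApi docker configs,
+# except we swap in the internal service's config_volume.
+glance_api_internal:
+map_merge:
+- get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api]
+- volumes:
+yaql:
+expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal'))
+data:
+vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api, volumes]}
+glance_api_internal_tls_proxy:
+if:
+- {get_param: EnableInternalTLS}
+- map_merge:
+- get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy]
+- volumes:
+yaql:
+expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal'))
+data:
+vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy, volumes]}
+
+external_upgrade_tasks:
+- when:
+- step|int == 1
+tags:
+- never
+- system_upgrade_transfer_data
+- system_upgrade_stop_services
+block:
+- name: Stop glance api internal container
+import_role:
+name: tripleo_container_stop
+vars:
+tripleo_containers_to_stop:
+- glance_api_internal
+tripleo_delegate_to: "{{ groups['glance_api_internal'] | default([]) }}"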
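Review bot: The `'112 glance_api_internal'` firewall rule opens the GlanceInternal port with no source restriction visible in this file, while the `step_config` class hard-sets `show_image_direct_url => true` and `show_multiple_locations => true`, so network reachability of that port is what keeps image location data away from authenticated end users. In the non-TLS endpoint defaults later in this commit the public service stays on 9292 and the internal/admin one moves to 9293 on `IP_ADDRESS`, and `GlanceApiInternalNetwork` falls back to `ctlplane` when there is no `internal_api` network, so on a deployment without network isolation the two services may be separated by port alone. I would state that assumption above `firewall_rules`, e.g. `# Exposes image locations (OSSN-0090): this port must only be reachable from the internal API network, never from tenant or external networks.`, and repeat it in the upgrade release note. Separately, `GlanceApiInternalLoggingSource` reuses the tag `openstack.glance.api`; if the public service logs under the same tag (not visible here), a distinct tag for the internal instance would let log consumers tell location-bearing requests apart.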
@ -45,6 +45,7 @@ resources:
|
|||||||
EndpointMap: {get_param: EndpointMap}
|
EndpointMap: {get_param: EndpointMap}
|
||||||
RoleName: {get_param: RoleName}
|
RoleName: {get_param: RoleName}
|
||||||
RoleParameters: {get_param: RoleParameters}
|
RoleParameters: {get_param: RoleParameters}
|
||||||
|
EnableInternalTLS: {get_param: EnableInternalTLS}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
glance_api_edge_uri:
|
glance_api_edge_uri:
|
||||||
@ -54,14 +55,16 @@ outputs:
|
|||||||
- {get_param: EnableInternalTLS}
|
- {get_param: EnableInternalTLS}
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template:
|
template:
|
||||||
"https://%{lookup('fqdn_NETWORK')}:9292"
|
"https://%{lookup('fqdn_NETWORK')}:PORT"
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
||||||
|
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template:
|
template:
|
||||||
"http://%{lookup('NETWORK_uri')}:9292"
|
"http://%{lookup('NETWORK_uri')}:PORT"
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
||||||
|
PORT: {get_param: [EndpointMap, GlanceInternal, port]}
|
||||||
|
|
||||||
role_data:
|
role_data:
|
||||||
description: Role data for the HAproxy role for DCN/Edge.
|
description: Role data for the HAproxy role for DCN/Edge.
|
||||||
@ -85,18 +88,19 @@ outputs:
|
|||||||
tripleo::haproxy::designate: false
|
tripleo::haproxy::designate: false
|
||||||
tripleo::haproxy::docker_registry: false
|
tripleo::haproxy::docker_registry: false
|
||||||
tripleo::haproxy::etcd: false
|
tripleo::haproxy::etcd: false
|
||||||
|
tripleo::haproxy::glance_api: false
|
||||||
- if:
|
- if:
|
||||||
- {get_param: EnableGlanceApiProxy}
|
- {get_param: EnableGlanceApiProxy}
|
||||||
- tripleo::haproxy::glance_api: true
|
- tripleo::haproxy::glance_api_internal: true
|
||||||
glance_api_vip:
|
glance_api_vip:
|
||||||
str_replace:
|
str_replace:
|
||||||
template:
|
template:
|
||||||
"%{lookup('NETWORK')}"
|
"%{lookup('NETWORK')}"
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]}
|
||||||
glance_api_node_ips: "%{alias('glance_api_edge_node_ips')}"
|
glance_api_internal_node_ips: "%{alias('glance_api_edge_node_ips')}"
|
||||||
glance_api_node_names: "%{alias('glance_api_edge_node_names')}"
|
glance_api_internal_node_names: "%{alias('glance_api_edge_node_names')}"
|
||||||
- tripleo::haproxy::glance_api: false
|
- tripleo::haproxy::glance_api_internal: false
|
||||||
- tripleo::haproxy::gnocchi: false
|
- tripleo::haproxy::gnocchi: false
|
||||||
tripleo::haproxy::heat_api: false
|
tripleo::haproxy::heat_api: false
|
||||||
tripleo::haproxy::heat_cfn: false
|
tripleo::haproxy::heat_cfn: false
|
||||||
|
@ -235,6 +235,7 @@ outputs:
|
|||||||
nova::network::neutron::password: {get_param: NeutronPassword}
|
nova::network::neutron::password: {get_param: NeutronPassword}
|
||||||
nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
|
||||||
nova::network::neutron::valid_interfaces: 'internal'
|
nova::network::neutron::valid_interfaces: 'internal'
|
||||||
|
nova::glance::valid_interfaces: 'internal'
|
||||||
nova::rabbit_heartbeat_timeout_threshold: 60
|
nova::rabbit_heartbeat_timeout_threshold: 60
|
||||||
nova::cinder::catalog_info: 'volumev3:cinderv3:internalURL'
|
nova::cinder::catalog_info: 'volumev3:cinderv3:internalURL'
|
||||||
# NOTE(tkajinam): Make sure the default (services) is overridden
|
# NOTE(tkajinam): Make sure the default (services) is overridden
|
||||||
|
@ -31,8 +31,8 @@ parameter_defaults:
|
|||||||
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
||||||
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
||||||
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
||||||
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
|
||||||
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
|
||||||
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
||||||
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
||||||
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
||||||
|
@ -117,6 +117,7 @@ resource_registry:
|
|||||||
OS::TripleO::Services::BlockStorageCinderVolume: deployment/cinder/cinder-volume-container-puppet.yaml
|
OS::TripleO::Services::BlockStorageCinderVolume: deployment/cinder/cinder-volume-container-puppet.yaml
|
||||||
OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml
|
OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml
|
||||||
OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml
|
OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml
|
||||||
|
OS::TripleO::Services::GlanceApiInternal: deployment/glance/glance-api-internal-container-puppet.yaml
|
||||||
OS::TripleO::Services::HeatApi: deployment/heat/heat-api-container-puppet.yaml
|
OS::TripleO::Services::HeatApi: deployment/heat/heat-api-container-puppet.yaml
|
||||||
OS::TripleO::Services::HeatApiCfn: deployment/heat/heat-api-cfn-container-puppet.yaml
|
OS::TripleO::Services::HeatApiCfn: deployment/heat/heat-api-cfn-container-puppet.yaml
|
||||||
OS::TripleO::Services::HeatEngine: deployment/heat/heat-engine-container-puppet.yaml
|
OS::TripleO::Services::HeatEngine: deployment/heat/heat-engine-container-puppet.yaml
|
||||||
@ -358,6 +359,7 @@ parameter_defaults:
|
|||||||
CinderIscsiNetwork: {{ _service_nets.get('storage', 'ctlplane') }}
|
CinderIscsiNetwork: {{ _service_nets.get('storage', 'ctlplane') }}
|
||||||
GlanceApiNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
|
GlanceApiNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
|
||||||
GlanceApiEdgeNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
|
GlanceApiEdgeNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
|
||||||
|
GlanceApiInternalNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
|
||||||
IronicApiNetwork: ctlplane
|
IronicApiNetwork: ctlplane
|
||||||
IronicNetwork: ctlplane
|
IronicNetwork: ctlplane
|
||||||
IronicInspectorNetwork: ctlplane
|
IronicInspectorNetwork: ctlplane
|
||||||
@ -449,8 +451,8 @@ parameter_defaults:
|
|||||||
DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS}
|
DesignatePublic: {protocol: 'http', port: '9001', host: IP_ADDRESS}
|
||||||
DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
|
DockerRegistryInternal: {protocol: http, port: '8787', host: IP_ADDRESS}
|
||||||
GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
|
GaneshaInternal: {protocol: nfs, port: '2049', host: IP_ADDRESS}
|
||||||
GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS}
|
GlanceAdmin: {protocol: http, port: '9293', host: IP_ADDRESS}
|
||||||
GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS}
|
GlanceInternal: {protocol: http, port: '9293', host: IP_ADDRESS}
|
||||||
GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS}
|
GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS}
|
||||||
GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
|
GnocchiAdmin: {protocol: http, port: '8041', host: IP_ADDRESS}
|
||||||
GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
|
GnocchiInternal: {protocol: http, port: '8041', host: IP_ADDRESS}
|
||||||
|
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Two instances of the glance-api service are now deployed per the
|
||||||
|
recommendations outlined in `OSSN-0090 <https://wiki.openstack.org/wiki/OSSN/OSSN-0090>`_.
|
||||||
|
The user facing service does not provide access to image location data,
|
||||||
|
whereas a new internal glance-api service provides location data to
|
||||||
|
administrators and services that need it (e.g. cinder and nova), and is
|
||||||
|
accessible via the admin and internal keystone endpoints.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
A new OS::TripleO::Services::GlanceApiInternal service is introduced to
|
||||||
|
handle deploying the internal instance of the glance-api service. When
|
||||||
|
upgrading an overcloud deployed with a custom roles file, the new
|
||||||
|
GlanceApiInternal service must be added to every role that includes the
|
||||||
|
GlanceApi service. Roles that include the GlanceApiEdge service should not
|
||||||
|
include the new GlanceApiInternal service.
|
||||||
|
|
||||||
|
Deployment of the new internal glance-api service is generally transparent,
|
||||||
|
and includes updating glance's endpoints in the keystone catalog.
|
||||||
|
In a Distributed Compute Node (DCN) deployment, the control plane and
|
||||||
|
all DCN sites need to be updated in order to fully deploy the new internal
|
||||||
|
glance-api service.
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The GlanceShowMultipleLocations parameter is deprecated.
|
@ -90,6 +90,7 @@
|
|||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -63,6 +63,7 @@
|
|||||||
- OS::TripleO::Services::IpaClient
|
- OS::TripleO::Services::IpaClient
|
||||||
- OS::TripleO::Services::Ipsec
|
- OS::TripleO::Services::Ipsec
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -78,6 +78,7 @@
|
|||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -80,6 +80,7 @@
|
|||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -69,6 +69,7 @@
|
|||||||
- OS::TripleO::Services::IpaClient
|
- OS::TripleO::Services::IpaClient
|
||||||
- OS::TripleO::Services::Ipsec
|
- OS::TripleO::Services::Ipsec
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -87,6 +87,7 @@
|
|||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -89,6 +89,7 @@
|
|||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -89,6 +89,7 @@
|
|||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -88,6 +88,7 @@
|
|||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -93,6 +93,7 @@
|
|||||||
- OS::TripleO::Services::ExternalSwiftProxy
|
- OS::TripleO::Services::ExternalSwiftProxy
|
||||||
- OS::TripleO::Services::Frr
|
- OS::TripleO::Services::Frr
|
||||||
- OS::TripleO::Services::GlanceApi
|
- OS::TripleO::Services::GlanceApi
|
||||||
|
- OS::TripleO::Services::GlanceApiInternal
|
||||||
- OS::TripleO::Services::GnocchiApi
|
- OS::TripleO::Services::GnocchiApi
|
||||||
- OS::TripleO::Services::GnocchiMetricd
|
- OS::TripleO::Services::GnocchiMetricd
|
||||||
- OS::TripleO::Services::GnocchiStatsd
|
- OS::TripleO::Services::GnocchiStatsd
|
||||||
|
@ -232,8 +232,8 @@ environments:
|
|||||||
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
|
||||||
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
|
||||||
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
|
||||||
GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
|
||||||
GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
|
GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
|
||||||
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
|
||||||
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
||||||
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
|
GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
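Review bot: The `GlanceAdmin` and `GlanceInternal` entries now hard-code port 9293, while the commit description says the internal glance-api port only defaults to 9293. If that port is overridden elsewhere in the deployment, this static map would presumably keep advertising 9293 in the keystone catalog. A comment above the two lines would make the coupling explicit, e.g. `# 9293: internal glance-api (OSSN-0090), serves image location data; keep in sync with the internal service port`. Because this listener returns image locations, it is also worth confirming that 9293 is bound and firewalled to the internal API network only, which this hunk does not show.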
|
||||||
|