From 3605d45e417a77a1d0f153fbeffcbb283ec85fe6 Mon Sep 17 00:00:00 2001 
From: Alan Bishop Date: Thu, 24 Nov 2022 10:06:19 -0800 Subject: [PATCH] Deploy separate glance-api services for OSSN-0090 This patch adopts the recommendation outlined in OSSN-0090 [1], in which two instances of the glance-api service are deployed: - A "user facing" glance-api service, accessible via the Public keystone endpoint. - An "internal facing only" service, accessible via the Admin and Internal keystone endpoints. The user facing instance is configured so it does not report any image location information. This is achieved by configuring glance-api.conf with the show_image_direct_url and show_multiple_locations set to False. The internal service operates on a separate TCP port (defaults to 9293) with its own glance-api.conf that configures show_image_direct_url and show_multiple_locations set to True. In order for cinder and nova to have access to the image location data, both services are configured to access glance via the internal service. [1] https://wiki.openstack.org/wiki/OSSN/OSSN-0090 stable/zed: Backports include I456b4235242cae125f5ad4cd9cc7415f2699462c, which fixed a typo in the original patch. stable/wallaby: Minor conflicts were due to using the hiera() versus lookup() functions. The biggest conflict was due to Ibf2e0d183dd51421c4feb7467c3c01fb416d2965, in which the endpoint map is no longer generated from endpoint_data.yaml (as it is in wallaby). 
Closes-Bug: #1822540 Depends-On: https://review.opendev.org/c/openstack/puppet-tripleo/+/865884 Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/865883 Change-Id: Id093613f9d410eb3fe5564a724c0f75275eeb4e8 (cherry picked from commit d60969cb55344e9004721dee04ed1d685d95a39f) (cherry picked from commit 0ba612d07de84e95c0e11ef090bcd22f1da584e7) --- ci/custom_ci_roles_data.yaml | 1 + ci/environments/multinode-containers.yaml | 1 + ci/environments/scenario000-standalone.yaml | 1 + .../scenario001-multinode-containers.yaml | 1 + .../scenario007-multinode-containers.yaml | 1 + .../scenario010-multinode-containers.yaml | 1 + .../glance/glance-api-container-puppet.yaml | 33 ++-- .../glance-api-edge-container-puppet.yaml | 30 +-- .../glance-api-internal-container-puppet.yaml | 183 ++++++++++++++++++ .../haproxy-edge-container-puppet.yaml | 16 +- deployment/nova/nova-base-puppet.yaml | 1 + .../ssl/tls-everywhere-endpoints-dns.yaml | 4 +- network/endpoints/endpoint_data.yaml | 2 + network/endpoints/endpoint_map.yaml | 4 +- overcloud-resource-registry-puppet.j2.yaml | 2 + ...nce-internal-service-86274f56712ffaac.yaml | 26 +++ roles/Controller.yaml | 1 + roles/ControllerAllNovaStandalone.yaml | 1 + roles/ControllerNoCeph.yaml | 1 + roles/ControllerNovaStandalone.yaml | 1 + roles/ControllerOpenstack.yaml | 1 + roles/ControllerSriov.yaml | 1 + roles/ControllerStorageDashboard.yaml | 1 + roles/ControllerStorageNfs.yaml | 1 + roles/Standalone.yaml | 1 + roles_data.yaml | 1 + sample-env-generator/ssl.yaml | 4 +- 27 files changed, 278 insertions(+), 43 deletions(-) create mode 100644 deployment/glance/glance-api-internal-container-puppet.yaml create mode 100644 releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml diff --git a/ci/custom_ci_roles_data.yaml b/ci/custom_ci_roles_data.yaml index 58ccb0d5fd..a204973d7a 100644 --- a/ci/custom_ci_roles_data.yaml +++ b/ci/custom_ci_roles_data.yaml 
@@ -97,6 +97,7 @@
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/ci/environments/multinode-containers.yaml b/ci/environments/multinode-containers.yaml
index cfd44ad13e..d199d07f97 100644
--- a/ci/environments/multinode-containers.yaml
+++ b/ci/environments/multinode-containers.yaml
@@ -8,6 +8,7 @@ parameter_defaults:
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::Keystone
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::MySQL
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronApi
diff --git a/ci/environments/scenario000-standalone.yaml b/ci/environments/scenario000-standalone.yaml
index 9a09683b37..1b934aa4a4 100644
--- a/ci/environments/scenario000-standalone.yaml
+++ b/ci/environments/scenario000-standalone.yaml
@@ -51,6 +51,7 @@ resource_registry:
 OS::TripleO::Services::Etcd: OS::Heat::None
 OS::TripleO::Services::ExternalSwiftProxy: OS::Heat::None
 OS::TripleO::Services::GlanceApi: OS::Heat::None
+ OS::TripleO::Services::GlanceApiInternal: OS::Heat::None
 OS::TripleO::Services::GnocchiApi: OS::Heat::None
 OS::TripleO::Services::GnocchiMetricd: OS::Heat::None
 OS::TripleO::Services::GnocchiStatsd: OS::Heat::None
diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml
index 0a23c1ce7a..86fea64058 100644
--- a/ci/environments/scenario001-multinode-containers.yaml
+++ b/ci/environments/scenario001-multinode-containers.yaml
@@ -38,6 +38,7 @@ parameter_defaults:
 - OS::TripleO::Services::Keystone
 - OS::TripleO::Services::LoginDefs
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::HeatApi
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
diff --git a/ci/environments/scenario007-multinode-containers.yaml b/ci/environments/scenario007-multinode-containers.yaml
index 5bbd28b132..e4dbecda2b 100644
--- a/ci/environments/scenario007-multinode-containers.yaml
+++ b/ci/environments/scenario007-multinode-containers.yaml
@@ -33,6 +33,7 @@ parameter_defaults:
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::Keystone
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::HeatApi
 - OS::TripleO::Services::HeatApiCfn
 - OS::TripleO::Services::HeatEngine
diff --git a/ci/environments/scenario010-multinode-containers.yaml b/ci/environments/scenario010-multinode-containers.yaml
index d12303c5d9..8df70fae8e 100644
--- a/ci/environments/scenario010-multinode-containers.yaml
+++ b/ci/environments/scenario010-multinode-containers.yaml
@@ -33,6 +33,7 @@ parameter_defaults:
 - OS::TripleO::Services::Kernel
 - OS::TripleO::Services::Keystone
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::MySQL
 - OS::TripleO::Services::MySQLClient
 - OS::TripleO::Services::NeutronApi
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index 877d5e154a..d1b85f6f3a 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -134,12 +134,6 @@ parameters: type: boolean tags: - role_specific - GlanceShowMultipleLocations: - default: false - description: | - Whether to show multiple image locations e.g for copy-on-write support on - RBD or Netapp backends. Potential security risk, see glance.conf for more information. - type: boolean # We default import plugins list to 'no_op' (instead of empty list) to discern from the scenario # in which the user purposely disabled all plugins setting it to an empty list. This is useful # to automatically enable image_conversion plugin only when value is left to the default. @@ -380,6 +374,23 @@ parameters: Use the advanced (eventlet safe) memcached client pool. default: true + # DEPRECATED: the following options are deprecated and are currently maintained + # for backwards compatibility. They will be removed in future release. + GlanceShowMultipleLocations: + default: false + description: | + Whether to show multiple image locations e.g for copy-on-write support on + RBD or Netapp backends. Potential security risk, see glance.conf for more information. + type: boolean + +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. + parameters: + - GlanceShowMultipleLocations + conditions: cinder_backend_enabled: or: @@ -503,7 +514,6 @@ outputs: - read_default_file: /etc/my.cnf.d/tripleo.cnf read_default_group: tripleo - glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix] } glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false 
@@ -527,8 +537,6 @@ outputs: - {get_param: GlanceCacheEnabled} - 'keystone+cachemanagement' - 'keystone' - glance::api::show_image_direct_url: true - glance::api::show_multiple_locations: {if: [glance_multiple_locations, true, false]} glance::api::os_region_name: {get_param: KeystoneRegion} glance::api::image_member_quota: {get_param: GlanceImageMemberQuota} glance::api::enabled_import_methods: {get_param: GlanceEnabledImportMethods} @@ -561,8 +569,11 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} - tripleo::profile::base::glance::api::tls_proxy_port: - get_param: [EndpointMap, GlanceInternal, port] + # Use glance's native port (9292) for tls proxying. The value is + # hardcoded because the ports in the endpoint map are different (the + # public endpoint uses port 13292, and the internal and admin endpoints + # use port 9293). + tripleo::profile::base::glance::api::tls_proxy_port: 9292 # Bind to localhost if internal TLS is enabled, since we put a TLs # proxy in front. glance::api::bind_host: diff --git a/deployment/glance/glance-api-edge-container-puppet.yaml b/deployment/glance/glance-api-edge-container-puppet.yaml index a1aacb08cc..cad195d1bd 100644 --- a/deployment/glance/glance-api-edge-container-puppet.yaml +++ b/deployment/glance/glance-api-edge-container-puppet.yaml 
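Review bot: With `glance::api::show_image_direct_url: true` and the `show_multiple_locations` line removed from config_settings, nothing in this template states the user-facing instance's location-hiding any more; it now rests on whatever default the `tripleo::profile::base::glance::api` class (puppet-tripleo, Depends-On) or puppet-glance applies, and a later defaults change would silently reopen the OSSN-0090 exposure. Because the internal template reuses this role's config_settings, the pin belongs where the internal instance can override it — passing `show_image_direct_url => false, show_multiple_locations => false,` to the profile class in this template's step_config, mirroring the internal template's `=> true`; that step_config is outside the hunk, so I cannot confirm whether the class is already given these parameters. Separately, `GlanceShowMultipleLocations` is kept as a deprecated parameter while its only visible consumer, the `glance_multiple_locations` condition, is deleted, so an operator who had it set to true is now ignored without warning; the deprecation description should say so, e.g. `No longer honored: image locations are only exposed by the internal glance-api service.`.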
@@ -36,21 +36,17 @@ parameters: List of enabled Image Import Methods. Valid values in the list are 'glance-direct', 'web-download', or 'copy-image' type: comma_delimited_list - EnableGlanceApiProxy: - default: true - description: Configure haproxy to forward glance-api requests to glance-api - services running at the edge site. - type: boolean resources: - GlanceApiBase: - type: ./glance-api-container-puppet.yaml + GlanceApiInternal: + type: ./glance-api-internal-container-puppet.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: glance_api_edge_uri: 
@@ -60,39 +56,33 @@ outputs: - {get_param: EnableInternalTLS} - str_replace: template: - "https://%{hiera('fqdn_NETWORK')}:9292" + "https://%{hiera('fqdn_NETWORK')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} - str_replace: template: - "http://%{hiera('NETWORK_uri')}:9292" + "http://%{hiera('NETWORK_uri')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} role_data: description: Role data for the Glance API role for DCN/Edge. value: map_merge: - - get_attr: [GlanceApiBase, role_data] + - get_attr: [GlanceApiInternal, role_data] - service_name: glance_api_edge - firewall_edge_frontend_rules: - if: - - {get_param: EnableGlanceApiProxy} - - {get_attr: [GlanceApiBase, role_data, firewall_frontend_rules]} - firewall_edge_ssl_frontend_rules: - if: - - {get_param: EnableGlanceApiProxy} - - {get_attr: [GlanceApiBase, role_data, firewall_ssl_frontend_rules]} service_config_settings: map_merge: - - get_attr: [GlanceApiBase, role_data, service_config_settings] + - get_attr: [GlanceApiInternal, role_data, service_config_settings] - cinder_volume: cinder::glance::glance_api_servers: *glance_api_edge_uri nova_compute: nova::glance::endpoint_override: *glance_api_edge_uri config_settings: map_merge: - - get_attr: [GlanceApiBase, role_data, config_settings] + - get_attr: [GlanceApiInternal, role_data, config_settings] - if: - contains: ['glance-direct', {get_param: GlanceEnabledImportMethods}] - glance::api::worker_self_reference_url: *glance_api_edge_uri diff --git a/deployment/glance/glance-api-internal-container-puppet.yaml b/deployment/glance/glance-api-internal-container-puppet.yaml new file mode 100644 index 0000000000..15fab9d145 --- /dev/null +++ b/deployment/glance/glance-api-internal-container-puppet.yaml 
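Review bot: The edge role now inherits the internal template's `external_upgrade_tasks` unchanged, so `tripleo_delegate_to` resolves `groups['glance_api_internal']`, while this role registers as `service_name: glance_api_edge` and the release note says edge roles must not also carry GlanceApiInternal; on a DCN site that group is presumably empty, the `default([])` makes the stop-container step a no-op, and the `glance_api_internal` container keeps running through system_upgrade_transfer_data. The same gap may have existed with GlanceApiBase and `groups['glance_api']`, but the swap is the moment to override the task in this template with a delegate on the edge role's group, or at least to say so in a comment above the `map_merge`. I would also add a comment on `glance_api_edge_uri` that this URI now reaches the location-exposing instance (`show_multiple_locations` true), so only cinder-volume and nova-compute on GlanceApiEdgeNetwork should be able to reach it.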
@@ -0,0 +1,183 @@ +heat_template_version: wallaby + +description: > + OpenStack Glance internal service configured with Puppet + +parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. Use + parameter_merge_strategies to merge it with the defaults. + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + GlanceApiInternalLoggingSource: + type: json + default: + tag: openstack.glance.api + file: /var/log/containers/glance/api_internal.log + EnableInternalTLS: + type: boolean + default: false + GlanceNetappNfsEnabled: + default: false + description: > + When using GlanceBackend 'file', Netapp mount NFS share for image storage. 
+ type: boolean + ContainerGlanceApiImage: + description: image + type: string + tags: + - role_specific + ContainerGlanceApiInternalConfigImage: + description: The container image to use for the glance_api_internal config_volume + type: string + tags: + - role_specific +resources: + GlanceApi: + type: ./glance-api-container-puppet.yaml + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} + + MySQLClient: + type: ../database/mysql-client.yaml + + GlanceLogging: + type: OS::TripleO::Services::Logging::GlanceApi + + RoleParametersValue: + type: OS::Heat::Value + properties: + type: json + value: + map_replace: + - map_replace: + - ContainerGlanceApiImage: ContainerGlanceApiImage + ContainerGlanceApiInternalConfigImage: ContainerGlanceApiInternalConfigImage + - values: {get_param: [RoleParameters]} + - values: + ContainerGlanceApiImage: {get_param: ContainerGlanceApiImage} + ContainerGlanceApiInternalConfigImage: {get_param: ContainerGlanceApiInternalConfigImage} + +outputs: + role_data: + description: Role data for the internal Glance API. 
+ value: + map_merge: + - get_attr: [GlanceApi, role_data] + - service_name: glance_api_internal + firewall_rules: + '112 glance_api_internal': + dport: + - {get_param: [EndpointMap, GlanceInternal, port]} + firewall_frontend_rules: + '100 glance_api_internal_haproxy_frontend': + dport: + - {get_param: [EndpointMap, GlanceInternal, port]} + + # GlanceApi creates the keystone resources + keystone_resources: {} + + config_settings: {get_attr: [GlanceApi, role_data, config_settings]} + + service_config_settings: + map_merge: + - get_attr: [GlanceApi, role_data, service_config_settings] + - rsyslog: + tripleo_logging_sources_glance_api_internal: + - {get_param: GlanceApiInternalLoggingSource} + + puppet_config: + config_volume: glance_api_internal + puppet_tags: glance_api_config,glance_api_paste_ini,glance_swift_config,glance_cache_config,glance_image_import_config + step_config: + list_join: + - "\n" + - - + str_replace: + template: | + class { 'tripleo::profile::base::glance::api': + bind_port => PORT, + tls_proxy_port => PORT, + log_file => '/var/log/glance/api_internal.log', + show_image_direct_url => true, + show_multiple_locations => true, + } + params: + PORT: {get_param: [EndpointMap, GlanceInternal, port]} + - if: + - {get_param: GlanceNetappNfsEnabled} + - include tripleo::profile::base::glance::netapp + - {get_attr: [MySQLClient, role_data, step_config]} + config_image: {get_attr: [RoleParametersValue, value, ContainerGlanceApiInternalConfigImage]} + + kolla_config: + # The kolla_config are essentially the same as the GlanceApi service. + # The only difference is the json file names. 
+ /var/lib/kolla/config_files/glance_api_internal.json: + {get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api.json]} + /var/lib/kolla/config_files/glance_api_internal_tls_proxy.json: + {get_attr: [GlanceApi, role_data, kolla_config, /var/lib/kolla/config_files/glance_api_tls_proxy.json]} + + docker_config: + step_2: + get_attr: [GlanceLogging, docker_config, step_2] + step_4: + # The internal services share the same GlanceApi docker configs, + # except we swap in the internal service's config_volume. + glance_api_internal: + map_merge: + - get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api] + - volumes: + yaql: + expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal')) + data: + vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api, volumes]} + glance_api_internal_tls_proxy: + if: + - {get_param: EnableInternalTLS} + - map_merge: + - get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy] + - volumes: + yaql: + expression: $.data.vols.select($.replace('puppet-generated/glance_api', 'puppet-generated/glance_api_internal')) + data: + vols: {get_attr: [GlanceApi, role_data, docker_config, step_4, glance_api_tls_proxy, volumes]} + + external_upgrade_tasks: + - when: + - step|int == 1 + tags: + - never + - system_upgrade_transfer_data + - system_upgrade_stop_services + block: + - name: Stop glance api internal container + import_role: + name: tripleo_container_stop + vars: + tripleo_containers_to_stop: + - glance_api_internal + tripleo_delegate_to: "{{ groups['glance_api_internal'] | default([]) }}" diff --git a/deployment/haproxy/haproxy-edge-container-puppet.yaml b/deployment/haproxy/haproxy-edge-container-puppet.yaml index 62b33d1ab5..37e6c0cfb5 100644 --- a/deployment/haproxy/haproxy-edge-container-puppet.yaml +++ b/deployment/haproxy/haproxy-edge-container-puppet.yaml 
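Review bot: `'112 glance_api_internal'` opens the GlanceInternal port with no source restriction, and this is the instance that returns image locations (`show_image_direct_url => true`, `show_multiple_locations => true` in step_config), so the whole OSSN-0090 mitigation rests on the internal_api network being unreachable from tenant traffic and on the Public keystone endpoint never being pointed at port 9293 — none of which the template states. I would extend the description with `This instance exposes image location data (OSSN-0090). It must only be reachable on the internal/admin networks; the Public keystone endpoint must keep targeting the user-facing glance-api service.` and repeat the warning above the `firewall_rules` entry. If the firewall rule helper accepts a `source` key, constraining the rule to the service network would be a cheap second layer, but that cannot be verified from this diff.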
@@ -45,6 +45,7 @@ resources: EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: glance_api_edge_uri: @@ -54,14 +55,16 @@ outputs: - {get_param: EnableInternalTLS} - str_replace: template: - "https://%{hiera('fqdn_NETWORK')}:9292" + "https://%{hiera('fqdn_NETWORK')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} - str_replace: template: - "http://%{hiera('NETWORK_uri')}:9292" + "http://%{hiera('NETWORK_uri')}:PORT" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} + PORT: {get_param: [EndpointMap, GlanceInternal, port]} role_data: description: Role data for the HAproxy role for DCN/Edge. @@ -87,18 +90,19 @@ outputs: tripleo::haproxy::ec2_api: false tripleo::haproxy::ec2_api_metadata: false tripleo::haproxy::etcd: false + tripleo::haproxy::glance_api: false - if: - {get_param: EnableGlanceApiProxy} - - tripleo::haproxy::glance_api: true + - tripleo::haproxy::glance_api_internal: true glance_api_vip: str_replace: template: "%{hiera('NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, GlanceApiEdgeNetwork]} - glance_api_node_ips: "%{alias('glance_api_edge_node_ips')}" - glance_api_node_names: "%{alias('glance_api_edge_node_names')}" - - tripleo::haproxy::glance_api: false + glance_api_internal_node_ips: "%{alias('glance_api_edge_node_ips')}" + glance_api_internal_node_names: "%{alias('glance_api_edge_node_names')}" + - tripleo::haproxy::glance_api_internal: false - tripleo::haproxy::gnocchi: false tripleo::haproxy::heat_api: false tripleo::haproxy::heat_cfn: false diff --git a/deployment/nova/nova-base-puppet.yaml b/deployment/nova/nova-base-puppet.yaml index bfb2657104..126919c4b4 100644 --- a/deployment/nova/nova-base-puppet.yaml +++ b/deployment/nova/nova-base-puppet.yaml 
@@ -179,6 +179,7 @@ outputs: nova::network::neutron::password: {get_param: NeutronPassword} nova::network::neutron::auth_url: {get_param: [EndpointMap, KeystoneV3Internal, uri]} nova::network::neutron::valid_interfaces: 'internal' + nova::glance::valid_interfaces: 'internal' nova::rabbit_heartbeat_timeout_threshold: 60 nova::cinder_catalog_info: 'volumev3:cinderv3:internalURL' nova::host: "%{hiera('fqdn_canonical')}" diff --git a/environments/ssl/tls-everywhere-endpoints-dns.yaml b/environments/ssl/tls-everywhere-endpoints-dns.yaml index 46f03b175d..66736e7310 100644 --- a/environments/ssl/tls-everywhere-endpoints-dns.yaml +++ b/environments/ssl/tls-everywhere-endpoints-dns.yaml @@ -31,8 +31,8 @@ parameter_defaults: DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'} DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'} GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'} - GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} - GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} + GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'} + GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'} diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml index 4adf96b782..9353e7aca0 100644 --- a/network/endpoints/endpoint_data.yaml +++ b/network/endpoints/endpoint_data.yaml @@ -67,10 +67,12 @@ Cinder: Glance: Internal: net_param: GlanceApi + port: 9293 Public: net_param: Public Admin: net_param: GlanceApi + port: 9293 port: 9292 Mysql: diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml index d1419cf6ee..0726aad102 100644 --- a/network/endpoints/endpoint_map.yaml 
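Review bot: `nova::glance::valid_interfaces: 'internal'` is the line that steers nova at the location-exposing glance-api (the Internal/Admin endpoints move to 9293 in endpoint_data.yaml in the same change), yet it carries no explanation; a why-comment is warranted, e.g. `# OSSN-0090: nova needs image location data, which only the internal glance-api (internal/admin endpoints) exposes`. The commit message says cinder is likewise pointed at the internal service, but no cinder template appears in the diffstat; if cinder already selects the internal interface by default, a comment here would save the next reader the search. The enclosing `outputs` map continues outside the hunk.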
+++ b/network/endpoints/endpoint_map.yaml
@@ -97,11 +97,11 @@ parameters:
 host: IP_ADDRESS
 GlanceAdmin:
 protocol: http
- port: '9292'
+ port: '9293'
 host: IP_ADDRESS
 GlanceInternal:
 protocol: http
- port: '9292'
+ port: '9293'
 host: IP_ADDRESS
 GlancePublic:
 protocol: http
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 7862c2b884..7bfa288292 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -125,6 +125,7 @@ resource_registry:
 OS::TripleO::Services::BlockStorageCinderVolume: deployment/cinder/cinder-volume-container-puppet.yaml
 OS::TripleO::Services::Keystone: deployment/keystone/keystone-container-puppet.yaml
 OS::TripleO::Services::GlanceApi: deployment/glance/glance-api-container-puppet.yaml
+ OS::TripleO::Services::GlanceApiInternal: deployment/glance/glance-api-internal-container-puppet.yaml
 OS::TripleO::Services::HeatApi: deployment/heat/heat-api-container-puppet.yaml
 OS::TripleO::Services::HeatApiCfn: deployment/heat/heat-api-cfn-container-puppet.yaml
 OS::TripleO::Services::HeatApiCloudwatch: deployment/heat/heat-api-cloudwatch-disabled-puppet.yaml
@@ -380,6 +381,7 @@ parameter_defaults:
 CinderIscsiNetwork: {{ _service_nets.get('storage', 'ctlplane') }}
 GlanceApiNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
 GlanceApiEdgeNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
+ GlanceApiInternalNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
 IronicApiNetwork: ctlplane
 IronicNetwork: ctlplane
 IronicInspectorNetwork: ctlplane
diff --git a/releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml b/releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml
new file mode 100644
index 0000000000..d01f8d0abf
--- /dev/null
+++ b/releasenotes/notes/glance-internal-service-86274f56712ffaac.yaml
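Review bot: `GlanceApiInternalNetwork` is added to the ServiceNetMap defaults, but the GlanceInternal and GlanceAdmin endpoints are still derived from `net_param: GlanceApi` in endpoint_data.yaml, so an operator who overrides only GlanceApiInternalNetwork would move wherever the internal service is bound or firewalled without moving the keystone endpoint host (and any TLS certificate name) with it. A comment on the new line would prevent that drift: `# Keep aligned with GlanceApiNetwork: the GlanceInternal/GlanceAdmin endpoints are derived from it (endpoint_data.yaml)`. Which template consumes GlanceApiInternalNetwork is not visible in this diff, so treat the mismatch as something to verify rather than a confirmed defect.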
@@ -0,0 +1,26 @@ +--- +features: + - | + Two instances of the glance-api service are now deployed per the + recommendations outlined in `OSSN-0090 `_. + The user facing service does not provide access to image location data, + whereas a new internal glance-api service provides location data to + administrators and services that need it (e.g. cinder and nova), and is + accessible via the admin and internal keystone endpoints. +upgrade: + - | + A new OS::TripleO::Services::GlanceApiInternal service is introduced to + handle deploying the internal instance of the glance-api service. When + upgrading an overcloud deployed with a custom roles file, the new + GlanceApiInternal service must be added to every role that includes the + GlanceApi service. Roles that include the GlanceApiEdge service should not + include the new GlanceApiInternal service. + + Deployment of the new internal glance-api service is generally transparent, + and includes updating glance's endpoints in the keystone catalog. + In a Distributed Compute Node (DCN) deployment, the control plane and + all DCN sites need to be updated in order to fully deploy the new internal + glance-api service. +deprecations: + - | + The GlanceShowMultipleLocations parameter is deprecated. diff --git a/roles/Controller.yaml b/roles/Controller.yaml index 8ac4745814..fadf9f9f95 100644 --- a/roles/Controller.yaml +++ b/roles/Controller.yaml @@ -95,6 +95,7 @@ - OS::TripleO::Services::ExternalSwiftProxy - OS::TripleO::Services::Frr - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceApiInternal - OS::TripleO::Services::GnocchiApi - OS::TripleO::Services::GnocchiMetricd - OS::TripleO::Services::GnocchiStatsd diff --git a/roles/ControllerAllNovaStandalone.yaml b/roles/ControllerAllNovaStandalone.yaml index 54a2646b9e..5da9c61695 100644 --- a/roles/ControllerAllNovaStandalone.yaml +++ b/roles/ControllerAllNovaStandalone.yaml 
@@ -64,6 +64,7 @@
 - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles/ControllerNoCeph.yaml b/roles/ControllerNoCeph.yaml
index 5a8c7b241c..8bed861af1 100644
--- a/roles/ControllerNoCeph.yaml
+++ b/roles/ControllerNoCeph.yaml
@@ -82,6 +82,7 @@
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles/ControllerNovaStandalone.yaml b/roles/ControllerNovaStandalone.yaml
index 6e3b6ea42b..4c7012059a 100644
--- a/roles/ControllerNovaStandalone.yaml
+++ b/roles/ControllerNovaStandalone.yaml
@@ -82,6 +82,7 @@
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles/ControllerOpenstack.yaml b/roles/ControllerOpenstack.yaml
index 283c95b3a1..9c22453865 100644
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@@ -69,6 +69,7 @@
 - OS::TripleO::Services::IpaClient
 - OS::TripleO::Services::Ipsec
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles/ControllerSriov.yaml b/roles/ControllerSriov.yaml
index 8904f42f20..ba3eb457ac 100644
--- a/roles/ControllerSriov.yaml
+++ b/roles/ControllerSriov.yaml
@@ -92,6 +92,7 @@
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles/ControllerStorageDashboard.yaml b/roles/ControllerStorageDashboard.yaml
index 2ccad0b8d0..d75c25cb25 100644
--- a/roles/ControllerStorageDashboard.yaml
+++ b/roles/ControllerStorageDashboard.yaml
@@ -93,6 +93,7 @@
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles/ControllerStorageNfs.yaml b/roles/ControllerStorageNfs.yaml
index d1d03d4c18..4928aa308a 100644
--- a/roles/ControllerStorageNfs.yaml
+++ b/roles/ControllerStorageNfs.yaml
@@ -93,6 +93,7 @@
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles/Standalone.yaml b/roles/Standalone.yaml
index 074e6e4fb9..c24949ff40 100644
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
@@ -90,6 +90,7 @@
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/roles_data.yaml b/roles_data.yaml
index 684802662d..bd924cdc46 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -98,6 +98,7 @@
 - OS::TripleO::Services::ExternalSwiftProxy
 - OS::TripleO::Services::Frr
 - OS::TripleO::Services::GlanceApi
+ - OS::TripleO::Services::GlanceApiInternal
 - OS::TripleO::Services::GnocchiApi
 - OS::TripleO::Services::GnocchiMetricd
 - OS::TripleO::Services::GnocchiStatsd
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index 40d59742c5..313fabfd76 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -314,8 +314,8 @@ environments:
 DesignatePublic: {protocol: 'https', port: '13001', host: 'CLOUDNAME'}
 DockerRegistryInternal: {protocol: 'https', port: '8787', host: 'CLOUDNAME'}
 GaneshaInternal: {protocol: 'nfs', port: '2049', host: 'IP_ADDRESS'}
- GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
- GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'}
+ GlanceAdmin: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
+ GlanceInternal: {protocol: 'https', port: '9293', host: 'CLOUDNAME'}
 GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'}
 GnocchiAdmin: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}
 GnocchiInternal: {protocol: 'https', port: '8041', host: 'CLOUDNAME'}