Enable Glance configuration for Cinder store type

Enable Glance support for the Cinder store backend by adding the required
authentication and endpoint configuration, allowing Glance to access
Cinder services through Keystone.

This change adds the python-cinderclient package along with its
dependency os-brick, which are required for proper interaction with
Cinder when used as a Glance image store.

It also introduces a new helper function in openstack-helm,
_get_service_public_endpoint, to generically resolve public service
endpoints, improving reuse and avoiding service-specific endpoint logic.

TEST PLAN:
PASS - build-pkgs -a -l openstack
PASS - build stx-openstack tarball
PASS - application upload, apply and remove
PASS - Ceph applied as the highest priority backend: bootstrapped;
       configured as default; other backends applied if available.
PASS - Cinder applied as the highest priority backend: bootstrapped;
       configured as default; other backends applied if available.
NOTE - Image creation using Cinder store could not be tested due to a
       known bug[1]: when stx-openstack is deployed with Glance configured
       to use Cinder, every image creation fails.

Story: 2011281
Task: 53511

[1] https://bugs.launchpad.net/starlingx/+bug/2137271

Change-Id: I556e5f2e9c63354a14145b17757ebdeee3e1bb01
Signed-off-by: Thiago Miranda <tmarques@windriver.com>

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019-2025 Wind River Systems, Inc.
+# Copyright (c) 2019-2026 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -139,6 +139,9 @@ ROOK_CEPH_POOL_CINDER_BACKUP_CHUNK_SIZE = 0
 ROOK_CEPH_POOL_GLANCE_CHUNK_SIZE = 0
 ROOK_CEPH_POOL_NOVA_RBD_CHUNK_SIZE = 0
 
+# Keystone version used as the default value when getting service name and type
+KEYSTONE_CURRENT_VERSION = 'v3'
+
 # Cinder version used as the default value when getting service name and type
 CINDER_CURRENT_VERSION = 'v3'
 
@@ -204,6 +207,7 @@ NETAPP_FC_BACKUP_DRIVER = "cinder.backup.drivers.posix.PosixBackupDriver"
 GLANCE_BACKEND_RBD = 'rbd'
 GLANCE_BACKEND_PVC = 'pvc'
 GLANCE_BACKEND_CINDER = 'cinder'
+GLANCE_CINDER_CATALOG_INFO = 'volumev3:cinderv3:publicURL'
 GLANCE_DEFAULT_BACKEND = GLANCE_BACKEND_CINDER
 GLANCE_IMAGE_STORE_RBD = 'rbd'
 GLANCE_IMAGE_STORE_FILE = 'file'

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019-2025 Wind River Systems, Inc.
+# Copyright (c) 2019-2026 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -115,12 +115,27 @@ class GlanceHelm(openstack.OpenstackBaseHelm):
         if ceph_backend:
             replicas_count = self._num_provisioned_controllers()
 
-        return {
+        overrides = {
             'replicas': {
                 'api': replicas_count,
-            }
+            },
         }
 
+        if self._image_store == app_constants.GLANCE_IMAGE_STORE_CINDER:
+            overrides['security_context'] = {
+                'glance': {
+                    'container': {
+                        'glance_api': {
+                            'readOnlyRootFilesystem': False,
+                            'privileged': True,
+                            'allowPrivilegeEscalation': True,
+                        },
+                    },
+                },
+            }
+
+        return overrides
+
     def _get_endpoints_overrides(self):
         return {
             'image': {
@@ -209,6 +224,23 @@ class GlanceHelm(openstack.OpenstackBaseHelm):
                     'show_multiple_locations': False,
                     'enabled_backends': f"{self._image_store}:{self._image_store}"
                 },
+                'cinder': {
+                    'cinder_api_insecure': not self._is_openstack_https_ready(self.SERVICE_NAME),
+                    'cinder_catalog_info': app_constants.GLANCE_CINDER_CATALOG_INFO,
+                    'cinder_store_auth_address': self._get_service_public_endpoint(
+                        app_constants.HELM_CHART_KEYSTONE,
+                        path="v3"
+                    ),
+                    'cinder_store_user_name': self._get_admin_user_name(),
+                    'cinder_store_password': self._get_identity_password(
+                        app_constants.HELM_CHART_KEYSTONE,
+                        self._get_admin_user_name()
+                    ),
+                    'cinder_store_project_name': self._get_admin_project_name(),
+                    'cinder_store_user_domain_name': self._get_admin_user_domain(),
+                    'cinder_store_project_domain_name': self._get_admin_project_domain(),
+                    'cinder_volume_type': '__DEFAULT__'
+                },
                 'file': {
                     'filesystem_store_datadir': constants.GLANCE_IMAGE_PATH,
                 },

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019-2025 Wind River Systems, Inc.
+# Copyright (c) 2019-2026 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -555,6 +555,29 @@ class OpenstackBaseHelm(FluxCDBaseHelm):
         return "{}.{}.svc.{}".format(service, common.HELM_NS_OPENSTACK,
                                      constants.DEFAULT_DNS_SERVICE_DOMAIN)
 
+    def _get_service_public_endpoint(self, service, path=None):
+        """
+        Return the public endpoint URL for an OpenStack service.
+
+        Args:
+            service (str): Helm chart name of the service.
+            path (str, optional): Optional path to append to the endpoint.
+
+        Returns:
+            str: The service public endpoint URL.
+
+        Example:
+            _get_service_public_endpoint(
+                app_constants.HELM_CHART_KEYSTONE,
+                path="v3"
+            )
+            # http://keystone.openstack.svc.cluster.local/v3
+        """
+        protocol = self._get_public_protocol()
+        host = self._get_service_default_dns_name(service)
+        url = f"{protocol}://{host}"
+        return f"{url}/{path.lstrip('/')}" if path else url
+
     def _get_mount_uefi_overrides(self):
 
         # This path depends on OVMF packages and for starlingx

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/tests/helm/test_glance.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2020-2025 Wind River Systems, Inc.
+# Copyright (c) 2020-2026 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -96,6 +96,7 @@ class GlanceGetOverrideTest(GlanceHelmTestCase,
                     'glance_store': {
                         'https_ca_certificates_file': glance.GlanceHelm.get_ca_file(),
                     },
+                    'cinder': mock.ANY,
                     'file': {
                         'filesystem_store_datadir': mock.ANY,
                     },

upstream/openstack/python-glance/debian/stx-glance.stable_docker_image

@@ -7,7 +7,9 @@ DIST_REPOS="OS"
 UPDATE_SYSTEM_ACCOUNT="yes"
 NON_UNIQUE_SYSTEM_ACCOUNT="yes"
 PIP_PACKAGES="\
+  os-brick \
   pycryptodomex \
+  python-cinderclient \
   python-swiftclient \
   psutil
 "