From 63e5ff3718de5fdb80b7dd74f9cf823923876b93 Mon Sep 17 00:00:00 2001 From: Thiago Miranda Date: Fri, 28 Nov 2025 12:18:49 -0300 Subject: [PATCH] Enable Glance configuration for Cinder store type Enable Glance support for the Cinder store backend by adding the required authentication and endpoint configuration, allowing Glance to access Cinder services through Keystone. This change adds the python-cinderclient package along with its dependency os-brick, which are required for proper interaction with Cinder when used as a Glance image store. It also introduces a new helper function in openstack-helm, _get_service_public_endpoint, to generically resolve public service endpoints, improving reuse and avoiding service-specific endpoint logic. TEST PLAN: PASS - build-pkgs -a -l openstack PASS - build stx-openstack tarball PASS - application upload, apply and remove PASS - Ceph applied as the highest priority backend: bootstrapped; configured as default; other backends applied if available. PASS - Cinder applied as the highest priority backend: bootstrapped; configured as default; other backends applied if available. NOTE - Image creation using Cinder store could not be tested due to a known bug[1]: when stx-openstack is deployed with Glance configured to use Cinder, every image creation fails. Story: 2011281 Task: 53511 [1] https://bugs.launchpad.net/starlingx/+bug/2137271 Change-Id: I556e5f2e9c63354a14145b17757ebdeee3e1bb01 Signed-off-by: Thiago Miranda --- .../k8sapp_openstack/common/constants.py | 6 ++- .../k8sapp_openstack/helm/glance.py | 38 +++++++++++++++++-- .../k8sapp_openstack/helm/openstack.py | 25 +++++++++++- .../tests/helm/test_glance.py | 3 +- .../debian/stx-glance.stable_docker_image | 2 + 5 files changed, 68 insertions(+), 6 deletions(-) diff --git a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py index 1bce571f..bfd0b141 100644 --- a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py +++ b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py @@ -1,5 +1,5 @@ # -# Copyright (c) 2019-2025 Wind River Systems, Inc. +# Copyright (c) 2019-2026 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -139,6 +139,9 @@ ROOK_CEPH_POOL_CINDER_BACKUP_CHUNK_SIZE = 0 ROOK_CEPH_POOL_GLANCE_CHUNK_SIZE = 0 ROOK_CEPH_POOL_NOVA_RBD_CHUNK_SIZE = 0 +# Keystone version used as the default value when getting service name and type +KEYSTONE_CURRENT_VERSION = 'v3' + # Cinder version used as the default value when getting service name and type CINDER_CURRENT_VERSION = 'v3' @@ -204,6 +207,7 @@ NETAPP_FC_BACKUP_DRIVER = "cinder.backup.drivers.posix.PosixBackupDriver" GLANCE_BACKEND_RBD = 'rbd' GLANCE_BACKEND_PVC = 'pvc' GLANCE_BACKEND_CINDER = 'cinder' +GLANCE_CINDER_CATALOG_INFO = 'volumev3:cinderv3:publicURL' GLANCE_DEFAULT_BACKEND = GLANCE_BACKEND_CINDER GLANCE_IMAGE_STORE_RBD = 'rbd' GLANCE_IMAGE_STORE_FILE = 'file' diff --git a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py index 38a43df0..afc75ba3 100644 --- a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py +++ b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/glance.py @@ -1,5 +1,5 @@ # -# Copyright (c) 2019-2025 Wind River Systems, Inc. +# Copyright (c) 2019-2026 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -115,12 +115,27 @@ class GlanceHelm(openstack.OpenstackBaseHelm): if ceph_backend: replicas_count = self._num_provisioned_controllers() - return { + overrides = { 'replicas': { 'api': replicas_count, - } + }, } + if self._image_store == app_constants.GLANCE_IMAGE_STORE_CINDER: + overrides['security_context'] = { + 'glance': { + 'container': { + 'glance_api': { + 'readOnlyRootFilesystem': False, + 'privileged': True, + 'allowPrivilegeEscalation': True, + }, + }, + }, + } + + return overrides + def _get_endpoints_overrides(self): return { 'image': { @@ -209,6 +224,23 @@ class GlanceHelm(openstack.OpenstackBaseHelm): 'show_multiple_locations': False, 'enabled_backends': f"{self._image_store}:{self._image_store}" }, + 'cinder': { + 'cinder_api_insecure': not self._is_openstack_https_ready(self.SERVICE_NAME), + 'cinder_catalog_info': app_constants.GLANCE_CINDER_CATALOG_INFO, + 'cinder_store_auth_address': self._get_service_public_endpoint( + app_constants.HELM_CHART_KEYSTONE, + path="v3" + ), + 'cinder_store_user_name': self._get_admin_user_name(), + 'cinder_store_password': self._get_identity_password( + app_constants.HELM_CHART_KEYSTONE, + self._get_admin_user_name() + ), + 'cinder_store_project_name': self._get_admin_project_name(), + 'cinder_store_user_domain_name': self._get_admin_user_domain(), + 'cinder_store_project_domain_name': self._get_admin_project_domain(), + 'cinder_volume_type': '__DEFAULT__' + }, 'file': { 'filesystem_store_datadir': constants.GLANCE_IMAGE_PATH, }, diff --git a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py index 56d7e8e0..f0b6575e 100644 --- a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py +++ b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/openstack.py @@ -1,5 +1,5 @@ # -# Copyright (c) 2019-2025 Wind River Systems, Inc. +# Copyright (c) 2019-2026 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -555,6 +555,29 @@ class OpenstackBaseHelm(FluxCDBaseHelm): return "{}.{}.svc.{}".format(service, common.HELM_NS_OPENSTACK, constants.DEFAULT_DNS_SERVICE_DOMAIN) + def _get_service_public_endpoint(self, service, path=None): + """ + Return the public endpoint URL for an OpenStack service. + + Args: + service (str): Helm chart name of the service. + path (str, optional): Optional path to append to the endpoint. + + Returns: + str: The service public endpoint URL. + + Example: + _get_service_public_endpoint( + app_constants.HELM_CHART_KEYSTONE, + path="v3" + ) + # http://keystone.openstack.svc.cluster.local/v3 + """ + protocol = self._get_public_protocol() + host = self._get_service_default_dns_name(service) + url = f"{protocol}://{host}" + return f"{url}/{path.lstrip('/')}" if path else url + def _get_mount_uefi_overrides(self): # This path depends on OVMF packages and for starlingx diff --git a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/tests/helm/test_glance.py b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/tests/helm/test_glance.py index 5153aeed..df545973 100644 --- a/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/tests/helm/test_glance.py +++ b/python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/tests/helm/test_glance.py @@ -1,5 +1,5 @@ # -# Copyright (c) 2020-2025 Wind River Systems, Inc. +# Copyright (c) 2020-2026 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -96,6 +96,7 @@ class GlanceGetOverrideTest(GlanceHelmTestCase, 'glance_store': { 'https_ca_certificates_file': glance.GlanceHelm.get_ca_file(), }, + 'cinder': mock.ANY, 'file': { 'filesystem_store_datadir': mock.ANY, }, diff --git a/upstream/openstack/python-glance/debian/stx-glance.stable_docker_image b/upstream/openstack/python-glance/debian/stx-glance.stable_docker_image index 79629c69..d3cf48a6 100644 --- a/upstream/openstack/python-glance/debian/stx-glance.stable_docker_image +++ b/upstream/openstack/python-glance/debian/stx-glance.stable_docker_image @@ -7,7 +7,9 @@ DIST_REPOS="OS" UPDATE_SYSTEM_ACCOUNT="yes" NON_UNIQUE_SYSTEM_ACCOUNT="yes" PIP_PACKAGES="\ + os-brick \ pycryptodomex \ + python-cinderclient \ python-swiftclient \ psutil "