Merge pull request att-comdev#127 from portdirect/glance/command

Fix glance containers entrypoints
mattmceuen · Jan 20, 2017 · 206215c · 206215c
2 parents fc81612 + 09efab7
commit 206215c
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 3 deletions.
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
@@ -13,5 +13,7 @@ data:
 {{ tuple "etc/_glance-api-paste.ini.tpl" . | include "template" | indent 4 }}
   glance-registry.conf: |+
 {{ tuple "etc/_glance-registry.conf.tpl" . | include "template" | indent 4 }}
+  glance-registry-paste.ini: |+
+{{ tuple "etc/_glance-registry-paste.ini.tpl" . | include "template" | indent 4 }}
   policy.json: |+
 {{ tuple "etc/_policy.json.tpl" . | include "template" | indent 4 }}
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
@@ -34,34 +34,41 @@ spec:
           image: {{ .Values.images.api }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
           command:
-          - glance-api --config-dir /etc/glance
+          - glance-api
+          - --config-file
+          - /etc/glance/glance-api.conf
           ports:
             - containerPort: {{ .Values.network.port.api }}
           readinessProbe:
             tcpSocket:
               port: {{ .Values.network.port.api }}
           volumeMounts:
+            - name: etcglance
+              mountPath: /etc/glance
             - name: glanceapiconf
               mountPath: /etc/glance/glance-api.conf
               subPath: glance-api.conf
+              readOnly: true
             - name: glanceapipaste
               mountPath: /etc/glance/glance-api-paste.ini
               subPath: glance-api-paste.ini
-            - name: etcglance
-              mountPath: /etc/glance
+              readOnly: true
             - name: glancepolicy
               mountPath: /etc/glance/policy.json
               subPath: policy.json
+              readOnly: true
 {{- if .Values.development.enabled }}
             - name: glance-data
               mountPath: /var/lib/glance/images
 {{- else }}
             - name: cephconf
               mountPath: /etc/ceph/ceph.conf
               subPath: ceph.conf
+              readOnly: true
             - name: cephclientglancekeyring
               mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.glance_user }}.keyring
               subPath: ceph.client.{{ .Values.ceph.glance_user }}.keyring
+              readOnly: true
 {{- end }}
       volumes:
         - name: glanceapiconf

diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
@@ -27,16 +27,37 @@ spec:
           imagePullPolicy: {{ .Values.images.pull_policy }}
           command:
           - glance-registry
+          - --config-file
+          - /etc/glance/glance-registry.conf
           ports:
             - containerPort: {{ .Values.network.port.registry }}
           readinessProbe:
             tcpSocket:
               port: {{ .Values.network.port.registry }}
           volumeMounts:
+            - name: etcglance
+              mountPath: /etc/glance
             - name: glanceregistryconf
               mountPath: /etc/glance/glance-registry.conf
               subPath: glance-registry.conf
+              readOnly: true
+            - name: glanceregistrypaste
+              mountPath: /etc/glance/glance-registry-paste.ini
+              subPath: glance-registry-paste.ini
+              readOnly: true
+            - name: glancepolicy
+              mountPath: /etc/glance/policy.json
+              subPath: policy.json
+              readOnly: true
       volumes:
+        - name: etcglance
+          emptyDir: {}
         - name: glanceregistryconf
           configMap:
             name: glance-etc
+        - name: glanceregistrypaste
+          configMap:
+            name: glance-etc
+        - name: glancepolicy
+          configMap:
+            name: glance-etc
diff --git a/glance/templates/etc/_glance-registry-paste.ini.tpl b/glance/templates/etc/_glance-registry-paste.ini.tpl
@@ -0,0 +1,35 @@
+# Use this pipeline for no auth - DEFAULT
+[pipeline:glance-registry]
+pipeline = healthcheck osprofiler unauthenticated-context registryapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-registry-keystone]
+pipeline = healthcheck osprofiler authtoken context registryapp
+
+# Use this pipeline for authZ only. This means that the registry will treat a
+# user as authenticated without making requests to keystone to reauthenticate
+# the user.
+[pipeline:glance-registry-trusted-auth]
+pipeline = healthcheck osprofiler context registryapp
+
+[app:registryapp]
+paste.app_factory = glance.registry.api:API.factory
+
+[filter:healthcheck]
+paste.filter_factory = oslo_middleware:Healthcheck.factory
+backends = disable_by_file
+disable_by_file_path = /etc/glance/healthcheck_disable
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = SECRET_KEY  #DEPRECATED
+enabled = yes  #DEPRECATED