{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- define "readinessProbeTemplate" }}
{{- /*
Readiness probe body for the glance-api container. The Deployment below renders
this template, parses it with fromYaml and passes it to
helm-toolkit.snippets.kubernetes_probe.

With .Values.manifests.certificates set, the probe runs inside the container
and requests plain HTTP on 127.0.0.1; otherwise the kubelet performs an httpGet
using the looked-up endpoint scheme.

NOTE(review): in the exec branch requests.get() is called without timeout= and
its response status is never inspected, so the probe only fails when the call
raises (for example, connection refused). It also talks to the loopback
listener directly, so it presumably does not exercise the nginx TLS front end;
the nginx container carries its own tcpSocket readiness probe. Confirm this is
the intended health signal.
*/}}
{{- $apiPort := tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.manifests.certificates }}
exec:
  command:
    - python
    - -c
    - "import requests; requests.get('http://127.0.0.1:{{ $apiPort }}')"
{{- else }}
httpGet:
  scheme: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
  path: /
  port: {{ $apiPort }}
{{- end }}
{{- end }}
{{- define "livenessProbeTemplate" }}
{{- /*
Liveness probe body for the glance-api container; the check itself is the same
as the one in readinessProbeTemplate (exec of a Python one-liner against
127.0.0.1 when .Values.manifests.certificates is set, httpGet otherwise).

NOTE(review): a failing liveness probe makes the kubelet restart the container.
In the exec branch requests.get() has no timeout= and the HTTP status is not
checked, so only a raised exception (or the kubelet's own probe timeout) counts
as a failure. Confirm the probe parameters supplied through
helm-toolkit.snippets.kubernetes_probe bound how long a hung call may run.
*/}}
{{- $apiPort := tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.manifests.certificates }}
exec:
  command:
    - python
    - -c
    - "import requests; requests.get('http://127.0.0.1:{{ $apiPort }}')"
{{- else }}
httpGet:
  scheme: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
  path: /
  port: {{ $apiPort }}
{{- end }}
{{- end }}
{{- if .Values.manifests.deployment_api }}
{{- /*
glance-api Deployment, rendered only when .Values.manifests.deployment_api is set.

Pod layout as written below:
  - init containers: the helm-toolkit entrypoint init container, glance-perms
    (chown of the image store directory) and, for storage "rbd",
    ceph-keyring-placement.
  - containers: an nginx container (only with .Values.manifests.certificates)
    and glance-api.

Security-relevant switches to keep in mind when reviewing values:
  - .Values.pod.useHostNetwork.api puts the pod on the host network.
  - .Values.storage "cinder" enables hostIPC and mounts the host paths /, /dev,
    /run/lock, /etc/iscsi, /etc/multipath and /sys into glance-api.
  - glance-etc is a Secret; ceph-keyring is a Secret (storage "rbd").
*/}}
{{- $envAll := . }}

{{- $mounts_glance_api := .Values.pod.mounts.glance_api.glance_api }}
{{- $mounts_glance_api_init := .Values.pod.mounts.glance_api.init_container }}

{{- $serviceAccountName := "glance-api" }}
{{- /* Port of the "image" service API endpoint; reused for nginx and glance-api. */}}
{{- $apiPort := tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- /*
Gate for the mountPropagation fields on the cinder host mounts.
NOTE(review): both operands of gt/ge are strings here, so the comparison is
presumably lexical rather than numeric; confirm that is acceptable for the
cluster versions you target.
*/}}
{{- $mountPropagationSupported := or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
{{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: glance-api
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
  replicas: {{ .Values.pod.replicas.api }}
  selector:
    matchLabels:
{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
  template:
    metadata:
      labels:
{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{- /* Hashes of the rendered bin/etc templates, stored as pod-template annotations. */}}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
{{ dict "envAll" $envAll "podName" "glance-api" "containerNames" ( list "glance-perms" "glance-api" "init" "nginx" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      affinity:
{{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
{{ if $envAll.Values.pod.tolerations.glance.enabled }}
{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{ end }}
      nodeSelector:
        {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
{{- if .Values.pod.useHostNetwork.api }}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
{{- end }}
{{- if eq .Values.storage "cinder" }}
{{- /*
NOTE(review): the cinder backend shares the host IPC namespace and, further
down, host paths. Pod Security admission at the "baseline" or "restricted"
level would reject this combination, so the namespace policy has to allow it
deliberately.
*/}}
      hostIPC: true
{{- end }}
      initContainers:
{{ tuple $envAll "api" $mounts_glance_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{- /*
glance-perms recursively chowns the image store directory to the glance user.
The effective UID and capabilities come from the glance_perms entry of the
container security context snippet, which is defined in values, not here.
*/}}
        - name: glance-perms
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "glance_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - chown
            - -R
            - "glance:"
            - {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: glance-images
              mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
{{- /*
storage "rbd" only: runs /tmp/ceph-keyring.sh with the ceph-keyring Secret
mounted read-only at /tmp/client-keyring and the writable etcceph emptyDir at
/etc/ceph (presumably where the keyring is placed for glance-api; the script
is not part of this file).
*/}}
        {{ if eq .Values.storage "rbd" }}
        - name: ceph-keyring-placement
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: RBD_STORE_USER
              value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
          command:
            - /tmp/ceph-keyring.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: etcceph
              mountPath: /etc/ceph
            - name: glance-bin
              mountPath: /tmp/ceph-keyring.sh
              subPath: ceph-keyring.sh
              readOnly: true
            - name: ceph-keyring
              mountPath: /tmp/client-keyring
              subPath: key
              readOnly: true
        {{ end }}
      containers:
{{- /*
With certificates enabled, the g-api containerPort is declared on nginx (which
mounts the API TLS secret at /etc/nginx/certs) instead of on glance-api.
*/}}
        {{- if $envAll.Values.manifests.certificates }}
        - name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          ports:
            - name: g-api
              containerPort: {{ $apiPort }}
          env:
            - name: PORT
              value: {{ $apiPort | quote }}
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: SHORTNAME
              value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
          readinessProbe:
            tcpSocket:
              port: {{ $apiPort }}
          command:
            - /tmp/nginx.sh
            - start
          lifecycle:
            preStop:
              exec:
                command:
                  - /tmp/nginx.sh
                  - stop
          volumeMounts:
            - name: glance-bin
              mountPath: /tmp/nginx.sh
              subPath: nginx.sh
              readOnly: true
            - name: glance-etc
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
        {{- end }}
        - name: glance-api
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "glance_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{- /* Probe bodies come from the two named templates defined at the top of this file. */}}
{{ dict "envAll" $envAll "component" "api" "container" "glance-api" "type" "readiness" "probeTemplate" (include "readinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "api" "container" "glance-api" "type" "liveness" "probeTemplate" (include "livenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
          command:
            - /tmp/glance-api.sh
            - start
{{- if or .Values.manifests.certificates .Values.tls.identity }}
{{- /*
Points Python requests at a CA bundle under /etc/glance/certs, the path where
the API TLS secret is mounted below under the same condition (assumes that
secret carries a ca.crt key; verify against the certificate manifests).
*/}}
          env:
            - name: REQUESTS_CA_BUNDLE
              value: "/etc/glance/certs/ca.crt"
{{- end }}
          lifecycle:
            preStop:
              exec:
                command:
                  - /tmp/glance-api.sh
                  - stop
          {{- if not $envAll.Values.manifests.certificates }}
          ports:
            - name: g-api
              containerPort: {{ $apiPort }}
          {{- end }}
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: glance-tmp
              mountPath: /var/lib/glance/tmp
            - name: etcglance
              mountPath: /etc/glance
            - name: glance-bin
              mountPath: /tmp/glance-api.sh
              subPath: glance-api.sh
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/glance-api.conf
              subPath: glance-api.conf
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/glance-api-uwsgi.ini
              subPath: glance-api-uwsgi.ini
              readOnly: true
            {{- if .Values.conf.glance.DEFAULT.log_config_append }}
            - name: glance-etc
              mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
              subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
              readOnly: true
            {{- end }}
            - name: glance-etc
              mountPath: /etc/glance/glance-api-paste.ini
              subPath: glance-api-paste.ini
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/policy.yaml
              subPath: policy.yaml
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/api_audit_map.conf
              subPath: api_audit_map.conf
              readOnly: true
            - name: glance-etc
              # NOTE (Portdirect): We mount here to override Kollas
              # custom sudoers file when using Kolla images, this
              # location will also work fine for other images.
              mountPath: /etc/sudoers.d/kolla_glance_sudoers
              subPath: glance_sudoers
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/rootwrap.conf
              subPath: rootwrap.conf
              readOnly: true
{{- /*
One read-only mount per rootwrap filter whose "pods" list contains "api";
underscores in the key become dashes in the file name.
*/}}
            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
            {{- if ( has "api" $value.pods ) }}
            {{- $filePrefix := replace "_" "-" $key }}
            {{- $rootwrapFile := printf "/etc/glance/rootwrap.d/%s.filters" $filePrefix }}
            - name: glance-etc
              mountPath: {{ $rootwrapFile }}
              subPath: {{ base $rootwrapFile }}
              readOnly: true
            {{- end }}
            {{- end }}
            - name: glance-etc
              mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
              subPath: swift-store.conf
              readOnly: true
            - name: glance-images
              mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
{{- if eq .Values.storage "cinder" }}
{{- /*
NOTE(review): none of the host mounts below is marked readOnly, and
host-rootfs is the node's root filesystem (see the hostPath volumes at the
bottom of this file). Treat a glance-api pod with storage "cinder" as having
node-level access when assessing blast radius, and restrict where it may be
scheduled accordingly.
*/}}
            - name: host-rootfs
              mountPath: /mnt/host-rootfs
              {{- if $mountPropagationSupported }}
              mountPropagation: HostToContainer
              {{- end }}
            - name: host-dev
              mountPath: /dev
              {{- if $mountPropagationSupported }}
              mountPropagation: HostToContainer
              {{- end }}
            - name: runlock
              mountPath: /run/lock
            - name: etciscsi
              mountPath: /etc/iscsi
              {{- if $mountPropagationSupported }}
              mountPropagation: HostToContainer
              {{- end }}
            - name: usrlocalsbin
              mountPath: /usr/local/sbin
            - name: glance-bin
              mountPath: /usr/local/sbin/iscsiadm
              subPath: iscsiadm
            - name: glance-bin
              mountPath: /usr/local/sbin/multipath
              subPath: multipath
            - name: glance-bin
              mountPath: /usr/local/sbin/multipathd
              subPath: multipathd
            - name: etcmultipath
              mountPath: /etc/multipath
              {{- if $mountPropagationSupported }}
              mountPropagation: Bidirectional
              {{- end }}
            - name: sys
              mountPath: /sys
              {{- if $mountPropagationSupported }}
              mountPropagation: HostToContainer
              {{- end }}
{{- end }}
{{- if eq .Values.storage "rbd" }}
            - name: etcceph
              mountPath: /etc/ceph
            - name: ceph-etc
              mountPath: /etc/ceph/ceph.conf
              subPath: ceph.conf
              readOnly: true
            - name: ceph-keyring
              mountPath: /tmp/client-keyring
              subPath: key
              readOnly: true
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ with $mounts_glance_api.volumeMounts }}{{ toYaml . | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
        - name: glance-tmp
          emptyDir: {}
        - name: etcglance
          emptyDir: {}
{{- /*
defaultMode values are written with a leading zero and are meant as octal file
modes (0555 for scripts, 0444 for config); keep them unquoted integers.
glance-etc is a Secret, so every subPath mounted from it above is secret data.
*/}}
        - name: glance-bin
          configMap:
            name: glance-bin
            defaultMode: 0555
        - name: glance-etc
          secret:
            secretName: glance-etc
            defaultMode: 0444
{{- if eq .Values.storage "pvc" }}
        - name: glance-images
          persistentVolumeClaim:
            claimName: glance-images
{{ else }}
        - name: glance-images
          emptyDir: {}
{{- end }}
{{- if eq .Values.storage "rbd" }}
        - name: etcceph
          emptyDir: {}
        - name: ceph-etc
          configMap:
            name: {{ .Values.ceph_client.configmap }}
            defaultMode: 0444
        - name: ceph-keyring
          secret:
            secretName: {{ .Values.secrets.rbd | quote }}
{{- end }}
{{- if eq .Values.storage "cinder" }}
{{- /*
hostPath volumes backing the cinder mounts in glance-api. No "type" is set on
any of them, so the kubelet performs no existence or kind check on the path.
*/}}
        - name: host-rootfs
          hostPath:
            path: /
        - name: host-dev
          hostPath:
            path: /dev
        - name: runlock
          hostPath:
            path: /run/lock
        - name: etciscsi
          hostPath:
            path: /etc/iscsi
        - name: usrlocalsbin
          emptyDir: {}
        - name: etcmultipath
          hostPath:
            path: /etc/multipath
        - name: sys
          hostPath:
            path: /sys
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ with $mounts_glance_api.volumes }}{{ toYaml . | indent 8 }}{{ end }}
{{- end }}