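name: glance-perms
          # Init step: recursively hands the image store directory to the glance user
          # before the API starts. The effective uid and capabilities come from the
          # security-context snippet below, whose values are not visible here.
          # NOTE(review): chown needs root or CAP_CHOWN; confirm nothing broader is granted.
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "glance_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - chown
            - -R
            - "glance:"
            - {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: glance-images
              mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
{{ if eq .Values.storage "rbd" }}
        # Init step (rbd storage only): runs ceph-keyring.sh with the Ceph client key
        # mounted read-only from the ceph-keyring secret; /etc/ceph is the etcceph
        # emptyDir that the glance-api container also mounts.
        - name: ceph-keyring-placement
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
            - name: RBD_STORE_USER
              value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }}
          command:
            - /tmp/ceph-keyring.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: etcceph
              mountPath: /etc/ceph
            - name: glance-bin
              mountPath: /tmp/ceph-keyring.sh
              subPath: ceph-keyring.sh
              readOnly: true
            - name: ceph-keyring
              mountPath: /tmp/client-keyring
              subPath: key
              readOnly: true
{{ end }}
      containers:
        {{- if $envAll.Values.manifests.certificates }}
        # nginx sidecar, rendered only when manifests.certificates is set. It owns the
        # pod's g-api containerPort and mounts the API TLS secret at /etc/nginx/certs.
        - name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          ports:
            - name: g-api
              containerPort: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          env:
            - name: PORT
              value: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: SHORTNAME
              value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
          readinessProbe:
            tcpSocket:
              port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          command:
            - /tmp/nginx.sh
            - start
          lifecycle:
            preStop:
              exec:
                command:
                  - /tmp/nginx.sh
                  - stop
          volumeMounts:
            - name: glance-bin
              mountPath: /tmp/nginx.sh
              subPath: nginx.sh
              readOnly: true
            - name: glance-etc
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
        {{- end }}
        # Main API container.
        - name: glance-api
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "glance" "container" "glance_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/glance-api.sh
            - start
{{- if or .Values.manifests.certificates .Values.tls.identity }}
          env:
            # Points python-requests at the CA file mounted under /etc/glance/certs.
            - name: REQUESTS_CA_BUNDLE
              value: "/etc/glance/certs/ca.crt"
{{- end }}
          lifecycle:
            preStop:
              exec:
                command:
                  - /tmp/glance-api.sh
                  - stop
          {{- if $envAll.Values.manifests.certificates }}
          # With certificates enabled this container declares no port (nginx holds
          # g-api), so health is checked with an exec probe from inside the pod.
          # requests.get() raises MissingSchema on a bare port number, which would fail
          # every probe, so the probe URL carries an explicit scheme and loopback host.
          # NOTE(review): assumes glance-api serves plain HTTP on loopback in this mode;
          # confirm against bind_host in glance-api.conf.
          readinessProbe:
            exec:
              command:
                - python
                - -c
                - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
          livenessProbe:
            exec:
              command:
                - python
                - -c
                - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
            initialDelaySeconds: 30
          {{- else }}
          ports:
            - name: g-api
              containerPort: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          readinessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          {{- end }}
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: glance-tmp
              mountPath: /var/lib/glance/tmp
            - name: etcglance
              mountPath: /etc/glance
            - name: glance-bin
              mountPath: /tmp/glance-api.sh
              subPath: glance-api.sh
              readOnly: true
            # Configuration files are projected one by one, read-only, from the
            # glance-etc secret (defaultMode 0444 in the volumes section).
            - name: glance-etc
              mountPath: /etc/glance/glance-api.conf
              subPath: glance-api.conf
              readOnly: true
            {{- if .Values.conf.glance.DEFAULT.log_config_append }}
            - name: glance-etc
              mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
              subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
              readOnly: true
            {{- end }}
            - name: glance-etc
              mountPath: /etc/glance/glance-api-paste.ini
              subPath: glance-api-paste.ini
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/policy.yaml
              subPath: policy.yaml
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/api_audit_map.conf
              subPath: api_audit_map.conf
              readOnly: true
            - name: glance-etc
              # NOTE (Portdirect): We mount here to override Kolla's
              # custom sudoers file when using Kolla images; this
              # location will also work fine for other images.
              mountPath: /etc/sudoers.d/kolla_glance_sudoers
              subPath: glance_sudoers
              readOnly: true
            - name: glance-etc
              mountPath: /etc/glance/rootwrap.conf
              subPath: rootwrap.conf
              readOnly: true
            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
            {{- if ( has "api" $value.pods ) }}
            {{- $filePrefix := replace "_" "-" $key }}
            {{- $rootwrapFile := printf "/etc/glance/rootwrap.d/%s.filters" $filePrefix }}
            - name: glance-etc
              mountPath: {{ $rootwrapFile }}
              subPath: {{ base $rootwrapFile }}
              readOnly: true
            {{- end }}
            {{- end }}
            - name: glance-etc
              mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
              subPath: swift-store.conf
              readOnly: true
            - name: glance-images
              mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
{{- if eq .Values.storage "cinder" }}
            # cinder storage only: the mounts below expose the node's root filesystem,
            # /dev, /sys, /etc/iscsi and /etc/multipath inside this container, none of
            # them read-only. Kubernetes only admits Bidirectional propagation (used on
            # /etc/multipath) for privileged containers, so this mode gives the API pod
            # host-level reach; restrict where it may be scheduled and who may change
            # the storage value.
            # NOTE(review): the KubeVersion guards compare strings, so the ordering is
            # lexical ("9" sorts after "10"); confirm they behave as intended.
            - name: host-rootfs
              mountPath: /mnt/host-rootfs
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: HostToContainer
              {{- end }}
            - name: host-dev
              mountPath: /dev
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: HostToContainer
              {{- end }}
            - name: runlock
              mountPath: /run/lock
            - name: etciscsi
              mountPath: /etc/iscsi
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: HostToContainer
              {{- end }}
            - name: usrlocalsbin
              mountPath: /usr/local/sbin
            - name: glance-bin
              mountPath: /usr/local/sbin/iscsiadm
              subPath: iscsiadm
            - name: glance-bin
              mountPath: /usr/local/sbin/multipath
              subPath: multipath
            - name: glance-bin
              mountPath: /usr/local/sbin/multipathd
              subPath: multipathd
            - name: etcmultipath
              mountPath: /etc/multipath
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: Bidirectional
              {{- end }}
            - name: sys
              mountPath: /sys
              {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
              mountPropagation: HostToContainer
              {{- end }}
{{- end }}
{{- if eq .Values.storage "rbd" }}
            - name: etcceph
              mountPath: /etc/ceph
            - name: ceph-etc
              mountPath: /etc/ceph/ceph.conf
              subPath: ceph.conf
              readOnly: true
            - name: ceph-keyring
              mountPath: /tmp/client-keyring
              subPath: key
              readOnly: true
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
        - name: glance-tmp
          emptyDir: {}
        - name: etcglance
          emptyDir: {}
        # Scripts: read and execute for everyone, never writable.
        - name: glance-bin
          configMap:
            name: glance-bin
            defaultMode: 0555
        # Configuration secret: world-readable inside the pod (0444), so any process
        # in a container that mounts it can read the projected files.
        - name: glance-etc
          secret:
            secretName: glance-etc
            defaultMode: 0444
        {{- if eq .Values.storage "pvc" }}
        - name: glance-images
          persistentVolumeClaim:
            claimName: glance-images
{{ else }}
        - name: glance-images
          emptyDir: {}
        {{- end }}
        {{- if eq .Values.storage "rbd" }}
        - name: etcceph
          emptyDir: {}
        - name: ceph-etc
          configMap:
            name: {{ .Values.ceph_client.configmap }}
            defaultMode: 0444
        - name: ceph-keyring
          secret:
            secretName: {{ .Values.secrets.rbd | quote }}
        {{- end }}
        {{- if eq .Values.storage "cinder" }}
        # hostPath volumes backing the cinder mounts above; "path: /" is the node's
        # whole root filesystem. Admission policies that forbid hostPath will reject
        # the pod in this mode.
        - name: host-rootfs
          hostPath:
            path: /
        - name: host-dev
          hostPath:
            path: /dev
        - name: runlock
          hostPath:
            path: /run/lock
        - name: etciscsi
          hostPath:
            path: /etc/iscsi
        - name: usrlocalsbin
          emptyDir: {}
        - name: etcmultipath
          hostPath:
            path: /etc/multipath
        - name: sys
          hostPath:
            path: /sys
        {{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
{{- end }}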