Skip to content

Deploy Glance

OpenStack Glance is the image service within the OpenStack ecosystem, responsible for discovering, registering, and retrieving virtual machine images. Glance provides a centralized repository where users can store and manage a wide variety of VM images, ranging from standard operating system snapshots to custom machine images tailored for specific workloads. This service plays a crucial role in enabling rapid provisioning of instances by providing readily accessible, pre-configured images that can be deployed across the cloud. In this document, we will outline the deployment of OpenStack Glance using Genestack. The deployment process is streamlined, ensuring Glance is robustly integrated with other OpenStack services to deliver seamless image management and retrieval.

Create secrets

Information about the secretes used

Manual secret generation is only required if you haven't run the create-secrets.sh script located in /opt/genestack/bin.

Example secret generation 
kubectl --namespace openstack \
        create secret generic glance-rabbitmq-password \
        --type Opaque \
        --from-literal=username="glance" \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-64};echo;)"
kubectl --namespace openstack \
        create secret generic glance-db-password \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"
kubectl --namespace openstack \
        create secret generic glance-admin \
        --type Opaque \
        --from-literal=password="$(< /dev/urandom tr -dc _A-Za-z0-9 | head -c${1:-32};echo;)"

Info

Before running the Glance deployment you should configure the backend which is defined in the helm-configs/glance/glance-helm-overrides.yaml file. The default is a making the assumption we're running with Ceph deployed by Rook so the backend is configured to be cephfs with multi-attach functionality. While this works great, you should consider all of the available storage backends and make the right decision for your environment.

Run the package deployment

Run the Glance deployment Script bin/install-glance.sh

#!/bin/bash
pushd /opt/genestack/submodules/openstack-helm || exit
    helm upgrade --install glance ./glance \
        --namespace=openstack \
        --timeout 120m \
        -f /opt/genestack/base-helm-configs/glance/glance-helm-overrides.yaml \
        -f /etc/genestack/helm-configs/glance/glance-helm-overrides.yaml \
        --set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.identity.auth.glance.password="$(kubectl --namespace openstack get secret glance-admin -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.oslo_db.auth.admin.password="$(kubectl --namespace openstack get secret mariadb -o jsonpath='{.data.root-password}' | base64 -d)" \
        --set endpoints.oslo_db.auth.glance.password="$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.oslo_cache.auth.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
        --set conf.glance.keystone_authtoken.memcache_secret_key="$(kubectl --namespace openstack get secret os-memcached -o jsonpath='{.data.memcache_secret_key}' | base64 -d)" \
        --set conf.glance.database.slave_connection="mysql+pymysql://glance:$(kubectl --namespace openstack get secret glance-db-password -o jsonpath='{.data.password}' | base64 -d)@mariadb-cluster-secondary.openstack.svc.cluster.local:3306/glance" \
        --set endpoints.oslo_messaging.auth.admin.password="$(kubectl --namespace openstack get secret rabbitmq-default-user -o jsonpath='{.data.password}' | base64 -d)" \
        --set endpoints.oslo_messaging.auth.glance.password="$(kubectl --namespace openstack get secret glance-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
        --post-renderer /etc/genestack/kustomize/kustomize.sh \
        --post-renderer-args glance/overlay "$@"
popd || exit

Tip

You may need to provide custom values to configure your openstack services, for a simple single region or lab deployment you can supply an additional overrides flag using the example found at base-helm-configs/aio-example-openstack-overrides.yaml. In other cases such as a multi-region deployment you may want to view the Multi-Region Support guide to for a workflow solution.

Note

The defaults disable storage_init because we're using pvc as the image backend type. In production this should be changed to swift.

Validate functionality

kubectl --namespace openstack exec -ti openstack-admin-client -- openstack image list

Custom Listeners

This step is not needed if all listeners were applied when the Gateway API was deployed

Example listener patch file found in /opt/genestack/etc/gateway-api/listeners 
[
    {
        "op": "add",
        "path": "/spec/listeners/-",
        "value": {
            "name": "glance-https",
            "port": 443,
            "protocol": "HTTPS",
            "hostname": "glance.your.domain.tld",
            "allowedRoutes": {
                "namespaces": {
                    "from": "All"
                }
            },
            "tls": {
                "certificateRefs": [
                    {
                        "group": "",
                        "kind": "Secret",
                        "name": "glance-gw-tls-secret"
                    }
                ],
                "mode": "Terminate"
            }
        }
    }
]

Modify the Listener Patch

This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway listener documentation for more information on listener types.

mkdir -p /etc/genestack/gateway-api/listeners
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/listeners/glance-https.json \
    > /etc/genestack/gateway-api/listeners/glance-https.json

Apply the Listener Patch

kubectl patch -n nginx-gateway gateway flex-gateway \
              --type='json' \
              --patch-file /etc/genestack/gateway-api/listeners/glance-https.json

Custom Routes

This step is not needed if all routes were applied when the Gateway API was deployed

A custom gateway route can be used when setting up the service. The custom route make it possible to for a domain like your.domain.tld to be used for the service.

Example routes file found in /opt/genestack/etc/gateway-api/routes 
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: custom-glance-gateway-route
  namespace: openstack
  labels:
    application: gateway-api
    service: HTTPRoute
    route: glance
spec:
  parentRefs:
  - name: flex-gateway
    sectionName: glance-https
    namespace: nginx-gateway
  hostnames:
  - "glance.your.domain.tld"
  rules:
    - backendRefs:
      - name: glance-api
        port: 9292

Modify the Route

This example changes the placeholder domain to <YOUR_DOMAIN>. Review the gateway route documentation for more information on route types.

mkdir -p /etc/genestack/gateway-api/routes
sed 's/your.domain.tld/<YOUR_DOMAIN>/g' \
    /opt/genestack/etc/gateway-api/routes/custom-glance-gateway-route.yaml \
    > /etc/genestack/gateway-api/routes/custom-glance-gateway-route.yaml

Apply the Route

kubectl --namespace openstack apply -f /etc/genestack/gateway-api/routes/custom-glance-gateway-route.yaml

Demo

asciicast