Uploaded image for project: 'Red Hat OpenStack Services on OpenShift'
  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-2503

Support custom API policy

XMLWordPrintable

    • Support custom API policy
    • False
    • Hide

      None

      Show
      None
    • False
    • Committed
    • No Docs Impact
    • To Do
    • RHOSSTRAT-270 - Red Hat OpenStack 18.0 Greenfield Deployment
    • nova-operator-container-1.0.0-14 placement-operator-container-1.0.0-11
    • Committed
    • Committed
    • 0% To Do, 0% In Progress, 100% Done
    • Release Note Not Required
    • Automated
    • 2024Q1
    • Approved

      While our product does not support customizing API policy without a support exception we still need a way to support passing a policy.yaml file to nova-api and placement-api services via our operators.

      We have `DefaultConfigOverwrite` in our service CRDs[1][2] but it was never verified that it works properly.

      The selected solution also needs to support api-paste.ini for the nova-api service and provider.yaml for ironic computes.

      Alternatives:

      • A) Use the DefaultConfigOverwrite field, make sure it is working and tested.
        • Pros:
          • The CRD field already exists
          • The CRD field defintion is simple 
            map[string]string
          • Already used by other operators (keystone, horizon, barbican, designate, telemetry, octavia, ironic, heat, neutron)
        • Cons:
          • It is simple: It does not support mounting data from CMs / Secrets and it only support direct propagation.
      • B) Introduce ExtraMounts logic.
        • Pros:
          • Supports mounting data from CMs and Secrets.
          • Support conditional propagation to sub CRs.
          • Already used by other operators (cinder, glance, manila, neutron, dataplane, ansibleee)
        • Cons:
          • It has a big definition, 756 lines of schema for each field using the type.

      Implementation details (assuming option A)

      While the CRD fields for DefaultConfigOverwrite is in place and properly propagated from OpenStackControlPlane to e.g. NovaAPI CR and to the generated config Secret mounted in the pod, the kolla config in the container ignores the extra files from the config Secret.
      We want to define (and validate with a webhook) a list of file we allow to pass through:

      • for NovaAPI: api-paste.ini and policy.yaml
      • for NovaMetadata: api-paste.ini
      • for NovaCompute: provider*.yaml

      We need to modify kolla config for these services to move these extra files in place.

      We need to make sure that the nova.conf has the proper values to pick up the passed thorough config files:

      • [wsgi]api_paste_config
      • [oslo_policy]policy_file
      • [compute]provider_config_location

      We need to tighten up the validation of the file name anyhow as today the field allows any keys but as we use that key as a key in a Secret we can only allow certain keys. E.g.

            message: 'Service config create error occurred Secret "nova-api-config-data"
        is invalid: data[foo/api-paste.ini]: Invalid value: "foo/api-paste.ini": a
        valid config key must consist of alphanumeric characters, ''-'', ''_'' or
        ''.'' (e.g. ''key.name'',  or ''KEY_NAME'',  or ''key-name'', regex used for
        validation is ''[-._a-zA-Z0-9]+'')'

      Documentation

      api-paste.ini:

      • NovaAPI: OpenStackControlPlane.spec.nova.template.apiServiceTemplate.defaultConfigOverwrite
      • NovaMetadata:
        • top level: OpenStackControlPlane.spec.nova.template.metadataServiceTemplate.defaultConfigOverwrite
        • per cell: OpenStackControlPlane.spec.nova.template.cellTemplates[<cellname>].metadataServiceTemplate.defaultConfigOverwrite 
          defaultConfigOverwrite:
    api-paste.ini: |
        [pipeline:oscomputeversion_v2]
        pipeline = cors compute_req_id faultwrap request_log http_proxy_to_wsgi oscomputeversionapp_v2
        <...>

      policy.yaml:

      • NovaAPI: OpenStackControlPlane.spec.nova.template.apiServiceTemplate.defaultConfigOverwrite 
        defaultConfigOverwrite:
    policy.yaml: |
        "os_compute_api:os-flavor-manage:create": "rule:project_member_or_admin"
        <...>

      provider*.yaml:

      • NovaCompute (ironic): OpenStackControlPlane.spec.nova.template.cellTemplates[<cellname>].novaComputeTemplates[<compute name>].defaultConfigOverwrite 
        defaultConfigOverwrite:
    provider1.yaml: |
        providers:
            - identification:
              uuid: '$COMPUTE_NODE'
        <...>
    provider2.yaml: |
        providers:
            - identification:
              name: 'EXAMPLE_RESOURCE_PROVIDER'
        <...>

        Note: This only applies to ironic computes. EDPM computes will need a bit different configuration

      [1] https://github.com/openstack-k8s-operators/nova-operator/blob/3d19fcc042878f923f745f9a9addec07a9dabd6f/api/v1beta1/common_types.go#L68-L71
      [2] https://github.com/openstack-k8s-operators/placement-operator/blob/4daf37ecb2bb584e1f3a98b7f1660b81519f8ff1/api/v1beta1/placementapi_types.go#L100-L104

              rh-ee-bgibizer Balazs Gibizer
              rh-ee-bgibizer Balazs Gibizer
              Sree Kovili Sree Kovili
              rhos-dfg-compute
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: