Enable memcached backend for mod_auth_openidc

Change-Id: Ie87a7488dad369464793b47c3d2db67d7dc1694e
2021-06-03 15:49:57 +01:00 · 2021-06-03 15:49:57 +01:00 · 3ca805041b
commit 3ca805041b
parent 008ada9062
3 changed files with 13 additions and 0 deletions
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@ -201,3 +201,6 @@ keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and key
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
 keystone_federation_oidc_scopes: "openid email profile"
+
+# OIDC caching
+keystone_oidc_enable_memcached: "{{ enable_memcached }}"
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@ -64,6 +64,10 @@ LogLevel info
 {% endif %}
    OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }}
    OIDCRedirectURI {{ keystone_public_url }}/redirect_uri
+{% if enable_memcached | bool and keystone_oidc_enable_memcached | bool %}
+    OIDCCacheType memcache
+    OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
+{% endif %}

    <Location ~ "/redirect_uri">
      Require valid-user
--- a/releasenotes/notes/oidc-memcache-backend-198e27c5168a3d4e.yaml
+++ b/releasenotes/notes/oidc-memcache-backend-198e27c5168a3d4e.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Keystone OIDC integration now uses memcached for the caching backend if
+    ``enable_memcached`` is ``True``. This can be disabled by setting
+    ``keystone_oidc_enable_memcached`` to ``False``.