Enable keystonemiddleware cache encryption

This patch set enables keystonemiddleware memcache encryption by providing a random string key into the service configuration file, and setting the memcache_security_strategy as ENCRYPT. Change-Id: Ia030f5414308a29096c644bae70047a323eaffde
2017-08-15 18:55:03 -05:00 · 2017-08-15 18:55:03 -05:00 · c35f08c4fa
commit c35f08c4fa
parent b0f53eec2c
18 changed files with 57 additions and 0 deletions
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@ -27,6 +27,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -185,6 +185,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT
    database:
      oslo:
        db:
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -217,6 +217,7 @@ conf:
        auth_token:
          auth_version: v3
          auth_type: password
+          memcache_security_strategy: ENCRYPT
    oslo_concurrency:
      oslo:
        concurrency:
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@ -35,6 +35,14 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -89,6 +89,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT
    glance_store:
      glance:
        store:
@ -118,6 +119,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT
    paste_deploy:
      glance:
        registry:
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@ -28,6 +28,10 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
 {{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -58,6 +58,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT
    trustee:
      heat:
        common:
--- a/magnum/templates/configmap-etc.yaml
+++ b/magnum/templates/configmap-etc.yaml
@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -50,6 +50,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT
    api:
      magnum:
        port: 9511
--- a/mistral/templates/configmap-etc.yaml
+++ b/mistral/templates/configmap-etc.yaml
@ -27,6 +27,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -237,6 +237,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT

 pod:
  affinity:
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@ -38,6 +38,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end }}

+# Set a random string as secret key.
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
 {{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
 {{- end -}}
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -415,6 +415,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT
  ml2_conf:
    override:
    append:
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -360,6 +360,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT

    libvirt:
      nova:
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}

+# Set a random string as secret key.
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -50,6 +50,7 @@ conf:
        auth_token:
          auth_type: password
          auth_version: v3
+          memcache_security_strategy: ENCRYPT
    senlin_api:
      senlin:
        config: