From c35f08c4fa96354dee0c4d05e1f04a07b73ef1a5 Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Tue, 15 Aug 2017 18:55:03 -0500
Subject: [PATCH] Enable keystonemiddleware cache encryption

This patch set enables keystonemiddleware memcache encryption by providing a random string key into the service configuration file, and setting the memcache_security_strategy as ENCRYPT.

Change-Id: Ia030f5414308a29096c644bae70047a323eaffde
---
 barbican/templates/configmap-etc.yaml | 5 +++++
 barbican/values.yaml | 1 +
 cinder/templates/configmap-etc.yaml | 5 +++++
 cinder/values.yaml | 1 +
 glance/templates/configmap-etc.yaml | 8 ++++++++
 glance/values.yaml | 2 ++
 heat/templates/configmap-etc.yaml | 4 ++++
 heat/values.yaml | 1 +
 magnum/templates/configmap-etc.yaml | 5 +++++
 magnum/values.yaml | 1 +
 mistral/templates/configmap-etc.yaml | 5 +++++
 mistral/values.yaml | 1 +
 neutron/templates/configmap-etc.yaml | 5 +++++
 neutron/values.yaml | 1 +
 nova/templates/configmap-etc.yaml | 5 +++++
 nova/values.yaml | 1 +
 senlin/templates/configmap-etc.yaml | 5 +++++
 senlin/values.yaml | 1 +
 18 files changed, 57 insertions(+)

diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml
index 484cdc2af3..7a18ff23a0 100644
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@@ -27,6 +27,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.barbican.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 9cef050b8a..4c991120af 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -185,6 +185,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 database:
 oslo:
 db:
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index b8d3da074d..6b170026c7 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
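Review bot: `randAlphaNum 64` runs on every render, so unless `memcache_secret_key` is pinned in values each `helm upgrade` silently rotates the key, every cached token validation becomes undecryptable, and, if the pod templates carry a hash of this ConfigMap as is common in these charts, every upgrade also forces a rollout of the service. The same applies to the matching hunks in cinder, glance (both the glance and glance_registry sections), heat, magnum, mistral, neutron, nova and senlin. Two caveats belong next to the `randAlphaNum` line: whether Sprig's `randAlphaNum` is backed by a cryptographic RNG depends on the Sprig build inside the Helm binary and should be confirmed for the version in use, and the file name suggests the generated key is rendered into a ConfigMap rather than a Secret, so ConfigMap read access in the namespace is enough to recover it. Also, `# Set a random string as secret key.` sits outside any `{{ }}` action between two whitespace-trimming actions, so it is emitted verbatim into the rendered output; a template comment keeps it out. I would replace it with `{{/* memcache_secret_key: regenerated on every render unless set in values (rotates the cache key on upgrade); rendered into the ConfigMap, not a Secret */}}`.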
@@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.cinder.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 5983784b73..bca8c3f7da 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -217,6 +217,7 @@ conf:
 auth_token:
 auth_version: v3
 auth_type: password
+ memcache_security_strategy: ENCRYPT
 oslo_concurrency:
 oslo:
 concurrency:
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index 22c214aa43..7995d98ff8 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@@ -35,6 +35,14 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.glance_registry.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.glance.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/glance/values.yaml b/glance/values.yaml
index 2ca5cac4b3..075b9d925e 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -89,6 +89,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 glance_store:
 glance:
 store:
@@ -118,6 +119,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 paste_deploy:
 glance:
 registry:
diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
index f94ceb2f20..d06a6a367f 100644
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@@ -28,6 +28,10 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
 {{- if empty .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.heat.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/heat/values.yaml b/heat/values.yaml
index 0fc275ec88..2f565bb346 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -58,6 +58,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 trustee:
 heat:
 common:
diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml
index 598b6cd717..16bf9be626 100644
--- a/magnum/templates/configmap-etc.yaml
+++ b/magnum/templates/configmap-etc.yaml
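Review bot: The heat hunk omits the blank `+` line after the new `{{- end -}}` that the same insertion carries in every other chart's configmap-etc.yaml, which is why its header reads `+28,10` where the siblings read `+28,11`; the new block is butted directly against the `region_name` guard. Rendering is unaffected because every action trims its surrounding whitespace, but keeping the eight templates identical apart from the chart name makes them easier to diff and to patch together later. I would add the blank line so the block ends `+{{- end -}}` followed by `+` as in the barbican hunk.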
@@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.magnum.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/magnum/values.yaml b/magnum/values.yaml
index 7cc875407a..a13333c73e 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -50,6 +50,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 api:
 magnum:
 port: 9511
diff --git a/mistral/templates/configmap-etc.yaml b/mistral/templates/configmap-etc.yaml
index cf01782b23..9e80ecac3a 100644
--- a/mistral/templates/configmap-etc.yaml
+++ b/mistral/templates/configmap-etc.yaml
@@ -27,6 +27,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.mistral.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/mistral/values.yaml b/mistral/values.yaml
index bae6795e93..ed514067f9 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -237,6 +237,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 pod:
 affinity:
diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
index c1b98af7f1..3878d3ec33 100644
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@@ -38,6 +38,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end }}
+# Set a random string as secret key.
+{{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token.project_name -}}
 {{- set .Values.conf.neutron.keystone_authtoken.keystonemiddleware.auth_token "project_name" .Values.endpoints.identity.auth.user.project_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 6890e371ea..49833dc543 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -415,6 +415,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 ml2_conf:
 override:
 append:
diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml
index 659836e9e7..9e97e5a362 100644
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/nova/values.yaml b/nova/values.yaml
index 032b07c8c3..61737c9537 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -360,6 +360,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 libvirt:
 nova:
diff --git a/senlin/templates/configmap-etc.yaml b/senlin/templates/configmap-etc.yaml
index 42aad551cb..dfa09c5aa7 100644
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
@@ -28,6 +28,11 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
 {{- end -}}
+# Set a random string as secret key.
+{{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.memcache_secret_key -}}
+{{- randAlphaNum 64 | set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "memcache_secret_key" | quote | trunc 0 -}}
+{{- end -}}
+
 {{- if empty .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token.region_name -}}
 {{- set .Values.conf.senlin.keystone_authtoken.keystonemiddleware.auth_token "region_name" .Values.endpoints.identity.auth.user.region_name | quote | trunc 0 -}}
 {{- end -}}
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 44fe92fe56..1208e69a9f 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -50,6 +50,7 @@ conf:
 auth_token:
 auth_type: password
 auth_version: v3
+ memcache_security_strategy: ENCRYPT
 senlin_api:
 senlin:
 config: