Revert "Revert "Keystone Authtoken Cache: allow universal secret key to be set""

This reverts commit 90d070390d. Change-Id: I017c6e9676b872e1aab21f9dc8aa2f93db58d49f
2020-02-21 17:12:38 +00:00 · 2020-02-21 17:12:38 +00:00 · f9dbba7043
parent 8c6269f719
commit f9dbba7043
34 changed files with 168 additions and 0 deletions
--- a/aodh/templates/configmap-etc.yaml
+++ b/aodh/templates/configmap-etc.yaml
@ -53,6 +53,10 @@ limitations under the License.
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.aodh.keystone_authtoken "memcached_servers" -}}
 {{- end -}}

+{{- if empty .Values.conf.aodh.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.aodh.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
 {{- if empty .Values.conf.aodh.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "aodh" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.aodh.database "connection" -}}
 {{- end -}}
--- a/aodh/values.yaml
+++ b/aodh/values.yaml
@ -468,6 +468,7 @@ conf:
    keystone_authtoken:
      auth_version: v3
      auth_type: password
+      memcache_security_strategy: ENCRYPT
    service_credentials:
      auth_type: password
      interface: internal
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@ -47,6 +47,9 @@ limitations under the License.
 {{- if empty .Values.conf.barbican.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.barbican.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.barbican.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.barbican.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.barbican.DEFAULT.sql_connection -}}
 {{- $_ := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.barbican.DEFAULT "sql_connection" -}}
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -448,6 +448,8 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
+      memcache_secret_key: null
    database:
      max_retries: -1
    barbican_api:
@ -631,6 +633,13 @@ endpoints:
      http:
        default: 15672
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/ceilometer/templates/configmap-etc.yaml
+++ b/ceilometer/templates/configmap-etc.yaml
@ -28,6 +28,10 @@ limitations under the License.
 {{- if empty .Values.conf.ceilometer.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.ceilometer.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.ceilometer.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.ceilometer.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
 {{- if empty .Values.conf.ceilometer.cache.memcache_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.ceilometer.cache "memcache_servers" -}}
 {{- end -}}
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@ -1877,6 +1877,13 @@ endpoints:
      mongodb:
        default: 27017
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@ -47,6 +47,9 @@ limitations under the License.
 {{- if empty .Values.conf.cinder.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.cinder.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.cinder.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.cinder.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.cinder.database "connection" -}}
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -856,6 +856,7 @@ conf:
    keystone_authtoken:
      auth_version: v3
      auth_type: password
+      memcache_security_strategy: ENCRYPT
    oslo_policy:
      policy_file: /etc/cinder/policy.yaml
    oslo_concurrency:
@ -1385,6 +1386,13 @@ endpoints:
      http:
        default: 15672
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/congress/templates/configmap-etc.yaml
+++ b/congress/templates/configmap-etc.yaml
@ -28,6 +28,9 @@ limitations under the License.
 {{- if empty .Values.conf.congress.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.congress.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.congress.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.congress.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.congress.keystone_authtoken.auth_url -}}
 {{- $_ := tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.congress.keystone_authtoken "auth_url" -}}
--- a/congress/values.yaml
+++ b/congress/values.yaml
@ -284,6 +284,13 @@ endpoints:
      mysql:
        default: 3306
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/designate/templates/configmap-etc.yaml
+++ b/designate/templates/configmap-etc.yaml
@ -51,6 +51,10 @@
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "memcached_servers" -}}
 {{- end -}}

+{{- if empty .Values.conf.designate.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.designate.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
 {{- if empty (index .Values.conf.designate "storage:sqlalchemy").connection -}}
 {{- $_ := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set (index .Values.conf.designate "storage:sqlalchemy") "connection" -}}
 {{- $_ := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.designate.database "connection" -}}
--- a/designate/values.yaml
+++ b/designate/values.yaml
@ -570,6 +570,7 @@ conf:
    keystone_authtoken:
      auth_version: v3
      auth_type: password
+      memcache_security_strategy: ENCRYPT
  logging:
    loggers:
      keys:
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@ -75,6 +75,12 @@ limitations under the License.
 {{- if empty .Values.conf.glance_registry.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.glance_registry.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.glance.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.glance.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+{{- if empty .Values.conf.glance_registry.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.glance_registry.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.glance.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance.database "connection" -}}
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -253,6 +253,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
    glance_store:
      rbd_store_chunk_size: 8
      rbd_store_replication: 3
@ -381,6 +382,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
    paste_deploy:
      flavor: keystone
    database:
@ -681,6 +683,13 @@ endpoints:
      mysql:
        default: 3306
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@ -70,6 +70,9 @@ limitations under the License.
 {{- if empty .Values.conf.heat.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.heat.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.heat.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.heat.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.heat.database "connection" -}}
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -439,6 +439,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
    database:
      max_retries: -1
    trustee:
@ -950,6 +951,13 @@ endpoints:
      mysql:
        default: 3306
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/ironic/templates/configmap-etc.yaml
+++ b/ironic/templates/configmap-etc.yaml
@ -45,6 +45,9 @@ limitations under the License.
 {{- if empty .Values.conf.ironic.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.ironic.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.ironic.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.ironic.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.ironic.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "ironic" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ironic.database "connection" -}}
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@ -457,6 +457,13 @@ endpoints:
      mysql:
        default: 3306
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/magnum/templates/configmap-etc.yaml
+++ b/magnum/templates/configmap-etc.yaml
@ -47,6 +47,9 @@ limitations under the License.
 {{- if empty .Values.conf.magnum.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.magnum.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.magnum.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.magnum.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.magnum.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "magnum" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.magnum.database "connection" -}}
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -129,6 +129,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
    api:
      # NOTE(portdirect): the bind port should not be defined, and is manipulated
      # via the endpoints section.
@ -428,6 +429,13 @@ endpoints:
      mysql:
        default: 3306
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/mistral/templates/configmap-etc.yaml
+++ b/mistral/templates/configmap-etc.yaml
@ -47,6 +47,9 @@ limitations under the License.
 {{- if empty .Values.conf.mistral.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.mistral.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.mistral.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.mistral.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.mistral.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "mistral" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.mistral.database "connection" -}}
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -303,6 +303,13 @@ endpoints:
      http:
        default: 15672
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
@ -461,6 +468,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
  logging:
    loggers:
      keys:
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@ -49,6 +49,9 @@ limitations under the License.
 {{- if empty $envAll.Values.conf.neutron.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set $envAll.Values.conf.neutron.keystone_authtoken "memcached_servers" -}}
 {{- end }}
+{{- if empty .Values.conf.neutron.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.neutron.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty $envAll.Values.conf.neutron.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.database "connection" -}}
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -1847,6 +1847,7 @@ conf:
    ironic:
      endpoint_type: internal
    keystone_authtoken:
+      memcache_security_strategy: ENCRYPT
      auth_type: password
      auth_version: v3
    octavia:
@ -2169,6 +2170,13 @@ endpoints:
      http:
        default: 15672
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@ -48,6 +48,9 @@ limitations under the License.
 {{- if empty .Values.conf.nova.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.nova.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.nova.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if .Values.conf.nova.service_user.send_service_user_token -}}

@ -211,6 +214,10 @@ limitations under the License.
 {{- $_ := set .Values.conf.nova.ironic "auth_version" .Values.endpoints.identity.auth.ironic.auth_version -}}
 {{- end -}}

+{{- if empty .Values.conf.nova.ironic.memcache_secret_key -}}
+{{- $_ := (default (randAlphaNum 64) .Values.endpoints.oslo_cache.auth.memcache_secret_key) | set .Values.conf.nova.ironic "memcache_secret_key" -}}
+{{- end -}}
+
 {{- if empty .Values.conf.nova.ironic.memcache_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.ironic "memcache_servers" -}}
 {{- end -}}
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -1727,6 +1727,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
    service_user:
      auth_type: password
      send_service_user_token: false
@ -1949,6 +1950,13 @@ endpoints:
      http:
        default: 15672
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/octavia/templates/configmap-etc.yaml
+++ b/octavia/templates/configmap-etc.yaml
@ -49,6 +49,9 @@ limitations under the License.
 {{- if empty .Values.conf.octavia.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.octavia.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.octavia.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.octavia.service_auth.auth_url -}}
 {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.service_auth "auth_url" -}}
@ -73,6 +76,9 @@ limitations under the License.
 {{- if empty .Values.conf.octavia.service_auth.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.service_auth "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.octavia.service_auth.memcache_secret_key -}}
+{{- $_ := set .Values.conf.octavia.service_auth "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.octavia.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "octavia" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.octavia.database "connection" -}}
--- a/octavia/values.yaml
+++ b/octavia/values.yaml
@ -220,6 +220,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
    certificates:
      ca_private_key_passphrase: foobar
      ca_private_key: /etc/octavia/certs/private/cakey.pem
@ -259,6 +260,7 @@ conf:
      auth_type: password
      cafile: ""
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
  logging:
    loggers:
      keys:
--- a/panko/templates/configmap-etc.yaml
+++ b/panko/templates/configmap-etc.yaml
@ -53,6 +53,10 @@ limitations under the License.
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.panko.keystone_authtoken "memcached_servers" -}}
 {{- end -}}

+{{- if empty .Values.conf.panko.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.panko.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}
+
 {{- if empty .Values.conf.panko.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "panko" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.panko.database "connection" -}}
 {{- end -}}
--- a/panko/values.yaml
+++ b/panko/values.yaml
@ -258,6 +258,7 @@ conf:
    keystone_authtoken:
      auth_version: v3
      auth_type: password
+      memcache_security_strategy: ENCRYPT
  logging:
    loggers:
      keys:
--- a/rally/templates/configmap-etc.yaml
+++ b/rally/templates/configmap-etc.yaml
@ -44,6 +44,9 @@ limitations under the License.
 {{- if empty .Values.conf.rally.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.rally.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.rally.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.rally.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.rally.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "rally" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.rally.database "connection" -}}
--- a/rally/values.yaml
+++ b/rally/values.yaml
@ -280,6 +280,9 @@ endpoints:
      mysql:
        default: 3306
  oslo_cache:
+    auth:
+      keystone_authtoken:
+        secret_key: null
    hosts:
      default: memcached
    host_fqdn_override:
--- a/senlin/templates/configmap-etc.yaml
+++ b/senlin/templates/configmap-etc.yaml
@ -48,6 +48,9 @@ limitations under the License.
 {{- if empty .Values.conf.senlin.keystone_authtoken.memcached_servers -}}
 {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.senlin.keystone_authtoken "memcached_servers" -}}
 {{- end -}}
+{{- if empty .Values.conf.senlin.keystone_authtoken.memcache_secret_key -}}
+{{- $_ := set .Values.conf.senlin.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
+{{- end -}}

 {{- if empty .Values.conf.senlin.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "senlin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.senlin.database "connection" -}}
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -175,6 +175,7 @@ conf:
    keystone_authtoken:
      auth_type: password
      auth_version: v3
+      memcache_security_strategy: ENCRYPT
    senlin_api:
      # NOTE(portdirect): the bind port should not be defined, and is manipulated
      # via the endpoints section.
@ -447,6 +448,13 @@ endpoints:
      mysql:
        default: 3306
  oslo_cache:
+    auth:
+      # NOTE(portdirect): this is used to define the value for keystone
+      # authtoken cache encryption key, if not set it will be populated
+      # automatically with a random value, but to take advantage of
+      # this feature all services should be set to use the same key,
+      # and memcache service.
+      memcache_secret_key: null
    hosts:
      default: memcached
    host_fqdn_override: