From 44fc5d25c1c9418ed4d82a48380fe6ab8362aee5 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Wed, 2 Dec 2020 11:34:36 +0100
Subject: [PATCH] Add TLS options for oslo.cache

This patch specifies a set of options required to build a TLS context. The context built from those options can later on be passed to any of the oslo.cache backends that supports TLS connections.
Depends-on: https://review.opendev.org/761604
Change-Id: I66df247543f28b4343c15f4e151231c0e100d00a
---
 manifests/init.pp | 43 +++++++++++++++++++
 .../add_tls_options-c9970ada14354891.yaml | 4 ++
 spec/classes/ceilometer_init_spec.rb | 7 +++
 3 files changed, 54 insertions(+)
 create mode 100644 releasenotes/notes/add_tls_options-c9970ada14354891.yaml
diff --git a/manifests/init.pp b/manifests/init.pp
index 7736ba14..079b4ab7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -133,6 +133,39 @@
 # (Optional) A list of memcached server(s) to use for caching. (list value)
 # Defaults to $::os_service_default
 #
+# [*cache_tls_enabled*]
+# (Optional) Global toggle for TLS usage when comunicating with
+# the caching servers.
+# Default to $::os_service_default
+#
+# [*cache_tls_cafile*]
+# (Optional) Path to a file of concatenated CA certificates in PEM
+# format necessary to establish the caching server's authenticity.
+# If tls_enabled is False, this option is ignored.
+# Default to $::os_service_default
+#
+# [*cache_tls_certfile*]
+# (Optional) Path to a single file in PEM format containing the
+# client's certificate as well as any number of CA certificates
+# needed to establish the certificate's authenticity. This file
+# is only required when client side authentication is necessary.
+# If tls_enabled is False, this option is ignored.
+# Default to $::os_service_default
+#
+# [*cache_tls_keyfile*]
+# (Optional) Path to a single file containing the client's private
+# key in. Otherwhise the private key will be taken from the file
+# specified in tls_certfile. If tls_enabled is False, this option
+# is ignored.
+# Default to $::os_service_default
+#
+# [*cache_tls_allowed_ciphers*]
+# (Optional) Set the available ciphers for sockets created with
+# the TLS context. It should be a string in the OpenSSL cipher
+# list format. If not specified, all OpenSSL enabled ciphers will
+# be available.
+# Default to $::os_service_default
+#
 # [*manage_backend_package*]
 # (Optional) If we should install the cache backend package.
 # Defaults to true
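Review bot: The added parameter docs refer to `tls_enabled` and `tls_certfile`, but the class parameters this patch introduces are `cache_tls_enabled` and `cache_tls_certfile`, so the "If tls_enabled is False, this option is ignored" sentences and the `cache_tls_keyfile` entry point at names that do not exist in this class. The same block has `comunicating`, `Otherwhise`, a truncated-looking "private key in.", and "Default to" where the surrounding entries say "Defaults to". For `cache_tls_allowed_ciphers`, the statement that all OpenSSL-enabled ciphers are available when unset would be more useful with one more line, for example `#   Set an explicit list where policy requires excluding weaker suites.`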
@@ -256,6 +289,11 @@ class ceilometer(
 $kombu_compression = $::os_service_default,
 $cache_backend = $::os_service_default,
 $memcache_servers = $::os_service_default,
+ $cache_tls_enabled = $::os_service_default,
+ $cache_tls_cafile = $::os_service_default,
+ $cache_tls_certfile = $::os_service_default,
+ $cache_tls_keyfile = $::os_service_default,
+ $cache_tls_allowed_ciphers = $::os_service_default,
 $manage_backend_package = true,
 $amqp_server_request_prefix = $::os_service_default,
 $amqp_broadcast_prefix = $::os_service_default,
@@ -376,6 +414,11 @@ will be removed in a future release.')
 oslo::cache { 'ceilometer_config':
 backend => $cache_backend,
 memcache_servers => $memcache_servers,
+ tls_enabled => $cache_tls_enabled,
+ tls_cafile => $cache_tls_cafile,
+ tls_certfile => $cache_tls_certfile,
+ tls_keyfile => $cache_tls_keyfile,
+ tls_allowed_ciphers => $cache_tls_allowed_ciphers,
 manage_backend_package => $manage_backend_package,
 }
 }
diff --git a/releasenotes/notes/add_tls_options-c9970ada14354891.yaml b/releasenotes/notes/add_tls_options-c9970ada14354891.yaml
new file mode 100644
index 00000000..8e7e8568
--- /dev/null
+++ b/releasenotes/notes/add_tls_options-c9970ada14354891.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add TLS options for oslo.cache
diff --git a/spec/classes/ceilometer_init_spec.rb b/spec/classes/ceilometer_init_spec.rb
index c5e89856..e51a7a96 100644
--- a/spec/classes/ceilometer_init_spec.rb
+++ b/spec/classes/ceilometer_init_spec.rb
@@ -126,6 +126,11 @@ describe 'ceilometer' do
 is_expected.to contain_oslo__cache('ceilometer_config').with(
 :backend => '',
 :memcache_servers => '',
+ :tls_enabled => '',
+ :tls_cafile => '',
+ :tls_certfile => '',
+ :tls_keyfile => '',
+ :tls_allowed_ciphers => '',
 :manage_backend_package => true,
 )
 end
@@ -158,6 +163,7 @@ describe 'ceilometer' do
 params.merge!(
 :cache_backend => 'memcache',
 :memcache_servers => 'host1:11211,host2:11211',
+ :cache_tls_enabled => true,
 :manage_backend_package => false,
 )
 }
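Review bot: In the `oslo::cache { 'ceilometer_config': }` call of manifests/init.pp (hunk at -376), `tls_enabled` is forwarded whatever `$cache_backend` is, while the commit message says the TLS context is only passed to oslo.cache backends that support TLS connections. Nothing visible here tells an operator that turning the flag on may not cover every backend, so I would add a line to the `cache_tls_enabled` doc such as `#   Only takes effect with cache backends that support TLS.` The `cache_tls_keyfile` doc could likewise say that, as far as this patch shows, the module only passes the path on and the key file's ownership and mode remain the operator's responsibility. The class body and this resource start outside the hunk, so validation elsewhere cannot be ruled out.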
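Review bot: In spec/classes/ceilometer_init_spec.rb, the override params (hunk at -158) set only `:cache_tls_enabled => true`, so the mapping of `cache_tls_cafile`, `cache_tls_certfile`, `cache_tls_keyfile` and `cache_tls_allowed_ciphers` to their `tls_*` counterparts is only ever checked with identical default values; two of them swapped in init.pp would still pass. Give each a distinct sample value in `params.merge!`, for instance `:cache_tls_cafile => '/path/to/ca_certs.pem',` (a constructed path), and assert the matching `:tls_cafile => '/path/to/ca_certs.pem',` in the expectation of the following hunk at -166. The enclosing `context` and `it` blocks start outside both hunks.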
@@ -166,6 +172,7 @@ describe 'ceilometer' do
 is_expected.to contain_oslo__cache('ceilometer_config').with(
 :backend => 'memcache',
 :memcache_servers => 'host1:11211,host2:11211',
+ :tls_enabled => true,
 :manage_backend_package => false,
 )
 end