Merge "Add TLS context creation for Memcached backends"

2021-02-01 18:24:19 +00:00 · 2021-02-01 18:24:19 +00:00 · c14fbc28f8
commit c14fbc28f8
parent 4a4272f746 b82e20e47f
2 changed files with 55 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -47,6 +47,35 @@
 #  [*cache_server_port*]
 #    (optional) Memcached port. Defaults to '11211'.
 #
+#  [*cache_tls_enabled*]
+#    (optional) Global toggle for TLS usage when comunicating with
+#    the caching servers. Defaults to false.
+#
+#  [*cache_tls_cafile*]
+#    (optional) Path to a file of concatenated CA certificates in PEM
+#    format necessary to establish the caching server's authenticity.
+#    If tls_enabled is False, this option is ignored.
+#    Defaults to undef.
+#
+#  [*cache_tls_certfile*]
+#    (optional) Path to a single file in PEM format containing the
+#    client's certificate as well as any number of CA certificates
+#    needed to establish the certificate's authenticity. This file
+#    is only required when client side authentication is necessary.
+#    If tls_enabled is False, this option is ignored. Defaults to undef.
+#
+#  [*cache_tls_keyfile*]
+#    (optional) Path to a single file containing the client's private
+#    key in. Otherwhise the private key will be taken from the file
+#    specified in tls_certfile. If tls_enabled is False, this option
+#    is ignored. Defaults to undef.
+#
+#  [*cache_tls_allowed_ciphers*]
+#    (optional) Set the available ciphers for sockets created with
+#    the TLS context. It should be a string in the OpenSSL cipher
+#    list format. If not specified, all OpenSSL enabled ciphers will
+#    be available. Defaults to undef.
+#
 #  [*manage_memcache_package*]
 #    (optional) Boolean if we should manage the memcache package.
 #    Defaults to true
@ -489,6 +518,11 @@ class horizon(
  $cache_server_url                    = undef,
  $cache_server_ip                     = undef,
  $cache_server_port                   = '11211',
+  $cache_tls_enabled                   = false,
+  $cache_tls_cafile                    = undef,
+  $cache_tls_certfile                  = undef,
+  $cache_tls_keyfile                   = undef,
+  $cache_tls_allowed_ciphers           = undef,
  $manage_memcache_package             = true,
  $horizon_app_links                   = false,
  $keystone_url                        = 'http://127.0.0.1:5000',
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@ -246,6 +246,27 @@ CACHES = {
    }
 }

+<% if @cache_tls_enabled %>
+
+## START TLS context configuration
+import ssl
+
+tls_context = ssl.create_default_context(<% if @cache_tls_cafile %>cafile='<%= @cache_tls_cafile %>'<% end %>)
+<% if @cache_tls_certfile and @cache_tls_keyfile %>
+tls_context.load_cert_chain('<%= @cache_tls_certfile %>', '<%= @cache_tls_keyfile %>')
+<% end %>
+<% if @cache_tls_certfile and not @cache_tls_keyfile %>
+tls_context.load_cert_chain('<%= @cache_tls_certfile %>')
+<% end %>
+<% if @cache_allowed_ciphers %>
+tls_context.set_ciphers('<%= @cache_tls_allowed_ciphers %>')
+<% end %>
+
+CACHES['default'].setdefault('OPTIONS', {})['tls_context'] = tls_context
+
+## END TLS context configuration
+<% end %>
+
 <% if @django_session_engine %>
 SESSION_ENGINE = "<%= @django_session_engine %>"
 <% end %>