openstack/puppet-horizon
Code Issues Proposed changes

Merge "Add TLS context creation for Memcached backends"

Browse Source
This commit is contained in:
Zuul
2021-02-01 18:24:19 +00:00
committed by Gerrit Code Review
parent 4a4272f746 b82e20e47f
commit c14fbc28f8
2 changed files with 55 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
manifests/init.pp
View File

@@ -47,6 +47,35 @@
# [*cache_server_port*] # [*cache_server_port*]
# (optional) Memcached port. Defaults to '11211'. # (optional) Memcached port. Defaults to '11211'.
# #
# [*cache_tls_enabled*]
# (optional) Global toggle for TLS usage when comunicating with
# the caching servers. Defaults to false.
#
# [*cache_tls_cafile*]
# (optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Defaults to undef.
#
# [*cache_tls_certfile*]
# (optional) Path to a single file in PEM format containing the
# client's certificate as well as any number of CA certificates
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored. Defaults to undef.
#
# [*cache_tls_keyfile*]
# (optional) Path to a single file containing the client's private
# key in. Otherwhise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored. Defaults to undef.
#
# [*cache_tls_allowed_ciphers*]
# (optional) Set the available ciphers for sockets created with
# the TLS context. It should be a string in the OpenSSL cipher
# list format. If not specified, all OpenSSL enabled ciphers will
# be available. Defaults to undef.
#
# [*manage_memcache_package*] # [*manage_memcache_package*]
# (optional) Boolean if we should manage the memcache package. # (optional) Boolean if we should manage the memcache package.
# Defaults to true # Defaults to true
@@ -489,6 +518,11 @@ class horizon(
$cache_server_url = undef, $cache_server_url = undef,
$cache_server_ip = undef, $cache_server_ip = undef,
$cache_server_port = '11211', $cache_server_port = '11211',
$cache_tls_enabled = false,
$cache_tls_cafile = undef,
$cache_tls_certfile = undef,
$cache_tls_keyfile = undef,
$cache_tls_allowed_ciphers = undef,
$manage_memcache_package = true, $manage_memcache_package = true,
$horizon_app_links = false, $horizon_app_links = false,
$keystone_url = 'http://127.0.0.1:5000', $keystone_url = 'http://127.0.0.1:5000',

21
templates/local_settings.py.erb
View File

@@ -246,6 +246,27 @@ CACHES = {
} }
} }
<% if @cache_tls_enabled %>
## START TLS context configuration
import ssl
tls_context = ssl.create_default_context(<% if @cache_tls_cafile %>cafile='<%= @cache_tls_cafile %>'<% end %>)
<% if @cache_tls_certfile and @cache_tls_keyfile %>
tls_context.load_cert_chain('<%= @cache_tls_certfile %>', '<%= @cache_tls_keyfile %>')
<% end %>
<% if @cache_tls_certfile and not @cache_tls_keyfile %>
tls_context.load_cert_chain('<%= @cache_tls_certfile %>')
<% end %>
<% if @cache_allowed_ciphers %>
tls_context.set_ciphers('<%= @cache_tls_allowed_ciphers %>')
<% end %>
CACHES['default'].setdefault('OPTIONS', {})['tls_context'] = tls_context
## END TLS context configuration
<% end %>
<% if @django_session_engine %> <% if @django_session_engine %>
SESSION_ENGINE = "<%= @django_session_engine %>" SESSION_ENGINE = "<%= @django_session_engine %>"
<% end %> <% end %>