Add support for configuring caching in mod_auth_openidc

Allow operator to configure cache type and parameters for mod_auth_openidc.
A shared cache (like memcache or redis) is necessary to support multiple
endpoints without sticky sessions.

Change-Id: I9ff976854b93cdf9ca3175d1fd39c2b268b9f7fa
changes/20/577420/14
Lars Kellogg-Stedman 4 years ago
parent 6b5c050e0b
commit 1b5c8d658c
  1. 63
      manifests/federation/openidc.pp
  2. 25
      templates/openidc.conf.erb

@ -35,8 +35,41 @@
# (Optional) String value.
# Defaults to 'id_token'
#
# [*openidc_cache_type*]
# (Optional) mod_auth_openidc cache type. Can be any cache type
# supported by mod_auth_openidc (shm, file, memcache, redis).
# Defaults to undef.
#
# [*openidc_cache_shm_max*]
# (Optional) The maximum number of name/value pair entries that can
# be cached when using the 'shm' cache type. Defaults to undef.
#
# [*openidc_cache_shm_entry_size*]
# (Optional) The maximum size for a single shm cache entry in bytes
# with a minimum of 8464 bytes. Defaults to undef.
#
# [*openidc_cache_dir*]
# (Optional) # Directory that holds cache files; must be writable
# for the Apache process/user. Defaults to undef.
#
# [*openidc_cache_clean_interval*]
# (Optional) # Cache file clean interval in seconds (only triggered
# on writes). Defaults to undef.
#
# [*memcached_servers*]
# (Optional) A list of memcache servers. Defaults to undef.
#
# [*redis_server*]
# (Optional) Specifies the Redis server used for caching as
# <hostname>[:<port>]. Defaults to undef.
#
# [*redis_password*]
# (Optional) Password to be used if the Redis server requires
# authentication. When not specified, no authentication is
# performed. Defaults to undef.
#
# [*remote_id_attribute*]
# (optional) Value to be used to obtain the entity ID of the Identity
# (Optional) Value to be used to obtain the entity ID of the Identity
# Provider from the environment.
#
# [*template_order*]
@ -50,7 +83,7 @@
# (Optional) Defaults to 331.
#
# [*package_ensure*]
# (optional) Desired ensure state of packages.
# (Optional) Desired ensure state of packages.
# accepts latest or specific versions.
# Defaults to present.
#
@ -75,15 +108,23 @@ class keystone::federation::openidc (
$openidc_provider_metadata_url,
$openidc_client_id,
$openidc_client_secret,
$openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$remote_id_attribute = undef,
$template_order = 331,
$package_ensure = present,
$keystone_url = undef,
$openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$openidc_cache_type = undef,
$openidc_cache_shm_max = undef,
$openidc_cache_shm_entry_size = undef,
$openidc_cache_dir = undef,
$openidc_cache_clean_interval = undef,
$memcached_servers = undef,
$redis_server = undef,
$redis_password = undef,
$remote_id_attribute = undef,
$template_order = 331,
$package_ensure = present,
$keystone_url = undef,
# DEPRECATED
$admin_port = undef,
$main_port = undef,
$admin_port = undef,
$main_port = undef,
) {
include ::apache
@ -103,6 +144,8 @@ class keystone::federation::openidc (
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
}
$memcached_servers_real = join(any2array($memcached_servers), ' ')
# Note: if puppet-apache modify these values, this needs to be updated
if $template_order <= 330 or $template_order >= 999 {
fail('The template order should be greater than 330 and less than 999.')
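Review bot: The parameter documentation in the first hunk has a stray `#` after `(Optional)` on the `openidc_cache_dir` and `openidc_cache_clean_interval` entries, e.g. `# (Optional) # Directory that holds cache files; must be writable` should read `# (Optional) Directory that holds cache files; must be writable`. The `openidc_cache_type` doc lists the accepted values (shm, file, memcache, redis) but nothing in the manifest rejects other values, so a typo only surfaces when Apache reloads; if the module already validates enum-like parameters elsewhere, the same check would fit here. Since the template writes `redis_password` into the Apache configuration the same way it writes `openidc_client_secret`, the `redis_password` entry could state that: `# rendered in cleartext into the mod_auth_openidc configuration file`. The class body around `$memcached_servers_real` continues outside the hunk.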

@ -7,6 +7,31 @@
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
<%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_max'] != nil -%>
OIDCCacheShmMax scope['::keystone::federation::openidc::openidc_cache_shm_max'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] != nil -%>
OIDCCacheShmEntrySize scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_dir'] != nil -%>
OIDCCacheDir scope['::keystone::federation::openidc::openidc_cache_dir'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_clean_interval'] != nil -%>
OIDCCacheFileCleanInterval scope['::keystone::federation::openidc::openidc_cache_clean_interval'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::memcached_servers_real'] -%>
OIDCMemCacheServers "<%= scope['::keystone::federation::openidc::_memcached_servers'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_server'] != nil -%>
OIDCRedisCacheServer scope['::keystone::federation::openidc::redis_server'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_password'] != nil -%>
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
<%- end -%>
# The following directives are required to support openidc from the command
# line
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
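Review bot: Six of the new directives are missing the opening `<%=` tag (`OIDCCacheShmMax`, `OIDCCacheShmEntrySize`, `OIDCCacheDir`, `OIDCCacheFileCleanInterval`, `OIDCRedisCacheServer`, `OIDCRedisCachecPassword`), so the rendered config will contain the literal text `scope['::keystone::...'] %>` instead of the value and Apache will reject it. The `OIDCMemCacheServers` line reads `_memcached_servers`, which is not defined anywhere in the change, while the guard checks `memcached_servers_real`; and since `join(any2array($memcached_servers), ' ')` presumably yields `''` when no servers are set, and an empty string is truthy in Ruby, the directive would be emitted with an empty value on every deployment. The Redis password directive name is also misspelled; mod_auth_openidc's directive is `OIDCRedisCachePassword`. Quoting the string-valued directives the way `OIDCClientSecret` is quoted above keeps values containing spaces intact.
```erb
<%# … unchanged: OIDCCacheType block … %>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_max'] != nil -%>
OIDCCacheShmMax <%= scope['::keystone::federation::openidc::openidc_cache_shm_max'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] != nil -%>
OIDCCacheShmEntrySize <%= scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_dir'] != nil -%>
OIDCCacheDir "<%= scope['::keystone::federation::openidc::openidc_cache_dir'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_clean_interval'] != nil -%>
OIDCCacheFileCleanInterval <%= scope['::keystone::federation::openidc::openidc_cache_clean_interval'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::memcached_servers_real'] != '' -%>
OIDCMemCacheServers "<%= scope['::keystone::federation::openidc::memcached_servers_real'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_server'] != nil -%>
OIDCRedisCacheServer "<%= scope['::keystone::federation::openidc::redis_server'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_password'] != nil -%>
OIDCRedisCachePassword "<%= scope['::keystone::federation::openidc::redis_password'] %>"
<%- end -%>
<%# … unchanged: command-line support comment and Location block … %>
```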
