Add TLS options to oslo.cache

This patch specifies a set of options required to build a TLS context. The context built from those options can later on be passed to any of the oslo.cache backends that supports TLS connections. Depends-on: https://review.opendev.org/761604 Change-Id: I835641d402e6cbd6650efd0d7a1fb16fb361350e
2020-11-05 14:26:39 +01:00 · 2020-11-05 14:26:39 +01:00 · 7ae8aa377e
commit 7ae8aa377e
parent 3eb8b2bb15
3 changed files with 62 additions and 0 deletions
--- a/manifests/cache.pp
+++ b/manifests/cache.pp
@ -89,6 +89,39 @@
 #   cache_backend, cache_enabled and cache_memcache_servers is set.
 #   Default to $::os_service_default
 #
+# [*tls_enabled*]
+#   (Optional) Global toggle for TLS usage when comunicating with
+#   the caching servers.
+#   Default to $::os_service_default
+#
+# [*tls_cafile*]
+#   (Optional) Path to a file of concatenated CA certificates in PEM
+#   format necessary to establish the caching server's authenticity.
+#   If tls_enabled is False, this option is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_certfile*]
+#   (Optional) Path to a single file in PEM format containing the
+#   client's certificate as well as any number of CA certificates
+#   needed to establish the certificate's authenticity. This file
+#   is only required when client side authentication is necessary.
+#   If tls_enabled is False, this option is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_keyfile*]
+#   (Optional) Path to a single file containing the client's private
+#   key in. Otherwhise the private key will be taken from the file
+#   specified in tls_certfile. If tls_enabled is False, this option
+#   is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_allowed_ciphers*]
+#   (Optional) Set the available ciphers for sockets created with
+#   the TLS context. It should be a string in the OpenSSL cipher
+#   list format. If not specified, all OpenSSL enabled ciphers will
+#   be available.
+#   Default to $::os_service_default
+#
 class keystone::cache(
  $config_prefix                        = $::os_service_default,
  $expiration_time                      = $::os_service_default,
@ -105,6 +138,11 @@ class keystone::cache(
  $memcache_pool_connection_get_timeout = $::os_service_default,
  $manage_backend_package               = true,
  $token_caching                        = $::os_service_default,
+  $tls_enabled                          = $::os_service_default,
+  $tls_cafile                           = $::os_service_default,
+  $tls_certfile                         = $::os_service_default,
+  $tls_keyfile                          = $::os_service_default,
+  $tls_allowed_ciphers                  = $::os_service_default,
 ){

  include keystone::deps
@ -142,6 +180,11 @@ class keystone::cache(
    memcache_pool_unused_timeout         => $memcache_pool_unused_timeout,
    memcache_pool_connection_get_timeout => $memcache_pool_connection_get_timeout,
    manage_backend_package               => $manage_backend_package,
+    tls_enabled                          => $tls_enabled,
+    tls_cafile                           => $tls_cafile,
+    tls_certfile                         => $tls_certfile,
+    tls_keyfile                          => $tls_keyfile,
+    tls_allowed_ciphers                  => $tls_allowed_ciphers,
  }

 }
--- a/releasenotes/notes/add_tls_options-8ed38a82af2f378f.yaml
+++ b/releasenotes/notes/add_tls_options-8ed38a82af2f378f.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add TLS options to oslo.cache
--- a/spec/classes/keystone_cache_spec.rb
+++ b/spec/classes/keystone_cache_spec.rb
@ -27,6 +27,11 @@ describe 'keystone::cache' do
        is_expected.to contain_keystone_config('cache/memcache_socket_timeout').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('cache/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('cache/memcache_servers').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_enabled').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_allowed_ciphers').with_value('<SERVICE DEFAULT>')

        is_expected.to contain_oslo__cache('keystone_config').with_manage_backend_package(true)
      end
@ -50,6 +55,11 @@ describe 'keystone::cache' do
          :memcache_pool_connection_get_timeout => '360',
          :manage_backend_package               => false,
          :token_caching                        => 'true',
+          :tls_enabled                          => 'false',
+          :tls_cafile                           => nil,
+          :tls_certfile                         => nil,
+          :tls_keyfile                          => nil,
+          :tls_allowed_ciphers                  => nil,
        }
      end

@ -72,6 +82,11 @@ describe 'keystone::cache' do
        is_expected.to contain_keystone_config('cache/memcache_socket_timeout').with_value('300.0')
        is_expected.to contain_keystone_config('cache/memcache_pool_maxsize').with_value('10')
        is_expected.to contain_keystone_config('cache/memcache_pool_unused_timeout').with_value('120')
+        is_expected.to contain_keystone_config('cache/tls_enabled').with_value('false')
+        is_expected.to contain_keystone_config('cache/tls_cafile').with_value('nil')
+        is_expected.to contain_keystone_config('cache/tls_certfile').with_value('nil')
+        is_expected.to contain_keystone_config('cache/tls_keyfile').with_value('nil')
+        is_expected.to contain_keystone_config('cache/tls_allowed_ciphers').with_value('nil')

        is_expected.to contain_oslo__cache('keystone_config').with_manage_backend_package(false)
      end