Add TLS options to oslo.cache

This patch specifies a set of options required to build a TLS context.
The context built from those options can later on be passed to any of
the oslo.cache backends that supports TLS connections.

Depends-on: https://review.opendev.org/761604
Change-Id: I835641d402e6cbd6650efd0d7a1fb16fb361350e

manifests/cache.pp

@@ -89,6 +89,39 @@
 #   cache_backend, cache_enabled and cache_memcache_servers is set.
 #   Default to $::os_service_default
 #
+# [*tls_enabled*]
+#   (Optional) Global toggle for TLS usage when comunicating with
+#   the caching servers.
+#   Default to $::os_service_default
+#
+# [*tls_cafile*]
+#   (Optional) Path to a file of concatenated CA certificates in PEM
+#   format necessary to establish the caching server's authenticity.
+#   If tls_enabled is False, this option is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_certfile*]
+#   (Optional) Path to a single file in PEM format containing the
+#   client's certificate as well as any number of CA certificates
+#   needed to establish the certificate's authenticity. This file
+#   is only required when client side authentication is necessary.
+#   If tls_enabled is False, this option is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_keyfile*]
+#   (Optional) Path to a single file containing the client's private
+#   key in. Otherwhise the private key will be taken from the file
+#   specified in tls_certfile. If tls_enabled is False, this option
+#   is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_allowed_ciphers*]
+#   (Optional) Set the available ciphers for sockets created with
+#   the TLS context. It should be a string in the OpenSSL cipher
+#   list format. If not specified, all OpenSSL enabled ciphers will
+#   be available.
+#   Default to $::os_service_default
+#
 class keystone::cache(
   $config_prefix                        = $::os_service_default,
   $expiration_time                      = $::os_service_default,
@@ -105,6 +138,11 @@ class keystone::cache(
   $memcache_pool_connection_get_timeout = $::os_service_default,
   $manage_backend_package               = true,
   $token_caching                        = $::os_service_default,
+  $tls_enabled                          = $::os_service_default,
+  $tls_cafile                           = $::os_service_default,
+  $tls_certfile                         = $::os_service_default,
+  $tls_keyfile                          = $::os_service_default,
+  $tls_allowed_ciphers                  = $::os_service_default,
 ){
 
   include keystone::deps
@@ -142,6 +180,11 @@ class keystone::cache(
     memcache_pool_unused_timeout         => $memcache_pool_unused_timeout,
     memcache_pool_connection_get_timeout => $memcache_pool_connection_get_timeout,
     manage_backend_package               => $manage_backend_package,
+    tls_enabled                          => $tls_enabled,
+    tls_cafile                           => $tls_cafile,
+    tls_certfile                         => $tls_certfile,
+    tls_keyfile                          => $tls_keyfile,
+    tls_allowed_ciphers                  => $tls_allowed_ciphers,
   }
 
 }

releasenotes/notes/add_tls_options-8ed38a82af2f378f.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add TLS options to oslo.cache

spec/classes/keystone_cache_spec.rb

@@ -27,6 +27,11 @@ describe 'keystone::cache' do
         is_expected.to contain_keystone_config('cache/memcache_socket_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('cache/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('cache/memcache_servers').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_enabled').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('cache/tls_allowed_ciphers').with_value('<SERVICE DEFAULT>')
 
         is_expected.to contain_oslo__cache('keystone_config').with_manage_backend_package(true)
       end
@@ -50,6 +55,11 @@ describe 'keystone::cache' do
           :memcache_pool_connection_get_timeout => '360',
           :manage_backend_package               => false,
           :token_caching                        => 'true',
+          :tls_enabled                          => 'false',
+          :tls_cafile                           => nil,
+          :tls_certfile                         => nil,
+          :tls_keyfile                          => nil,
+          :tls_allowed_ciphers                  => nil,
         }
       end
 
@@ -72,6 +82,11 @@ describe 'keystone::cache' do
         is_expected.to contain_keystone_config('cache/memcache_socket_timeout').with_value('300.0')
         is_expected.to contain_keystone_config('cache/memcache_pool_maxsize').with_value('10')
         is_expected.to contain_keystone_config('cache/memcache_pool_unused_timeout').with_value('120')
+        is_expected.to contain_keystone_config('cache/tls_enabled').with_value('false')
+        is_expected.to contain_keystone_config('cache/tls_cafile').with_value('nil')
+        is_expected.to contain_keystone_config('cache/tls_certfile').with_value('nil')
+        is_expected.to contain_keystone_config('cache/tls_keyfile').with_value('nil')
+        is_expected.to contain_keystone_config('cache/tls_allowed_ciphers').with_value('nil')
 
         is_expected.to contain_oslo__cache('keystone_config').with_manage_backend_package(false)
       end