Add TLS options to oslo.cache

This patch specifies a set of options required to build a TLS context. The context built from those options can later on be passed to any of the oslo.cache backends that supports TLS connections. Depends-on: https://review.opendev.org/761604 Change-Id: I712f03bd1dc33bd61bedf9ddea1a4ccffbedd53d
2020-11-30 15:29:06 +01:00 · 2020-11-30 15:29:06 +01:00 · d385ca8272
commit d385ca8272
parent 18be6c394e
3 changed files with 64 additions and 0 deletions
--- a/manifests/cache.pp
+++ b/manifests/cache.pp
@ -85,6 +85,39 @@
 #   (Optional) (Optional) Whether to install the backend package for the cache.
 #   Defaults to true
 #
+# [*tls_enabled*]
+#   (Optional) Global toggle for TLS usage when comunicating with
+#   the caching servers.
+#   Default to $::os_service_default
+#
+# [*tls_cafile*]
+#   (Optional) Path to a file of concatenated CA certificates in PEM
+#   format necessary to establish the caching server's authenticity.
+#   If tls_enabled is False, this option is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_certfile*]
+#   (Optional) Path to a single file in PEM format containing the
+#   client's certificate as well as any number of CA certificates
+#   needed to establish the certificate's authenticity. This file
+#   is only required when client side authentication is necessary.
+#   If tls_enabled is False, this option is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_keyfile*]
+#   (Optional) Path to a single file containing the client's private
+#   key in. Otherwhise the private key will be taken from the file
+#   specified in tls_certfile. If tls_enabled is False, this option
+#   is ignored.
+#   Default to $::os_service_default
+#
+# [*tls_allowed_ciphers*]
+#   (Optional) Set the available ciphers for sockets created with
+#   the TLS context. It should be a string in the OpenSSL cipher
+#   list format. If not specified, all OpenSSL enabled ciphers will
+#   be available.
+#   Default to $::os_service_default
+#
 class nova::cache (
  $config_prefix                        = $::os_service_default,
  $expiration_time                      = $::os_service_default,
@ -100,6 +133,11 @@ class nova::cache (
  $memcache_pool_unused_timeout         = $::os_service_default,
  $memcache_pool_connection_get_timeout = $::os_service_default,
  $manage_backend_package               = true,
+  $tls_enabled                          = $::os_service_default,
+  $tls_cafile                           = $::os_service_default,
+  $tls_certfile                         = $::os_service_default,
+  $tls_keyfile                          = $::os_service_default,
+  $tls_allowed_ciphers                  = $::os_service_default,
 ) {

  include nova::deps
@ -119,5 +157,10 @@ class nova::cache (
    memcache_pool_unused_timeout         => $memcache_pool_unused_timeout,
    memcache_pool_connection_get_timeout => $memcache_pool_connection_get_timeout,
    manage_backend_package               => $manage_backend_package,
+    tls_enabled                          => $tls_enabled,
+    tls_cafile                           => $tls_cafile,
+    tls_certfile                         => $tls_certfile,
+    tls_keyfile                          => $tls_keyfile,
+    tls_allowed_ciphers                  => $tls_allowed_ciphers,
  }
 }
--- a/releasenotes/notes/add_tls_options-9f4cd19db6a76a76.yaml
+++ b/releasenotes/notes/add_tls_options-9f4cd19db6a76a76.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add TLS options to oslo.cache
--- a/spec/classes/nova_cache_spec.rb
+++ b/spec/classes/nova_cache_spec.rb
@ -23,6 +23,12 @@ describe 'nova::cache' do
        is_expected.to contain_nova_config('cache/memcache_pool_maxsize').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('cache/memcache_pool_unused_timeout').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('cache/memcache_pool_connection_get_timeout').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('cache/tls_enabled').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('cache/tls_cafile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('cache/tls_certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('cache/tls_keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('cache/tls_allowed_ciphers').with_value('<SERVICE DEFAULT>')
+
        is_expected.to contain_oslo__cache('nova_config').with_manage_backend_package(true)
      end
    end
@ -43,6 +49,11 @@ describe 'nova::cache' do
          :memcache_pool_unused_timeout         => '120',
          :memcache_pool_connection_get_timeout => '360',
          :manage_backend_package               => false,
+          :tls_enabled                          => false,
+          :tls_cafile                           => nil,
+          :tls_certfile                         => nil,
+          :tls_keyfile                          => nil,
+          :tls_allowed_ciphers                  => nil,
        }
      end

@ -60,6 +71,12 @@ describe 'nova::cache' do
        is_expected.to contain_nova_config('cache/memcache_pool_maxsize').with_value('10')
        is_expected.to contain_nova_config('cache/memcache_pool_unused_timeout').with_value('120')
        is_expected.to contain_nova_config('cache/memcache_pool_connection_get_timeout').with_value('360')
+        is_expected.to contain_nova_config('cache/tls_enabled').with_value('false')
+        is_expected.to contain_nova_config('cache/tls_cafile').with_value('nil')
+        is_expected.to contain_nova_config('cache/tls_certfile').with_value('nil')
+        is_expected.to contain_nova_config('cache/tls_keyfile').with_value('nil')
+        is_expected.to contain_nova_config('cache/tls_allowed_ciphers').with_value('nil')
+
        is_expected.to contain_oslo__cache('nova_config').with_manage_backend_package(false)
      end
    end