From 5a8dc2b7525d58f241cbeea1ae1631d22ce87481 Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Thu, 5 Nov 2020 14:25:09 +0100
Subject: [PATCH] Add TLS options to oslo.cache
This patch specifies a set of options required to build a TLS context. The context built from those options can later on be passed to any of the oslo.cache backends that supports TLS connections. Original oslo.cache change: https://review.opendev.org/c/openstack/oslo.cache/+/725405
Change-Id: I415cfee6045cd904e9675b97750c5de2f1be55d3
---
 manifests/cache.pp | 43 +++++++++++++++++++
 .../add_tls_options-9010fc5eab23dfe7.yaml | 4 ++
 spec/defines/oslo_cache_spec.rb | 15 +++++++
 3 files changed, 62 insertions(+)
 create mode 100644 releasenotes/notes/add_tls_options-9010fc5eab23dfe7.yaml
diff --git a/manifests/cache.pp b/manifests/cache.pp
index 38f586c..cbbd348 100644
--- a/manifests/cache.pp
+++ b/manifests/cache.pp
@@ -113,6 +113,39 @@
 # client connection. (integer value)
 # Defaults to $::os_service_default
 #
+# [*tls_enabled*]
+# (Optional) Global toggle for TLS usage when comunicating with
+# the caching servers.
+# Default to $::os_service_default
+#
+# [*tls_cafile*]
+# (Optional) Path to a file of concatenated CA certificates in PEM
+# format necessary to establish the caching server's authenticity.
+# If tls_enabled is False, this option is ignored.
+# Default to $::os_service_default
+#
+# [*tls_certfile*]
+# (Optional) Path to a single file in PEM format containing the
+# client's certificate as well as any number of CA certificates
+# needed to establish the certificate's authenticity. This file
+# is only required when client side authentication is necessary.
+# If tls_enabled is False, this option is ignored.
+# Default to $::os_service_default
+#
+# [*tls_keyfile*]
+# (Optional) Path to a single file containing the client's private
+# key in. Otherwhise the private key will be taken from the file
+# specified in tls_certfile. If tls_enabled is False, this option
+# is ignored.
+# Default to $::os_service_default
+#
+# [*tls_allowed_ciphers*]
+# (Optional) Set the available ciphers for sockets created with
+# the TLS context. It should be a string in the OpenSSL cipher
+# list format. If not specified, all OpenSSL enabled ciphers will
+# be available.
+# Default to $::os_service_default
+#
 # [*manage_backend_package*]
 # (Optional) Whether to install the backend package.
 # Defaults to true.
@@ -131,6 +164,11 @@ define oslo::cache(
 $memcache_pool_maxsize = $::os_service_default,
 $memcache_pool_unused_timeout = $::os_service_default,
 $memcache_pool_connection_get_timeout = $::os_service_default,
+ $tls_enabled = $::os_service_default,
+ $tls_cafile = $::os_service_default,
+ $tls_certfile = $::os_service_default,
+ $tls_keyfile = $::os_service_default,
+ $tls_allowed_ciphers = $::os_service_default,
 $manage_backend_package = true,
 ){
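Review bot: The new parameter docs in the first hunk carry typos and an inconsistency with the surrounding entries: `comunicating` should be `communicating`, `Otherwhise` should be `Otherwise`, the tls_keyfile sentence ends with a dangling `key in.`, and every new entry says `Default to` where the neighbouring entries say `Defaults to`. Two operator-facing caveats would also be worth adding: under tls_allowed_ciphers, after `be available.`, `# Operators should set an explicit, restrictive list here; the OpenSSL default may include weak ciphers.`, and under tls_keyfile, `# This define only writes the path; the key file itself must be deployed separately and be readable only by the service user.` The second caveat is inferred from the hunks shown writing only config values and never managing the files, so confirm against the rest of the define, which is outside this hunk.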
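Review bot: The five parameters added in the second hunk are written through with no type or coherence check, so a value like `tls_enabled => 'yes'` or a mistyped key path is accepted at catalog compile time and only surfaces when the service parses its config. If `is_service_default` and `validate_legacy` are in scope for this module (the rest of oslo::cache is outside the hunk, so I cannot confirm), a guard such as `if !is_service_default($tls_enabled) { validate_legacy(Boolean, 'validate_bool', $tls_enabled) }` would catch the toggle typo early. The existing parameters around it are untyped as well, so this is a suggestion for the new security-sensitive options rather than a regression.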
@@ -183,6 +221,11 @@ define oslo::cache(
 'cache/memcache_pool_maxsize' => { value => $memcache_pool_maxsize },
 'cache/memcache_pool_unused_timeout' => { value => $memcache_pool_unused_timeout },
 'cache/memcache_pool_connection_get_timeout' => { value => $memcache_pool_connection_get_timeout },
+ 'cache/tls_enabled' => { value => $tls_enabled },
+ 'cache/tls_cafile' => { value => $tls_cafile },
+ 'cache/tls_certfile' => { value => $tls_certfile },
+ 'cache/tls_keyfile' => { value => $tls_keyfile },
+ 'cache/tls_allowed_ciphers' => { value => $tls_allowed_ciphers },
 }
 create_resources($name, $cache_options)
diff --git a/releasenotes/notes/add_tls_options-9010fc5eab23dfe7.yaml b/releasenotes/notes/add_tls_options-9010fc5eab23dfe7.yaml
new file mode 100644
index 0000000..241146d
--- /dev/null
+++ b/releasenotes/notes/add_tls_options-9010fc5eab23dfe7.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add TLS options to oslo.cache
diff --git a/spec/defines/oslo_cache_spec.rb b/spec/defines/oslo_cache_spec.rb
index f61dba7..dc21dd1 100644
--- a/spec/defines/oslo_cache_spec.rb
+++ b/spec/defines/oslo_cache_spec.rb
@@ -21,6 +21,11 @@ describe 'oslo::cache' do
 is_expected.to contain_keystone_config('cache/memcache_pool_maxsize').with_value('')
 is_expected.to contain_keystone_config('cache/memcache_pool_unused_timeout').with_value('')
 is_expected.to contain_keystone_config('cache/memcache_pool_connection_get_timeout').with_value('')
+ is_expected.to contain_keystone_config('cache/tls_enabled').with_value('')
+ is_expected.to contain_keystone_config('cache/tls_cafile').with_value('')
+ is_expected.to contain_keystone_config('cache/tls_certfile').with_value('')
+ is_expected.to contain_keystone_config('cache/tls_keyfile').with_value('')
+ is_expected.to contain_keystone_config('cache/tls_allowed_ciphers').with_value('')
 end
 end
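Review bot: `cache/tls_enabled` is written to the config in this hunk regardless of which backend the define configures, yet the commit message says only some oslo.cache backends consume the TLS context; with any other backend the toggle is silently ignored and cache traffic stays in cleartext, which is a fail-open. The backend selection is outside this hunk, so I cannot see whether it is checked; if the define exposes a backend parameter, a `warning()` emitted when tls_enabled is true and the selected backend is not TLS-capable would make that visible at catalog compile time rather than in a packet capture. The body of oslo::cache starts before and continues after this hunk.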
@@ -40,6 +45,11 @@ describe 'oslo::cache' do
 :memcache_pool_maxsize => '10',
 :memcache_pool_unused_timeout => '60',
 :memcache_pool_connection_get_timeout => '10',
+ :tls_enabled => false,
+ :tls_cafile => nil,
+ :tls_certfile => nil,
+ :tls_keyfile => nil,
+ :tls_allowed_ciphers => nil,
 }
 end
@@ -57,6 +67,11 @@ describe 'oslo::cache' do
 is_expected.to contain_keystone_config('cache/memcache_pool_maxsize').with_value('10')
 is_expected.to contain_keystone_config('cache/memcache_pool_unused_timeout').with_value('60')
 is_expected.to contain_keystone_config('cache/memcache_pool_connection_get_timeout').with_value('10')
+ is_expected.to contain_keystone_config('cache/tls_enabled').with_value('false')
+ is_expected.to contain_keystone_config('cache/tls_cafile').with_value('nil')
+ is_expected.to contain_keystone_config('cache/tls_certfile').with_value('nil')
+ is_expected.to contain_keystone_config('cache/tls_keyfile').with_value('nil')
+ is_expected.to contain_keystone_config('cache/tls_allowed_ciphers').with_value('nil')
 end
 end
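Review bot: The override expectations in the last hunk assert `with_value('nil')`, which shows that the Ruby `nil` placed in the params hash of the preceding hunk reaches Puppet as the literal string `nil` rather than as an unset value, so the test pins a bogus certificate path and never exercises a real TLS configuration. Use representative values in the params hunk, e.g. `:tls_enabled => true,`, `:tls_cafile => '/etc/pki/ca.pem',` and `:tls_certfile => '/etc/pki/client.pem',`, and assert those same strings in the expectations, so a regression in how the paths are written to `[cache]` would actually be caught. Keeping `tls_enabled => false` with `with_value('false')` as a separate negative case is still worthwhile.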