Browse Source

Add TLS options for swift memcached client

This patch specifies a set of options required to build a TLS context
in the swift memcached client.
(see https://review.opendev.org/c/openstack/swift/+/765552)

Change-Id: I4371d49df847236be18f1a33caa8b3f186f5eaf1
(cherry picked from commit 0688c8a576)
changes/07/775607/1
Grzegorz Grasza 3 months ago
parent
commit
4f63aa2f10
7 changed files with 139 additions and 19 deletions
  1. +43
    -9
      manifests/containerreconciler.pp
  2. +34
    -0
      manifests/objectexpirer.pp
  3. +35
    -1
      manifests/proxy/cache.pp
  4. +4
    -0
      releasenotes/notes/add-tls-options-cfc659d2a0ad42bc.yaml
  5. +10
    -8
      spec/classes/swift_containerreconciler_spec.rb
  6. +3
    -1
      spec/classes/swift_objectexpirer_spec.rb
  7. +10
    -0
      spec/classes/swift_proxy_cache_spec.rb

+ 43
- 9
manifests/containerreconciler.pp View File

@ -48,16 +48,46 @@
# e.g. ['catch_errors', 'proxy-logging', 'cache', 'proxy-server']
# Defaults to ['127.0.0.1:11211']
#
# [*cache_tls_enabled*]
# (Optional) Global toggle for TLS usage when comunicating with
# the caching servers.
# Default to false
#
# [*cache_tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
# client's certificate as well as any number of CA certificates
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwhise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Defaults to undef
#
class swift::containerreconciler(
$manage_service = true,
$enabled = true,
$package_ensure = 'present',
$pipeline = ['catch_errors', 'proxy-logging', 'proxy-server'],
$interval = 300,
$reclaim_age = 604800,
$request_tries = 3,
$service_provider = $::swift::params::service_provider,
$memcache_servers = ['127.0.0.1:11211'],
$manage_service = true,
$enabled = true,
$package_ensure = 'present',
$pipeline = ['catch_errors', 'proxy-logging', 'proxy-server'],
$interval = 300,
$reclaim_age = 604800,
$request_tries = 3,
$service_provider = $::swift::params::service_provider,
$memcache_servers = ['127.0.0.1:11211'],
$cache_tls_enabled = false,
$cache_tls_cafile = $::os_service_default,
$cache_tls_certfile = $::os_service_default,
$cache_tls_keyfile = $::os_service_default,
) inherits ::swift::params {
include swift::deps
@ -69,6 +99,10 @@ class swift::containerreconciler(
swift_container_reconciler_config {
'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
'filter:cache/tls_enabled': value => $cache_tls_enabled;
'filter:cache/tls_cafile': value => $cache_tls_cafile;
'filter:cache/tls_certfile': value => $cache_tls_certfile;
'filter:cache/tls_keyfile': value => $cache_tls_keyfile;
}
# require the memcached class if it is on the same machine


+ 34
- 0
manifests/objectexpirer.pp View File

@ -71,6 +71,32 @@
# pipeline, e.g. ['catch_errors', 'cache', 'proxy-server']
# Defaults to ['127.0.0.1:11211']
#
# [*cache_tls_enabled*]
# (Optional) Global toggle for TLS usage when comunicating with
# the caching servers.
# Default to false
#
# [*cache_tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
# client's certificate as well as any number of CA certificates
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwhise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Defaults to undef
#
# [*log_level*]
# (optional) Log level.
# Defaults to 'INFO'.
@ -95,6 +121,10 @@ class swift::objectexpirer(
$report_interval = 300,
$service_provider = $::swift::params::service_provider,
$memcache_servers = ['127.0.0.1:11211'],
$cache_tls_enabled = false,
$cache_tls_cafile = undef,
$cache_tls_certfile = undef,
$cache_tls_keyfile = undef,
$log_level = 'INFO',
$log_facility = 'LOG_LOCAL2',
) inherits ::swift::params {
@ -118,6 +148,10 @@ class swift::objectexpirer(
swift_object_expirer_config {
'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
'filter:cache/tls_enabled': value => $cache_tls_enabled;
'filter:cache/tls_cafile': value => $cache_tls_cafile;
'filter:cache/tls_certfile': value => $cache_tls_certfile;
'filter:cache/tls_keyfile': value => $cache_tls_keyfile;
}
# require the memcached class if it is on the same machine


+ 35
- 1
manifests/proxy/cache.pp View File

@ -4,6 +4,32 @@
# [*memcache_servers*] A list of the memcache servers to be used. Entries
# should be in the form host:port.
#
# [*tls_enabled*]
# (Optional) Global toggle for TLS usage when comunicating with
# the caching servers.
# Default to false
#
# [*tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
# client's certificate as well as any number of CA certificates
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwhise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Defaults to undef
#
# [*memcache_max_connections*] Sets the maximum number of connections to
# each memcached server per worker
#
@ -22,7 +48,11 @@
# Copyright 2011 Puppetlabs Inc, unless otherwise noted.
#
class swift::proxy::cache(
$memcache_servers = ['127.0.0.1:11211'],
$memcache_servers = ['127.0.0.1:11211'],
$tls_enabled = false,
$tls_cafile = undef,
$tls_certfile = undef,
$tls_keyfile = undef,
$memcache_max_connections = '2'
) {
@ -36,6 +66,10 @@ class swift::proxy::cache(
swift_proxy_config {
'filter:cache/use': value => 'egg:swift#memcache';
'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
'filter:cache/tls_enabled': value => $tls_enabled;
'filter:cache/tls_cafile': value => $tls_cafile;
'filter:cache/tls_certfile': value => $tls_certfile;
'filter:cache/tls_keyfile': value => $tls_keyfile;
'filter:cache/memcache_max_connections': value => $memcache_max_connections;
}


+ 4
- 0
releasenotes/notes/add-tls-options-cfc659d2a0ad42bc.yaml View File

@ -0,0 +1,4 @@
---
features:
- |
Add TLS options for Memcached TLS connections.

+ 10
- 8
spec/classes/swift_containerreconciler_spec.rb View File

@ -3,14 +3,16 @@ require 'spec_helper'
describe 'swift::containerreconciler' do
let :default_params do
{ :manage_service => true,
:enabled => true,
:package_ensure => 'present',
:pipeline => ['catch_errors', 'proxy-logging', 'proxy-server'],
:interval => 300,
:reclaim_age => 604800,
:request_tries => 3,
:memcache_servers => ['127.0.0.1:11211'] }
{ :manage_service => true,
:enabled => true,
:package_ensure => 'present',
:pipeline => ['catch_errors', 'proxy-logging', 'proxy-server'],
:interval => 300,
:reclaim_age => 604800,
:request_tries => 3,
:memcache_servers => ['127.0.0.1:11211'],
:cache_tls_enabled => false,
}
end
let :params do


+ 3
- 1
spec/classes/swift_objectexpirer_spec.rb View File

@ -18,7 +18,9 @@ describe 'swift::objectexpirer' do
:report_interval => 300,
:log_facility => 'LOG_LOCAL2',
:log_level => 'INFO',
:memcache_servers => ['127.0.0.1:11211'] }
:memcache_servers => ['127.0.0.1:11211'],
:cache_tls_enabled => false,
}
end
let :params do


+ 10
- 0
spec/classes/swift_proxy_cache_spec.rb View File

@ -22,6 +22,7 @@ describe 'swift::proxy::cache' do
it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('127.0.0.1:11211') }
it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(false) }
it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_max_connections').with_value(2) }
end
@ -43,6 +44,15 @@ describe 'swift::proxy::cache' do
it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('10.0.0.1:1,10.0.0.2:2') }
end
describe 'with overridden cache TLS enabled' do
let :params do
{:tls_enabled => true}
end
it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(true) }
end
describe 'with overridden memcache max connections' do
let :params do
{:memcache_max_connections => 4}


Loading…
Cancel
Save