Add TLS options for swift memcached client

This patch adds the set of options needed to build a TLS context
in the swift memcached client.
(see https://review.opendev.org/c/openstack/swift/+/765552)

Change-Id: I4371d49df847236be18f1a33caa8b3f186f5eaf1
(cherry picked from commit 0688c8a576)
Grzegorz Grasza 2021-01-08 14:05:06 +01:00
parent 6121d4ebc5
commit 4f63aa2f10
7 changed files with 139 additions and 19 deletions


@ -48,16 +48,46 @@
# e.g. ['catch_errors', 'proxy-logging', 'cache', 'proxy-server'] # e.g. ['catch_errors', 'proxy-logging', 'cache', 'proxy-server']
# Defaults to ['127.0.0.1:11211'] # Defaults to ['127.0.0.1:11211']
# #
# [*cache_tls_enabled*]
# (Optional) Global toggle for TLS usage when comunicating with
# the caching servers.
# Default to false
#
# [*cache_tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
# client's certificate as well as any number of CA certificates
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwhise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Defaults to undef
#
class swift::containerreconciler( class swift::containerreconciler(
$manage_service = true, $manage_service = true,
$enabled = true, $enabled = true,
$package_ensure = 'present', $package_ensure = 'present',
$pipeline = ['catch_errors', 'proxy-logging', 'proxy-server'], $pipeline = ['catch_errors', 'proxy-logging', 'proxy-server'],
$interval = 300, $interval = 300,
$reclaim_age = 604800, $reclaim_age = 604800,
$request_tries = 3, $request_tries = 3,
$service_provider = $::swift::params::service_provider, $service_provider = $::swift::params::service_provider,
$memcache_servers = ['127.0.0.1:11211'], $memcache_servers = ['127.0.0.1:11211'],
$cache_tls_enabled = false,
$cache_tls_cafile = $::os_service_default,
$cache_tls_certfile = $::os_service_default,
$cache_tls_keyfile = $::os_service_default,
) inherits ::swift::params { ) inherits ::swift::params {
include swift::deps include swift::deps
@ -69,6 +99,10 @@ class swift::containerreconciler(
swift_container_reconciler_config { swift_container_reconciler_config {
'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ','); 'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
'filter:cache/tls_enabled': value => $cache_tls_enabled;
'filter:cache/tls_cafile': value => $cache_tls_cafile;
'filter:cache/tls_certfile': value => $cache_tls_certfile;
'filter:cache/tls_keyfile': value => $cache_tls_keyfile;
} }
# require the memcached class if it is on the same machine # require the memcached class if it is on the same machine
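Review bot: The defaults at `$cache_tls_cafile = $::os_service_default,` and the two lines below it disagree with the parameter docs in this same hunk, which say `Defaults to undef`, and with the sibling classes in this commit (swift::objectexpirer and swift::proxy::cache), which default the same three path options to `undef`; pick one default for all three classes so a node that only flips the toggle gets the same rendered `filter:cache` section everywhere. The docs for the three path options also refer to `tls_enabled` while the parameter here is `cache_tls_enabled` (same in swift::objectexpirer), e.g. `# If cache_tls_enabled is false, this option is ignored.`. The shared doc text has `comunicating` for `communicating`, `Default to false` for `Defaults to false`, and the `cache_tls_keyfile` description reads `private key in. Otherwhise`, which should be `# (Optional) Path to a single file containing the client's private key. Otherwise the private key ...`; the same text appears in all three manifests of this commit. The class body continues outside the hunk.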


@ -71,6 +71,32 @@
# pipeline, e.g. ['catch_errors', 'cache', 'proxy-server'] # pipeline, e.g. ['catch_errors', 'cache', 'proxy-server']
# Defaults to ['127.0.0.1:11211'] # Defaults to ['127.0.0.1:11211']
# #
# [*cache_tls_enabled*]
# (Optional) Global toggle for TLS usage when comunicating with
# the caching servers.
# Default to false
#
# [*cache_tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
# client's certificate as well as any number of CA certificates
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*cache_tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwhise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Defaults to undef
#
# [*log_level*] # [*log_level*]
# (optional) Log level. # (optional) Log level.
# Defaults to 'INFO'. # Defaults to 'INFO'.
@ -95,6 +121,10 @@ class swift::objectexpirer(
$report_interval = 300, $report_interval = 300,
$service_provider = $::swift::params::service_provider, $service_provider = $::swift::params::service_provider,
$memcache_servers = ['127.0.0.1:11211'], $memcache_servers = ['127.0.0.1:11211'],
$cache_tls_enabled = false,
$cache_tls_cafile = undef,
$cache_tls_certfile = undef,
$cache_tls_keyfile = undef,
$log_level = 'INFO', $log_level = 'INFO',
$log_facility = 'LOG_LOCAL2', $log_facility = 'LOG_LOCAL2',
) inherits ::swift::params { ) inherits ::swift::params {
@ -118,6 +148,10 @@ class swift::objectexpirer(
swift_object_expirer_config { swift_object_expirer_config {
'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ','); 'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
'filter:cache/tls_enabled': value => $cache_tls_enabled;
'filter:cache/tls_cafile': value => $cache_tls_cafile;
'filter:cache/tls_certfile': value => $cache_tls_certfile;
'filter:cache/tls_keyfile': value => $cache_tls_keyfile;
} }
# require the memcached class if it is on the same machine # require the memcached class if it is on the same machine


@ -4,6 +4,32 @@
# [*memcache_servers*] A list of the memcache servers to be used. Entries # [*memcache_servers*] A list of the memcache servers to be used. Entries
# should be in the form host:port. # should be in the form host:port.
# #
# [*tls_enabled*]
# (Optional) Global toggle for TLS usage when comunicating with
# the caching servers.
# Default to false
#
# [*tls_cafile*]
# (Optional) Path to a file of concatenated CA certificates in PEM
# format necessary to establish the caching server's authenticity.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*tls_certfile*]
# (Optional) Path to a single file in PEM format containing the
# client's certificate as well as any number of CA certificates
# needed to establish the certificate's authenticity. This file
# is only required when client side authentication is necessary.
# If tls_enabled is False, this option is ignored.
# Defaults to undef
#
# [*tls_keyfile*]
# (Optional) Path to a single file containing the client's private
# key in. Otherwhise the private key will be taken from the file
# specified in tls_certfile. If tls_enabled is False, this option
# is ignored.
# Defaults to undef
#
# [*memcache_max_connections*] Sets the maximum number of connections to # [*memcache_max_connections*] Sets the maximum number of connections to
# each memcached server per worker # each memcached server per worker
# #
@ -22,7 +48,11 @@
# Copyright 2011 Puppetlabs Inc, unless otherwise noted. # Copyright 2011 Puppetlabs Inc, unless otherwise noted.
# #
class swift::proxy::cache( class swift::proxy::cache(
$memcache_servers = ['127.0.0.1:11211'], $memcache_servers = ['127.0.0.1:11211'],
$tls_enabled = false,
$tls_cafile = undef,
$tls_certfile = undef,
$tls_keyfile = undef,
$memcache_max_connections = '2' $memcache_max_connections = '2'
) { ) {
@ -36,6 +66,10 @@ class swift::proxy::cache(
swift_proxy_config { swift_proxy_config {
'filter:cache/use': value => 'egg:swift#memcache'; 'filter:cache/use': value => 'egg:swift#memcache';
'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ','); 'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
'filter:cache/tls_enabled': value => $tls_enabled;
'filter:cache/tls_cafile': value => $tls_cafile;
'filter:cache/tls_certfile': value => $tls_certfile;
'filter:cache/tls_keyfile': value => $tls_keyfile;
'filter:cache/memcache_max_connections': value => $memcache_max_connections; 'filter:cache/memcache_max_connections': value => $memcache_max_connections;
} }
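Review bot: The new `tls_keyfile` and `tls_certfile` parameters point at a private key and a client certificate, but nothing in this hunk creates, validates or sets permissions on those files, so the parameter docs should state that; a suggested line under `[*tls_keyfile*]` is `# The file is not managed by this module; it must exist and be readable by the account swift-proxy runs as, and should not be world-readable.`. The option names here (`tls_enabled`, `tls_cafile`, ...) also lack the `cache_` prefix used by swift::containerreconciler and swift::objectexpirer in the same commit; since this class is already `swift::proxy::cache` the shorter form is defensible, but the asymmetry is worth a sentence in the docs or the release note so operators do not guess the wrong key in hiera. The class body continues outside the hunk.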


@ -0,0 +1,4 @@
---
features:
- |
Add TLS options for Memcached TLS connections.


@ -3,14 +3,16 @@ require 'spec_helper'
describe 'swift::containerreconciler' do describe 'swift::containerreconciler' do
let :default_params do let :default_params do
{ :manage_service => true, { :manage_service => true,
:enabled => true, :enabled => true,
:package_ensure => 'present', :package_ensure => 'present',
:pipeline => ['catch_errors', 'proxy-logging', 'proxy-server'], :pipeline => ['catch_errors', 'proxy-logging', 'proxy-server'],
:interval => 300, :interval => 300,
:reclaim_age => 604800, :reclaim_age => 604800,
:request_tries => 3, :request_tries => 3,
:memcache_servers => ['127.0.0.1:11211'] } :memcache_servers => ['127.0.0.1:11211'],
:cache_tls_enabled => false,
}
end end
let :params do let :params do
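Review bot: The new `:cache_tls_enabled => false,` entry only extends `default_params`; no expectation on the emitted `filter:cache/tls_*` keys is visible in this hunk, so the resources added to swift::containerreconciler in this commit are not actually asserted (the same applies to the swift::objectexpirer spec hunk). Alongside the existing memcache_servers expectation, add `it { is_expected.to contain_swift_container_reconciler_config('filter:cache/tls_enabled').with_value(false) }`, and a second case that sets the toggle to true together with a `:cache_tls_cafile` path and checks that `filter:cache/tls_cafile` is rendered with that path. The `let :params` block continues outside the hunk.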


@ -18,7 +18,9 @@ describe 'swift::objectexpirer' do
:report_interval => 300, :report_interval => 300,
:log_facility => 'LOG_LOCAL2', :log_facility => 'LOG_LOCAL2',
:log_level => 'INFO', :log_level => 'INFO',
:memcache_servers => ['127.0.0.1:11211'] } :memcache_servers => ['127.0.0.1:11211'],
:cache_tls_enabled => false,
}
end end
let :params do let :params do


@ -22,6 +22,7 @@ describe 'swift::proxy::cache' do
it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') } it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('127.0.0.1:11211') } it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('127.0.0.1:11211') }
it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(false) }
it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_max_connections').with_value(2) } it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_max_connections').with_value(2) }
end end
@ -43,6 +44,15 @@ describe 'swift::proxy::cache' do
it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('10.0.0.1:1,10.0.0.2:2') } it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('10.0.0.1:1,10.0.0.2:2') }
end end
describe 'with overridden cache TLS enabled' do
let :params do
{:tls_enabled => true}
end
it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(true) }
end
describe 'with overridden memcache max connections' do describe 'with overridden memcache max connections' do
let :params do let :params do
{:memcache_max_connections => 4} {:memcache_max_connections => 4}