Add TLS options for swift memcached client

This patch specifies a set of options required to build a TLS context in the swift memcached client. (see https://review.opendev.org/c/openstack/swift/+/765552) Change-Id: I4371d49df847236be18f1a33caa8b3f186f5eaf1 (cherry picked from commit 0688c8a576)
2021-01-08 14:05:06 +01:00 · 2021-01-08 14:05:06 +01:00 · fbc7e6211e
parent 2a0f3db4be
commit fbc7e6211e
7 changed files with 139 additions and 19 deletions
--- a/manifests/containerreconciler.pp
+++ b/manifests/containerreconciler.pp
@ -48,16 +48,46 @@
 #    e.g. ['catch_errors', 'proxy-logging', 'cache', 'proxy-server']
 #    Defaults to ['127.0.0.1:11211']
 #
+# [*cache_tls_enabled*]
+#   (Optional) Global toggle for TLS usage when comunicating with
+#   the caching servers.
+#   Default to false
+#
+# [*cache_tls_cafile*]
+#   (Optional) Path to a file of concatenated CA certificates in PEM
+#   format necessary to establish the caching server's authenticity.
+#   If tls_enabled is False, this option is ignored.
+#   Defaults to undef
+#
+# [*cache_tls_certfile*]
+#   (Optional) Path to a single file in PEM format containing the
+#   client's certificate as well as any number of CA certificates
+#   needed to establish the certificate's authenticity. This file
+#   is only required when client side authentication is necessary.
+#   If tls_enabled is False, this option is ignored.
+#   Defaults to undef
+#
+# [*cache_tls_keyfile*]
+#   (Optional) Path to a single file containing the client's private
+#   key in. Otherwhise the private key will be taken from the file
+#   specified in tls_certfile. If tls_enabled is False, this option
+#   is ignored.
+#   Defaults to undef
+#
 class swift::containerreconciler(
-  $manage_service   = true,
-  $enabled          = true,
-  $package_ensure   = 'present',
-  $pipeline         = ['catch_errors', 'proxy-logging', 'proxy-server'],
-  $interval         = 300,
-  $reclaim_age      = 604800,
-  $request_tries    = 3,
-  $service_provider = $::swift::params::service_provider,
-  $memcache_servers = ['127.0.0.1:11211'],
+  $manage_service     = true,
+  $enabled            = true,
+  $package_ensure     = 'present',
+  $pipeline           = ['catch_errors', 'proxy-logging', 'proxy-server'],
+  $interval           = 300,
+  $reclaim_age        = 604800,
+  $request_tries      = 3,
+  $service_provider   = $::swift::params::service_provider,
+  $memcache_servers   = ['127.0.0.1:11211'],
+  $cache_tls_enabled  = false,
+  $cache_tls_cafile   = $::os_service_default,
+  $cache_tls_certfile = $::os_service_default,
+  $cache_tls_keyfile  = $::os_service_default,
 ) inherits ::swift::params {

  include swift::deps
@ -69,6 +99,10 @@ class swift::containerreconciler(

    swift_container_reconciler_config {
      'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
+      'filter:cache/tls_enabled':      value => $cache_tls_enabled;
+      'filter:cache/tls_cafile':       value => $cache_tls_cafile;
+      'filter:cache/tls_certfile':     value => $cache_tls_certfile;
+      'filter:cache/tls_keyfile':      value => $cache_tls_keyfile;
    }

    # require the memcached class if it is on the same machine
--- a/manifests/objectexpirer.pp
+++ b/manifests/objectexpirer.pp
@ -71,6 +71,32 @@
 #    pipeline, e.g. ['catch_errors', 'cache', 'proxy-server']
 #    Defaults to ['127.0.0.1:11211']
 #
+# [*cache_tls_enabled*]
+#   (Optional) Global toggle for TLS usage when comunicating with
+#   the caching servers.
+#   Default to false
+#
+# [*cache_tls_cafile*]
+#   (Optional) Path to a file of concatenated CA certificates in PEM
+#   format necessary to establish the caching server's authenticity.
+#   If tls_enabled is False, this option is ignored.
+#   Defaults to undef
+#
+# [*cache_tls_certfile*]
+#   (Optional) Path to a single file in PEM format containing the
+#   client's certificate as well as any number of CA certificates
+#   needed to establish the certificate's authenticity. This file
+#   is only required when client side authentication is necessary.
+#   If tls_enabled is False, this option is ignored.
+#   Defaults to undef
+#
+# [*cache_tls_keyfile*]
+#   (Optional) Path to a single file containing the client's private
+#   key in. Otherwhise the private key will be taken from the file
+#   specified in tls_certfile. If tls_enabled is False, this option
+#   is ignored.
+#   Defaults to undef
+#
 #  [*log_level*]
 #    (optional) Log level.
 #    Defaults to 'INFO'.
@ -95,6 +121,10 @@ class swift::objectexpirer(
  $report_interval               = 300,
  $service_provider              = $::swift::params::service_provider,
  $memcache_servers              = ['127.0.0.1:11211'],
+  $cache_tls_enabled             = false,
+  $cache_tls_cafile              = undef,
+  $cache_tls_certfile            = undef,
+  $cache_tls_keyfile             = undef,
  $log_level                     = 'INFO',
  $log_facility                  = 'LOG_LOCAL2',
 ) inherits ::swift::params {
@ -118,6 +148,10 @@ class swift::objectexpirer(

    swift_object_expirer_config {
      'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
+      'filter:cache/tls_enabled':      value => $cache_tls_enabled;
+      'filter:cache/tls_cafile':       value => $cache_tls_cafile;
+      'filter:cache/tls_certfile':     value => $cache_tls_certfile;
+      'filter:cache/tls_keyfile':      value => $cache_tls_keyfile;
    }

    # require the memcached class if it is on the same machine
--- a/manifests/proxy/cache.pp
+++ b/manifests/proxy/cache.pp
@ -4,6 +4,32 @@
 # [*memcache_servers*] A list of the memcache servers to be used. Entries
 #  should be in the form host:port.
 #
+# [*tls_enabled*]
+#   (Optional) Global toggle for TLS usage when comunicating with
+#   the caching servers.
+#   Default to false
+#
+# [*tls_cafile*]
+#   (Optional) Path to a file of concatenated CA certificates in PEM
+#   format necessary to establish the caching server's authenticity.
+#   If tls_enabled is False, this option is ignored.
+#   Defaults to undef
+#
+# [*tls_certfile*]
+#   (Optional) Path to a single file in PEM format containing the
+#   client's certificate as well as any number of CA certificates
+#   needed to establish the certificate's authenticity. This file
+#   is only required when client side authentication is necessary.
+#   If tls_enabled is False, this option is ignored.
+#   Defaults to undef
+#
+# [*tls_keyfile*]
+#   (Optional) Path to a single file containing the client's private
+#   key in. Otherwhise the private key will be taken from the file
+#   specified in tls_certfile. If tls_enabled is False, this option
+#   is ignored.
+#   Defaults to undef
+#
 # [*memcache_max_connections*] Sets the maximum number of connections to
 #  each memcached server per worker
 #
@ -22,7 +48,11 @@
 # Copyright 2011 Puppetlabs Inc, unless otherwise noted.
 #
 class swift::proxy::cache(
-  $memcache_servers = ['127.0.0.1:11211'],
+  $memcache_servers         = ['127.0.0.1:11211'],
+  $tls_enabled              = false,
+  $tls_cafile               = undef,
+  $tls_certfile             = undef,
+  $tls_keyfile              = undef,
  $memcache_max_connections = '2'
 ) {

@ -36,6 +66,10 @@ class swift::proxy::cache(
  swift_proxy_config {
    'filter:cache/use':                      value => 'egg:swift#memcache';
    'filter:cache/memcache_servers':         value => join(any2array($memcache_servers), ',');
+    'filter:cache/tls_enabled':              value => $tls_enabled;
+    'filter:cache/tls_cafile':               value => $tls_cafile;
+    'filter:cache/tls_certfile':             value => $tls_certfile;
+    'filter:cache/tls_keyfile':              value => $tls_keyfile;
    'filter:cache/memcache_max_connections': value => $memcache_max_connections;
  }

--- a/releasenotes/notes/add-tls-options-cfc659d2a0ad42bc.yaml
+++ b/releasenotes/notes/add-tls-options-cfc659d2a0ad42bc.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add TLS options for Memcached TLS connections.
--- a/spec/classes/swift_containerreconciler_spec.rb
+++ b/spec/classes/swift_containerreconciler_spec.rb
@ -3,14 +3,16 @@ require 'spec_helper'
 describe 'swift::containerreconciler' do

  let :default_params do
-    { :manage_service   => true,
-      :enabled          => true,
-      :package_ensure   => 'present',
-      :pipeline         => ['catch_errors', 'proxy-logging', 'proxy-server'],
-      :interval         => 300,
-      :reclaim_age      => 604800,
-      :request_tries    => 3,
-      :memcache_servers => ['127.0.0.1:11211'] }
+    { :manage_service    => true,
+      :enabled           => true,
+      :package_ensure    => 'present',
+      :pipeline          => ['catch_errors', 'proxy-logging', 'proxy-server'],
+      :interval          => 300,
+      :reclaim_age       => 604800,
+      :request_tries     => 3,
+      :memcache_servers  => ['127.0.0.1:11211'],
+      :cache_tls_enabled => false,
+    }
  end

  let :params do
--- a/spec/classes/swift_objectexpirer_spec.rb
+++ b/spec/classes/swift_objectexpirer_spec.rb
@ -18,7 +18,9 @@ describe 'swift::objectexpirer' do
      :report_interval               => 300,
      :log_facility                  => 'LOG_LOCAL2',
      :log_level                     => 'INFO',
-      :memcache_servers              => ['127.0.0.1:11211'] }
+      :memcache_servers              => ['127.0.0.1:11211'],
+      :cache_tls_enabled             => false,
+    }
  end

  let :params do
--- a/spec/classes/swift_proxy_cache_spec.rb
+++ b/spec/classes/swift_proxy_cache_spec.rb
@ -22,6 +22,7 @@ describe 'swift::proxy::cache' do

        it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
        it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('127.0.0.1:11211') }
+        it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(false) }
        it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_max_connections').with_value(2) }
      end

@ -43,6 +44,15 @@ describe 'swift::proxy::cache' do
        it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('10.0.0.1:1,10.0.0.2:2') }
      end

+      describe 'with overridden cache TLS enabled' do
+        let :params do
+          {:tls_enabled => true}
+        end
+
+        it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
+        it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(true) }
+      end
+
      describe 'with overridden memcache max connections' do
        let :params do
          {:memcache_max_connections => 4}