diff --git a/manifests/containerreconciler.pp b/manifests/containerreconciler.pp
index 2e23ec9f..1b103e80 100644
--- a/manifests/containerreconciler.pp
+++ b/manifests/containerreconciler.pp
@@ -48,16 +48,46 @@
 # e.g. ['catch_errors', 'proxy-logging', 'cache', 'proxy-server']
 # Defaults to ['127.0.0.1:11211']
 #
+# [*cache_tls_enabled*]
+# (Optional) Global toggle for TLS usage when comunicating with
+# the caching servers.
+# Default to false
+#
+# [*cache_tls_cafile*]
+# (Optional) Path to a file of concatenated CA certificates in PEM
+# format necessary to establish the caching server's authenticity.
+# If tls_enabled is False, this option is ignored.
+# Defaults to undef
+#
+# [*cache_tls_certfile*]
+# (Optional) Path to a single file in PEM format containing the
+# client's certificate as well as any number of CA certificates
+# needed to establish the certificate's authenticity. This file
+# is only required when client side authentication is necessary.
+# If tls_enabled is False, this option is ignored.
+# Defaults to undef
+#
+# [*cache_tls_keyfile*]
+# (Optional) Path to a single file containing the client's private
+# key in. Otherwhise the private key will be taken from the file
+# specified in tls_certfile. If tls_enabled is False, this option
+# is ignored.
+# Defaults to undef
+#
 class swift::containerreconciler(
- $manage_service = true,
- $enabled = true,
- $package_ensure = 'present',
- $pipeline = ['catch_errors', 'proxy-logging', 'proxy-server'],
- $interval = 300,
- $reclaim_age = 604800,
- $request_tries = 3,
- $service_provider = $::swift::params::service_provider,
- $memcache_servers = ['127.0.0.1:11211'],
+ $manage_service = true,
+ $enabled = true,
+ $package_ensure = 'present',
+ $pipeline = ['catch_errors', 'proxy-logging', 'proxy-server'],
+ $interval = 300,
+ $reclaim_age = 604800,
+ $request_tries = 3,
+ $service_provider = $::swift::params::service_provider,
+ $memcache_servers = ['127.0.0.1:11211'],
+ $cache_tls_enabled = false,
+ $cache_tls_cafile = $::os_service_default,
+ $cache_tls_certfile = $::os_service_default,
+ $cache_tls_keyfile = $::os_service_default,
 ) inherits ::swift::params {
 include ::swift::deps
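Review bot: `cache_tls_cafile`, `cache_tls_certfile` and `cache_tls_keyfile` default to `$::os_service_default` here while the doc block added just above says `Defaults to undef`, and the same three parameters default to `undef` in the swift::objectexpirer and swift::proxy::cache hunks below; the two are not interchangeable (by puppet-openstack convention `$::os_service_default` tells the config type to leave the key out, whereas `undef` leaves the resource's `value` unset), so the three classes should pick one and the doc should state it. The doc block also refers to `tls_enabled` and `tls_certfile`, which are not this class's parameter names; `cache_tls_enabled` and `cache_tls_certfile` would match the signature. Finally, the text repeated in all three doc hunks has `comunicating` for `communicating`, `Otherwhise` for `Otherwise`, and `client's private key in.` is a dangling phrase — `client's private key.`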
@@ -69,6 +99,10 @@ class swift::containerreconciler(
 swift_container_reconciler_config {
 'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
+ 'filter:cache/tls_enabled': value => $cache_tls_enabled;
+ 'filter:cache/tls_cafile': value => $cache_tls_cafile;
+ 'filter:cache/tls_certfile': value => $cache_tls_certfile;
+ 'filter:cache/tls_keyfile': value => $cache_tls_keyfile;
 }
 # require the memcached class if it is on the same machine
diff --git a/manifests/objectexpirer.pp b/manifests/objectexpirer.pp
index 821c82a2..6dd73e27 100644
--- a/manifests/objectexpirer.pp
+++ b/manifests/objectexpirer.pp
@@ -71,6 +71,32 @@
 # pipeline, e.g. ['catch_errors', 'cache', 'proxy-server']
 # Defaults to ['127.0.0.1:11211']
 #
+# [*cache_tls_enabled*]
+# (Optional) Global toggle for TLS usage when comunicating with
+# the caching servers.
+# Default to false
+#
+# [*cache_tls_cafile*]
+# (Optional) Path to a file of concatenated CA certificates in PEM
+# format necessary to establish the caching server's authenticity.
+# If tls_enabled is False, this option is ignored.
+# Defaults to undef
+#
+# [*cache_tls_certfile*]
+# (Optional) Path to a single file in PEM format containing the
+# client's certificate as well as any number of CA certificates
+# needed to establish the certificate's authenticity. This file
+# is only required when client side authentication is necessary.
+# If tls_enabled is False, this option is ignored.
+# Defaults to undef
+#
+# [*cache_tls_keyfile*]
+# (Optional) Path to a single file containing the client's private
+# key in. Otherwhise the private key will be taken from the file
+# specified in tls_certfile. If tls_enabled is False, this option
+# is ignored.
+# Defaults to undef
+#
 # [*log_level*]
 # (optional) Log level.
 # Defaults to 'INFO'.
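Review bot: The four `filter:cache/tls_*` settings are written unconditionally, but nothing here checks that a CA bundle is supplied when `$cache_tls_enabled` is true; whether Swift then verifies the memcached server certificate or connects unverified is decided by its memcache client and is not visible in this manifest. A catalog-time `warning()` when TLS is enabled and `$cache_tls_cafile` is still at its default would make a deployment without server verification visible to the operator at the point where it is configured. The same gap exists in the objectexpirer and proxy::cache config hunks below.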
@@ -95,6 +121,10 @@ class swift::objectexpirer(
 $report_interval = 300,
 $service_provider = $::swift::params::service_provider,
 $memcache_servers = ['127.0.0.1:11211'],
+ $cache_tls_enabled = false,
+ $cache_tls_cafile = undef,
+ $cache_tls_certfile = undef,
+ $cache_tls_keyfile = undef,
 $log_level = 'INFO',
 $log_facility = 'LOG_LOCAL2',
 ) inherits ::swift::params {
@@ -118,6 +148,10 @@ class swift::objectexpirer(
 swift_object_expirer_config {
 'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
+ 'filter:cache/tls_enabled': value => $cache_tls_enabled;
+ 'filter:cache/tls_cafile': value => $cache_tls_cafile;
+ 'filter:cache/tls_certfile': value => $cache_tls_certfile;
+ 'filter:cache/tls_keyfile': value => $cache_tls_keyfile;
 }
 # require the memcached class if it is on the same machine
diff --git a/manifests/proxy/cache.pp b/manifests/proxy/cache.pp
index 8dac5eca..475cbb64 100644
--- a/manifests/proxy/cache.pp
+++ b/manifests/proxy/cache.pp
@@ -4,6 +4,32 @@
 # [*memcache_servers*] A list of the memcache servers to be used. Entries
 # should be in the form host:port.
 #
+# [*tls_enabled*]
+# (Optional) Global toggle for TLS usage when comunicating with
+# the caching servers.
+# Default to false
+#
+# [*tls_cafile*]
+# (Optional) Path to a file of concatenated CA certificates in PEM
+# format necessary to establish the caching server's authenticity.
+# If tls_enabled is False, this option is ignored.
+# Defaults to undef
+#
+# [*tls_certfile*]
+# (Optional) Path to a single file in PEM format containing the
+# client's certificate as well as any number of CA certificates
+# needed to establish the certificate's authenticity. This file
+# is only required when client side authentication is necessary.
+# If tls_enabled is False, this option is ignored.
+# Defaults to undef
+#
+# [*tls_keyfile*]
+# (Optional) Path to a single file containing the client's private
+# key in. Otherwhise the private key will be taken from the file
+# specified in tls_certfile. If tls_enabled is False, this option
+# is ignored.
+# Defaults to undef
+#
 # [*memcache_max_connections*] Sets the maximum number of connections to
 # each memcached server per worker
 #
@@ -22,7 +48,11 @@
 # Copyright 2011 Puppetlabs Inc, unless otherwise noted.
 #
 class swift::proxy::cache(
- $memcache_servers = ['127.0.0.1:11211'],
+ $memcache_servers = ['127.0.0.1:11211'],
+ $tls_enabled = false,
+ $tls_cafile = undef,
+ $tls_certfile = undef,
+ $tls_keyfile = undef,
 $memcache_max_connections = '2'
 ) {
@@ -36,6 +66,10 @@ class swift::proxy::cache(
 swift_proxy_config {
 'filter:cache/use': value => 'egg:swift#memcache';
 'filter:cache/memcache_servers': value => join(any2array($memcache_servers), ',');
+ 'filter:cache/tls_enabled': value => $tls_enabled;
+ 'filter:cache/tls_cafile': value => $tls_cafile;
+ 'filter:cache/tls_certfile': value => $tls_certfile;
+ 'filter:cache/tls_keyfile': value => $tls_keyfile;
 'filter:cache/memcache_max_connections': value => $memcache_max_connections;
 }
diff --git a/releasenotes/notes/add-tls-options-cfc659d2a0ad42bc.yaml b/releasenotes/notes/add-tls-options-cfc659d2a0ad42bc.yaml
new file mode 100644
index 00000000..75adc3c9
--- /dev/null
+++ b/releasenotes/notes/add-tls-options-cfc659d2a0ad42bc.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Add TLS options for Memcached TLS connections.
diff --git a/spec/classes/swift_containerreconciler_spec.rb b/spec/classes/swift_containerreconciler_spec.rb
index 5a080c54..559cbce6 100644
--- a/spec/classes/swift_containerreconciler_spec.rb
+++ b/spec/classes/swift_containerreconciler_spec.rb
@@ -3,14 +3,16 @@ require 'spec_helper'
 describe 'swift::containerreconciler' do
 let :default_params do
- { :manage_service => true,
- :enabled => true,
- :package_ensure => 'present',
- :pipeline => ['catch_errors', 'proxy-logging', 'proxy-server'],
- :interval => 300,
- :reclaim_age => 604800,
- :request_tries => 3,
- :memcache_servers => ['127.0.0.1:11211'] }
+ { :manage_service => true,
+ :enabled => true,
+ :package_ensure => 'present',
+ :pipeline => ['catch_errors', 'proxy-logging', 'proxy-server'],
+ :interval => 300,
+ :reclaim_age => 604800,
+ :request_tries => 3,
+ :memcache_servers => ['127.0.0.1:11211'],
+ :cache_tls_enabled => false,
+ }
 end
 let :params do
diff --git a/spec/classes/swift_objectexpirer_spec.rb b/spec/classes/swift_objectexpirer_spec.rb
index 36f9d943..aa945327 100644
--- a/spec/classes/swift_objectexpirer_spec.rb
+++ b/spec/classes/swift_objectexpirer_spec.rb
@@ -18,7 +18,9 @@ describe 'swift::objectexpirer' do
 :report_interval => 300,
 :log_facility => 'LOG_LOCAL2',
 :log_level => 'INFO',
- :memcache_servers => ['127.0.0.1:11211'] }
+ :memcache_servers => ['127.0.0.1:11211'],
+ :cache_tls_enabled => false,
+ }
 end
 let :params do
diff --git a/spec/classes/swift_proxy_cache_spec.rb b/spec/classes/swift_proxy_cache_spec.rb
index 6d836745..595155c2 100644
--- a/spec/classes/swift_proxy_cache_spec.rb
+++ b/spec/classes/swift_proxy_cache_spec.rb
@@ -22,6 +22,7 @@ describe 'swift::proxy::cache' do
 it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
 it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('127.0.0.1:11211') }
+ it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(false) }
 it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_max_connections').with_value(2) }
 end
@@ -43,6 +44,15 @@ describe 'swift::proxy::cache' do
 it { is_expected.to contain_swift_proxy_config('filter:cache/memcache_servers').with_value('10.0.0.1:1,10.0.0.2:2') }
 end
+ describe 'with overridden cache TLS enabled' do
+ let :params do
+ {:tls_enabled => true}
+ end
+
+ it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
+ it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(true) }
+ end
+
 describe 'with overridden memcache max connections' do
 let :params do
 {:memcache_max_connections => 4}
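Review bot: The new 'with overridden cache TLS enabled' block only flips `tls_enabled` and never passes `tls_cafile`, `tls_certfile` or `tls_keyfile`, so the three settings that decide whether the memcached connection is authenticated are not asserted in any of the three spec hunks; a mistyped `filter:cache/tls_*` key in cache.pp would still pass this suite. Extending the block to set all four parameters and assert each rendered value would cover them; the paths below are constructed sample values. The containerreconciler and objectexpirer spec hunks above likewise only add `:cache_tls_enabled => false` to `default_params`, and whether a later expectation in those files checks the `cache_tls_*file` values is not visible here.
```ruby
  describe 'with overridden cache TLS enabled' do
    let :params do
      {:tls_enabled  => true,
       :tls_cafile   => '/etc/ssl/certs/memcache-ca.pem',
       :tls_certfile => '/etc/ssl/certs/memcache-client.pem',
       :tls_keyfile  => '/etc/ssl/private/memcache-client.key'}
    end

    it { is_expected.to contain_swift_proxy_config('filter:cache/use').with_value('egg:swift#memcache') }
    it { is_expected.to contain_swift_proxy_config('filter:cache/tls_enabled').with_value(true) }
    it { is_expected.to contain_swift_proxy_config('filter:cache/tls_cafile').with_value('/etc/ssl/certs/memcache-ca.pem') }
    it { is_expected.to contain_swift_proxy_config('filter:cache/tls_certfile').with_value('/etc/ssl/certs/memcache-client.pem') }
    it { is_expected.to contain_swift_proxy_config('filter:cache/tls_keyfile').with_value('/etc/ssl/private/memcache-client.key') }
  end
```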