From 469d432195d1f5b5e15ce72ce1624d4ed4447e4e Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Thu, 19 Sep 2019 09:03:24 +0900 Subject: [PATCH] Add support to configure token caching in keystone Add support to configure token caching in keystone[1] using memcached, so that we can improve performance about token validation. [1] https://docs.openstack.org/keystone/latest/admin/configuration.html#caching-layer Change-Id: I351eb64ff1df652b0a284d8cd3d835cec58a310f --- manifests/profile/base/keystone.pp | 22 +++++++++-- ...ystone-token-caching-9b65cb169fe65f01.yaml | 4 ++ .../tripleo_profile_base_keystone_spec.rb | 37 +++++++++++++++++-- 3 files changed, 56 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/keystone-token-caching-9b65cb169fe65f01.yaml diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index 066381b75..fe3eda4c2 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -158,6 +158,14 @@ # (Optional) Array of ipv4 or ipv6 addresses for memcache. # Defaults to hiera('memcached_node_ips') # +# [*enable_token_caching*] +# (Optional) Enable token caching using memcached +# Defaults to false +# +# [*cache_backend*] +# (Optional) Backend implementation to store cache +# Defaults to 'oslo_cache.memcache_pool' +# class tripleo::profile::base::keystone ( $admin_endpoint_network = hiera('keystone_admin_api_network', undef), $bootstrap_node = hiera('keystone_short_bootstrap_node_name', undef), 
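Review bot: The description of `enable_token_caching` in this hunk says only "Enable token caching using memcached", but the @@ -243,7 +255,11 @@ hunk passes the flag to both `cache_enabled` and `token_caching` on the keystone class. If `cache_enabled` is keystone's global cache switch (the name suggests it; this diff does not confirm it), other cached data will land in memcached as well. Operators should be told that the hosts in `memcached_ips` then hold authentication-relevant data. I would word the doc as `# (Optional) Enable keystone's cache layer and token caching; cached data is stored on the memcached_ips servers, which must only be reachable from trusted hosts`. The class body continues outside this hunk.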
@@ -190,7 +198,9 @@ class tripleo::profile::base::keystone ( $keystone_enable_member = hiera('keystone_enable_member', false), $keystone_federation_enabled = hiera('keystone_federation_enabled', false), $keystone_openidc_enabled = hiera('keystone_openidc_enabled', false), - $memcached_ips = hiera('memcached_node_ips', []) + $memcached_ips = hiera('memcached_node_ips', []), + $enable_token_caching = false, + $cache_backend = 'oslo_cache.memcache_pool', ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -222,6 +232,8 @@ class tripleo::profile::base::keystone ( if $step >= 4 or ( $step >= 3 and $sync_db ) { $oslomsg_rpc_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_rpc_use_ssl))) $oslomsg_notify_use_ssl_real = sprintf('%s', bool2num(str2bool($oslomsg_notify_use_ssl))) + $memcached_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') + class { '::keystone': sync_db => $sync_db, enable_bootstrap => $sync_db, @@ -243,7 +255,11 @@ class tripleo::profile::base::keystone ( }), notification_topics => union($ceilometer_notification_topics, $barbican_notification_topics, - $extra_notification_topics) + $extra_notification_topics), + cache_enabled => $enable_token_caching, + cache_memcache_servers => $memcached_servers, + cache_backend => $cache_backend, + token_caching => $enable_token_caching } if 'amqp' in [$oslomsg_rpc_proto, $oslomsg_notify_proto]{ @@ -278,8 +294,6 @@ class tripleo::profile::base::keystone ( } if $keystone_openidc_enabled { - $memcached_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211') - class { '::keystone::federation::openidc': memcached_servers => $memcached_servers, } diff --git a/releasenotes/notes/keystone-token-caching-9b65cb169fe65f01.yaml b/releasenotes/notes/keystone-token-caching-9b65cb169fe65f01.yaml new file mode 100644 index 000000000..6dfedddf0 --- /dev/null +++ b/releasenotes/notes/keystone-token-caching-9b65cb169fe65f01.yaml 
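Review bot: In the @@ -243,7 +255,11 @@ hunk, `cache_memcache_servers => $memcached_servers` is set even when `memcached_ips` keeps its default `[]`, so `enable_token_caching => true` can produce an enabled cache with an empty server list. What keystone does with that is not visible here, so failing at catalog compile time is safer than a silent fallback: `if $enable_token_caching and empty($memcached_ips) { fail('enable_token_caching requires memcached_ips') }`, placed before the class declaration. The `:11211` suffix added in the @@ -222,6 +232,8 @@ hunk is also fixed, so a non-default memcached port cannot be expressed. The `class { '::keystone':` declaration starts outside this hunk.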
@@ -0,0 +1,4 @@ +--- +features: + - | + Adds support to configure keystone token caching using memcached diff --git a/spec/classes/tripleo_profile_base_keystone_spec.rb b/spec/classes/tripleo_profile_base_keystone_spec.rb index 649cddca7..8d9260f13 100644 --- a/spec/classes/tripleo_profile_base_keystone_spec.rb +++ b/spec/classes/tripleo_profile_base_keystone_spec.rb @@ -30,6 +30,7 @@ describe 'tripleo::profile::base::keystone' do :oslomsg_notify_username => 'keystone2', :oslomsg_notify_password => 'baa', :oslomsg_notify_port => '5678', + :memcached_ips => [ '192.168.0.3', '192.168.0.4', '192.168.0.5' ] } end @@ -62,7 +63,11 @@ describe 'tripleo::profile::base::keystone' do it 'should trigger complete configuration' do is_expected.to contain_class('keystone').with( :default_transport_url => 'rabbit://keystone1:foo@192.168.0.1:1234/?ssl=0', - :notification_transport_url => 'rabbit://keystone2:baa@192.168.0.2:5678/?ssl=0' + :notification_transport_url => 'rabbit://keystone2:baa@192.168.0.2:5678/?ssl=0', + :cache_enabled => false, + :cache_memcache_servers => [ '192.168.0.3:11211', '192.168.0.4:11211', '192.168.0.5:11211' ], + :cache_backend => 'oslo_cache.memcache_pool', + :token_caching => false ) is_expected.to contain_class('keystone::config') is_expected.to contain_class('keystone::logging') 
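Review bot: The expectations added to 'should trigger complete configuration' in the @@ -62,7 +63,11 @@ hunk use only IPv4 addresses, so the `normalize_ip_for_uri` step in the manifest is never exercised. The same four assertions are repeated in the @@ -108,7 +113,11 @@ and @@ -134,7 +143,11 @@ hunks. A context with an IPv6 entry would pin the server string that ends up in the cache configuration, for example (constructed values) `:memcached_ips => [ '::1' ]` expecting `:cache_memcache_servers => [ '[::1]:11211' ]`. That expected value assumes the helper brackets IPv6 literals, which should be confirmed. The repeated block could also live in one shared `let` so the three contexts stay in sync.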
@@ -108,7 +113,11 @@ describe 'tripleo::profile::base::keystone' do it 'should trigger keystone configuration' do is_expected.to contain_class('keystone').with( :default_transport_url => 'rabbit://keystone1:foo@192.168.0.1:1234/?ssl=0', - :notification_transport_url => 'rabbit://keystone2:baa@192.168.0.2:5678/?ssl=0' + :notification_transport_url => 'rabbit://keystone2:baa@192.168.0.2:5678/?ssl=0', + :cache_enabled => false, + :cache_memcache_servers => [ '192.168.0.3:11211', '192.168.0.4:11211', '192.168.0.5:11211' ], + :cache_backend => 'oslo_cache.memcache_pool', + :token_caching => false ) is_expected.to contain_class('keystone::config') is_expected.to contain_class('keystone::logging') @@ -134,7 +143,11 @@ describe 'tripleo::profile::base::keystone' do it 'should trigger keystone configuration' do is_expected.to contain_class('keystone').with( :default_transport_url => 'rabbit://keystone1:foo@192.168.0.1:1234/?ssl=0', - :notification_transport_url => 'rabbit://keystone2:baa@192.168.0.2:5678/?ssl=0' + :notification_transport_url => 'rabbit://keystone2:baa@192.168.0.2:5678/?ssl=0', + :cache_enabled => false, + :cache_memcache_servers => [ '192.168.0.3:11211', '192.168.0.4:11211', '192.168.0.5:11211' ], + :cache_backend => 'oslo_cache.memcache_pool', + :token_caching => false ) is_expected.to contain_class('keystone::config') is_expected.to contain_class('keystone::logging') @@ -148,6 +161,24 @@ describe 'tripleo::profile::base::keystone' do end end + context 'with step 4 and token_caching eabled' do + before do + params.merge!( + { :step => 4, + :bootstrap_node => 'other.example.com', + :enable_token_caching => true + } + ) + end + + it 'should trigger token_caching configuration' do + is_expected.to contain_class('keystone').with( + :cache_enabled => true, + :token_caching => true + ) + end + end + context 'with step less than 4 and db_purge enabled' do before do params.merge!(
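Review bot: The new context in the @@ -148,6 +161,24 @@ hunk asserts only `:cache_enabled => true` and `:token_caching => true`. Nothing checks that `cache_memcache_servers` and `cache_backend` are still passed when caching is on, or that a non-default `cache_backend` reaches the keystone class. Adding `:cache_backend => 'oslo_cache.memcache_pool'` and the `:cache_memcache_servers` list to this `with(...)` would cover the configuration that is actually used once the feature is enabled. The context description also has a typo and should read `context 'with step 4 and token_caching enabled' do`.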