diff --git a/manifests/profile/base/aodh/authtoken.pp b/manifests/profile/base/aodh/authtoken.pp index 785d55422..cd6a4b097 100644 --- a/manifests/profile/base/aodh/authtoken.pp +++ b/manifests/profile/base/aodh/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::aodh::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::aodh::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+aodh") + } else { + $hashed_secret_key = undef + } + class { 'aodh::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/barbican/authtoken.pp b/manifests/profile/base/barbican/authtoken.pp index 95af9d6c8..1e8e82b8c 100644 --- a/manifests/profile/base/barbican/authtoken.pp +++ b/manifests/profile/base/barbican/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', []) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::barbican::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::barbican::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+barbican") + } else { + $hashed_secret_key = undef + } + class { 'barbican::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/cinder/authtoken.pp b/manifests/profile/base/cinder/authtoken.pp index c4edf001e..1ead22b25 100644 --- a/manifests/profile/base/cinder/authtoken.pp +++ b/manifests/profile/base/cinder/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::cinder::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::cinder::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+cinder") + } else { + $hashed_secret_key = undef + } + class { 'cinder::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/designate/authtoken.pp b/manifests/profile/base/designate/authtoken.pp index d5856c2cc..526f869ef 100644 --- a/manifests/profile/base/designate/authtoken.pp +++ b/manifests/profile/base/designate/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::designate::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::designate::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+designate") + } else { + $hashed_secret_key = undef + } + class { 'designate::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/glance/authtoken.pp b/manifests/profile/base/glance/authtoken.pp index 0ab02f2c8..cf39e0189 100644 --- a/manifests/profile/base/glance/authtoken.pp +++ b/manifests/profile/base/glance/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::glance::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::glance::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+glance") + } else { + $hashed_secret_key = undef + } + class { 'glance::api::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/gnocchi/authtoken.pp b/manifests/profile/base/gnocchi/authtoken.pp index 40f106b75..c23993a1f 100644 --- a/manifests/profile/base/gnocchi/authtoken.pp +++ b/manifests/profile/base/gnocchi/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::gnocchi::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::gnocchi::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+gnocchi") + } else { + $hashed_secret_key = undef + } + class { 'gnocchi::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/heat/authtoken.pp b/manifests/profile/base/heat/authtoken.pp index 1a1419688..b1b20bfff 100644 --- a/manifests/profile/base/heat/authtoken.pp +++ b/manifests/profile/base/heat/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::heat::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::heat::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+heat") + } else { + $hashed_secret_key = undef + } + class { 'heat::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/ironic/authtoken.pp b/manifests/profile/base/ironic/authtoken.pp index 0c861afe6..a62a54213 100644 --- a/manifests/profile/base/ironic/authtoken.pp +++ b/manifests/profile/base/ironic/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::ironic::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::ironic::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+ironic") + } else { + $hashed_secret_key = undef + } + class { 'ironic::api::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/ironic_inspector/authtoken.pp b/manifests/profile/base/ironic_inspector/authtoken.pp index 85ee9a4f7..5edf8b4f3 100644 --- a/manifests/profile/base/ironic_inspector/authtoken.pp +++ b/manifests/profile/base/ironic_inspector/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::ironic_inspector::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::ironic_inspector::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+ironic_inspector") + } else { + $hashed_secret_key = undef + } + class { 'ironic::inspector::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/manila/authtoken.pp b/manifests/profile/base/manila/authtoken.pp index 9fa8c0173..96f3bd185 100644 --- a/manifests/profile/base/manila/authtoken.pp +++ b/manifests/profile/base/manila/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::manila::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::manila::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+manila") + } else { + $hashed_secret_key = undef + } + class { 'manila::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/mistral/authtoken.pp b/manifests/profile/base/mistral/authtoken.pp index 19d50d483..a77f55578 100644 --- a/manifests/profile/base/mistral/authtoken.pp +++ b/manifests/profile/base/mistral/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::mistral::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::mistral::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+mistral") + } else { + $hashed_secret_key = undef + } + class { 'mistral::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/neutron/authtoken.pp b/manifests/profile/base/neutron/authtoken.pp index 1308cf121..34b8ef4c9 100644 --- a/manifests/profile/base/neutron/authtoken.pp +++ b/manifests/profile/base/neutron/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::neutron::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::neutron::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+neutron") + } else { + $hashed_secret_key = undef + } + class { 'neutron::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/nova/authtoken.pp b/manifests/profile/base/nova/authtoken.pp index 6d311f0ba..011fa828a 100644 --- a/manifests/profile/base/nova/authtoken.pp +++ b/manifests/profile/base/nova/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::nova::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::nova::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+nova") + } else { + $hashed_secret_key = undef + } + class { 'nova::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/novajoin/authtoken.pp b/manifests/profile/base/novajoin/authtoken.pp index 095fc17d0..6d8304451 100644 --- a/manifests/profile/base/novajoin/authtoken.pp +++ b/manifests/profile/base/novajoin/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::novajoin::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::novajoin::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+novajoin") + } else { + $hashed_secret_key = undef + } + class { 'nova::metadata::novajoin::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/octavia/authtoken.pp b/manifests/profile/base/octavia/authtoken.pp index f06764753..ae8f42885 100644 --- a/manifests/profile/base/octavia/authtoken.pp +++ b/manifests/profile/base/octavia/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::octavia::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::octavia::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+octavia") + } else { + $hashed_secret_key = undef + } + class { 'octavia::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/placement/authtoken.pp b/manifests/profile/base/placement/authtoken.pp index c9806946c..412ec8b44 100644 --- a/manifests/profile/base/placement/authtoken.pp +++ b/manifests/profile/base/placement/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::placement::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::placement::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+placement") + } else { + $hashed_secret_key = undef + } + class { 'placement::keystone::authtoken': - memcached_servers => $memcache_servers, + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/manifests/profile/base/zaqar/authtoken.pp b/manifests/profile/base/zaqar/authtoken.pp index f3e95d804..ab44e21bb 100644 --- a/manifests/profile/base/zaqar/authtoken.pp +++ b/manifests/profile/base/zaqar/authtoken.pp @@ -29,10 +29,21 @@ # (Optional) Memcached port to use. # Defaults to hiera('memcached_authtoken_port', 11211) # +# [*security_strategy*] +# (Optional) Memcached (authtoken) security strategy. +# Defaults to hiera('memcached_authtoken_security_strategy', undef) +# +# [*secret_key*] +# (Optional) Memcached (authtoken) secret key, used with security_strategy. +# The key is hashed with a salt, to isolate services. +# Defaults to hiera('memcached_authtoken_secret_key', undef) +# class tripleo::profile::base::zaqar::authtoken ( $step = Integer(hiera('step')), $memcached_ips = hiera('memcached_node_ips', []), $memcached_port = hiera('memcached_authtoken_port', 11211), + $security_strategy = hiera('memcached_authtoken_security_strategy', undef), + $secret_key = hiera('memcached_authtoken_secret_key', undef), ) { if $step >= 3 { @@ -42,8 +53,16 @@ class tripleo::profile::base::zaqar::authtoken ( $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}") } + if $secret_key { + $hashed_secret_key = sha256("${secret_key}+zaqar") + } else { + $hashed_secret_key = undef + } + class { 'zaqar::keystone::authtoken': - memcached_servers => $memcache_servers + memcached_servers => $memcache_servers, + memcache_security_strategy => $security_strategy, + memcache_secret_key => $hashed_secret_key, } } } diff --git a/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml b/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml new file mode 100644 index 000000000..68ccbab9e --- /dev/null +++ b/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Add ability to specify the memcache_security_strategy and + memcache_secret_key for keystone authtoken middleware. The keys + used by individual services are hashed with a salt (the service + name), to isolate them.