[Train only] Update the authtoken class for undercloud services

These classes were recently backported[1] and skipped during the following two backports. 17fdf05bad Add authtoken security options f7d0ff5f5b Add ability to specify memcached port This change manually applies the change which should have done in these backports. [1] https://review.opendev.org/c/openstack/puppet-tripleo/+/805324 Change-Id: Ie9c21146bea41dbbf1115534aeeff14810e369a0
2021-08-20 12:29:16 +09:00 · 2021-08-20 12:29:16 +09:00 · cec416f76b
parent a4c7f21654
commit cec416f76b
3 changed files with 84 additions and 12 deletions
--- a/manifests/profile/base/mistral/authtoken.pp
+++ b/manifests/profile/base/mistral/authtoken.pp
@ -23,22 +23,46 @@
 #
 # [*memcached_ips*]
 #   (Optional) Array of ipv4 or ipv6 addresses for memcache.
-#   Defaults to hiera('memcached_node_ips')
+#   Defaults to hiera('memcached_node_ips', [])
+#
+# [*memcached_port*]
+#   (Optional) Memcached port to use.
+#   Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
 #
 class tripleo::profile::base::mistral::authtoken (
  $step                = Integer(hiera('step')),
  $memcached_ips       = hiera('memcached_node_ips', []),
+  $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {

  if $step >= 3 {
    if is_ipv6_address($memcached_ips[0]) {
-      $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:')
+      $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}"), 'inet6:')
    } else {
-      $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
+      $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
+    }
+
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+mistral")
+    } else {
+      $hashed_secret_key = undef
    }

    class { '::mistral::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
    }
  }
 }
--- a/manifests/profile/base/novajoin/authtoken.pp
+++ b/manifests/profile/base/novajoin/authtoken.pp
@ -23,22 +23,46 @@
 #
 # [*memcached_ips*]
 #   (Optional) Array of ipv4 or ipv6 addresses for memcache.
-#   Defaults to hiera('memcached_node_ips')
+#   Defaults to hiera('memcached_node_ips', [])
+#
+# [*memcached_port*]
+#   (Optional) Memcached port to use.
+#   Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
 #
 class tripleo::profile::base::novajoin::authtoken (
  $step                = Integer(hiera('step')),
  $memcached_ips       = hiera('memcached_node_ips', []),
+  $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {

  if $step >= 3 {
    if is_ipv6_address($memcached_ips[0]) {
-      $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:')
+      $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}"), 'inet6:')
    } else {
-      $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
+      $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
+    }
+
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+novajoin")
+    } else {
+      $hashed_secret_key = undef
    }

    class { '::nova::metadata::novajoin::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
    }
  }
 }
--- a/manifests/profile/base/zaqar/authtoken.pp
+++ b/manifests/profile/base/zaqar/authtoken.pp
@ -23,22 +23,46 @@
 #
 # [*memcached_ips*]
 #   (Optional) Array of ipv4 or ipv6 addresses for memcache.
-#   Defaults to hiera('memcached_node_ips')
+#   Defaults to hiera('memcached_node_ips', [])
+#
+# [*memcached_port*]
+#   (Optional) Memcached port to use.
+#   Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+#   (Optional) Memcached (authtoken) security strategy.
+#   Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+#   (Optional) Memcached (authtoken) secret key, used with security_strategy.
+#   The key is hashed with a salt, to isolate services.
+#   Defaults to hiera('memcached_authtoken_secret_key', undef)
 #
 class tripleo::profile::base::zaqar::authtoken (
  $step                = Integer(hiera('step')),
  $memcached_ips       = hiera('memcached_node_ips', []),
+  $memcached_port      = hiera('memcached_authtoken_port', 11211),
+  $security_strategy   = hiera('memcached_authtoken_security_strategy', undef),
+  $secret_key          = hiera('memcached_authtoken_secret_key', undef),
 ) {

  if $step >= 3 {
    if is_ipv6_address($memcached_ips[0]) {
-      $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211'), 'inet6:')
+      $memcache_servers = prefix(suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}"), 'inet6:')
    } else {
-      $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
+      $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ":${memcached_port}")
+    }
+
+    if $secret_key {
+      $hashed_secret_key = sha256("${secret_key}+zaqar")
+    } else {
+      $hashed_secret_key = undef
    }

    class { '::zaqar::keystone::authtoken':
-      memcached_servers => $memcache_servers
+      memcached_servers          => $memcache_servers,
+      memcache_security_strategy => $security_strategy,
+      memcache_secret_key        => $hashed_secret_key,
    }
  }
 }