diff --git a/manifests/profile/base/aodh/authtoken.pp b/manifests/profile/base/aodh/authtoken.pp
index 93c11f17a..034d889ae 100644
--- a/manifests/profile/base/aodh/authtoken.pp
+++ b/manifests/profile/base/aodh/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::aodh::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::aodh::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+aodh")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::aodh::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/barbican/authtoken.pp b/manifests/profile/base/barbican/authtoken.pp
index 7c7b03808..a9e7f0d1f 100644
--- a/manifests/profile/base/barbican/authtoken.pp
+++ b/manifests/profile/base/barbican/authtoken.pp
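Review bot: The `secret_key` doc block calls the `+aodh` suffix a salt, but it is a fixed, public service name: the construction gives per-service domain separation (the value derived for aodh does not match the one derived for any other service), not the unpredictability the word salt implies, and a reader should not rely on it to protect a weak key. Suggest `The key is never written as-is: it is hashed together with the service name, so each service ends up with its own derived key.` The new `memcached_port` doc also promises a default of 11211 while nothing in this change reads the parameter (the server list in the next hunk still carries a literal port), so either the parameter is wired through or the doc is promising a knob that does nothing. The class body continues past the end of this hunk.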
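Review bot: The `if $secret_key` guard accepts an empty string: with the Puppet 4+ syntax this file already uses (`Integer(hiera('step'))`) only `undef` and `false` are falsy, so a blank `memcached_authtoken_secret_key` in hiera derives the key as `sha256('+aodh')`, a value anyone can compute, and hands it to whatever MAC/ENCRYPT strategy `$security_strategy` selects. Guard on content instead, `if $secret_key and !empty($secret_key) {`, and consider `fail()`-ing when `$security_strategy` is set without a key rather than writing a configuration the middleware will, as far as I recall, reject only at service start. Separately, the `$memcached_port` parameter introduced in the previous hunk is never consumed: the context line here still builds the server list with the literal `':11211'`, so it should become `":${memcached_port}"` or the parameter should be dropped. The class body and the other branch of this conditional begin before the hunk.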
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', [])
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::barbican::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::barbican::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+barbican")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::barbican::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/cinder/authtoken.pp b/manifests/profile/base/cinder/authtoken.pp
index 2f1612c0c..b4575d18c 100644
--- a/manifests/profile/base/cinder/authtoken.pp
+++ b/manifests/profile/base/cinder/authtoken.pp
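Review bot: The `memcached_port` doc block says `Defaults to hiera('memcached_authtoken_port', [])`, but the parameter default a few lines below is `hiera('memcached_authtoken_port', 11211)`; the doc should read `Defaults to hiera('memcached_authtoken_port', 11211)` as in the sibling profiles. While there, the `secret_key` doc describes the `+barbican` suffix as a salt, whereas it is a fixed, public service name providing domain separation between services, not a secret input; `The key is hashed together with the service name, so each service gets its own derived key.` states what the code actually does. The class body continues past the end of this hunk.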
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::cinder::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::cinder::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+cinder")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::cinder::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/designate/authtoken.pp b/manifests/profile/base/designate/authtoken.pp
index 94b538adf..7779a9ead 100644
--- a/manifests/profile/base/designate/authtoken.pp
+++ b/manifests/profile/base/designate/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::designate::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::designate::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+designate")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::designate::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/glance/authtoken.pp b/manifests/profile/base/glance/authtoken.pp
index 46c3add97..bfefba08e 100644
--- a/manifests/profile/base/glance/authtoken.pp
+++ b/manifests/profile/base/glance/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::glance::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::glance::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+glance")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::glance::api::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/gnocchi/authtoken.pp b/manifests/profile/base/gnocchi/authtoken.pp
index d5219e82e..2b8d5e866 100644
--- a/manifests/profile/base/gnocchi/authtoken.pp
+++ b/manifests/profile/base/gnocchi/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::gnocchi::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::gnocchi::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+gnocchi")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::gnocchi::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/heat/authtoken.pp b/manifests/profile/base/heat/authtoken.pp
index 5acf39c68..2b7845012 100644
--- a/manifests/profile/base/heat/authtoken.pp
+++ b/manifests/profile/base/heat/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::heat::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::heat::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+heat")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::heat::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/ironic/authtoken.pp b/manifests/profile/base/ironic/authtoken.pp
index fe743244a..a9f070acf 100644
--- a/manifests/profile/base/ironic/authtoken.pp
+++ b/manifests/profile/base/ironic/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::ironic::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::ironic::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+ironic")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::ironic::api::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/ironic_inspector/authtoken.pp b/manifests/profile/base/ironic_inspector/authtoken.pp
index 0d39b6978..9a353104a 100644
--- a/manifests/profile/base/ironic_inspector/authtoken.pp
+++ b/manifests/profile/base/ironic_inspector/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::ironic_inspector::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::ironic_inspector::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+ironic_inspector")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::ironic::inspector::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/manila/authtoken.pp b/manifests/profile/base/manila/authtoken.pp
index 427856fe6..58dc4e3d3 100644
--- a/manifests/profile/base/manila/authtoken.pp
+++ b/manifests/profile/base/manila/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::manila::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::manila::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+manila")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::manila::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/neutron/authtoken.pp b/manifests/profile/base/neutron/authtoken.pp
index f60e63783..9b2dc084c 100644
--- a/manifests/profile/base/neutron/authtoken.pp
+++ b/manifests/profile/base/neutron/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::neutron::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::neutron::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+neutron")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::neutron::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/nova/authtoken.pp b/manifests/profile/base/nova/authtoken.pp
index 7eb37bcb1..e51ef2af5 100644
--- a/manifests/profile/base/nova/authtoken.pp
+++ b/manifests/profile/base/nova/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::nova::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::nova::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+nova")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::nova::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/octavia/authtoken.pp b/manifests/profile/base/octavia/authtoken.pp
index e7ec876cb..bc96a1f44 100644
--- a/manifests/profile/base/octavia/authtoken.pp
+++ b/manifests/profile/base/octavia/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::octavia::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::octavia::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+octavia")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::octavia::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/panko/authtoken.pp b/manifests/profile/base/panko/authtoken.pp
index 4b9ce6f74..ad2f2da65 100644
--- a/manifests/profile/base/panko/authtoken.pp
+++ b/manifests/profile/base/panko/authtoken.pp
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::panko::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::panko::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+zaqar")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::panko::keystone::authtoken':
- memcached_servers => $memcache_servers
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/manifests/profile/base/placement/authtoken.pp b/manifests/profile/base/placement/authtoken.pp
index 969105a0d..5eb707d1e 100644
--- a/manifests/profile/base/placement/authtoken.pp
+++ b/manifests/profile/base/placement/authtoken.pp
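Review bot: The derivation on the `sha256` line appends `+zaqar` rather than `+panko`, so panko's derived memcache key is whatever a zaqar profile using the same scheme would produce, which undoes the per-service isolation the change exists to provide and looks like a copy-paste slip; change it to `$hashed_secret_key = sha256("${secret_key}+panko")`. In addition, the `if $secret_key` guard accepts an empty string, because with the Puppet 4+ syntax this file already uses only `undef` and `false` are falsy, so a blank hiera value yields a key computable from public input; guard on content with `if $secret_key and !empty($secret_key) {`. The `$memcached_port` parameter added in the previous hunk is also never consumed, as the context line here still uses the literal `':11211'`. The class body and the other branch of this conditional begin before the hunk.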
@@ -25,9 +25,25 @@
 # (Optional) Array of ipv4 or ipv6 addresses for memcache.
 # Defaults to hiera('memcached_node_ips')
 #
+# [*memcached_port*]
+# (Optional) Memcached port to use.
+# Defaults to hiera('memcached_authtoken_port', 11211)
+#
+# [*security_strategy*]
+# (Optional) Memcached (authtoken) security strategy.
+# Defaults to hiera('memcached_authtoken_security_strategy', undef)
+#
+# [*secret_key*]
+# (Optional) Memcached (authtoken) secret key, used with security_strategy.
+# The key is hashed with a salt, to isolate services.
+# Defaults to hiera('memcached_authtoken_secret_key', undef)
+#
 class tripleo::profile::base::placement::authtoken (
 $step = Integer(hiera('step')),
- $memcached_ips = hiera('memcached_node_ips'),
+ $memcached_ips = hiera('memcached_node_ips', []),
+ $memcached_port = hiera('memcached_authtoken_port', 11211),
+ $security_strategy = hiera('memcached_authtoken_security_strategy', undef),
+ $secret_key = hiera('memcached_authtoken_secret_key', undef),
 ) {
 
 if $step >= 3 {
@@ -37,8 +53,16 @@ class tripleo::profile::base::placement::authtoken (
 $memcache_servers = suffix(any2array(normalize_ip_for_uri($memcached_ips)), ':11211')
 }
 
+ if $secret_key {
+ $hashed_secret_key = sha256("${secret_key}+placement")
+ } else {
+ $hashed_secret_key = undef
+ }
+
 class { '::placement::keystone::authtoken':
- memcached_servers => $memcache_servers,
+ memcached_servers => $memcache_servers,
+ memcache_security_strategy => $security_strategy,
+ memcache_secret_key => $hashed_secret_key,
 }
 }
 }
diff --git a/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml b/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml
new file mode 100644
index 000000000..68ccbab9e
--- /dev/null
+++ b/releasenotes/notes/add-memcache-security-92060c4fe540774c.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Add ability to specify the memcache_security_strategy and
+ memcache_secret_key for keystone authtoken middleware. The keys
+ used by individual services are hashed with a salt (the service
+ name), to isolate them.