Add support for keystone_authtoken/memcache_use_advanced_pool

This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.

Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.

[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939

Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876

deployment/aodh/aodh-api-container-puppet.yaml

@@ -101,6 +101,11 @@ parameters:
     description: >
         Cron to delete alarms from db - Max Delay
     default: '3600'
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 resources:
   ContainersCommon:
@@ -174,6 +179,7 @@ outputs:
             aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             aodh::keystone::authtoken::interface: 'internal'
+            aodh::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             aodh::policy::policies: {get_param: AodhApiPolicies}
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples

deployment/barbican/barbican-api-container-puppet.yaml

@@ -168,6 +168,11 @@ parameters:
     description: >
       Setting this to a unique value will re-run any deployment tasks which
       perform configuration on a Heat stack-update.
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   hsm_enabled:
@@ -245,6 +250,7 @@ outputs:
             barbican::keystone::authtoken::project_name: 'service'
             barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             barbican::keystone::authtoken::interface: 'internal'
+            barbican::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             barbican::keystone::notification::enable_keystone_notification: True
             barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
             barbican::policy::policies: {get_param: BarbicanPolicies}

deployment/cinder/cinder-api-container-puppet.yaml

@@ -88,6 +88,11 @@ parameters:
   RootStackName:
     description: The name of the stack/plan.
     type: string
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 resources:
   ContainersCommon:
@@ -163,6 +168,7 @@ outputs:
             cinder::keystone::authtoken::project_domain_name: 'Default'
             cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             cinder::keystone::authtoken::interface: 'internal'
+            cinder::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             cinder::policy::policies: {get_param: CinderApiPolicies}
             cinder::notification_driver: {get_param: NotificationDriver}
             cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}

deployment/deprecated/mistral/mistral-base.yaml

@@ -57,6 +57,11 @@ parameters:
     type: number
     default: 120
     description: Mistral RPC timeout
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
@@ -102,6 +107,7 @@ outputs:
         mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
         mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
         mistral::keystone::authtoken::interface: 'internal'
+        mistral::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
         mistral::keystone_ec2_uri:
           list_join:
           - ''

deployment/deprecated/novajoin/novajoin-container-puppet.yaml

@@ -80,6 +80,11 @@ parameters:
       A hash of policies to configure for Novajoin.
     default: {}
     type: json
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 resources:
 
@@ -132,6 +137,7 @@ outputs:
         nova::metadata::novajoin::authtoken::project_name: 'service'
         nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
         nova::metadata::novajoin::authtoken::interface: 'internal'
+        nova::metadata::novajoin::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
         nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
       service_config_settings:
         nova_metadata: &nova_vendordata

deployment/deprecated/zaqar/zaqar-container-puppet.yaml

@@ -85,6 +85,11 @@ parameters:
     description: The password for the redis service account.
     type: string
     hidden: true
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   internal_tls_enabled: {get_param: EnableInternalTLS}
@@ -153,6 +158,7 @@ outputs:
             zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
             zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             zaqar::keystone::authtoken::interface: 'internal'
+            zaqar::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             zaqar::logging::debug:
               if:

deployment/experimental/designate/designate-api-container-puppet.yaml

@@ -52,6 +52,11 @@ parameters:
     description: The password for the neutron service and db account, used by neutron agents.
     type: string
     hidden: true
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   designate_workers_zero: {equals : [{get_param: DesignateWorkers}, 0]}
@@ -101,6 +106,7 @@ outputs:
             designate::keystone::authtoken::password: {get_param: DesignatePassword}
             designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             designate::keystone::authtoken::interface: 'internal'
+            designate::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             tripleo::profile::base::designate::api::listen_ip:
               str_replace:
                 template:

deployment/glance/glance-api-container-puppet.yaml

@@ -359,6 +359,11 @@ parameters:
     description: >
         Cron to purge db entries marked as deleted and older than $age - Max Delay
     default: '3600'
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   cinder_backend_enabled:
@@ -480,6 +485,7 @@ outputs:
             glance::api::authtoken::user_domain_name: 'Default'
             glance::api::authtoken::project_domain_name: 'Default'
             glance::api::authtoken::interface: 'internal'
+            glance::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             glance::api::pipeline:
               if:
               - {get_param: GlanceCacheEnabled}

deployment/gnocchi/gnocchi-api-container-puppet.yaml

@@ -121,6 +121,11 @@ parameters:
     default: "/var/lib/tripleo-config/ceph"
     description: |
       The path where the Ceph Cluster config files are stored on the host.
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   cors_allowed_origin_unset: {equals : [{get_param: GnocchiCorsAllowedOrigin}, '']}
@@ -203,6 +208,7 @@ outputs:
             gnocchi::keystone::authtoken::project_domain_name: 'Default'
             gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             gnocchi::keystone::authtoken::interface: 'internal'
+            gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             gnocchi::wsgi::apache::servername:
               str_replace:

deployment/heat/heat-base-puppet.yaml

@@ -135,6 +135,11 @@ parameters:
                  port set with MemcachedPort parameter (above) and on 11211,
                  without TLS.
     type: boolean
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   tls_cache_enabled:
@@ -172,6 +177,7 @@ outputs:
             heat::keystone::authtoken::password: {get_param: HeatPassword}
             heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             heat::keystone::authtoken::interface: 'internal'
+            heat::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             heat::keystone::domain::domain_name: 'heat_stack'
             heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
             heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'

deployment/ironic/ironic-api-container-puppet.yaml

@@ -64,6 +64,11 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   cors_allowed_origin_set:
@@ -137,6 +142,7 @@ outputs:
             ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
             ironic::api::authtoken::interface: 'internal'
+            ironic::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):

deployment/manila/manila-api-container-puppet.yaml

@@ -102,6 +102,11 @@ parameters:
     description: >
         Cron to purge db entries marked as deleted and older than $age - Max Delay
     default: '3600'
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 resources:
   ContainersCommon:
@@ -173,6 +178,7 @@ outputs:
             manila::keystone::authtoken::project_domain_name: 'Default'
             manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             manila::keystone::authtoken::interface: 'internal'
+            manila::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):

deployment/neutron/neutron-api-container-puppet.yaml

@@ -167,6 +167,11 @@ parameters:
     default: ''
     description: Override the private key size used when creating the
                  certificate for this service
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
   # DEPRECATED: the following options are deprecated and are currently maintained
   # for backwards compatibility. They will be removed in the Ocata cycle.
   NeutronL3HA:
@@ -302,6 +307,7 @@ outputs:
             neutron::keystone::authtoken::project_domain_name: 'Default'
             neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             neutron::keystone::authtoken::interface: 'internal'
+            neutron::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             neutron::quota::quota_port: {get_param: NeutronPortQuota}
             neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
             neutron::server::placement::password: {get_param: NovaPassword}

deployment/nova/nova-api-container-puppet.yaml

@@ -226,6 +226,11 @@ parameters:
         0 means, purge data older than today in
         shadow tables.
     default: 90
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 parameter_groups:
 - label: deprecated
@@ -333,6 +338,7 @@ outputs:
             nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             nova::keystone::authtoken::interface: 'internal'
+            nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             nova::api::max_limit: {get_param: NovaApiMaxLimit}
             nova::api::enabled: true
             nova::network::neutron::default_floating_pool: {get_param: NovaDefaultFloatingPool}

deployment/nova/nova-metadata-container-puppet.yaml

@@ -73,6 +73,11 @@ parameters:
       each Neutron metadata-agent to point to the corresponding nova-metadata API
       service.
     type: boolean
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   nova_workers_set:
@@ -154,6 +159,7 @@ outputs:
             nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             nova::keystone::authtoken::interface: 'internal'
+            nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             nova::wsgi::apache_metadata::api_port: '8775'
             nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
             nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}

deployment/octavia/octavia-api-container-puppet.yaml

@@ -87,6 +87,11 @@ parameters:
     default: true
     description:  Set to false if the driver agent needs to be disabled for some reason.
     type: boolean
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 resources:
   ContainersCommon:
@@ -160,6 +165,7 @@ outputs:
             octavia::keystone::authtoken::project_domain_name: 'Default'
             octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             octavia::keystone::authtoken::interface: 'internal'
+            octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             octavia::policy::policies: {get_param: OctaviaApiPolicies}
             octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
             octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}

deployment/placement/placement-api-container-puppet.yaml

@@ -80,6 +80,11 @@ parameters:
     type: boolean
     default: false
     description: Set to True to enable debugging on all services.
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   placement_workers_set:
@@ -136,6 +141,7 @@ outputs:
             placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             placement::keystone::authtoken::interface: 'internal'
+            placement::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             placement::wsgi::apache::api_port: '8778'
             placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP

releasenotes/notes/memcache_use_advanced_pool-41ca18221e60c05a.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The new ``MemcacheUseAdvancedPool`` parameter is added which enables usage
+    of advanced poll for memcached connections in keystone middleware. This
+    parameter is set to ``true`` by default to avoind bursting connections
+    in some services like neutron.