Add TLS support to services using memcached
This patch enables TLS connections to memcached in the services that support it. Specifically, the settings are consumed either by swift's internal memcached client (through puppet-swift) or by oslo.cache (through puppet-ceilometer, puppet-keystone, puppet-nova, puppet-heat and puppet-oslo). Depends-on: https://review.opendev.org/772685 Depends-on: https://review.opendev.org/761605 Depends-on: https://review.opendev.org/764764 Depends-on: https://review.opendev.org/764763 Depends-on: https://review.opendev.org/765100 Change-Id: Ic77ed56c32c7071ce126a1528030094b97894653
This commit is contained in:
parent
125ebd64f4
commit
1ceb521805
deployment
ceilometer
heat
keystone
nova
swift
environments/ssl
@ -76,6 +76,14 @@ parameters:
|
||||
type: comma_delimited_list
|
||||
default: 'noop'
|
||||
description: Driver or drivers to handle sending notifications.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
GnocchiArchivePolicy:
|
||||
default: 'ceilometer-low-rate'
|
||||
type: string
|
||||
@ -94,6 +102,7 @@ parameter_groups:
|
||||
conditions:
|
||||
service_debug_unset: {equals : [{get_param: CeilometerDebug}, '']}
|
||||
ceilometer_qdr_publish: {equals: [{get_param: CeilometerQdrPublish}, true]}
|
||||
memcached_tls: {equals: [{get_param: MemcachedTLS}, true]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -122,6 +131,11 @@ outputs:
|
||||
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
|
||||
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
|
||||
ceilometer::host: "%{hiera('fqdn_canonical')}"
|
||||
- if:
|
||||
- memcached_tls
|
||||
- ceilometer::cache_backend: 'dogpile.cache.pymemcache'
|
||||
ceilometer::cache_tls_enabled: true
|
||||
- {}
|
||||
service_config_settings:
|
||||
keystone:
|
||||
# Enable default notification queue
|
||||
|
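Review bot: The new `memcached_tls` branch sets `ceilometer::cache_tls_enabled: true` but passes no CA bundle for the TLS context, so whether ceilometer verifies the memcached server certificate is left entirely to puppet-oslo's defaults; if those leave `[cache] tls_cafile` unset, the session is encrypted but not authenticated against the internal CA. Please confirm that puppet-ceilometer/puppet-oslo point `tls_cafile` at the deployment CA, or pass it explicitly here next to `ceilometer::cache_tls_enabled: true`. The copied `MemcachedTLS` description also refers to "the port set with MemcachedPort parameter (above)", yet no `MemcachedPort` parameter is visible in this template's hunks; if this template does not define one, reword it to `the MemcachedPort parameter of the memcached service`. A one-line comment on the condition, e.g. `# pymemcache is the dogpile backend with TLS support, hence the backend switch`, would explain the backend change — that reading is my inference, not something the hunk states.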
@ -132,10 +132,21 @@ parameters:
|
||||
default: ''
|
||||
description: Indicate whether this resource may be shared with the domain received in the request
|
||||
"origin" header.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
|
||||
cache_enabled: {equals : [{get_param: EnableCache}, true]}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {equals : [{get_param: EnableCache}, true]}
|
||||
- {equals : [{get_param: MemcachedTLS}, true]}
|
||||
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
|
||||
|
||||
outputs:
|
||||
@ -192,9 +203,10 @@ outputs:
|
||||
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
||||
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
||||
-
|
||||
heat::cache::enabled: {get_param: EnableCache}
|
||||
heat::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
heat::cache::resource_finder_caching: false
|
||||
if:
|
||||
- cache_enabled
|
||||
- heat::cache::enabled: true
|
||||
heat::cache::backend: 'dogpile.cache.memcached'
|
||||
heat::cache::resource_finder_caching: false
|
||||
- {}
|
||||
- tls_cache_enabled
|
||||
- heat::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- heat::cache::backend: 'dogpile.cache.memcached'
|
||||
|
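Review bot: The `tls_cache_enabled` condition re-spells the `EnableCache` test that `cache_enabled` already names two lines above, so the two definitions can drift apart; HOT accepts condition names inside `and:`, so `tls_cache_enabled: {and: [cache_enabled, {equals: [{get_param: MemcachedTLS}, true]}]}` keeps a single source of truth. The new block also emits `heat::cache::backend` (the else branch of the `tls_cache_enabled` if) even when `EnableCache` is false, whereas the old `cache_enabled` block appears to have set the backend only together with `enabled: true`; this is harmless if puppet-heat ignores the backend when `heat::cache::enabled` is false, but that is an inference from the old layout rather than from this hunk, so a short comment such as `# backend is always set; heat::cache::enabled gates whether it is used` would save the next reader the search. The enclosing `role_data`/`config_settings` map starts and ends outside the hunk.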
@ -75,6 +75,14 @@ parameters:
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
KeystoneSSLCertificate:
|
||||
default: ''
|
||||
description: Keystone certificate for verifying token validity.
|
||||
@ -350,7 +358,14 @@ conditions:
|
||||
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
||||
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
|
||||
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
|
||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
||||
nontls_cache_enabled:
|
||||
and:
|
||||
- {equals : [{get_param: EnableCache}, true]}
|
||||
- {equals : [{get_param: MemcachedTLS}, false]}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {equals : [{get_param: EnableCache}, true]}
|
||||
- {equals : [{get_param: MemcachedTLS}, true]}
|
||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||
|
||||
# Security compliance
|
||||
@ -477,11 +492,12 @@ outputs:
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
||||
-
|
||||
keystone::cache::enabled: {get_param: EnableCache}
|
||||
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
if:
|
||||
- cache_enabled
|
||||
- keystone::cache::enabled: true
|
||||
keystone::cache::backend: 'dogpile.cache.memcached'
|
||||
- {}
|
||||
- tls_cache_enabled
|
||||
- keystone::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- keystone::cache::backend: 'dogpile.cache.memcached'
|
||||
-
|
||||
if:
|
||||
- keystone_federation_enabled
|
||||
@ -520,7 +536,7 @@ outputs:
|
||||
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
||||
-
|
||||
if:
|
||||
- cache_enabled
|
||||
- nontls_cache_enabled
|
||||
- keystone::federation::openidc::openidc_cache_type: 'memcache'
|
||||
- {}
|
||||
- {}
|
||||
|
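Review bot: `keystone::federation::openidc::openidc_cache_type: 'memcache'` is now set only under `nontls_cache_enabled`, so turning on `MemcachedTLS` silently moves mod_auth_openidc back to its default cache with nothing in the template saying why. Add a comment above the `if:`, e.g. `# mod_auth_openidc cannot use a TLS memcached; with MemcachedTLS it keeps its default cache`, assuming that is the reason — the hunk does not state it. If that default is node-local, operators running several controllers should know that OIDC session state is no longer shared once TLS is enabled, and the `MemcachedTLS` description would be the natural place to say so. The surrounding `if: - keystone_federation_enabled` block starts before this hunk.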
@ -243,12 +243,24 @@ parameters:
|
||||
description:
|
||||
Whether instances can attach cinder volumes from a different availability zone.
|
||||
type: boolean
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
|
||||
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
|
||||
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
|
||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {equals : [{get_param: EnableCache}, true]}
|
||||
- {equals : [{get_param: MemcachedTLS}, true]}
|
||||
cache_disabled: {equals : [{get_param: EnableCache}, false]}
|
||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||
|
||||
resources:
|
||||
@ -312,8 +324,6 @@ outputs:
|
||||
nova::db::database_db_max_retries: -1
|
||||
nova::db::database_max_retries: -1
|
||||
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
|
||||
nova::cache::enabled: true
|
||||
nova::cache::backend: 'dogpile.cache.memcached'
|
||||
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
|
||||
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
|
||||
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
|
||||
@ -342,14 +352,13 @@ outputs:
|
||||
nova_is_additional_cell: {get_param: NovaAdditionalCell}
|
||||
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
|
||||
- get_attr: [RoleParametersValue, value]
|
||||
-
|
||||
if:
|
||||
- cache_enabled
|
||||
- nova::cache::enabled: true
|
||||
nova::cache::backend: 'dogpile.cache.memcached'
|
||||
- {}
|
||||
-
|
||||
- nova::cache::enabled: {get_param: EnableCache}
|
||||
nova::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
if:
|
||||
- tls_cache_enabled
|
||||
- nova::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- nova::cache::backend: 'dogpile.cache.memcached'
|
||||
- if:
|
||||
- compute_upgrade_level_empty
|
||||
- {}
|
||||
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
|
||||
|
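Review bot: With `nova::cache::enabled: {get_param: EnableCache}` in the new block, the template now expresses the same state three ways — `cache_enabled`, `cache_disabled`, and the `EnableCache` equals repeated inside `tls_cache_enabled`. Reuse the named condition, `tls_cache_enabled: {and: [cache_enabled, {equals: [{get_param: MemcachedTLS}, true]}]}`, and check whether `cache_disabled` is still referenced elsewhere in the template (not visible here); if it is not, it becomes dead after this change. Note also that the else branch now writes `nova::cache::backend: 'dogpile.cache.memcached'` even when `EnableCache` is false, which the previous `cache_enabled` block avoided — harmless if puppet-nova ignores the backend when enabled is false, but worth a comment since I can only infer that. The `role_data` map this sits in starts and ends outside the hunk.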
@ -82,6 +82,14 @@ parameters:
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
SwiftCorsAllowedOrigin:
|
||||
type: string
|
||||
default: ''
|
||||
@ -265,6 +273,7 @@ outputs:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
||||
swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
config_volume: swift
|
||||
|
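Review bot: `swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}` is the only TLS-related setting handed to the proxy, so the CA used to verify the memcached certificate is left to puppet-swift's defaults; confirm it wires a `tls_cafile` to the deployment CA, otherwise the proxy gets encryption without server authentication. Nothing in this template moves the client to the TLS port either — as far as I can tell that comes only from the `memcached_port` hieradata in `environments/ssl/enable-memcached-tls.yaml` — so setting `MemcachedTLS: true` without that environment would attempt a TLS handshake against the plaintext 11211 listener. Say so in the parameter description, e.g. `Use environments/ssl/enable-memcached-tls.yaml, which also moves MemcachedPort/memcached_port to the TLS port.`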
@ -83,6 +83,14 @@ parameters:
|
||||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
# DEPRECATED options for compatibility with overcloud.yaml
|
||||
# This should be removed and manipulation of the ControllerServices list
|
||||
@ -170,6 +178,7 @@ outputs:
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
|
||||
rsync::server::pid_file: 'UNSET'
|
||||
swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
|
||||
-
|
||||
if:
|
||||
- account_workers_zero
|
||||
|
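Review bot: The `MemcachedTLS` description copied into this template says the TLS listener is on "the port set with MemcachedPort parameter (above)", but no `MemcachedPort` parameter appears in this template's hunks; if swift-storage does not define one, the pointer is misleading and should read `the MemcachedPort parameter of the memcached service`. `swift::objectexpirer::cache_tls_enabled` is set unconditionally, which is fine for a boolean passthrough, but the expirer's memcache server list and any CA file are configured elsewhere (not visible here), so a one-line comment such as `# enables TLS for the expirer's memcache client; servers/port/CA are configured elsewhere` would orient the next reader. The `if: - account_workers_zero` block that follows continues outside the hunk.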
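--- /dev/null
+++ b/environments/ssl/enable-memcached-tls.yaml
@@ -0,0 +1,10 @@
+# title: Enable TLS in Memcached Internal Endpoint
+# description: |
+#   Use this environment to generate certificates and enable TLS in
+#   Memcached. ssl.yaml environment must also be used.
+parameter_defaults:
+  MemcachedTLS: true
+  MemcachedPort: 11212
+  ExtraConfig:
+    memcached_port: 11212
+    memcached_authtoken_port: 11211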
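Review bot: This environment enables TLS on 11212 but, per the `MemcachedTLS` descriptions in the service templates, memcached keeps a plaintext listener on 11211 (used here via `memcached_authtoken_port: 11211`), and the file's description does not mention it, so an operator could reasonably believe all memcached traffic is now encrypted. Extend the `# description:` block with a note that a plaintext 11211 listener remains for clients without TLS support, that it must stay restricted to the internal network, and that it should be removed once those clients migrate. The description should also say that `MemcachedPort` and `ExtraConfig.memcached_port` must be kept equal, since the TLS listener and the clients' target port are set independently here and drift would make clients attempt TLS against the plaintext port.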