Add TLS support to services using memcached

This patch enables TLS connections to memcached in services which
support it. Specifically the settings are consumed by swift's internal
memcached client through puppet-swift; or oslo.cache, through
puppet-ceilometer, puppet-keystone, puppet-nova, puppet-heat
and puppet-oslo.

Depends-on: https://review.opendev.org/772685
Depends-on: https://review.opendev.org/761605
Depends-on: https://review.opendev.org/764764
Depends-on: https://review.opendev.org/764763
Depends-on: https://review.opendev.org/765100
Change-Id: Ic77ed56c32c7071ce126a1528030094b97894653
Grzegorz Grasza 2020-11-05 14:48:53 +01:00
parent 125ebd64f4
commit 1ceb521805
7 changed files with 101 additions and 22 deletions

@ -76,6 +76,14 @@ parameters:
type: comma_delimited_list
default: 'noop'
description: Driver or drivers to handle sending notifications.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
GnocchiArchivePolicy:
default: 'ceilometer-low-rate'
type: string
@ -94,6 +102,7 @@ parameter_groups:
conditions:
service_debug_unset: {equals : [{get_param: CeilometerDebug}, '']}
ceilometer_qdr_publish: {equals: [{get_param: CeilometerQdrPublish}, true]}
memcached_tls: {equals: [{get_param: MemcachedTLS}, true]}
outputs:
role_data:
@ -122,6 +131,11 @@ outputs:
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
ceilometer::host: "%{hiera('fqdn_canonical')}"
- if:
- memcached_tls
- ceilometer::cache_backend: 'dogpile.cache.pymemcache'
ceilometer::cache_tls_enabled: true
- {}
service_config_settings:
keystone:
# Enable default notification queue
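Review bot: The `memcached_tls` branch at the end of the section turns on `ceilometer::cache_tls_enabled` with no CA file or verification setting beside it, and nothing visible says which trust store the oslo.cache client will validate the memcached certificate against. If the TLS-enabled client falls back to the system CA bundle, the issuer of the memcached certificate has to be installed there, otherwise the failure shows up at runtime rather than at deploy time; a comment above the `if` such as `# TLS verification uses whatever CA the oslo.cache client trusts; the memcached cert issuer must be in that store` would record that once confirmed. Unlike heat, keystone and nova in this series the condition is keyed on `MemcachedTLS` alone with no cache-enabled guard, which is fine if ceilometer's cache is always on but deserves a note if an EnableCache-style switch exists elsewhere in this template.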

@ -132,10 +132,21 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
cache_enabled: {equals : [{get_param: EnableCache}, true]}
tls_cache_enabled:
and:
- {equals : [{get_param: EnableCache}, true]}
- {equals : [{get_param: MemcachedTLS}, true]}
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
outputs:
@ -192,9 +203,10 @@ outputs:
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
-
heat::cache::enabled: {get_param: EnableCache}
heat::cache::tls_enabled: {get_param: MemcachedTLS}
heat::cache::resource_finder_caching: false
if:
- cache_enabled
- heat::cache::enabled: true
heat::cache::backend: 'dogpile.cache.memcached'
heat::cache::resource_finder_caching: false
- {}
- tls_cache_enabled
- heat::cache::backend: 'dogpile.cache.pymemcache'
- heat::cache::backend: 'dogpile.cache.memcached'
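Review bot: The `tls_cache_enabled` condition added in the first hunk re-evaluates `EnableCache` instead of reusing the `cache_enabled` condition defined directly above it; HOT accepts condition names inside `and`, so `tls_cache_enabled: {and: [cache_enabled, {equals: [{get_param: MemcachedTLS}, true]}]}` keeps the two from drifting. In the second hunk the backend choice is now emitted unconditionally and `heat::cache::enabled` comes straight from the parameter, so `cache_enabled` may no longer have a consumer in this part of the template — worth checking before it is left as a dead condition. A one-line why-comment above the new `if`, e.g. `# dogpile.cache.memcached (python-memcached) presumably has no TLS support, so switch to pymemcache when MemcachedTLS is set`, would record the reason for the backend flip; the map_merge list holding these entries starts before the hunk.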

@ -75,6 +75,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
KeystoneSSLCertificate:
default: ''
description: Keystone certificate for verifying token validity.
@ -350,7 +358,14 @@ conditions:
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
cache_enabled: {equals: [{get_param: EnableCache}, true]}
nontls_cache_enabled:
and:
- {equals : [{get_param: EnableCache}, true]}
- {equals : [{get_param: MemcachedTLS}, false]}
tls_cache_enabled:
and:
- {equals : [{get_param: EnableCache}, true]}
- {equals : [{get_param: MemcachedTLS}, true]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Security compliance
@ -477,11 +492,12 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
-
keystone::cache::enabled: {get_param: EnableCache}
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- cache_enabled
- keystone::cache::enabled: true
keystone::cache::backend: 'dogpile.cache.memcached'
- {}
- tls_cache_enabled
- keystone::cache::backend: 'dogpile.cache.pymemcache'
- keystone::cache::backend: 'dogpile.cache.memcached'
-
if:
- keystone_federation_enabled
@ -520,7 +536,7 @@ outputs:
get_param: KeystoneOpenIdcIntrospectionEndpoint
-
if:
- cache_enabled
- nontls_cache_enabled
- keystone::federation::openidc::openidc_cache_type: 'memcache'
- {}
- {}
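Review bot: The switch from `cache_enabled` to `nontls_cache_enabled` in the last hunk silently drops the `openidc_cache_type: 'memcache'` setting whenever MemcachedTLS is on, and nothing in the template says why. Presumably the mod_auth_openidc memcache backend cannot speak TLS and so falls back to the module's default cache, but a reader will take the missing TLS branch for a bug; add `# mod_auth_openidc's memcache cache has no TLS client, so leave its default cache when MemcachedTLS is set` above the condition once that is confirmed. It is also worth stating in that comment that the fallback cache is then whatever the module defaults to, which may be local to each controller rather than shared, since that changes federation behaviour under load balancing.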

@ -243,12 +243,24 @@ parameters:
description:
Whether instances can attach cinder volumes from a different availability zone.
type: boolean
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
cache_enabled: {equals: [{get_param: EnableCache}, true]}
tls_cache_enabled:
and:
- {equals : [{get_param: EnableCache}, true]}
- {equals : [{get_param: MemcachedTLS}, true]}
cache_disabled: {equals : [{get_param: EnableCache}, false]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
resources:
@ -312,8 +324,6 @@ outputs:
nova::db::database_db_max_retries: -1
nova::db::database_max_retries: -1
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
nova::cache::enabled: true
nova::cache::backend: 'dogpile.cache.memcached'
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
@ -342,14 +352,13 @@ outputs:
nova_is_additional_cell: {get_param: NovaAdditionalCell}
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
- get_attr: [RoleParametersValue, value]
-
if:
- cache_enabled
- nova::cache::enabled: true
nova::cache::backend: 'dogpile.cache.memcached'
- {}
-
- nova::cache::enabled: {get_param: EnableCache}
nova::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- tls_cache_enabled
- nova::cache::backend: 'dogpile.cache.pymemcache'
- nova::cache::backend: 'dogpile.cache.memcached'
- if:
- compute_upgrade_level_empty
- {}
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
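Review bot: The first hunk appears to drop the unconditional `nova::cache::enabled: true` that sat next to the OVS bridge setting, and the second hunk replaces it with `{get_param: EnableCache}`, so a deployment with EnableCache set to false now genuinely turns nova's oslo.cache off where before the hard-coded true stood. That is probably the intended cleanup but it is a behaviour change unrelated to TLS and the commit message does not mention it; a release note or a sentence there would save an operator a surprise. With the `if: cache_enabled` block gone, the `cache_enabled` condition defined above may no longer have a consumer in this template while `cache_disabled` keeps one — check before both are left as dead conditions. The backend selection deserves the same one-line why-comment as heat and keystone, e.g. `# pymemcache is presumably the only dogpile backend here with TLS support`.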

@ -82,6 +82,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
SwiftCorsAllowedOrigin:
type: string
default: ''
@ -265,6 +273,7 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift
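Review bot: `swift::proxy::cache::tls_enabled` is switched on from `MemcachedTLS` while nothing in this section changes the memcache server list the proxy will dial, and the environment file in this change moves the TLS listener to 11212 only through the `memcached_port` hiera key. If puppet-swift does not build the proxy's server list from that key, the client will attempt a TLS handshake against the plaintext 11211 listener and every cache call fails; confirm where the list comes from and note it inline, e.g. `# TLS listener port is taken from the memcached_port hiera key set by the memcached TLS environment`. No CA file or verification knob is set here either, so it is worth confirming on the puppet-swift side that `tls_enabled` means verify-against-the-internal-CA rather than accept-any-certificate.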

@ -83,6 +83,14 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
# DEPRECATED options for compatibility with overcloud.yaml
# This should be removed and manipulation of the ControllerServices list
@ -170,6 +178,7 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
rsync::server::pid_file: 'UNSET'
swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
-
if:
- account_workers_zero

@ -0,0 +1,10 @@
# title: Enable TLS in Memcached Internal Endpoint
# description: |
# Use this environment to generate certificates and enable TLS in
# Memcached. ssl.yaml environment must also be used.
parameter_defaults:
MemcachedTLS: true
MemcachedPort: 11212
ExtraConfig:
memcached_port: 11212
memcached_authtoken_port: 11211
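Review bot: The header says this environment enables TLS in memcached, but the `memcached_authtoken_port: 11211` override at the end keeps whatever consumes that key — going by its name, the keystonemiddleware auth_token cache — on the cleartext listener, so cached token data still crosses the internal network unencrypted after this environment is applied; the description should say so, e.g. `# The auth_token middleware cache stays on the plaintext 11211 listener; this environment does not close that port.` `ExtraConfig` is a plain map parameter, so unless a merge strategy is declared any later environment that also sets `ExtraConfig` replaces this map wholesale and silently drops `memcached_port: 11212` while `MemcachedTLS: true` stays in force — worth a warning in the header and, if the deployed Heat supports it, a `parameter_merge_strategies: {ExtraConfig: merge}` entry. The note that ssl.yaml must also be used is good, but nothing here fails if it is omitted, so the consequence of forgetting it deserves a sentence too.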