
Merge "Add TLS support to services using memcached" into stable/victoria

changes/55/783555/1
Zuul 3 weeks ago
committed by Gerrit Code Review
parent
commit
5d90c727af
8 changed files with 100 additions and 23 deletions
  1. +13
    -0
      deployment/ceilometer/ceilometer-base-container-puppet.yaml
  2. +18
    -6
      deployment/heat/heat-base-puppet.yaml
  3. +22
    -6
      deployment/keystone/keystone-container-puppet.yaml
  4. +1
    -1
      deployment/memcached/memcached-container-puppet.yaml
  5. +18
    -10
      deployment/nova/nova-base-puppet.yaml
  6. +9
    -0
      deployment/swift/swift-proxy-container-puppet.yaml
  7. +9
    -0
      deployment/swift/swift-storage-container-puppet.yaml
  8. +10
    -0
      environments/ssl/enable-memcached-tls.yaml

+ 13
- 0
deployment/ceilometer/ceilometer-base-container-puppet.yaml View File

@ -76,6 +76,14 @@ parameters:
type: string
default: 'noop'
description: Driver or drivers to handle sending notifications.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
GnocchiArchivePolicy:
default: 'ceilometer-low-rate'
type: string
@ -122,6 +130,11 @@ outputs:
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
ceilometer::host: "%{hiera('fqdn_canonical')}"
- if:
- {get_param: MemcachedTLS}
- ceilometer::cache_backend: 'dogpile.cache.pymemcache'
ceilometer::cache_tls_enabled: true
- {}
service_config_settings:
keystone:
# Enable default notification queue
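Review bot: The MemcachedTLS description added at L47-L51 (and repeated verbatim in the heat, keystone, nova and both swift templates) says the non-TLS listener is on "the port set with MemcachedPort parameter (above)", but no MemcachedPort parameter is visible in any of these service hunks; if these templates do not declare it, the sentence points the reader at a parameter that exists only in the memcached template. Rewording it to `the port set by the MemcachedPort parameter of the memcached service` keeps the text correct wherever it is copied. The `if:` closing the outputs hunk also tests `{get_param: MemcachedTLS}` inline, whereas heat, keystone and nova express the same switch through a named `tls_cache_enabled` condition; a named condition here would keep the templates consistent and greppable. The outputs mapping this hunk edits continues outside the shown lines.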


+ 18
- 6
deployment/heat/heat-base-puppet.yaml View File

@ -132,10 +132,21 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
cache_enabled: {equals : [{get_param: EnableCache}, true]}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
outputs:
@ -192,9 +203,10 @@ outputs:
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
-
heat::cache::enabled: {get_param: EnableCache}
heat::cache::tls_enabled: {get_param: MemcachedTLS}
heat::cache::resource_finder_caching: false
if:
- cache_enabled
- heat::cache::enabled: true
heat::cache::backend: 'dogpile.cache.memcached'
heat::cache::resource_finder_caching: false
- {}
- tls_cache_enabled
- heat::cache::backend: 'dogpile.cache.pymemcache'
- heat::cache::backend: 'dogpile.cache.memcached'
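Review bot: The `cache_enabled` condition at L88 is no longer referenced by the outputs hunk at L95-L110, which now sets `heat::cache::enabled: {get_param: EnableCache}` directly and switches the backend on `tls_cache_enabled` alone; if nothing outside these hunks still uses it, the condition is dead and should be removed (the same applies to `cache_enabled` in keystone at L135 and nova at L207). The rewrite also emits `heat::cache::resource_finder_caching: false` and a `heat::cache::backend` value even when EnableCache is false, where the old `if:` emitted nothing; presumably inert while the cache is disabled, but it is a visible change in the rendered hiera and worth a sentence in the commit message. The config_settings list entry this hunk edits starts outside the shown lines.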

+ 22
- 6
deployment/keystone/keystone-container-puppet.yaml View File

@ -75,6 +75,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
KeystoneSSLCertificate:
default: ''
description: Keystone certificate for verifying token validity.
@ -355,7 +363,14 @@ conditions:
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
cache_enabled: {equals: [{get_param: EnableCache}, true]}
nontls_cache_enabled:
and:
- {get_param: EnableCache}
- not: {get_param: MemcachedTLS}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Security compliance
@ -482,11 +497,12 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
-
keystone::cache::enabled: {get_param: EnableCache}
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- cache_enabled
- keystone::cache::enabled: true
keystone::cache::backend: 'dogpile.cache.memcached'
- {}
- tls_cache_enabled
- keystone::cache::backend: 'dogpile.cache.pymemcache'
- keystone::cache::backend: 'dogpile.cache.memcached'
-
if:
- keystone_federation_enabled
@ -525,7 +541,7 @@ outputs:
get_param: KeystoneOpenIdcIntrospectionEndpoint
-
if:
- cache_enabled
- nontls_cache_enabled
- keystone::federation::openidc::openidc_cache_type: 'memcache'
- {}
- {}
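Review bot: The openidc hunk at L163-L171 now sets `keystone::federation::openidc::openidc_cache_type: 'memcache'` only under `nontls_cache_enabled`, so a deployment that enables both federation and MemcachedTLS silently falls back to whatever cache type mod_auth_openidc defaults to, and nothing in the change records why. A comment above the `if:` such as `# openidc memcache caching is only configured for non-TLS memcached; with MemcachedTLS the module default cache type applies` would stop the next reader from treating it as an omission. If the reason is that the openidc memcache cache cannot use TLS, naming that both in the comment and in the MemcachedTLS description is better still. The surrounding federation block starts outside the hunk.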


+ 1
- 1
deployment/memcached/memcached-container-puppet.yaml View File

@ -92,7 +92,7 @@ parameters:
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
internal_tls_enabled: {get_param: MemcachedTLS}
# NOTE: A non-tls port is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.


+ 18
- 10
deployment/nova/nova-base-puppet.yaml View File

@ -247,12 +247,23 @@ parameters:
description:
Whether instances can attach cinder volumes from a different availability zone.
type: boolean
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
cache_enabled: {equals: [{get_param: EnableCache}, true]}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
resources:
@ -316,8 +327,6 @@ outputs:
nova::db::database_db_max_retries: -1
nova::db::database_max_retries: -1
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
nova::cache::enabled: true
nova::cache::backend: 'dogpile.cache.memcached'
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
@ -346,14 +355,13 @@ outputs:
nova_is_additional_cell: {get_param: NovaAdditionalCell}
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
- get_attr: [RoleParametersValue, value]
-
if:
- cache_enabled
- nova::cache::enabled: true
nova::cache::backend: 'dogpile.cache.memcached'
- {}
-
- nova::cache::enabled: {get_param: EnableCache}
nova::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- tls_cache_enabled
- nova::cache::backend: 'dogpile.cache.pymemcache'
- nova::cache::backend: 'dogpile.cache.memcached'
- if:
- compute_upgrade_level_empty
- {}
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
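Review bot: Dropping the unconditional `nova::cache::enabled: true` and `nova::cache::backend: 'dogpile.cache.memcached'` at L218-L219 means the nova cache is now governed solely by EnableCache through `nova::cache::enabled: {get_param: EnableCache}` at L234, so a deployment with EnableCache false that previously still ended up with a memcached-backed cache (if those unconditional keys won the merge) loses it; the commit title says nothing about this, and a sentence in the commit message or a release note would help operators. As in heat, `cache_enabled` at L207 is no longer used by the visible outputs hunk and can be removed if nothing else references it. The map_merge list that the last hunk edits starts outside the shown lines.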


+ 9
- 0
deployment/swift/swift-proxy-container-puppet.yaml View File

@ -82,6 +82,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
SwiftCorsAllowedOrigin:
type: string
default: ''
@ -270,6 +278,7 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift


+ 9
- 0
deployment/swift/swift-storage-container-puppet.yaml View File

@ -83,6 +83,14 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
# DEPRECATED options for compatibility with overcloud.yaml
# This should be removed and manipulation of the ControllerServices list
@ -170,6 +178,7 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
rsync::server::pid_file: 'UNSET'
swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
-
if:
- account_workers_zero


+ 10
- 0
environments/ssl/enable-memcached-tls.yaml View File

@ -0,0 +1,10 @@
# title: Enable TLS in Memcached Internal Endpoint
# description: |
# Use this environment to generate certificates and enable TLS in
# Memcached. ssl.yaml environment must also be used.
parameter_defaults:
MemcachedTLS: true
MemcachedPort: 11212
ExtraConfig:
memcached_port: 11212
memcached_authtoken_port: 11211
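Review bot: The header at L308-L311 tells the operator to also use ssl.yaml but not that the settings below deliberately keep a plaintext listener: `MemcachedPort: 11212` moves the TLS listener while `memcached_authtoken_port: 11211` keeps the auth_token cache (presumably keystonemiddleware's) on the non-TLS port, so enabling this environment does not put all memcached traffic under TLS. Adding `# Port 11211 stays open without TLS for consumers that do not support it yet (see memcached_authtoken_port).` to the description makes that exposure explicit to whoever reviews the deployed listeners. The port also appears twice, as MemcachedPort and again as ExtraConfig memcached_port; if ExtraConfig is the only route to that hiera key, a one-line comment saying so would explain the duplication.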
