diff --git a/deployment/ceilometer/ceilometer-base-container-puppet.yaml b/deployment/ceilometer/ceilometer-base-container-puppet.yaml
index ea08309708..b31c0d70fa 100644
--- a/deployment/ceilometer/ceilometer-base-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-base-container-puppet.yaml
@@ -76,6 +76,14 @@ parameters:
type: string
default: 'noop'
description: Driver or drivers to handle sending notifications.
+ MemcachedTLS:
+ default: false
+ description: Set to True to enable TLS on Memcached service.
+ Because not all services support Memcached TLS, during the
+ migration period, Memcached will listen on 2 ports - on the
+ port set with MemcachedPort parameter (above) and on 11211,
+ without TLS.
+ type: boolean
GnocchiArchivePolicy:
default: 'ceilometer-low-rate'
type: string
@@ -122,6 +130,11 @@ outputs:
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
ceilometer::host: "%{hiera('fqdn_canonical')}"
+ - if:
+ - {get_param: MemcachedTLS}
+ - ceilometer::cache_backend: 'dogpile.cache.pymemcache'
+ ceilometer::cache_tls_enabled: true
+ - {}
service_config_settings:
keystone:
# Enable default notification queue
diff --git a/deployment/heat/heat-base-puppet.yaml b/deployment/heat/heat-base-puppet.yaml
index d9e8e79b91..8b42b0b3d4 100644
--- a/deployment/heat/heat-base-puppet.yaml
+++ b/deployment/heat/heat-base-puppet.yaml
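Review bot: The new `- if:` item in the `@@ -122,6 +130,11 @@` hunk tests `{get_param: MemcachedTLS}` inline, whereas every other template in this change declares a named condition (`tls_cache_enabled`, also gated on `EnableCache`) and the memcached template reduces its own condition to `internal_tls_enabled: {get_param: MemcachedTLS}`; for consistency and reuse, declare `memcached_tls_enabled: {get_param: MemcachedTLS}` under `conditions:` and reference it here. Whether ceilometer has an `EnableCache` parameter is not visible in the hunk, so the `EnableCache` gating used elsewhere may not apply. The false branch is `{}`, so turning `MemcachedTLS` back off on a stack update leaves `ceilometer::cache_backend` to whatever the surrounding template sets, which the hunk does not show; a one-line comment naming the backend that applies when TLS is off would make that explicit.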
@@ -132,10 +132,21 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request "origin" header.
+ MemcachedTLS:
+ default: false
+ description: Set to True to enable TLS on Memcached service.
+ Because not all services support Memcached TLS, during the
+ migration period, Memcached will listen on 2 ports - on the
+ port set with MemcachedPort parameter (above) and on 11211,
+ without TLS.
+ type: boolean
conditions:
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
- cache_enabled: {equals : [{get_param: EnableCache}, true]}
+ tls_cache_enabled:
+ and:
+ - {get_param: EnableCache}
+ - {get_param: MemcachedTLS}
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
outputs:
@@ -192,9 +203,10 @@ outputs:
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
-
+ heat::cache::enabled: {get_param: EnableCache}
+ heat::cache::tls_enabled: {get_param: MemcachedTLS}
+ heat::cache::resource_finder_caching: false
if:
- - cache_enabled
- - heat::cache::enabled: true
- heat::cache::backend: 'dogpile.cache.memcached'
- heat::cache::resource_finder_caching: false
- - {}
+ - tls_cache_enabled
+ - heat::cache::backend: 'dogpile.cache.pymemcache'
+ - heat::cache::backend: 'dogpile.cache.memcached'
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index 06ccf86d1a..4332e07bb9 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
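Review bot: In the `@@ -192,9 +203,10 @@` hunk the three new `heat::cache::*` keys are inserted between the list-item `-` and the kept context line `if:`, which reads as `if:` now being a sibling key of `heat::cache::enabled` inside one mapping rather than its own `- if:` item; the collapsed rendering hides indentation, so this needs confirming against the file. Heat treats a mapping as an intrinsic call only when the function name is its sole key, so if the layout is as it appears the `if` is written to hieradata as a literal `if` key, `heat::cache::backend` is never set, and the backend silently falls back to the puppet module default even though `heat::cache::enabled` is true. The safe layout keeps the cache keys in the mapping item that ends with `heat::max_json_body_size` and makes the conditional its own list item, as sketched below (relative indentation is what matters). The same shape appears in keystone at `@@ -482,11 +497,12 @@` and nova at `@@ -346,14 +355,13 @@`, where `if:` likewise follows the new `*::cache::tls_enabled` key directly.
```yaml
# … unchanged: heat::cron::* and heat::max_json_body_size keys of the preceding mapping item …
            heat::cache::enabled: {get_param: EnableCache}
            heat::cache::tls_enabled: {get_param: MemcachedTLS}
            heat::cache::resource_finder_caching: false
          - if:
            - tls_cache_enabled
            - heat::cache::backend: 'dogpile.cache.pymemcache'
            - heat::cache::backend: 'dogpile.cache.memcached'
```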
@@ -75,6 +75,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ MemcachedTLS:
+ default: false
+ description: Set to True to enable TLS on Memcached service.
+ Because not all services support Memcached TLS, during the
+ migration period, Memcached will listen on 2 ports - on the
+ port set with MemcachedPort parameter (above) and on 11211,
+ without TLS.
+ type: boolean
KeystoneSSLCertificate:
default: ''
description: Keystone certificate for verifying token validity.
@@ -355,7 +363,14 @@ conditions:
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
- cache_enabled: {equals: [{get_param: EnableCache}, true]}
+ nontls_cache_enabled:
+ and:
+ - {get_param: EnableCache}
+ - not: {get_param: MemcachedTLS}
+ tls_cache_enabled:
+ and:
+ - {get_param: EnableCache}
+ - {get_param: MemcachedTLS}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
# Security compliance
@@ -482,11 +497,12 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
-
+ keystone::cache::enabled: {get_param: EnableCache}
+ keystone::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- - cache_enabled
- - keystone::cache::enabled: true
- keystone::cache::backend: 'dogpile.cache.memcached'
- - {}
+ - tls_cache_enabled
+ - keystone::cache::backend: 'dogpile.cache.pymemcache'
+ - keystone::cache::backend: 'dogpile.cache.memcached'
- if:
- keystone_federation_enabled
@@ -525,7 +541,7 @@ outputs:
get_param: KeystoneOpenIdcIntrospectionEndpoint
- if:
- - cache_enabled
+ - nontls_cache_enabled
- keystone::federation::openidc::openidc_cache_type: 'memcache'
- {}
- {}
diff --git a/deployment/memcached/memcached-container-puppet.yaml b/deployment/memcached/memcached-container-puppet.yaml
index d5b9c3143b..f440a8c528 100644
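Review bot: The `@@ -525,7 +541,7 @@` hunk now sets `keystone::federation::openidc::openidc_cache_type: 'memcache'` only under `nontls_cache_enabled`, so with `MemcachedTLS: true` the OpenID Connect cache type is left unset and falls back to whatever mod_auth_openidc defaults to, with nothing in the template saying why; the reason (presumably that this cache has no TLS-capable memcache client) and the effect belong next to the condition, e.g. `# the openidc memcache cache cannot use the TLS port; with MemcachedTLS the module default cache type applies`. Because the false branch is `- {}`, federated-session caching quietly changes backend when TLS is switched on, which is worth calling out in the `enable-memcached-tls.yaml` environment description as well so operators know the change is intended. The enclosing `keystone_openidc_enabled` conditional starts outside the hunk.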
--- a/deployment/memcached/memcached-container-puppet.yaml
+++ b/deployment/memcached/memcached-container-puppet.yaml
@@ -92,7 +92,7 @@ parameters:
certificate for this service
conditions:
- internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
+ internal_tls_enabled: {get_param: MemcachedTLS}
# NOTE: A non-tls port is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.
diff --git a/deployment/nova/nova-base-puppet.yaml b/deployment/nova/nova-base-puppet.yaml
index 5cd8ff9706..f94abdaa1a 100644
--- a/deployment/nova/nova-base-puppet.yaml
+++ b/deployment/nova/nova-base-puppet.yaml
@@ -247,12 +247,23 @@ parameters:
description: Whether instances can attach cinder volumes from a different availability zone.
type: boolean
+ MemcachedTLS:
+ default: false
+ description: Set to True to enable TLS on Memcached service.
+ Because not all services support Memcached TLS, during the
+ migration period, Memcached will listen on 2 ports - on the
+ port set with MemcachedPort parameter (above) and on 11211,
+ without TLS.
+ type: boolean
conditions:
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
- cache_enabled: {equals: [{get_param: EnableCache}, true]}
+ tls_cache_enabled:
+ and:
+ - {get_param: EnableCache}
+ - {get_param: MemcachedTLS}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
resources:
@@ -316,8 +327,6 @@ outputs:
nova::db::database_db_max_retries: -1
nova::db::database_max_retries: -1
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
- nova::cache::enabled: true
- nova::cache::backend: 'dogpile.cache.memcached'
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
@@ -346,14 +355,13 @@ outputs:
nova_is_additional_cell: {get_param: NovaAdditionalCell}
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
- get_attr: [RoleParametersValue, value]
- - - if:
- - cache_enabled
- - nova::cache::enabled: true
- nova::cache::backend: 'dogpile.cache.memcached'
- - {}
- -
+ - nova::cache::enabled: {get_param: EnableCache}
+ nova::cache::tls_enabled: {get_param: MemcachedTLS}
if:
+ - tls_cache_enabled
+ - nova::cache::backend: 'dogpile.cache.pymemcache'
+ - nova::cache::backend: 'dogpile.cache.memcached'
+ - if:
- compute_upgrade_level_empty
- {}
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
index d0f5abc916..039ab701b2 100644
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -82,6 +82,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
+ MemcachedTLS:
+ default: false
+ description: Set to True to enable TLS on Memcached service.
+ Because not all services support Memcached TLS, during the
+ migration period, Memcached will listen on 2 ports - on the
+ port set with MemcachedPort parameter (above) and on 11211,
+ without TLS.
+ type: boolean
SwiftCorsAllowedOrigin:
type: string
default: ''
@@ -270,6 +278,7 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+ swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift
diff --git a/deployment/swift/swift-storage-container-puppet.yaml b/deployment/swift/swift-storage-container-puppet.yaml
index 7da68ea0ec..75b911ebbd 100644
--- a/deployment/swift/swift-storage-container-puppet.yaml
+++ b/deployment/swift/swift-storage-container-puppet.yaml
@@ -83,6 +83,14 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update.
+ MemcachedTLS:
+ default: false
+ description: Set to True to enable TLS on Memcached service.
+ Because not all services support Memcached TLS, during the
+ migration period, Memcached will listen on 2 ports - on the
+ port set with MemcachedPort parameter (above) and on 11211,
+ without TLS.
+ type: boolean
# DEPRECATED options for compatibility with overcloud.yaml
# This should be removed and manipulation of the ControllerServices list
@@ -170,6 +178,7 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
rsync::server::pid_file: 'UNSET'
+ swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
- if:
- account_workers_zero
diff --git a/environments/ssl/enable-memcached-tls.yaml b/environments/ssl/enable-memcached-tls.yaml
new file mode 100644
index 0000000000..6f73a8b5ff
--- /dev/null
+++ b/environments/ssl/enable-memcached-tls.yaml
@@ -0,0 +1,10 @@
+# title: Enable TLS in Memcached Internal Endpoint
+# description: |
+# Use this environment to generate certificates and enable TLS in
+# Memcached. ssl.yaml environment must also be used.
+parameter_defaults:
+ MemcachedTLS: true
+ MemcachedPort: 11212
+ ExtraConfig:
+ memcached_port: 11212
+ memcached_authtoken_port: 11211
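Review bot: In the new `enable-memcached-tls.yaml`, `memcached_authtoken_port: 11211` appears to pin the keystone auth_token middleware cache to the plain-text listener, so even with this environment applied token-validation caching still crosses the network unencrypted; the header only says "enable TLS in Memcached", and should state the exception, e.g. `#   Note: the auth_token middleware cache still uses the non-TLS port 11211 until that client supports TLS.` `MemcachedPort: 11212` and `ExtraConfig: memcached_port: 11212` are set independently, so a later override of one without the other would leave services pointing at a port memcached no longer serves; if the hiera key cannot be derived from the parameter inside the templates, at least tie them with `# must match MemcachedPort` on the ExtraConfig line. The parameter descriptions added across the other files promise a second non-TLS listener on 11211 alongside `MemcachedPort`, which only holds while `MemcachedPort` is not itself 11211, a constraint this environment satisfies but nothing enforces.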