Add support for keystone_authtoken/memcache_use_advanced_pool

This change introduces a single parameter, MemcacheUseAdvancedPool,
to enable usage of advanced connection pool in keystone middleware.
This is useful to avoid bursting connection to memcached.

Note that the default value of memcached_use_advanced_pool was changed
from false to true during Xena cycle[1], so this parameter is no longer
required in master. However the change in keystonemiddleware will
never be backported. This change is created so that we can switch to
advanced pool even in older releases.

[1] https://review.opendev.org/c/openstack/keystonemiddleware/+/773939

(To Victoria)
Conflicts:
	deployment/aodh/aodh-api-container-puppet.yaml
	deployment/glance/glance-api-container-puppet.yaml
	deployment/gnocchi/gnocchi-api-container-puppet.yaml
	deployment/manila/manila-api-container-puppet.yaml
	deployment/nova/nova-api-container-puppet.yaml

Closes-Bug: #1931047
Change-Id: I2887249af44ccfdae1592dd9120d3366fa059876
(cherry picked from commit 09bcacd25a)
(cherry picked from commit 9a89b9add6)

deployment/aodh/aodh-base.yaml

@@ -61,6 +61,11 @@ parameters:
     type: string
     default: 'noop'
     description: Driver or drivers to handle sending notifications.
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   service_debug_unset: {equals : [{get_param: AodhDebug}, '']}
@@ -108,6 +113,7 @@ outputs:
         aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
         aodh::keystone::authtoken::region_name: {get_param: KeystoneRegion}
         aodh::keystone::authtoken::interface: 'internal'
+        aodh::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
         aodh::auth::auth_password: {get_param: AodhPassword}
         aodh::auth::auth_region: {get_param: KeystoneRegion}
         aodh::auth::auth_project_name: 'service'

deployment/barbican/barbican-api-container-puppet.yaml

@@ -176,6 +176,11 @@ parameters:
     description: >
       Setting this to a unique value will re-run any deployment tasks which
       perform configuration on a Heat stack-update.
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   service_debug_unset:  {equals : [{get_param: BarbicanDebug}, '']}
@@ -259,6 +264,7 @@ outputs:
             barbican::keystone::authtoken::project_name: 'service'
             barbican::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             barbican::keystone::authtoken::interface: 'internal'
+            barbican::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             barbican::keystone::notification::enable_keystone_notification: True
             barbican::keystone::notification::keystone_notification_topic: 'barbican_notifications'
             barbican::policy::policies: {get_param: BarbicanPolicies}

deployment/cinder/cinder-api-container-puppet.yaml

@@ -91,6 +91,11 @@ parameters:
   RootStackName:
     description: The name of the stack/plan.
     type: string
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
 
@@ -187,6 +192,7 @@ outputs:
             cinder::keystone::authtoken::project_domain_name: 'Default'
             cinder::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             cinder::keystone::authtoken::interface: 'internal'
+            cinder::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             cinder::policy::policies: {get_param: CinderApiPolicies}
             cinder::notification_driver: {get_param: NotificationDriver}
             cinder::api::default_volume_type: {get_param: CinderDefaultVolumeType}

deployment/deprecated/mistral/mistral-base.yaml

@@ -62,6 +62,11 @@ parameters:
     type: number
     default: 120
     description: Mistral RPC timeout
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   service_debug_unset: {equals : [{get_param: MistralDebug}, '']}
@@ -108,6 +113,7 @@ outputs:
         mistral::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
         mistral::keystone::authtoken::region_name: {get_param: KeystoneRegion}
         mistral::keystone::authtoken::interface: 'internal'
+        mistral::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
         mistral::keystone_ec2_uri:
           list_join:
           - ''

deployment/deprecated/novajoin/novajoin-container-puppet.yaml

@@ -83,6 +83,11 @@ parameters:
       A hash of policies to configure for Novajoin.
     default: {}
     type: json
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 resources:
 
@@ -135,6 +140,7 @@ outputs:
         nova::metadata::novajoin::authtoken::project_name: 'service'
         nova::metadata::novajoin::authtoken::region_name: {get_param: KeystoneRegion}
         nova::metadata::novajoin::authtoken::interface: 'internal'
+        nova::metadata::novajoin::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
         nova::metadata::novajoin::policy::policies: {get_param: NovajoinPolicies}
       service_config_settings:
         nova_metadata: &nova_vendordata

deployment/experimental/designate/designate-api-container-puppet.yaml

@@ -55,6 +55,11 @@ parameters:
     description: The password for the neutron service and db account, used by neutron agents.
     type: string
     hidden: true
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   designate_workers_zero: {equals : [{get_param: DesignateWorkers}, 0]}
@@ -105,6 +110,7 @@ outputs:
             designate::keystone::authtoken::password: {get_param: DesignatePassword}
             designate::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             designate::keystone::authtoken::interface: 'internal'
+            designate::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             tripleo::profile::base::designate::api::listen_ip:
               str_replace:
                 template:

deployment/glance/glance-api-container-puppet.yaml

@@ -296,6 +296,11 @@ parameters:
   ContainerGlanceApiConfigImage:
     description: The container image to use for the glance_api config_volume
     type: string
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
 
@@ -438,6 +443,7 @@ outputs:
             glance::api::authtoken::user_domain_name: 'Default'
             glance::api::authtoken::project_domain_name: 'Default'
             glance::api::authtoken::interface: 'internal'
+            glance::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             glance::api::pipeline:
               if:
               - glance_cache_enabled

deployment/gnocchi/gnocchi-api-container-puppet.yaml

@@ -122,6 +122,11 @@ parameters:
     default: ''
     description: Indicate whether this resource may be shared with the domain received in the request
                  "origin" header.
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   cors_allowed_origin_unset: {equals : [{get_param: GnocchiCorsAllowedOrigin}, '']}
@@ -206,6 +211,7 @@ outputs:
             gnocchi::keystone::authtoken::project_domain_name: 'Default'
             gnocchi::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             gnocchi::keystone::authtoken::interface: 'internal'
+            gnocchi::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             gnocchi::wsgi::apache::servername:
               str_replace:

deployment/heat/heat-base-puppet.yaml

@@ -140,6 +140,11 @@ parameters:
                  port set with MemcachedPort parameter (above) and on 11211,
                  without TLS.
     type: boolean
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
@@ -179,6 +184,7 @@ outputs:
             heat::keystone::authtoken::password: {get_param: HeatPassword}
             heat::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             heat::keystone::authtoken::interface: 'internal'
+            heat::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             heat::keystone::domain::domain_name: 'heat_stack'
             heat::keystone::domain::domain_admin: 'heat_stack_domain_admin'
             heat::keystone::domain::domain_admin_email: 'heat_stack_domain_admin@localhost'

deployment/ironic/ironic-api-container-puppet.yaml

@@ -67,6 +67,11 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
@@ -144,6 +149,7 @@ outputs:
             ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             ironic::api::authtoken::region_name: {get_param: KeystoneRegion }
             ironic::api::authtoken::interface: 'internal'
+            ironic::api::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):

deployment/manila/manila-api-container-puppet.yaml

@@ -60,6 +60,11 @@ parameters:
                  When not set, the list is inferred via the storage back end/s
                  enabled.
     type: comma_delimited_list
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
 
@@ -139,6 +144,7 @@ outputs:
             manila::keystone::authtoken::project_domain_name: 'Default'
             manila::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             manila::keystone::authtoken::interface: 'internal'
+            manila::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples
             # (eg. for internal_api):

deployment/neutron/neutron-api-container-puppet.yaml

@@ -173,6 +173,11 @@ parameters:
     default: ''
     description: Override the private key size used when creating the
                  certificate for this service
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
   # DEPRECATED: the following options are deprecated and are currently maintained
   # for backwards compatibility. They will be removed in the Ocata cycle.
   NeutronL3HA:
@@ -309,6 +314,7 @@ outputs:
             neutron::keystone::authtoken::project_domain_name: 'Default'
             neutron::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             neutron::keystone::authtoken::interface: 'internal'
+            neutron::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             neutron::quota::quota_port: {get_param: NeutronPortQuota}
             neutron::quota::quota_security_group: {get_param: NeutronSecurityGroupQuota}
             neutron::server::placement::region_name: {get_param: KeystoneRegion}

deployment/nova/nova-api-container-puppet.yaml

@@ -105,6 +105,11 @@ parameters:
     default: 1000
     description: Max number of objects returned per API query
     type: number
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 parameter_groups:
 - label: deprecated
@@ -221,6 +226,7 @@ outputs:
             nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             nova::keystone::authtoken::interface: 'internal'
+            nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             nova::api::max_limit: {get_param: NovaApiMaxLimit}
             nova::api::enabled: true
             nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool}

deployment/nova/nova-metadata-container-puppet.yaml

@@ -76,6 +76,11 @@ parameters:
       each Neutron metadata-agent to point to the corresponding nova-metadata API
       service.
     type: boolean
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
@@ -164,6 +169,7 @@ outputs:
             nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
             nova::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             nova::keystone::authtoken::interface: 'internal'
+            nova::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             nova::wsgi::apache_metadata::api_port: '8775'
             nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
             nova::metadata::local_metadata_per_cell: {get_param: NovaLocalMetadataPerCell}

deployment/octavia/octavia-api-container-puppet.yaml

@@ -90,6 +90,11 @@ parameters:
     default: true
     description:  Set to false if the driver agent needs to be disabled for some reason.
     type: boolean
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
 
@@ -172,6 +177,7 @@ outputs:
             octavia::keystone::authtoken::project_domain_name: 'Default'
             octavia::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             octavia::keystone::authtoken::interface: 'internal'
+            octavia::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             octavia::policy::policies: {get_param: OctaviaApiPolicies}
             octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
             octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}

deployment/placement/placement-api-container-puppet.yaml

@@ -83,6 +83,11 @@ parameters:
     type: boolean
     default: false
     description: Set to True to enable debugging on all services.
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   placement_workers_zero: {equals : [{get_param: PlacementWorkers}, 0]}
@@ -142,6 +147,7 @@ outputs:
             placement::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             placement::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             placement::keystone::authtoken::interface: 'internal'
+            placement::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             placement::wsgi::apache::api_port: '8778'
             placement::wsgi::apache::ssl: {get_param: EnableInternalTLS}
             # NOTE: bind IP is found in hiera replacing the network name with the local node IP

deployment/zaqar/zaqar-container-puppet.yaml

@@ -90,6 +90,11 @@ parameters:
     description: The password for the redis service account.
     type: string
     hidden: true
+  MemcacheUseAdvancedPool:
+    type: boolean
+    description: |
+      Use the advanced (eventlet safe) memcached client pool.
+    default: true
 
 conditions:
   internal_tls_enabled: {get_param: EnableInternalTLS}
@@ -160,6 +165,7 @@ outputs:
             zaqar::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
             zaqar::keystone::authtoken::region_name: {get_param: KeystoneRegion}
             zaqar::keystone::authtoken::interface: 'internal'
+            zaqar::keystone::authtoken::memcache_use_advanced_pool: {get_param: MemcacheUseAdvancedPool}
             zaqar::keystone::trust::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
             zaqar::logging::debug:
               if:

releasenotes/notes/memcache_use_advanced_pool-41ca18221e60c05a.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    The new ``MemcacheUseAdvancedPool`` parameter is added which enables usage
+    of advanced poll for memcached connections in keystone middleware. This
+    parameter is set to ``true`` by default to avoind bursting connections
+    in some services like neutron.