Merge "Add TLS support to services using memcached"

deployment/ceilometer/ceilometer-base-container-puppet.yaml

@@ -73,6 +73,14 @@ parameters:
     type: comma_delimited_list
     default: 'noop'
     description: Driver or drivers to handle sending notifications.
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
   GnocchiArchivePolicy:
     default: 'ceilometer-low-rate'
     type: string
@@ -91,6 +99,7 @@ parameter_groups:
 conditions:
   service_debug_unset: {equals : [{get_param: CeilometerDebug}, '']}
   ceilometer_qdr_publish: {equals: [{get_param: CeilometerQdrPublish}, true]}
+  memcached_tls: {equals: [{get_param: MemcachedTLS}, true]}
 
 outputs:
   role_data:
@@ -119,6 +128,11 @@ outputs:
             ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
             ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
             ceilometer::host: "%{hiera('fqdn_canonical')}"
+          - if:
+            - memcached_tls
+            - ceilometer::cache_backend: 'dogpile.cache.pymemcache'
+              ceilometer::cache_tls_enabled: true
+            - {}
       service_config_settings:
         keystone:
           # Enable default notification queue

deployment/heat/heat-base-puppet.yaml

@@ -129,10 +129,21 @@ parameters:
     default: ''
     description: Indicate whether this resource may be shared with the domain received in the request
                  "origin" header.
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
 
 conditions:
   service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
-  cache_enabled: {equals : [{get_param: EnableCache}, true]}
+  tls_cache_enabled:
+    and:
+      - {equals : [{get_param: EnableCache}, true]}
+      - {equals : [{get_param: MemcachedTLS}, true]}
   cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
 
 outputs:
@@ -189,9 +200,10 @@ outputs:
             heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
             heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
           -
-            if:
+            heat::cache::enabled: {get_param: EnableCache}
-            - cache_enabled
+            heat::cache::tls_enabled: {get_param: MemcachedTLS}
-            - heat::cache::enabled: true
-              heat::cache::backend: 'dogpile.cache.memcached'
             heat::cache::resource_finder_caching: false
-            - {}
+            if:
+              - tls_cache_enabled
+              - heat::cache::backend: 'dogpile.cache.pymemcache'
+              - heat::cache::backend: 'dogpile.cache.memcached'

deployment/keystone/keystone-container-puppet.yaml

@@ -72,6 +72,14 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
   KeystoneSSLCertificate:
     default: ''
     description: Keystone certificate for verifying token validity.
@@ -346,7 +354,14 @@ conditions:
   keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
   keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
   service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
-  cache_enabled: {equals: [{get_param: EnableCache}, true]}
+  nontls_cache_enabled:
+    and:
+      - {equals : [{get_param: EnableCache}, true]}
+      - {equals : [{get_param: MemcachedTLS}, false]}
+  tls_cache_enabled:
+    and:
+      - {equals : [{get_param: EnableCache}, true]}
+      - {equals : [{get_param: MemcachedTLS}, true]}
   enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
 
   # Security compliance
@@ -471,11 +486,12 @@ outputs:
                   params:
                     $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
           -
+            keystone::cache::enabled: {get_param: EnableCache}
+            keystone::cache::tls_enabled: {get_param: MemcachedTLS}
             if:
-            - cache_enabled
+            - tls_cache_enabled
-            - keystone::cache::enabled: true
+            - keystone::cache::backend: 'dogpile.cache.pymemcache'
-              keystone::cache::backend: 'dogpile.cache.memcached'
+            - keystone::cache::backend: 'dogpile.cache.memcached'
-            - {}
           -
             if:
             - keystone_federation_enabled
@@ -514,7 +530,7 @@ outputs:
                     get_param: KeystoneOpenIdcIntrospectionEndpoint
                 -
                   if:
-                  - cache_enabled
+                  - nontls_cache_enabled
                   - keystone::federation::openidc::openidc_cache_type: 'memcache'
                   - {}
             - {}

deployment/nova/nova-base-puppet.yaml

@@ -240,12 +240,24 @@ parameters:
     description:
       Whether instances can attach cinder volumes from a different availability zone.
     type: boolean
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
 
 conditions:
 
   compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
   service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
-  cache_enabled: {equals: [{get_param: EnableCache}, true]}
+  tls_cache_enabled:
+    and:
+      - {equals : [{get_param: EnableCache}, true]}
+      - {equals : [{get_param: MemcachedTLS}, true]}
+  cache_disabled: {equals : [{get_param: EnableCache}, false]}
   enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
 
 resources:
@@ -309,8 +321,6 @@ outputs:
           nova::db::database_db_max_retries: -1
           nova::db::database_max_retries: -1
           nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
-          nova::cache::enabled: true
-          nova::cache::backend: 'dogpile.cache.memcached'
           nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
           nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
           nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
@@ -339,14 +349,13 @@ outputs:
           nova_is_additional_cell: {get_param: NovaAdditionalCell}
           nova::cross_az_attach: {get_param: NovaCrossAZAttach}
         - get_attr: [RoleParametersValue, value]
-        -
+        - nova::cache::enabled: {get_param: EnableCache}
-          if:
+          nova::cache::tls_enabled: {get_param: MemcachedTLS}
-          - cache_enabled
-          - nova::cache::enabled: true
-            nova::cache::backend: 'dogpile.cache.memcached'
-          - {}
-        -
           if:
+            - tls_cache_enabled
+            - nova::cache::backend: 'dogpile.cache.pymemcache'
+            - nova::cache::backend: 'dogpile.cache.memcached'
+        - if:
           - compute_upgrade_level_empty
           - {}
           - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}

deployment/swift/swift-proxy-container-puppet.yaml

@@ -79,6 +79,14 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
   SwiftCorsAllowedOrigin:
     type: string
     default: ''
@@ -260,6 +268,7 @@ outputs:
                     "%{hiera('$NETWORK')}"
                   params:
                     $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+            swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: swift

deployment/swift/swift-storage-container-puppet.yaml

@@ -80,6 +80,14 @@ parameters:
     description: >
       Setting this to a unique value will re-run any deployment tasks which
       perform configuration on a Heat stack-update.
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
 
   # DEPRECATED options for compatibility with overcloud.yaml
   # This should be removed and manipulation of the ControllerServices list
@@ -166,6 +174,7 @@ outputs:
                  params:
                    $NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
             rsync::server::pid_file: 'UNSET'
+            swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
           -
             if:
             - account_workers_zero

environments/ssl/enable-memcached-tls.yaml

@@ -0,0 +1,10 @@
+# title: Enable TLS in Memcached Internal Endpoint
+# description: |
+#   Use this environment to generate certificates and enable TLS in
+#   Memcached. ssl.yaml environment must also be used.
+parameter_defaults:
+  MemcachedTLS: true
+  MemcachedPort: 11212
+  ExtraConfig:
+    memcached_port: 11212
+    memcached_authtoken_port: 11211