Merge "Add TLS support to services using memcached"
commit
b2d49f6e39
|
@ -73,6 +73,14 @@ parameters:
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
default: 'noop'
|
default: 'noop'
|
||||||
description: Driver or drivers to handle sending notifications.
|
description: Driver or drivers to handle sending notifications.
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
Because not all services support Memcached TLS, during the
|
||||||
|
migration period, Memcached will listen on 2 ports - on the
|
||||||
|
port set with MemcachedPort parameter (above) and on 11211,
|
||||||
|
without TLS.
|
||||||
|
type: boolean
|
||||||
GnocchiArchivePolicy:
|
GnocchiArchivePolicy:
|
||||||
default: 'ceilometer-low-rate'
|
default: 'ceilometer-low-rate'
|
||||||
type: string
|
type: string
|
||||||
|
@ -91,6 +99,7 @@ parameter_groups:
|
||||||
conditions:
|
conditions:
|
||||||
service_debug_unset: {equals : [{get_param: CeilometerDebug}, '']}
|
service_debug_unset: {equals : [{get_param: CeilometerDebug}, '']}
|
||||||
ceilometer_qdr_publish: {equals: [{get_param: CeilometerQdrPublish}, true]}
|
ceilometer_qdr_publish: {equals: [{get_param: CeilometerQdrPublish}, true]}
|
||||||
|
memcached_tls: {equals: [{get_param: MemcachedTLS}, true]}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
|
@ -119,6 +128,11 @@ outputs:
|
||||||
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
|
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
|
||||||
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
|
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
|
||||||
ceilometer::host: "%{hiera('fqdn_canonical')}"
|
ceilometer::host: "%{hiera('fqdn_canonical')}"
|
||||||
|
- if:
|
||||||
|
- memcached_tls
|
||||||
|
- ceilometer::cache_backend: 'dogpile.cache.pymemcache'
|
||||||
|
ceilometer::cache_tls_enabled: true
|
||||||
|
- {}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
keystone:
|
keystone:
|
||||||
# Enable default notification queue
|
# Enable default notification queue
|
||||||
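Review bot: `ceilometer::cache_tls_enabled: true` is hard-coded inside the `memcached_tls` branch, while every other service in this change takes the same flag straight from the parameter (`heat::cache::tls_enabled: {get_param: MemcachedTLS}` and the keystone/nova/swift equivalents); for a uniform style it would move out of the conditional as `ceilometer::cache_tls_enabled: {get_param: MemcachedTLS}`, leaving only `ceilometer::cache_backend` under the `if:`. The false branch `- {}` leaves the backend key unset, so the non-TLS backend presumably comes from the puppet module default — a one-line comment such as `# backend is left to the module default (non-TLS client) when MemcachedTLS is false` would make that explicit. The enclosing config_settings list starts outside the hunk.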
|
|
|
@ -129,10 +129,21 @@ parameters:
|
||||||
default: ''
|
default: ''
|
||||||
description: Indicate whether this resource may be shared with the domain received in the request
|
description: Indicate whether this resource may be shared with the domain received in the request
|
||||||
"origin" header.
|
"origin" header.
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
Because not all services support Memcached TLS, during the
|
||||||
|
migration period, Memcached will listen on 2 ports - on the
|
||||||
|
port set with MemcachedPort parameter (above) and on 11211,
|
||||||
|
without TLS.
|
||||||
|
type: boolean
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
|
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
|
||||||
cache_enabled: {equals : [{get_param: EnableCache}, true]}
|
tls_cache_enabled:
|
||||||
|
and:
|
||||||
|
- {equals : [{get_param: EnableCache}, true]}
|
||||||
|
- {equals : [{get_param: MemcachedTLS}, true]}
|
||||||
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
|
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
|
@ -189,9 +200,10 @@ outputs:
|
||||||
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
||||||
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
||||||
-
|
-
|
||||||
if:
|
heat::cache::enabled: {get_param: EnableCache}
|
||||||
- cache_enabled
|
heat::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||||
- heat::cache::enabled: true
|
|
||||||
heat::cache::backend: 'dogpile.cache.memcached'
|
|
||||||
heat::cache::resource_finder_caching: false
|
heat::cache::resource_finder_caching: false
|
||||||
- {}
|
if:
|
||||||
|
- tls_cache_enabled
|
||||||
|
- heat::cache::backend: 'dogpile.cache.pymemcache'
|
||||||
|
- heat::cache::backend: 'dogpile.cache.memcached'
|
||||||
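Review bot: `heat::cache::resource_finder_caching: false` was previously emitted only under the `cache_enabled` condition and is now set unconditionally, and `heat::cache::tls_enabled` follows `MemcachedTLS` even when `EnableCache` is false; this is probably harmless for the puppet module but it is a behaviour change the commit message does not mention. A comment above the `if:` would record the intent, e.g. `# only the backend class is conditional; enabled/tls flags are passed through from the parameters`. The list item containing this block begins before the hunk, so its outer key is not visible here.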
|
|
|
@ -72,6 +72,14 @@ parameters:
|
||||||
EnableInternalTLS:
|
EnableInternalTLS:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
Because not all services support Memcached TLS, during the
|
||||||
|
migration period, Memcached will listen on 2 ports - on the
|
||||||
|
port set with MemcachedPort parameter (above) and on 11211,
|
||||||
|
without TLS.
|
||||||
|
type: boolean
|
||||||
KeystoneSSLCertificate:
|
KeystoneSSLCertificate:
|
||||||
default: ''
|
default: ''
|
||||||
description: Keystone certificate for verifying token validity.
|
description: Keystone certificate for verifying token validity.
|
||||||
|
@ -346,7 +354,14 @@ conditions:
|
||||||
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
||||||
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
|
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
|
||||||
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
|
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
|
||||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
nontls_cache_enabled:
|
||||||
|
and:
|
||||||
|
- {equals : [{get_param: EnableCache}, true]}
|
||||||
|
- {equals : [{get_param: MemcachedTLS}, false]}
|
||||||
|
tls_cache_enabled:
|
||||||
|
and:
|
||||||
|
- {equals : [{get_param: EnableCache}, true]}
|
||||||
|
- {equals : [{get_param: MemcachedTLS}, true]}
|
||||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||||
|
|
||||||
# Security compliance
|
# Security compliance
|
||||||
|
@ -471,11 +486,12 @@ outputs:
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
||||||
-
|
-
|
||||||
|
keystone::cache::enabled: {get_param: EnableCache}
|
||||||
|
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||||
if:
|
if:
|
||||||
- cache_enabled
|
- tls_cache_enabled
|
||||||
- keystone::cache::enabled: true
|
- keystone::cache::backend: 'dogpile.cache.pymemcache'
|
||||||
keystone::cache::backend: 'dogpile.cache.memcached'
|
- keystone::cache::backend: 'dogpile.cache.memcached'
|
||||||
- {}
|
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- keystone_federation_enabled
|
- keystone_federation_enabled
|
||||||
|
@ -514,7 +530,7 @@ outputs:
|
||||||
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- cache_enabled
|
- nontls_cache_enabled
|
||||||
- keystone::federation::openidc::openidc_cache_type: 'memcache'
|
- keystone::federation::openidc::openidc_cache_type: 'memcache'
|
||||||
- {}
|
- {}
|
||||||
- {}
|
- {}
|
||||||
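Review bot: switching the OpenIDC block to `- nontls_cache_enabled` means that enabling MemcachedTLS silently drops `keystone::federation::openidc::openidc_cache_type: 'memcache'` and the federation cache falls back to the module default; nothing in the hunk records why, and a later maintainer may re-add it against the TLS port. Presumably the openidc module cannot use TLS to memcached, which is also why the plaintext 11211 listener is kept during migration, so a comment next to the condition such as `# openidc caching stays on the non-TLS listener; the module is not TLS-capable here` would preserve that reasoning. The same tls_cache_enabled/nontls_cache_enabled split is repeated in the heat and nova conditions hunks.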
|
|
|
@ -240,12 +240,24 @@ parameters:
|
||||||
description:
|
description:
|
||||||
Whether instances can attach cinder volumes from a different availability zone.
|
Whether instances can attach cinder volumes from a different availability zone.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
Because not all services support Memcached TLS, during the
|
||||||
|
migration period, Memcached will listen on 2 ports - on the
|
||||||
|
port set with MemcachedPort parameter (above) and on 11211,
|
||||||
|
without TLS.
|
||||||
|
type: boolean
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
|
||||||
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
|
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
|
||||||
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
|
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
|
||||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
tls_cache_enabled:
|
||||||
|
and:
|
||||||
|
- {equals : [{get_param: EnableCache}, true]}
|
||||||
|
- {equals : [{get_param: MemcachedTLS}, true]}
|
||||||
|
cache_disabled: {equals : [{get_param: EnableCache}, false]}
|
||||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
@ -309,8 +321,6 @@ outputs:
|
||||||
nova::db::database_db_max_retries: -1
|
nova::db::database_db_max_retries: -1
|
||||||
nova::db::database_max_retries: -1
|
nova::db::database_max_retries: -1
|
||||||
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
|
nova::network::neutron::ovs_bridge: {get_param: NovaOVSBridge}
|
||||||
nova::cache::enabled: true
|
|
||||||
nova::cache::backend: 'dogpile.cache.memcached'
|
|
||||||
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
|
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronArchiveDeleteRowsMinute}
|
||||||
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
|
nova::cron::archive_deleted_rows::hour: {get_param: NovaCronArchiveDeleteRowsHour}
|
||||||
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
|
nova::cron::archive_deleted_rows::monthday: {get_param: NovaCronArchiveDeleteRowsMonthday}
|
||||||
|
@ -339,14 +349,13 @@ outputs:
|
||||||
nova_is_additional_cell: {get_param: NovaAdditionalCell}
|
nova_is_additional_cell: {get_param: NovaAdditionalCell}
|
||||||
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
|
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
|
||||||
- get_attr: [RoleParametersValue, value]
|
- get_attr: [RoleParametersValue, value]
|
||||||
-
|
- nova::cache::enabled: {get_param: EnableCache}
|
||||||
if:
|
nova::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||||
- cache_enabled
|
|
||||||
- nova::cache::enabled: true
|
|
||||||
nova::cache::backend: 'dogpile.cache.memcached'
|
|
||||||
- {}
|
|
||||||
-
|
|
||||||
if:
|
if:
|
||||||
|
- tls_cache_enabled
|
||||||
|
- nova::cache::backend: 'dogpile.cache.pymemcache'
|
||||||
|
- nova::cache::backend: 'dogpile.cache.memcached'
|
||||||
|
- if:
|
||||||
- compute_upgrade_level_empty
|
- compute_upgrade_level_empty
|
||||||
- {}
|
- {}
|
||||||
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
|
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
|
||||||
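Review bot: `cache_disabled: {equals : [{get_param: EnableCache}, false]}` is added to `conditions:` but no hunk in this file references it, so it looks like an unused condition left over from an earlier iteration (unless a use exists in unchanged lines outside the diff); either drop it or use it. In the outputs hunk, `nova::cache::tls_enabled` must sit in the same mapping as `- nova::cache::enabled:` — the rendered page loses indentation, so verify it is indented to the key column rather than parsed as a separate list entry. The enclosing config_settings list starts outside the hunk.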
|
|
|
@ -79,6 +79,14 @@ parameters:
|
||||||
EnableInternalTLS:
|
EnableInternalTLS:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
Because not all services support Memcached TLS, during the
|
||||||
|
migration period, Memcached will listen on 2 ports - on the
|
||||||
|
port set with MemcachedPort parameter (above) and on 11211,
|
||||||
|
without TLS.
|
||||||
|
type: boolean
|
||||||
SwiftCorsAllowedOrigin:
|
SwiftCorsAllowedOrigin:
|
||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
|
@ -260,6 +268,7 @@ outputs:
|
||||||
"%{hiera('$NETWORK')}"
|
"%{hiera('$NETWORK')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
||||||
|
swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_volume: swift
|
config_volume: swift
|
||||||
|
|
|
@ -80,6 +80,14 @@ parameters:
|
||||||
description: >
|
description: >
|
||||||
Setting this to a unique value will re-run any deployment tasks which
|
Setting this to a unique value will re-run any deployment tasks which
|
||||||
perform configuration on a Heat stack-update.
|
perform configuration on a Heat stack-update.
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
Because not all services support Memcached TLS, during the
|
||||||
|
migration period, Memcached will listen on 2 ports - on the
|
||||||
|
port set with MemcachedPort parameter (above) and on 11211,
|
||||||
|
without TLS.
|
||||||
|
type: boolean
|
||||||
|
|
||||||
# DEPRECATED options for compatibility with overcloud.yaml
|
# DEPRECATED options for compatibility with overcloud.yaml
|
||||||
# This should be removed and manipulation of the ControllerServices list
|
# This should be removed and manipulation of the ControllerServices list
|
||||||
|
@ -166,6 +174,7 @@ outputs:
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
|
||||||
rsync::server::pid_file: 'UNSET'
|
rsync::server::pid_file: 'UNSET'
|
||||||
|
swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- account_workers_zero
|
- account_workers_zero
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
# title: Enable TLS in Memcached Internal Endpoint
|
||||||
|
# description: |
|
||||||
|
# Use this environment to generate certificates and enable TLS in
|
||||||
|
# Memcached. ssl.yaml environment must also be used.
|
||||||
|
parameter_defaults:
|
||||||
|
MemcachedTLS: true
|
||||||
|
MemcachedPort: 11212
|
||||||
|
ExtraConfig:
|
||||||
|
memcached_port: 11212
|
||||||
|
memcached_authtoken_port: 11211
|
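Review bot: the `# description:` comment should state that this environment leaves a plaintext Memcached listener on 11211 — `memcached_authtoken_port: 11211` keeps the authtoken middleware on it and the MemcachedTLS parameter text says the service listens on both ports during migration — so an operator does not assume all memcached traffic is encrypted once it is applied. A suggested addition: `# Memcached keeps a non-TLS listener on 11211 for services that cannot use TLS yet (e.g. keystone authtoken); only MemcachedPort (11212) is TLS-protected.` `MemcachedPort` and `ExtraConfig.memcached_port` both carry `11212` and must stay in sync; a short comment saying so would prevent drift.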