From e3413901cdb57a999e5e23d6d6a1830aef281658 Mon Sep 17 00:00:00 2001 From: Grzegorz Grasza Date: Thu, 5 Nov 2020 14:48:53 +0100 Subject: [PATCH] Add TLS support to services using memcached This patch enables TLS connections to memcached in services which support it. Specifically the settings are consumed by swift's internal memcached client through puppet-swift; or oslo.cache, through puppet-ceilometer, puppet-keystone, puppet-nova, puppet-heat and puppet-oslo. NOTE(moguimar): Squashing fixes proposed by Rabi Mirsha in order to optimize conditions. Squashes: - Optimize conditions for TLS support (cherry picked from commit cc5eb81771cb0016f7c4ac02d17627474e210597) Depends-on: https://review.opendev.org/774227 Depends-on: https://review.opendev.org/775616 Depends-on: https://review.opendev.org/784211 Depends-on: https://review.opendev.org/779926 Depends-on: https://review.opendev.org/775649 Change-Id: Ic77ed56c32c7071ce126a1528030094b97894653 (cherry picked from commit 1ceb521805875b41ebfafb1ff7a862df4df6fd16) --- .../ceilometer-base-container-puppet.yaml | 13 ++++++++++ deployment/heat/heat-base-puppet.yaml | 24 ++++++++++++----- .../keystone/keystone-container-puppet.yaml | 26 +++++++++++++++---- .../memcached/memcached-container-puppet.yaml | 2 +- deployment/nova/nova-base-puppet.yaml | 25 +++++++++++++----- .../swift/swift-proxy-container-puppet.yaml | 9 +++++++ .../swift/swift-storage-container-puppet.yaml | 9 +++++++ environments/ssl/enable-memcached-tls.yaml | 10 +++++++ 8 files changed, 99 insertions(+), 19 deletions(-) create mode 100644 environments/ssl/enable-memcached-tls.yaml diff --git a/deployment/ceilometer/ceilometer-base-container-puppet.yaml b/deployment/ceilometer/ceilometer-base-container-puppet.yaml index f407585730..a1887bf370 100644 --- a/deployment/ceilometer/ceilometer-base-container-puppet.yaml +++ b/deployment/ceilometer/ceilometer-base-container-puppet.yaml 
@@ -76,6 +76,14 @@ parameters: type: string default: 'noop' description: Driver or drivers to handle sending notifications. + MemcachedTLS: + default: false + description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. + type: boolean GnocchiArchivePolicy: default: 'ceilometer-low-rate' type: string @@ -129,6 +137,11 @@ outputs: ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName} ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword} ceilometer::host: "%{hiera('fqdn_canonical')}" + - if: + - {get_param: MemcachedTLS} + - ceilometer::cache_backend: 'dogpile.cache.pymemcache' + ceilometer::cache_tls_enabled: true + - {} service_config_settings: keystone: # Enable default notification queue diff --git a/deployment/heat/heat-base-puppet.yaml b/deployment/heat/heat-base-puppet.yaml index e01ef86dee..e8e227e6bf 100644 --- a/deployment/heat/heat-base-puppet.yaml +++ b/deployment/heat/heat-base-puppet.yaml @@ -132,10 +132,21 @@ parameters: default: '' description: Indicate whether this resource may be shared with the domain received in the request "origin" header. + MemcachedTLS: + default: false + description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. + type: boolean conditions: service_debug_unset: {equals : [{get_param: HeatDebug}, '']} - cache_enabled: {equals : [{get_param: EnableCache}, true]} + tls_cache_enabled: + and: + - {get_param: EnableCache} + - {get_param: MemcachedTLS} cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']} outputs: 
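Review bot: The MemcachedTLS description added in this hunk says the TLS listener is "the port set with MemcachedPort parameter (above)", but no MemcachedPort parameter appears in this hunk and this consumer template may not define one at all; the "(above)" cross-reference only holds in the memcached service template the text was copied from. The same description is added verbatim in the heat-base-puppet.yaml, keystone-container-puppet.yaml, nova-base-puppet.yaml, swift-proxy-container-puppet.yaml and swift-storage-container-puppet.yaml hunks. For the consumer templates I'd drop the dangling reference and state the client-side meaning, e.g. `description: Set to True to use TLS when this service connects to Memcached. While not all consumers support TLS, Memcached also listens without TLS on 11211.`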
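Review bot: The ceilometer block sets `ceilometer::cache_backend` and `ceilometer::cache_tls_enabled` only inside the MemcachedTLS branch and keys on the raw parameter rather than a cache-enabled condition, which differs from the heat and nova hunks in this patch that pass `tls_enabled: {get_param: MemcachedTLS}` unconditionally and choose the backend in both branches. If ceilometer has no EnableCache parameter the raw-parameter form is fine, but the non-TLS backend is then left to puppet-ceilometer's default instead of being stated here; `ceilometer::cache_tls_enabled: {get_param: MemcachedTLS}` outside the `if` with only the backend switched inside would match the other templates. Nothing in this hunk passes a CA bundle for the pymemcache TLS connection, so certificate verification presumably relies on the container trust store and the depended-on puppet changes — worth confirming, since a TLS session that does not verify the server gives little over the plaintext port.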
@@ -192,9 +203,10 @@ outputs: heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination} heat::max_json_body_size: {get_param: HeatMaxJsonBodySize} - + heat::cache::enabled: {get_param: EnableCache} + heat::cache::tls_enabled: {get_param: MemcachedTLS} + heat::cache::resource_finder_caching: false if: - - cache_enabled - - heat::cache::enabled: true - heat::cache::backend: 'dogpile.cache.memcached' - heat::cache::resource_finder_caching: false - - {} + - tls_cache_enabled + - heat::cache::backend: 'dogpile.cache.pymemcache' + - heat::cache::backend: 'dogpile.cache.memcached' diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml index e88d85e9ab..25dbdbd0ab 100644 --- a/deployment/keystone/keystone-container-puppet.yaml +++ b/deployment/keystone/keystone-container-puppet.yaml @@ -79,6 +79,14 @@ parameters: EnableInternalTLS: type: boolean default: false + MemcachedTLS: + default: false + description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. + type: boolean KeystoneSSLCertificate: default: '' description: Keystone certificate for verifying token validity. @@ -355,7 +363,14 @@ conditions: keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]} keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]} service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']} - cache_enabled: {equals: [{get_param: EnableCache}, true]} + nontls_cache_enabled: + and: + - {get_param: EnableCache} + - not: {get_param: MemcachedTLS} + tls_cache_enabled: + and: + - {get_param: EnableCache} + - {get_param: MemcachedTLS} # Security compliance change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}} 
@@ -484,10 +499,11 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]} - + keystone::cache::enabled: {get_param: EnableCache} + keystone::cache::tls_enabled: {get_param: MemcachedTLS} if: - - cache_enabled - - keystone::cache_enabled: true - keystone::cache_backend: 'dogpile.cache.memcached' + - tls_cache_enabled + - keystone::cache::backend: 'dogpile.cache.pymemcache' - {} - if: @@ -527,7 +543,7 @@ outputs: get_param: KeystoneOpenIdcIntrospectionEndpoint - if: - - cache_enabled + - nontls_cache_enabled - keystone::federation::openidc::openidc_cache_type: 'memcache' - {} - {} diff --git a/deployment/memcached/memcached-container-puppet.yaml b/deployment/memcached/memcached-container-puppet.yaml index c7013cb34f..b74182f15c 100644 --- a/deployment/memcached/memcached-container-puppet.yaml +++ b/deployment/memcached/memcached-container-puppet.yaml @@ -82,7 +82,7 @@ parameters: type: boolean conditions: - internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]} + internal_tls_enabled: {get_param: MemcachedTLS} # NOTE: A non-tls port is necessary while there are still services # consuming Memcached that do not support TLS. Once all services # do support TLS, this config should be dropped. diff --git a/deployment/nova/nova-base-puppet.yaml b/deployment/nova/nova-base-puppet.yaml index 349e572f41..23ff67d3ad 100644 --- a/deployment/nova/nova-base-puppet.yaml +++ b/deployment/nova/nova-base-puppet.yaml 
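Review bot: With EnableCache true and MemcachedTLS false, the `if` in this hunk now yields `{}`, so no `keystone::cache::backend` is set where the removed lines set `dogpile.cache.memcached`; the parallel heat and nova hunks in this patch keep `'dogpile.cache.memcached'` as their else branch. Unless puppet-keystone's `keystone::cache` class defaults the backend to memcached, oslo.cache falls back to its null backend and keystone caching is silently disabled for non-TLS deployments. Suggest `- keystone::cache::backend: 'dogpile.cache.memcached'` in place of `- {}`. Note also that the hiera key changes from `keystone::cache_enabled` to `keystone::cache::enabled`, which presumably only takes effect once the depended-on puppet-keystone change has landed.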
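Review bot: The switch to `nontls_cache_enabled` for `keystone::federation::openidc::openidc_cache_type` is not explained in the hunk, and a reader would otherwise expect OpenIDC caching to follow MemcachedTLS like the rest of the file. Presumably mod_auth_openidc's memcache cache type cannot use TLS, so with MemcachedTLS set the federation cache falls back to mod_auth_openidc's default rather than being pointed at the plaintext 11211 listener — confirm that is the intent. A YAML comment above the `if` would capture it: `# mod_auth_openidc's memcache cache cannot use TLS; keep its default cache when Memcached is TLS-only for this service`.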
@@ -246,11 +246,23 @@ parameters: description: Whether instances can attach cinder volumes from a different availability zone. type: boolean + MemcachedTLS: + default: false + description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. + type: boolean conditions: compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']} service_debug_unset: {equals : [{get_param: NovaDebug}, '']} + tls_cache_enabled: + and: + - {get_param: EnableCache} + - {get_param: MemcachedTLS} cache_enabled: {equals: [{get_param: EnableCache}, true]} resources: @@ -375,14 +387,13 @@ outputs: nova_is_additional_cell: {get_param: NovaAdditionalCell} nova::cross_az_attach: {get_param: NovaCrossAZAttach} - get_attr: [RoleParametersValue, value] - - - if: - - cache_enabled - - nova::cache::enabled: true - nova::cache::backend: 'dogpile.cache.memcached' - - {} - - + - nova::cache::enabled: {get_param: EnableCache} + nova::cache::tls_enabled: {get_param: MemcachedTLS} if: + - tls_cache_enabled + - nova::cache::backend: 'dogpile.cache.pymemcache' + - nova::cache::backend: 'dogpile.cache.memcached' + - if: - compute_upgrade_level_empty - {} - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute} diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml index a39a2ce964..94fe4a15e0 100644 --- a/deployment/swift/swift-proxy-container-puppet.yaml +++ b/deployment/swift/swift-proxy-container-puppet.yaml 
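Review bot: The `cache_enabled` condition is kept in the conditions block while the only use visible in this patch, the `if: - cache_enabled` in the second nova hunk, is removed, so it may now be unreferenced; if nothing else in nova-base-puppet.yaml uses it, drop it, as the heat and keystone hunks drop theirs. If it does stay, `tls_cache_enabled` and `cache_enabled` evaluate EnableCache in two different forms (`{get_param: EnableCache}` versus `{equals: [{get_param: EnableCache}, true]}`); pick one for consistency, e.g. `cache_enabled: {get_param: EnableCache}`.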
@@ -82,6 +82,14 @@ parameters: EnableInternalTLS: type: boolean default: false + MemcachedTLS: + default: false + description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. + type: boolean SwiftCorsAllowedOrigin: type: string default: '' @@ -267,6 +275,7 @@ outputs: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]} + swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS} # BEGIN DOCKER SETTINGS puppet_config: config_volume: swift diff --git a/deployment/swift/swift-storage-container-puppet.yaml b/deployment/swift/swift-storage-container-puppet.yaml index 449b385174..75be2fd188 100644 --- a/deployment/swift/swift-storage-container-puppet.yaml +++ b/deployment/swift/swift-storage-container-puppet.yaml @@ -83,6 +83,14 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + MemcachedTLS: + default: false + description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. + type: boolean # DEPRECATED options for compatibility with overcloud.yaml # This should be removed and manipulation of the ControllerServices list @@ -170,6 +178,7 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]} rsync::server::pid_file: 'UNSET' + swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS} - if: - account_workers_zero diff --git a/environments/ssl/enable-memcached-tls.yaml b/environments/ssl/enable-memcached-tls.yaml new file mode 100644 index 0000000000..6f73a8b5ff --- /dev/null 
+++ b/environments/ssl/enable-memcached-tls.yaml
@@ -0,0 +1,10 @@
+# title: Enable TLS in Memcached Internal Endpoint
+# description: |
+# Use this environment to generate certificates and enable TLS in
+# Memcached. ssl.yaml environment must also be used.
+parameter_defaults:
+ MemcachedTLS: true
+ MemcachedPort: 11212
+ ExtraConfig:
+ memcached_port: 11212
+ memcached_authtoken_port: 11211
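Review bot: The environment header says it enables TLS in Memcached, but `memcached_authtoken_port: 11211` pins keystonemiddleware's auth_token cache to the port the MemcachedTLS description identifies as the non-TLS listener, so token-validation caching still goes over plaintext with this environment applied. That follows from the migration period the commit message describes, but an operator reading only the title will not expect it, so the header description should say so, e.g. add `#   Consumers that cannot use TLS yet (auth_token caching on 11211) keep a plaintext connection.` A short comment on why `MemcachedPort` moves to 11212 (freeing 11211 for the non-TLS listener) would also help the next reader.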