Merge "Add TLS support to services using memcached" into stable/train

deployment/ceilometer/ceilometer-base-container-puppet.yaml

@@ -76,6 +76,14 @@ parameters:
     type: string
     default: 'noop'
     description: Driver or drivers to handle sending notifications.
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
   GnocchiArchivePolicy:
     default: 'ceilometer-low-rate'
     type: string
@@ -129,6 +137,11 @@ outputs:
             ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
             ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
             ceilometer::host: "%{hiera('fqdn_canonical')}"
+          - if:
+            - {get_param: MemcachedTLS}
+            - ceilometer::cache_backend: 'dogpile.cache.pymemcache'
+              ceilometer::cache_tls_enabled: true
+            - {}
       service_config_settings:
         keystone:
           # Enable default notification queue

deployment/heat/heat-base-puppet.yaml

@@ -132,10 +132,21 @@ parameters:
     default: ''
     description: Indicate whether this resource may be shared with the domain received in the request
                  "origin" header.
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
 
 conditions:
   service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
-  cache_enabled: {equals : [{get_param: EnableCache}, true]}
+  tls_cache_enabled:
+    and:
+      - {get_param: EnableCache}
+      - {get_param: MemcachedTLS}
   cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
 
 outputs:
@@ -192,9 +203,10 @@ outputs:
             heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
             heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
           -
+            heat::cache::enabled: {get_param: EnableCache}
+            heat::cache::tls_enabled: {get_param: MemcachedTLS}
+            heat::cache::resource_finder_caching: false
             if:
-            - cache_enabled
+              - tls_cache_enabled
-            - heat::cache::enabled: true
+              - heat::cache::backend: 'dogpile.cache.pymemcache'
-              heat::cache::backend: 'dogpile.cache.memcached'
+              - heat::cache::backend: 'dogpile.cache.memcached'
-              heat::cache::resource_finder_caching: false
-            - {}

deployment/keystone/keystone-container-puppet.yaml

@@ -79,6 +79,14 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
   KeystoneSSLCertificate:
     default: ''
     description: Keystone certificate for verifying token validity.
@@ -355,7 +363,14 @@ conditions:
   keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
   keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
   service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
-  cache_enabled: {equals: [{get_param: EnableCache}, true]}
+  nontls_cache_enabled:
+    and:
+      - {get_param: EnableCache}
+      - not: {get_param: MemcachedTLS}
+  tls_cache_enabled:
+    and:
+      - {get_param: EnableCache}
+      - {get_param: MemcachedTLS}
 
   # Security compliance
   change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
@@ -484,10 +499,11 @@ outputs:
                   params:
                     $NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
           -
+            keystone::cache::enabled: {get_param: EnableCache}
+            keystone::cache::tls_enabled: {get_param: MemcachedTLS}
             if:
-            - cache_enabled
+            - tls_cache_enabled
-            - keystone::cache_enabled: true
+            - keystone::cache::backend: 'dogpile.cache.pymemcache'
-              keystone::cache_backend: 'dogpile.cache.memcached'
             - {}
           -
             if:
@@ -527,7 +543,7 @@ outputs:
                     get_param: KeystoneOpenIdcIntrospectionEndpoint
                 -
                   if:
-                  - cache_enabled
+                  - nontls_cache_enabled
                   - keystone::federation::openidc::openidc_cache_type: 'memcache'
                   - {}
             - {}

deployment/memcached/memcached-container-puppet.yaml

@@ -82,7 +82,7 @@ parameters:
     type: boolean
 
 conditions:
-  internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
+  internal_tls_enabled: {get_param: MemcachedTLS}
   # NOTE: A non-tls port is necessary while there are still services
   # consuming Memcached that do not support TLS. Once all services
   # do support TLS, this config should be dropped.

deployment/nova/nova-base-puppet.yaml

@@ -242,11 +242,23 @@ parameters:
     description:
       Whether instances can attach cinder volumes from a different availability zone.
     type: boolean
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
 
 conditions:
 
   compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
   service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
+  tls_cache_enabled:
+    and:
+      - {get_param: EnableCache}
+      - {get_param: MemcachedTLS}
   cache_enabled: {equals: [{get_param: EnableCache}, true]}
 
 resources:
@@ -339,14 +351,13 @@ outputs:
           nova_is_additional_cell: {get_param: NovaAdditionalCell}
           nova::cross_az_attach: {get_param: NovaCrossAZAttach}
         - get_attr: [RoleParametersValue, value]
-        -
+        - nova::cache::enabled: {get_param: EnableCache}
-          if:
+          nova::cache::tls_enabled: {get_param: MemcachedTLS}
-          - cache_enabled
-          - nova::cache::enabled: true
-            nova::cache::backend: 'dogpile.cache.memcached'
-          - {}
-        -
           if:
+            - tls_cache_enabled
+            - nova::cache::backend: 'dogpile.cache.pymemcache'
+            - nova::cache::backend: 'dogpile.cache.memcached'
+        - if:
           - compute_upgrade_level_empty
           - {}
           - nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}

deployment/swift/swift-proxy-container-puppet.yaml

@@ -82,6 +82,14 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
   SwiftCorsAllowedOrigin:
     type: string
     default: ''
@@ -267,6 +275,7 @@ outputs:
                     "%{hiera('$NETWORK')}"
                   params:
                     $NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
+            swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: swift

deployment/swift/swift-storage-container-puppet.yaml

@@ -83,6 +83,14 @@ parameters:
     description: >
       Setting this to a unique value will re-run any deployment tasks which
       perform configuration on a Heat stack-update.
+  MemcachedTLS:
+    default: false
+    description: Set to True to enable TLS on Memcached service.
+                 Because not all services support Memcached TLS, during the
+                 migration period, Memcached will listen on 2 ports - on the
+                 port set with MemcachedPort parameter (above) and on 11211,
+                 without TLS.
+    type: boolean
 
   # DEPRECATED options for compatibility with overcloud.yaml
   # This should be removed and manipulation of the ControllerServices list
@@ -170,6 +178,7 @@ outputs:
                  params:
                    $NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
             rsync::server::pid_file: 'UNSET'
+            swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
           -
             if:
             - account_workers_zero

environments/ssl/enable-memcached-tls.yaml

@@ -0,0 +1,10 @@
+# title: Enable TLS in Memcached Internal Endpoint
+# description: |
+#   Use this environment to generate certificates and enable TLS in
+#   Memcached. ssl.yaml environment must also be used.
+parameter_defaults:
+  MemcachedTLS: true
+  MemcachedPort: 11212
+  ExtraConfig:
+    memcached_port: 11212
+    memcached_authtoken_port: 11211