Merge "Add TLS support to services using memcached" into stable/train
This commit is contained in:
commit
e1cc751ea9
|
@ -76,6 +76,14 @@ parameters:
|
|||
type: string
|
||||
default: 'noop'
|
||||
description: Driver or drivers to handle sending notifications.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
GnocchiArchivePolicy:
|
||||
default: 'ceilometer-low-rate'
|
||||
type: string
|
||||
|
@ -129,6 +137,11 @@ outputs:
|
|||
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
|
||||
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
|
||||
ceilometer::host: "%{hiera('fqdn_canonical')}"
|
||||
- if:
|
||||
- {get_param: MemcachedTLS}
|
||||
- ceilometer::cache_backend: 'dogpile.cache.pymemcache'
|
||||
ceilometer::cache_tls_enabled: true
|
||||
- {}
|
||||
service_config_settings:
|
||||
keystone:
|
||||
# Enable default notification queue
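Review bot: The new `if` at the end of the ceilometer hiera block switches the backend on `{get_param: MemcachedTLS}` alone, whereas the heat, keystone and nova hunks in this same commit gate the identical switch behind a `tls_cache_enabled` condition that also requires EnableCache. If ceilometer-base has an EnableCache-style parameter, the condition should be defined the same way so the two flags cannot disagree; if it does not, a comment above the `if` should say so, e.g. `# ceilometer caching has no EnableCache guard here; only the backend/TLS flag is switched — confirm`. The `- {}` fallback also leaves `ceilometer::cache_backend` unset when TLS is off, so the plain-text backend comes from the puppet module's default instead of being pinned to `'dogpile.cache.memcached'` the way the heat and nova hunks pin it. The enclosing output block continues outside the hunk.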
|
||||
|
|
|
@ -132,10 +132,21 @@ parameters:
|
|||
default: ''
|
||||
description: Indicate whether this resource may be shared with the domain received in the request
|
||||
"origin" header.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
|
||||
cache_enabled: {equals : [{get_param: EnableCache}, true]}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- {get_param: MemcachedTLS}
|
||||
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
|
||||
|
||||
outputs:
|
||||
|
@ -192,9 +203,10 @@ outputs:
|
|||
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
||||
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
||||
-
|
||||
heat::cache::enabled: {get_param: EnableCache}
|
||||
heat::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
heat::cache::resource_finder_caching: false
|
||||
if:
|
||||
- cache_enabled
|
||||
- heat::cache::enabled: true
|
||||
heat::cache::backend: 'dogpile.cache.memcached'
|
||||
heat::cache::resource_finder_caching: false
|
||||
- {}
|
||||
- tls_cache_enabled
|
||||
- heat::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- heat::cache::backend: 'dogpile.cache.memcached'
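Review bot: `heat::cache::tls_enabled: {get_param: MemcachedTLS}` and `heat::cache::resource_finder_caching: false` are now emitted unconditionally, while the removed `cache_enabled` branch only applied the latter when caching was on, and the backend switch below still keys on `tls_cache_enabled` (EnableCache and MemcachedTLS). This is probably harmless because `heat::cache::enabled` gates the cache as a whole, but the two TLS-related settings now disagree on whether EnableCache matters, which deserves a comment such as `# tls_enabled follows MemcachedTLS alone; backend selection additionally requires EnableCache via tls_cache_enabled`. The outputs list continues outside the hunk.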
|
||||
|
|
|
@ -79,6 +79,14 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
KeystoneSSLCertificate:
|
||||
default: ''
|
||||
description: Keystone certificate for verifying token validity.
|
||||
|
@ -355,7 +363,14 @@ conditions:
|
|||
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
||||
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
|
||||
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
|
||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
||||
nontls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- not: {get_param: MemcachedTLS}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- {get_param: MemcachedTLS}
|
||||
|
||||
# Security compliance
|
||||
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
|
||||
|
@ -484,10 +499,11 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
||||
-
|
||||
keystone::cache::enabled: {get_param: EnableCache}
|
||||
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
if:
|
||||
- cache_enabled
|
||||
- keystone::cache_enabled: true
|
||||
keystone::cache_backend: 'dogpile.cache.memcached'
|
||||
- tls_cache_enabled
|
||||
- keystone::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
@ -527,7 +543,7 @@ outputs:
|
|||
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
||||
-
|
||||
if:
|
||||
- cache_enabled
|
||||
- nontls_cache_enabled
|
||||
- keystone::federation::openidc::openidc_cache_type: 'memcache'
|
||||
- {}
|
||||
- {}
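Review bot: In the keystone `outputs` hunk the non-TLS branch of the new `if` is `- {}`, so `keystone::cache::backend` is no longer set to `'dogpile.cache.memcached'` when MemcachedTLS is false, whereas the removed lines pinned it and the heat and nova hunks in this commit keep that fallback in their else branches. Unless puppet-keystone's default backend is known to be memcached in stable/train, the else branch should be `- keystone::cache::backend: 'dogpile.cache.memcached'`. The keys also move from `keystone::cache_enabled`/`keystone::cache_backend` to `keystone::cache::enabled`/`keystone::cache::backend`; confirm the puppet-keystone class in this release exposes the namespaced form, since a wrong key is silently ignored by hiera. In the openidc hunk, `openidc_cache_type: 'memcache'` is now applied only under `nontls_cache_enabled`, which should be explained in place, e.g. `# presumably the openidc cache cannot use the TLS listener; with MemcachedTLS set it keeps its default cache type — confirm`.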
|
||||
|
|
|
@ -82,7 +82,7 @@ parameters:
|
|||
type: boolean
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||
internal_tls_enabled: {get_param: MemcachedTLS}
|
||||
# NOTE: A non-tls port is necessary while there are still services
|
||||
# consuming Memcached that do not support TLS. Once all services
|
||||
# do support TLS, this config should be dropped.
|
||||
|
|
|
@ -242,11 +242,23 @@ parameters:
|
|||
description:
|
||||
Whether instances can attach cinder volumes from a different availability zone.
|
||||
type: boolean
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
|
||||
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
|
||||
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- {get_param: MemcachedTLS}
|
||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
||||
|
||||
resources:
|
||||
|
@ -339,14 +351,13 @@ outputs:
|
|||
nova_is_additional_cell: {get_param: NovaAdditionalCell}
|
||||
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
|
||||
- get_attr: [RoleParametersValue, value]
|
||||
-
|
||||
if:
|
||||
- cache_enabled
|
||||
- nova::cache::enabled: true
|
||||
nova::cache::backend: 'dogpile.cache.memcached'
|
||||
- {}
|
||||
-
|
||||
- nova::cache::enabled: {get_param: EnableCache}
|
||||
nova::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
if:
|
||||
- tls_cache_enabled
|
||||
- nova::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- nova::cache::backend: 'dogpile.cache.memcached'
|
||||
- if:
|
||||
- compute_upgrade_level_empty
|
||||
- {}
|
||||
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
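Review bot: The existing `cache_enabled` condition in the nova `conditions` hunk appears to have lost its only consumer, since the removed `if: - cache_enabled` block in the `outputs` hunk is replaced by `nova::cache::enabled: {get_param: EnableCache}` plus a `tls_cache_enabled` switch; if nothing else in the file references it, the condition is dead and should be dropped, as an unused condition is unlikely to produce any warning. Inserting the new `tls_cache_enabled` above the existing `cache_enabled` also reads as though it replaced it; keeping the new condition after the existing one, as the keystone hunk does, would make the diff clearer. The surrounding outputs list continues outside the hunk.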
|
||||
|
|
|
@ -82,6 +82,14 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
SwiftCorsAllowedOrigin:
|
||||
type: string
|
||||
default: ''
|
||||
|
@ -267,6 +275,7 @@ outputs:
|
|||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
||||
swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
config_volume: swift
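Review bot: `swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}` is added on its own, with no change to the memcache server list the proxy connects to; because the MemcachedTLS description in the parameters hunk states that TLS is served on MemcachedPort and plain text stays on 11211, the proxy only gets an encrypted session if its server list already follows MemcachedPort, which is not visible here. Worth confirming, and a comment would help, e.g. `# TLS only takes effect if the memcache server entries point at MemcachedPort, not the plain-text 11211 listener`. The same applies to `swift::objectexpirer::cache_tls_enabled` in the swift-storage hunk below.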
|
||||
|
|
|
@ -83,6 +83,14 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
# DEPRECATED options for compatibility with overcloud.yaml
|
||||
# This should be removed and manipulation of the ControllerServices list
|
||||
|
@ -170,6 +178,7 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
|
||||
rsync::server::pid_file: 'UNSET'
|
||||
swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
|
||||
-
|
||||
if:
|
||||
- account_workers_zero
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
# title: Enable TLS in Memcached Internal Endpoint
|
||||
# description: |
|
||||
# Use this environment to generate certificates and enable TLS in
|
||||
# Memcached. ssl.yaml environment must also be used.
|
||||
parameter_defaults:
|
||||
MemcachedTLS: true
|
||||
MemcachedPort: 11212
|
||||
ExtraConfig:
|
||||
memcached_port: 11212
|
||||
memcached_authtoken_port: 11211
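Review bot: `memcached_authtoken_port: 11211` keeps that traffic on the listener the MemcachedTLS description calls the port "without TLS", so enabling this environment does not encrypt whatever the services using that port cache there (presumably the keystonemiddleware auth_token cache). The header comment only mentions generating certificates and enabling TLS; it should state the carve-out, e.g. `#   Services using memcached_authtoken_port still use the plain-text 11211 listener during the migration period.` A short note that `MemcachedPort: 11212` and `ExtraConfig.memcached_port` must be kept in sync would also help, since the same value is duplicated in two places.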
|