Add TLS support to services using memcached

This patch enables TLS connections to memcached in services which
support it. Specifically the settings are consumed by swift's internal
memcached client through puppet-swift; or oslo.cache, through
puppet-ceilometer, puppet-keystone, puppet-nova, puppet-heat
and puppet-oslo.

NOTE(moguimar): Squashing fixes proposed by Rabi Mirsha in order to
optimize conditions.

Squashes:
- Optimize conditions for TLS support
  (cherry picked from commit cc5eb81771)

Depends-on: https://review.opendev.org/774227
Depends-on: https://review.opendev.org/775616
Depends-on: https://review.opendev.org/784211
Depends-on: https://review.opendev.org/779926
Depends-on: https://review.opendev.org/775649
Change-Id: Ic77ed56c32c7071ce126a1528030094b97894653
(cherry picked from commit 1ceb521805)
Grzegorz Grasza 2020-11-05 14:48:53 +01:00
parent b277ccf6bb
commit e3413901cd
8 changed files with 99 additions and 19 deletions


@ -76,6 +76,14 @@ parameters:
type: string
default: 'noop'
description: Driver or drivers to handle sending notifications.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
GnocchiArchivePolicy:
default: 'ceilometer-low-rate'
type: string
@ -129,6 +137,11 @@ outputs:
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
ceilometer::host: "%{hiera('fqdn_canonical')}"
- if:
- {get_param: MemcachedTLS}
- ceilometer::cache_backend: 'dogpile.cache.pymemcache'
ceilometer::cache_tls_enabled: true
- {}
service_config_settings:
keystone:
# Enable default notification queue


@ -132,10 +132,21 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
cache_enabled: {equals : [{get_param: EnableCache}, true]}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
outputs:
@ -192,9 +203,10 @@ outputs:
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
-
heat::cache::enabled: {get_param: EnableCache}
heat::cache::tls_enabled: {get_param: MemcachedTLS}
heat::cache::resource_finder_caching: false
if:
- cache_enabled
- heat::cache::enabled: true
heat::cache::backend: 'dogpile.cache.memcached'
heat::cache::resource_finder_caching: false
- {}
- tls_cache_enabled
- heat::cache::backend: 'dogpile.cache.pymemcache'
- heat::cache::backend: 'dogpile.cache.memcached'

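Review bot: Setting `heat::cache::tls_enabled` from MemcachedTLS turns on TLS in the oslo.cache client, but nothing in this hunk supplies a CA bundle or client certificate (oslo.cache's `tls_cafile`/`tls_certfile`/`tls_keyfile`), so whether the connection actually verifies the memcached server certificate depends on defaults in the Depends-on puppet changes that are not visible here. A comment above `heat::cache::tls_enabled`, e.g. `# TLS trust for the memcached client (CA file, client cert) comes from the puppet-oslo defaults; see the Depends-on changes`, or a TripleO parameter for the CA path if puppet-oslo does not set one, would make that dependency explicit. Separately, the trailing `- heat::cache::backend: 'dogpile.cache.memcached'` else branch now renders a backend even when EnableCache is false, where the previous block only set it under cache_enabled; presumably harmless if the key is ignored when the cache is disabled, but it is a change in the rendered hiera worth confirming.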

@ -79,6 +79,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
KeystoneSSLCertificate:
default: ''
description: Keystone certificate for verifying token validity.
@ -355,7 +363,14 @@ conditions:
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
cache_enabled: {equals: [{get_param: EnableCache}, true]}
nontls_cache_enabled:
and:
- {get_param: EnableCache}
- not: {get_param: MemcachedTLS}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
# Security compliance
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
@ -484,10 +499,11 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
-
keystone::cache::enabled: {get_param: EnableCache}
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- cache_enabled
- keystone::cache_enabled: true
keystone::cache_backend: 'dogpile.cache.memcached'
- tls_cache_enabled
- keystone::cache::backend: 'dogpile.cache.pymemcache'
- {}
-
if:
@ -527,7 +543,7 @@ outputs:
get_param: KeystoneOpenIdcIntrospectionEndpoint
-
if:
- cache_enabled
- nontls_cache_enabled
- keystone::federation::openidc::openidc_cache_type: 'memcache'
- {}
- {}

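Review bot: Switching the `keystone::federation::openidc::openidc_cache_type` condition from `cache_enabled` to `nontls_cache_enabled` silently drops the memcache cache for OpenID Connect sessions as soon as MemcachedTLS is true, so both the TLS case and the no-cache case render `{}` with no explanation in the template. A comment on the condition would stop the next reader from treating this as a bug, e.g. `# mod_auth_openidc's memcache cache has no TLS support; with MemcachedTLS it falls back to its default cache rather than the plaintext port` — assuming that is the reason, which the hunk does not state. The plaintext 11211 listener described in the MemcachedTLS parameter text would still be reachable, so if the intent was to keep using it, `cache_enabled` was the right condition; either way the choice should be written down in the template.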

@ -82,7 +82,7 @@ parameters:
type: boolean
conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
internal_tls_enabled: {get_param: MemcachedTLS}
# NOTE: A non-tls port is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.


@ -246,11 +246,23 @@ parameters:
description:
Whether instances can attach cinder volumes from a different availability zone.
type: boolean
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
tls_cache_enabled:
and:
- {get_param: EnableCache}
- {get_param: MemcachedTLS}
cache_enabled: {equals: [{get_param: EnableCache}, true]}
resources:
@ -375,14 +387,13 @@ outputs:
nova_is_additional_cell: {get_param: NovaAdditionalCell}
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
- get_attr: [RoleParametersValue, value]
-
if:
- cache_enabled
- nova::cache::enabled: true
nova::cache::backend: 'dogpile.cache.memcached'
- {}
-
- nova::cache::enabled: {get_param: EnableCache}
nova::cache::tls_enabled: {get_param: MemcachedTLS}
if:
- tls_cache_enabled
- nova::cache::backend: 'dogpile.cache.pymemcache'
- nova::cache::backend: 'dogpile.cache.memcached'
- if:
- compute_upgrade_level_empty
- {}
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}

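Review bot: The MemcachedTLS description added to this template says the port is "set with MemcachedPort parameter (above)", but this nova-base hunk shows no MemcachedPort parameter and the same paragraph is pasted verbatim into seven templates; if MemcachedPort only exists in the memcached service template, the "(above)" reference misleads. A description that stands on its own would be better, e.g. `Set to True to make this service's memcached client use TLS. Memcached keeps a plaintext listener on 11211 while some consumers lack TLS support; see the memcached service template.` The `cache_enabled` condition is still defined in the conditions block while the rewritten config_settings use only `tls_cache_enabled`; if nothing else in the file references it, it is dead and can be dropped.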

@ -82,6 +82,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
SwiftCorsAllowedOrigin:
type: string
default: ''
@ -267,6 +275,7 @@ outputs:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: swift


@ -83,6 +83,14 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
# DEPRECATED options for compatibility with overcloud.yaml
# This should be removed and manipulation of the ControllerServices list
@ -170,6 +178,7 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
rsync::server::pid_file: 'UNSET'
swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
-
if:
- account_workers_zero


@ -0,0 +1,10 @@
# title: Enable TLS in Memcached Internal Endpoint
# description: |
# Use this environment to generate certificates and enable TLS in
# Memcached. ssl.yaml environment must also be used.
parameter_defaults:
MemcachedTLS: true
MemcachedPort: 11212
ExtraConfig:
memcached_port: 11212
memcached_authtoken_port: 11211
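Review bot: `memcached_authtoken_port: 11211` pins the auth_token middleware cache to the plaintext listener while every other client moves to 11212 with TLS, so validated tokens keep crossing the wire unencrypted during the "migration period" the MemcachedTLS description mentions, and nothing in this environment tells an operator that. Add a comment above it, e.g. `# keystonemiddleware auth_token has no memcached TLS support yet; it stays on the plaintext 11211 listener until it does`, marking the keystonemiddleware assumption as something to confirm. The header comment could also say that, as far as this file goes, only the listener and the clients' tls_enabled flags are switched on here — certificate trust for the clients is left to the puppet side — so operators know what ssl.yaml plus this file actually enable.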