Add TLS support to services using memcached
This patch enables TLS connections to memcached in services that support it. Specifically, the settings are consumed by swift's internal memcached client through puppet-swift, or by oslo.cache through puppet-ceilometer, puppet-keystone, puppet-nova, puppet-heat and puppet-oslo. NOTE(moguimar): Squashing fixes proposed by Rabi Mirsha in order to optimize conditions. Squashes: - Optimize conditions for TLS support (cherry picked from commit cc5eb81771
) Depends-on: https://review.opendev.org/774227 Depends-on: https://review.opendev.org/775616 Depends-on: https://review.opendev.org/784211 Depends-on: https://review.opendev.org/779926 Depends-on: https://review.opendev.org/775649 Change-Id: Ic77ed56c32c7071ce126a1528030094b97894653 (cherry picked from commit 1ceb521805
)
This commit is contained in:
parent
b277ccf6bb
commit
e3413901cd
|
@ -76,6 +76,14 @@ parameters:
|
|||
type: string
|
||||
default: 'noop'
|
||||
description: Driver or drivers to handle sending notifications.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
GnocchiArchivePolicy:
|
||||
default: 'ceilometer-low-rate'
|
||||
type: string
|
||||
|
@ -129,6 +137,11 @@ outputs:
|
|||
ceilometer::snmpd_readonly_username: {get_param: SnmpdReadonlyUserName}
|
||||
ceilometer::snmpd_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
|
||||
ceilometer::host: "%{hiera('fqdn_canonical')}"
|
||||
- if:
|
||||
- {get_param: MemcachedTLS}
|
||||
- ceilometer::cache_backend: 'dogpile.cache.pymemcache'
|
||||
ceilometer::cache_tls_enabled: true
|
||||
- {}
|
||||
service_config_settings:
|
||||
keystone:
|
||||
# Enable default notification queue
|
||||
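Review bot: The `if:` added at `- {get_param: MemcachedTLS}` is the only place in this change where the parameter is tested inline instead of through a named condition; the heat, keystone and nova templates each declare a `tls_cache_enabled` condition under `conditions:`. Unless ceilometer has no cache-enable parameter to combine it with, declaring e.g. `memcached_tls_enabled: {get_param: MemcachedTLS}` under `conditions:` and writing `- memcached_tls_enabled` here would keep the templates uniform and make the switch searchable. The else branch `- {}` leaves `ceilometer::cache_backend` and `ceilometer::cache_tls_enabled` at puppet-ceilometer's defaults, which deserves a short comment since the other templates of this change set the non-TLS backend explicitly. The enclosing config_settings list starts outside the hunk.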
|
|
|
@ -132,10 +132,21 @@ parameters:
|
|||
default: ''
|
||||
description: Indicate whether this resource may be shared with the domain received in the request
|
||||
"origin" header.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
service_debug_unset: {equals : [{get_param: HeatDebug}, '']}
|
||||
cache_enabled: {equals : [{get_param: EnableCache}, true]}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- {get_param: MemcachedTLS}
|
||||
cors_allowed_origin_unset: {equals : [{get_param: HeatCorsAllowedOrigin}, '']}
|
||||
|
||||
outputs:
|
||||
|
@ -192,9 +203,10 @@ outputs:
|
|||
heat::cron::purge_deleted::destination: {get_param: HeatCronPurgeDeletedDestination}
|
||||
heat::max_json_body_size: {get_param: HeatMaxJsonBodySize}
|
||||
-
|
||||
heat::cache::enabled: {get_param: EnableCache}
|
||||
heat::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
heat::cache::resource_finder_caching: false
|
||||
if:
|
||||
- cache_enabled
|
||||
- heat::cache::enabled: true
|
||||
heat::cache::backend: 'dogpile.cache.memcached'
|
||||
heat::cache::resource_finder_caching: false
|
||||
- {}
|
||||
- tls_cache_enabled
|
||||
- heat::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- heat::cache::backend: 'dogpile.cache.memcached'
|
||||
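Review bot: After the hunk at `@ -192,9 +203,10 @@` the `cache_enabled` condition declared in the earlier hunk (`cache_enabled: {equals : [{get_param: EnableCache}, true]}`) has no remaining visible reference, because `- cache_enabled` was replaced by `- tls_cache_enabled`; if nothing else in the template uses it, the declaration should be dropped rather than left as a dead condition. The same replacement appears to leave `cache_enabled` unused in the keystone hunks (`@ -484` and `@ -527`) and the nova hunk (`@ -375`). A side effect of removing the gate is that `heat::cache::backend: 'dogpile.cache.memcached'` is now written even when `EnableCache` is false; that is harmless while `heat::cache::enabled` carries the same parameter, but a one-line comment such as `# backend is always set; heat::cache::enabled decides whether it is used` would make it read as deliberate. The enclosing config_settings mapping continues outside the hunk.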
|
|
|
@ -79,6 +79,14 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
KeystoneSSLCertificate:
|
||||
default: ''
|
||||
description: Keystone certificate for verifying token validity.
|
||||
|
@ -355,7 +363,14 @@ conditions:
|
|||
keystone_federation_enabled: {equals: [{get_param: KeystoneFederationEnable}, True]}
|
||||
keystone_openidc_enabled: {equals: [{get_param: KeystoneOpenIdcEnable}, True]}
|
||||
service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']}
|
||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
||||
nontls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- not: {get_param: MemcachedTLS}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- {get_param: MemcachedTLS}
|
||||
|
||||
# Security compliance
|
||||
change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}}
|
||||
|
@ -484,10 +499,11 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, KeystoneAdminApiNetwork]}
|
||||
-
|
||||
keystone::cache::enabled: {get_param: EnableCache}
|
||||
keystone::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
if:
|
||||
- cache_enabled
|
||||
- keystone::cache_enabled: true
|
||||
keystone::cache_backend: 'dogpile.cache.memcached'
|
||||
- tls_cache_enabled
|
||||
- keystone::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
@ -527,7 +543,7 @@ outputs:
|
|||
get_param: KeystoneOpenIdcIntrospectionEndpoint
|
||||
-
|
||||
if:
|
||||
- cache_enabled
|
||||
- nontls_cache_enabled
|
||||
- keystone::federation::openidc::openidc_cache_type: 'memcache'
|
||||
- {}
|
||||
- {}
|
||||
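Review bot: In the hunk at `@ -484,10 +499,11 @@` the non-TLS branch is now `- {}`, so `keystone::cache::backend` is no longer set when caching is enabled without TLS, whereas the removed lines set `'dogpile.cache.memcached'` explicitly and the heat and nova hunks of this same change still do. If puppet-keystone's default backend differs from that value, non-TLS deployments would change backend silently on upgrade; setting it explicitly avoids depending on the module default: `- keystone::cache::backend: 'dogpile.cache.memcached'` in place of `- {}`. The keys also change from `keystone::cache_enabled`/`keystone::cache_backend` to `keystone::cache::enabled`/`keystone::cache::backend`, which presumably relies on one of the puppet-keystone Depends-on changes listed in the description; worth confirming the old keys are not referenced elsewhere in the repository. The enclosing list under `outputs:` continues outside the hunk.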
|
|
|
@ -82,7 +82,7 @@ parameters:
|
|||
type: boolean
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||
internal_tls_enabled: {get_param: MemcachedTLS}
|
||||
# NOTE: A non-tls port is necessary while there are still services
|
||||
# consuming Memcached that do not support TLS. Once all services
|
||||
# do support TLS, this config should be dropped.
|
||||
|
|
|
@ -246,11 +246,23 @@ parameters:
|
|||
description:
|
||||
Whether instances can attach cinder volumes from a different availability zone.
|
||||
type: boolean
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
|
||||
compute_upgrade_level_empty: {equals : [{get_param: UpgradeLevelNovaCompute}, '']}
|
||||
service_debug_unset: {equals : [{get_param: NovaDebug}, '']}
|
||||
tls_cache_enabled:
|
||||
and:
|
||||
- {get_param: EnableCache}
|
||||
- {get_param: MemcachedTLS}
|
||||
cache_enabled: {equals: [{get_param: EnableCache}, true]}
|
||||
|
||||
resources:
|
||||
|
@ -375,14 +387,13 @@ outputs:
|
|||
nova_is_additional_cell: {get_param: NovaAdditionalCell}
|
||||
nova::cross_az_attach: {get_param: NovaCrossAZAttach}
|
||||
- get_attr: [RoleParametersValue, value]
|
||||
-
|
||||
if:
|
||||
- cache_enabled
|
||||
- nova::cache::enabled: true
|
||||
nova::cache::backend: 'dogpile.cache.memcached'
|
||||
- {}
|
||||
-
|
||||
- nova::cache::enabled: {get_param: EnableCache}
|
||||
nova::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
if:
|
||||
- tls_cache_enabled
|
||||
- nova::cache::backend: 'dogpile.cache.pymemcache'
|
||||
- nova::cache::backend: 'dogpile.cache.memcached'
|
||||
- if:
|
||||
- compute_upgrade_level_empty
|
||||
- {}
|
||||
- nova::upgrade_level_compute: {get_param: UpgradeLevelNovaCompute}
|
||||
|
|
|
@ -82,6 +82,14 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
SwiftCorsAllowedOrigin:
|
||||
type: string
|
||||
default: ''
|
||||
|
@ -267,6 +275,7 @@ outputs:
|
|||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, SwiftProxyNetwork]}
|
||||
swift::proxy::cache::tls_enabled: {get_param: MemcachedTLS}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
config_volume: swift
|
||||
|
|
|
@ -83,6 +83,14 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
Because not all services support Memcached TLS, during the
|
||||
migration period, Memcached will listen on 2 ports - on the
|
||||
port set with MemcachedPort parameter (above) and on 11211,
|
||||
without TLS.
|
||||
type: boolean
|
||||
|
||||
# DEPRECATED options for compatibility with overcloud.yaml
|
||||
# This should be removed and manipulation of the ControllerServices list
|
||||
|
@ -170,6 +178,7 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, SwiftStorageNetwork]}
|
||||
rsync::server::pid_file: 'UNSET'
|
||||
swift::objectexpirer::cache_tls_enabled: {get_param: MemcachedTLS}
|
||||
-
|
||||
if:
|
||||
- account_workers_zero
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
# title: Enable TLS in Memcached Internal Endpoint
|
||||
# description: |
|
||||
# Use this environment to generate certificates and enable TLS in
|
||||
# Memcached. ssl.yaml environment must also be used.
|
||||
parameter_defaults:
|
||||
MemcachedTLS: true
|
||||
MemcachedPort: 11212
|
||||
ExtraConfig:
|
||||
memcached_port: 11212
|
||||
memcached_authtoken_port: 11211
|
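Review bot: The header comment of the new environment does not explain what `MemcachedPort: 11212` and `memcached_authtoken_port: 11211` mean together: the TLS listener moves to 11212 while the authtoken consumer (presumably the keystone auth_token middleware, judging by the key name) is pointed at the plain-text listener on 11211, so enabling this environment still leaves unencrypted memcached traffic from services that cannot use TLS. A sentence in the description comment such as `# Services that do not support TLS (the consumer of memcached_authtoken_port among them) keep using the plain-text listener on 11211 during the migration period.` would make that visible to operators instead of something to infer from the ExtraConfig keys. The file name is not shown on this page, so the `ssl.yaml` reference in the header cannot be checked here.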