From f9dbba70438e065de784075408666abb08414e00 Mon Sep 17 00:00:00 2001 From: Gage Hugo Date: Fri, 21 Feb 2020 17:12:38 +0000 Subject: [PATCH] Revert "Revert "Keystone Authtoken Cache: allow universal secret key to be set"" This reverts commit 90d070390db08abf9da42a2bac54397112bbcd48. Change-Id: I017c6e9676b872e1aab21f9dc8aa2f93db58d49f --- aodh/templates/configmap-etc.yaml | 4 ++++ aodh/values.yaml | 1 + barbican/templates/configmap-etc.yaml | 3 +++ barbican/values.yaml | 9 +++++++++ ceilometer/templates/configmap-etc.yaml | 4 ++++ ceilometer/values.yaml | 7 +++++++ cinder/templates/configmap-etc.yaml | 3 +++ cinder/values.yaml | 8 ++++++++ congress/templates/configmap-etc.yaml | 3 +++ congress/values.yaml | 7 +++++++ designate/templates/configmap-etc.yaml | 4 ++++ designate/values.yaml | 1 + glance/templates/configmap-etc.yaml | 6 ++++++ glance/values.yaml | 9 +++++++++ heat/templates/configmap-etc.yaml | 3 +++ heat/values.yaml | 8 ++++++++ ironic/templates/configmap-etc.yaml | 3 +++ ironic/values.yaml | 7 +++++++ magnum/templates/configmap-etc.yaml | 3 +++ magnum/values.yaml | 8 ++++++++ mistral/templates/configmap-etc.yaml | 3 +++ mistral/values.yaml | 8 ++++++++ neutron/templates/configmap-etc.yaml | 3 +++ neutron/values.yaml | 8 ++++++++ nova/templates/configmap-etc.yaml | 7 +++++++ nova/values.yaml | 8 ++++++++ octavia/templates/configmap-etc.yaml | 6 ++++++ octavia/values.yaml | 2 ++ panko/templates/configmap-etc.yaml | 4 ++++ panko/values.yaml | 1 + rally/templates/configmap-etc.yaml | 3 +++ rally/values.yaml | 3 +++ senlin/templates/configmap-etc.yaml | 3 +++ senlin/values.yaml | 8 ++++++++ 34 files changed, 168 insertions(+) diff --git a/aodh/templates/configmap-etc.yaml b/aodh/templates/configmap-etc.yaml index 94836a35b4..3a1cd40d8d 100644 --- a/aodh/templates/configmap-etc.yaml +++ b/aodh/templates/configmap-etc.yaml 
@@ -53,6 +53,10 @@ limitations under the License. {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.aodh.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.aodh.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.aodh.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} + {{- if empty .Values.conf.aodh.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "aodh" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.aodh.database "connection" -}} {{- end -}} diff --git a/aodh/values.yaml b/aodh/values.yaml index f5879aaa59..8c9e9ee24a 100644 --- a/aodh/values.yaml +++ b/aodh/values.yaml @@ -468,6 +468,7 @@ conf: keystone_authtoken: auth_version: v3 auth_type: password + memcache_security_strategy: ENCRYPT service_credentials: auth_type: password interface: internal diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml index 82a88e10cb..0e640876a5 100644 --- a/barbican/templates/configmap-etc.yaml +++ b/barbican/templates/configmap-etc.yaml 
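Review bot: `default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key` draws a new key on every template render while the endpoints value stays `null`, so each chart gets a different key and the key changes on every `helm upgrade`. With `memcache_security_strategy: ENCRYPT`, entries written under an old or foreign key are presumably unreadable, so the token cache is effectively per-release and is discarded on each upgrade. The NOTE added in the values.yaml hunks mentions sharing a key but not that the fallback is unstable across renders. The same block repeats in every `configmap-etc.yaml` hunk of this patch, and in glance (`glance` / `glance_registry`) and octavia (`keystone_authtoken` / `service_auth`) two sections each draw their own random value. Consider extending the NOTE to say `# NOTE: the random fallback is regenerated on every render; set this explicitly for any shared or long-lived deployment`, and computing the fallback once per template where two sections need it.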
@@ -47,6 +47,9 @@ limitations under the License. {{- if empty .Values.conf.barbican.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.barbican.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.barbican.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.barbican.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.barbican.DEFAULT.sql_connection -}} {{- $_ := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.barbican.DEFAULT "sql_connection" -}} diff --git a/barbican/values.yaml b/barbican/values.yaml index 270323659d..aef40919a5 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -448,6 +448,8 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT + memcache_secret_key: null database: max_retries: -1 barbican_api: @@ -631,6 +633,13 @@ endpoints: http: default: 15672 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/ceilometer/templates/configmap-etc.yaml b/ceilometer/templates/configmap-etc.yaml index 3f3440852a..695908495e 100644 --- a/ceilometer/templates/configmap-etc.yaml +++ b/ceilometer/templates/configmap-etc.yaml 
@@ -28,6 +28,10 @@ limitations under the License. {{- if empty .Values.conf.ceilometer.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.ceilometer.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.ceilometer.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.ceilometer.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} + {{- if empty .Values.conf.ceilometer.cache.memcache_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.ceilometer.cache "memcache_servers" -}} {{- end -}} diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index 7113c99632..486f834611 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml @@ -1877,6 +1877,13 @@ endpoints: mongodb: default: 27017 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml index cc9c78f961..8eb105dae3 100644 --- a/cinder/templates/configmap-etc.yaml +++ b/cinder/templates/configmap-etc.yaml 
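Review bot: The ceilometer/values.yaml hunk adds only `endpoints.oslo_cache.auth.memcache_secret_key`; unlike the aodh, barbican and cinder hunks, it does not add `memcache_security_strategy: ENCRYPT` under `conf.ceilometer.keystone_authtoken`. Unless that option is already set outside the hunk, the template injects a key while the cached token data presumably stays unprotected, which defeats the purpose of the change for this chart. The congress, ironic and rally values.yaml hunks show the same gap. Either add `memcache_security_strategy: ENCRYPT` to each of them or state in the commit message why these charts are left out.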
@@ -47,6 +47,9 @@ limitations under the License. {{- if empty .Values.conf.cinder.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.cinder.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.cinder.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.cinder.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.cinder.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.cinder.database "connection" -}} diff --git a/cinder/values.yaml b/cinder/values.yaml index 2282b2e85f..87b9c81510 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -856,6 +856,7 @@ conf: keystone_authtoken: auth_version: v3 auth_type: password + memcache_security_strategy: ENCRYPT oslo_policy: policy_file: /etc/cinder/policy.yaml oslo_concurrency: @@ -1385,6 +1386,13 @@ endpoints: http: default: 15672 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/congress/templates/configmap-etc.yaml b/congress/templates/configmap-etc.yaml index 7455273f1f..4c671beab7 100644 --- a/congress/templates/configmap-etc.yaml +++ b/congress/templates/configmap-etc.yaml 
@@ -28,6 +28,9 @@ limitations under the License. {{- if empty .Values.conf.congress.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.congress.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.congress.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.congress.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.congress.keystone_authtoken.auth_url -}} {{- $_ := tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.congress.keystone_authtoken "auth_url" -}} diff --git a/congress/values.yaml b/congress/values.yaml index 4799ec83c7..bec6a509de 100644 --- a/congress/values.yaml +++ b/congress/values.yaml @@ -284,6 +284,13 @@ endpoints: mysql: default: 3306 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/designate/templates/configmap-etc.yaml b/designate/templates/configmap-etc.yaml index 9d91b8bd12..8423f59011 100644 --- a/designate/templates/configmap-etc.yaml +++ b/designate/templates/configmap-etc.yaml 
@@ -51,6 +51,10 @@ {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.designate.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.designate.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.designate.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} + {{- if empty (index .Values.conf.designate "storage:sqlalchemy").connection -}} {{- $_ := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set (index .Values.conf.designate "storage:sqlalchemy") "connection" -}} {{- $_ := tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.designate.database "connection" -}} diff --git a/designate/values.yaml b/designate/values.yaml index b156be2483..9a700306fd 100644 --- a/designate/values.yaml +++ b/designate/values.yaml @@ -570,6 +570,7 @@ conf: keystone_authtoken: auth_version: v3 auth_type: password + memcache_security_strategy: ENCRYPT logging: loggers: keys: diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml index f65b8762a5..b145afc499 100644 --- a/glance/templates/configmap-etc.yaml +++ b/glance/templates/configmap-etc.yaml 
@@ -75,6 +75,12 @@ limitations under the License. {{- if empty .Values.conf.glance_registry.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.glance_registry.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.glance.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.glance.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} +{{- if empty .Values.conf.glance_registry.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.glance_registry.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.glance.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance.database "connection" -}} diff --git a/glance/values.yaml b/glance/values.yaml index 456fc9620c..5f98574247 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -253,6 +253,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT glance_store: rbd_store_chunk_size: 8 rbd_store_replication: 3 @@ -381,6 +382,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT paste_deploy: flavor: keystone database: 
@@ -681,6 +683,13 @@ endpoints: mysql: default: 3306 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml index 5266665e21..115ea9ae28 100644 --- a/heat/templates/configmap-etc.yaml +++ b/heat/templates/configmap-etc.yaml @@ -70,6 +70,9 @@ limitations under the License. {{- if empty .Values.conf.heat.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.heat.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.heat.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.heat.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.heat.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.heat.database "connection" -}} diff --git a/heat/values.yaml b/heat/values.yaml index 13189c960b..282c17a9f7 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -439,6 +439,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT database: max_retries: -1 trustee: 
@@ -950,6 +951,13 @@ endpoints: mysql: default: 3306 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/ironic/templates/configmap-etc.yaml b/ironic/templates/configmap-etc.yaml index 7781d7cd66..c7268c4edf 100644 --- a/ironic/templates/configmap-etc.yaml +++ b/ironic/templates/configmap-etc.yaml @@ -45,6 +45,9 @@ limitations under the License. {{- if empty .Values.conf.ironic.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.ironic.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.ironic.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.ironic.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.ironic.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "ironic" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ironic.database "connection" -}} diff --git a/ironic/values.yaml b/ironic/values.yaml index d1617316f5..5946474ad0 100644 --- a/ironic/values.yaml +++ b/ironic/values.yaml 
@@ -457,6 +457,13 @@ endpoints: mysql: default: 3306 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/magnum/templates/configmap-etc.yaml b/magnum/templates/configmap-etc.yaml index cb41e77ce9..ead495fe06 100644 --- a/magnum/templates/configmap-etc.yaml +++ b/magnum/templates/configmap-etc.yaml @@ -47,6 +47,9 @@ limitations under the License. {{- if empty .Values.conf.magnum.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.magnum.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.magnum.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.magnum.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.magnum.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "magnum" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.magnum.database "connection" -}} diff --git a/magnum/values.yaml b/magnum/values.yaml index 1204f16661..3dc1f47437 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -129,6 +129,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT api: # NOTE(portdirect): the bind port should not be defined, and is manipulated # via the endpoints section. 
@@ -428,6 +429,13 @@ endpoints: mysql: default: 3306 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/mistral/templates/configmap-etc.yaml b/mistral/templates/configmap-etc.yaml index 26890764d4..bd085aef24 100644 --- a/mistral/templates/configmap-etc.yaml +++ b/mistral/templates/configmap-etc.yaml @@ -47,6 +47,9 @@ limitations under the License. {{- if empty .Values.conf.mistral.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.mistral.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.mistral.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.mistral.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.mistral.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "mistral" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.mistral.database "connection" -}} diff --git a/mistral/values.yaml b/mistral/values.yaml index d74411bdf2..e0682eb11d 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml 
@@ -303,6 +303,13 @@ endpoints: http: default: 15672 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: @@ -461,6 +468,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT logging: loggers: keys: diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index 7eb3b1907a..f08105e10e 100644 --- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml @@ -49,6 +49,9 @@ limitations under the License. {{- if empty $envAll.Values.conf.neutron.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set $envAll.Values.conf.neutron.keystone_authtoken "memcached_servers" -}} {{- end }} +{{- if empty .Values.conf.neutron.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.neutron.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty $envAll.Values.conf.neutron.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.database "connection" -}} diff --git a/neutron/values.yaml b/neutron/values.yaml index 8cb00d38bd..03c2da9b00 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -1847,6 +1847,7 @@ conf: ironic: endpoint_type: internal keystone_authtoken: + memcache_security_strategy: ENCRYPT auth_type: password auth_version: v3 octavia: 
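Review bot: The block added to neutron/templates/configmap-etc.yaml addresses the values as `.Values.conf.neutron.keystone_authtoken`, while the lines directly before and after it use `$envAll.Values.conf.neutron...`. Both probably resolve to the same object at this point, since the neighbouring lines pass `.` as the context, but the mix will break silently if the block is ever moved out of that scope. For consistency, use `{{- if empty $envAll.Values.conf.neutron.keystone_authtoken.memcache_secret_key -}}` and `set $envAll.Values.conf.neutron.keystone_authtoken "memcache_secret_key" ...`. The enclosing template definition starts and ends outside the hunk.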
@@ -2169,6 +2170,13 @@ endpoints: http: default: 15672 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml index b93fb8241e..6ed6f1c67f 100644 --- a/nova/templates/configmap-etc.yaml +++ b/nova/templates/configmap-etc.yaml @@ -48,6 +48,9 @@ limitations under the License. {{- if empty .Values.conf.nova.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.nova.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.nova.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if .Values.conf.nova.service_user.send_service_user_token -}} @@ -211,6 +214,10 @@ limitations under the License. {{- $_ := set .Values.conf.nova.ironic "auth_version" .Values.endpoints.identity.auth.ironic.auth_version -}} {{- end -}} +{{- if empty .Values.conf.nova.ironic.memcache_secret_key -}} +{{- $_ := (default (randAlphaNum 64) .Values.endpoints.oslo_cache.auth.memcache_secret_key) | set .Values.conf.nova.ironic "memcache_secret_key" -}} +{{- end -}} + {{- if empty .Values.conf.nova.ironic.memcache_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.nova.ironic "memcache_servers" -}} {{- end -}} 
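Review bot: The second nova/templates/configmap-etc.yaml hunk writes `memcache_secret_key` into `conf.nova.ironic`, but the nova/values.yaml hunk adds `memcache_security_strategy: ENCRYPT` only under `keystone_authtoken`. Whether the `ironic` section consumes a cache key at all, and whether it needs a matching strategy, is not visible here, so this should be confirmed or the block dropped. It also draws its own `randAlphaNum 64`, so without an explicit value it will differ from the `keystone_authtoken` key set in the first hunk. Finally, it is written in pipe form, `(default (randAlphaNum 64) ...) | set .Values.conf.nova.ironic "memcache_secret_key"`, unlike every other occurrence in the patch; using the `set <map> "memcache_secret_key" ( default ... )` form would keep the blocks greppable.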
diff --git a/nova/values.yaml b/nova/values.yaml index 0e5c83c9d9..e65b7cb9a4 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -1727,6 +1727,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT service_user: auth_type: password send_service_user_token: false @@ -1949,6 +1950,13 @@ endpoints: http: default: 15672 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/octavia/templates/configmap-etc.yaml b/octavia/templates/configmap-etc.yaml index a0d8d30d0d..e8d166c6ff 100644 --- a/octavia/templates/configmap-etc.yaml +++ b/octavia/templates/configmap-etc.yaml @@ -49,6 +49,9 @@ limitations under the License. {{- if empty .Values.conf.octavia.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.octavia.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.octavia.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.octavia.service_auth.auth_url -}} {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.octavia.service_auth "auth_url" -}} 
@@ -73,6 +76,9 @@ limitations under the License. {{- if empty .Values.conf.octavia.service_auth.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.octavia.service_auth "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.octavia.service_auth.memcache_secret_key -}} +{{- $_ := set .Values.conf.octavia.service_auth "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.octavia.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "octavia" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.octavia.database "connection" -}} diff --git a/octavia/values.yaml b/octavia/values.yaml index 1701fed892..e879792543 100644 --- a/octavia/values.yaml +++ b/octavia/values.yaml @@ -220,6 +220,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT certificates: ca_private_key_passphrase: foobar ca_private_key: /etc/octavia/certs/private/cakey.pem @@ -259,6 +260,7 @@ conf: auth_type: password cafile: "" auth_version: v3 + memcache_security_strategy: ENCRYPT logging: loggers: keys: diff --git a/panko/templates/configmap-etc.yaml b/panko/templates/configmap-etc.yaml index 57803a6a52..b00e7b6ce4 100644 --- a/panko/templates/configmap-etc.yaml +++ b/panko/templates/configmap-etc.yaml 
@@ -53,6 +53,10 @@ limitations under the License. {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.panko.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.panko.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.panko.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} + {{- if empty .Values.conf.panko.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "panko" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.panko.database "connection" -}} {{- end -}} diff --git a/panko/values.yaml b/panko/values.yaml index 1b3893fe69..75dba8d62a 100644 --- a/panko/values.yaml +++ b/panko/values.yaml @@ -258,6 +258,7 @@ conf: keystone_authtoken: auth_version: v3 auth_type: password + memcache_security_strategy: ENCRYPT logging: loggers: keys: diff --git a/rally/templates/configmap-etc.yaml b/rally/templates/configmap-etc.yaml index 03b8d3ff44..2bbe5fec72 100644 --- a/rally/templates/configmap-etc.yaml +++ b/rally/templates/configmap-etc.yaml 
@@ -44,6 +44,9 @@ limitations under the License. {{- if empty .Values.conf.rally.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.rally.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.rally.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.rally.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.rally.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "rally" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.rally.database "connection" -}} diff --git a/rally/values.yaml b/rally/values.yaml index d89e366ebd..178bd7f566 100644 --- a/rally/values.yaml +++ b/rally/values.yaml @@ -280,6 +280,9 @@ endpoints: mysql: default: 3306 oslo_cache: + auth: + keystone_authtoken: + secret_key: null hosts: default: memcached host_fqdn_override: diff --git a/senlin/templates/configmap-etc.yaml b/senlin/templates/configmap-etc.yaml index 15772d8db0..da78fbc64e 100644 --- a/senlin/templates/configmap-etc.yaml +++ b/senlin/templates/configmap-etc.yaml 
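Review bot: The rally/values.yaml hunk adds the key at `endpoints.oslo_cache.auth.keystone_authtoken.secret_key`, but the rally template hunk reads `.Values.endpoints.oslo_cache.auth.memcache_secret_key`. An operator who sets the key at the path shown in values.yaml is therefore never picked up, and rally silently falls back to `randAlphaNum 64`, so it cannot share a key with the other services. Every other chart in this patch uses `memcache_secret_key: null` directly under `auth:`; rally should match that, replacing the two added lines `keystone_authtoken:` / `secret_key: null` with `memcache_secret_key: null`. The hunk also leaves out the NOTE comment that the other charts carry and does not add `memcache_security_strategy: ENCRYPT` for rally.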
@@ -48,6 +48,9 @@ limitations under the License. {{- if empty .Values.conf.senlin.keystone_authtoken.memcached_servers -}} {{- $_ := tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" | set .Values.conf.senlin.keystone_authtoken "memcached_servers" -}} {{- end -}} +{{- if empty .Values.conf.senlin.keystone_authtoken.memcache_secret_key -}} +{{- $_ := set .Values.conf.senlin.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}} +{{- end -}} {{- if empty .Values.conf.senlin.database.connection -}} {{- $_ := tuple "oslo_db" "internal" "senlin" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.senlin.database "connection" -}} diff --git a/senlin/values.yaml b/senlin/values.yaml index 1516e95e18..c3d466163d 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml @@ -175,6 +175,7 @@ conf: keystone_authtoken: auth_type: password auth_version: v3 + memcache_security_strategy: ENCRYPT senlin_api: # NOTE(portdirect): the bind port should not be defined, and is manipulated # via the endpoints section. @@ -447,6 +448,13 @@ endpoints: mysql: default: 3306 oslo_cache: + auth: + # NOTE(portdirect): this is used to define the value for keystone + # authtoken cache encryption key, if not set it will be populated + # automatically with a random value, but to take advantage of + # this feature all services should be set to use the same key, + # and memcache service. + memcache_secret_key: null hosts: default: memcached host_fqdn_override: