Implement glance memcache security strategy

Provides an option to authenticate and optionally encrypt the token
data stored in the cache:
memcache_security_strategy = MAC/ENCRYPT
memcache_secret_key = secret_key

Change-Id: I1ba1f4fa61684d3dd5f0aa1478044e0f46b7cffc
Related-Prod: PROD-22099
diff --git a/README.rst b/README.rst
index 6e96364..f050338 100644
--- a/README.rst
+++ b/README.rst
@@ -446,6 +446,26 @@
 You can read more about it here:
     https://docs.openstack.org/security-guide/databases/database-access-control.html
 
+Glance services on controller node with memcached caching and security strategy:
+
+.. code-block:: yaml
+
+    glance:
+      server:
+        enabled: true
+        ...
+        cache:
+          engine: memcached
+          members:
+          - host: 127.0.0.1
+            port: 11211
+          - host: 127.0.0.1
+            port: 11211
+          security:
+            enabled: true
+            strategy: ENCRYPT
+            secret_key: secret
+
 Usage
 =====
 
diff --git a/glance/files/pike/glance-api.conf.Debian b/glance/files/pike/glance-api.conf.Debian
index 0bcab9b..604f9d9 100644
--- a/glance/files/pike/glance-api.conf.Debian
+++ b/glance/files/pike/glance-api.conf.Debian
@@ -3275,6 +3275,14 @@
 
 {%- if server.cache is defined %}
 memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+  {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+    {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+    {%- do salt.test.exception('server.cache.security.secret_key is not defined: Please add secret_key') %}
+    {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+    {%- endif %}
+  {%- endif %}
 {%- endif %}
 #
 # From keystonemiddleware.auth_token
diff --git a/glance/files/pike/glance-registry.conf.Debian b/glance/files/pike/glance-registry.conf.Debian
index e6553d7..45c976f 100644
--- a/glance/files/pike/glance-registry.conf.Debian
+++ b/glance/files/pike/glance-registry.conf.Debian
@@ -1197,6 +1197,14 @@
 
 {%- if server.cache is defined %}
 memcached_servers={%- for member in server.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+  {%- if server.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ server.cache.security.get('strategy', 'ENCRYPT') }}
+    {%- if server.cache.security.secret_key is not defined or not server.cache.security.secret_key %}
+    {%- do salt.test.exception('server.cache.security.secret_key is not defined: Please add secret_key') %}
+    {%- else %}
+memcache_secret_key = {{ server.cache.security.secret_key }}
+    {%- endif %}
+  {%- endif %}
 {%- endif %}
 # Complete "public" Identity API endpoint. This endpoint should not be an
 # "admin" endpoint, as it should be accessible by all end users. Unauthenticated
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index b06af82..b207e46 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -58,3 +58,16 @@
       image_tag: 256
       image_location: 15
       user_storage: 0
+    cache:
+      engine: memcached
+      members:
+      - host: 127.0.0.1
+        port: 11211
+      - host: 127.0.1.1
+        port: 11211
+      - host: 127.0.2.1
+        port: 11211
+      security:
+        enabled: true
+        strategy: ENCRYPT
+        secret_key: secret