Merge "Adding ability to configure passthrough_whitelist and alias parameters"
diff --git a/README.rst b/README.rst
index 1d4595c..297d432 100644
--- a/README.rst
+++ b/README.rst
@@ -385,7 +385,7 @@
...
networking: contrail
-Nova services on compute node with memcached caching:
+Nova services on compute node with memcached caching and security strategy:
.. code-block:: yaml
@@ -400,6 +400,10 @@
port: 11211
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
Client-side RabbitMQ HA setup:
diff --git a/nova/files/pike/nova-compute.conf.Debian b/nova/files/pike/nova-compute.conf.Debian
index e272b50..d3757e7 100644
--- a/nova/files/pike/nova-compute.conf.Debian
+++ b/nova/files/pike/nova-compute.conf.Debian
@@ -5742,6 +5742,14 @@
{%- endif %}
{%- if compute.cache is defined %}
memcached_servers={%- for member in compute.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if compute.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ compute.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if compute.cache.security.secret_key is not defined or not compute.cache.security.secret_key %}
+ {%- do salt.test.exception('compute.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ compute.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
# Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
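Review bot: The `strategy` value is written to `memcache_security_strategy` unchecked, while `secret_key` a few lines below gets an explicit render-time check. The values that matter for this keystonemiddleware option are `MAC` and `ENCRYPT`, so a typo in pillar lands in the rendered config and surfaces only later, at service start or in how cached token data is protected. Fail the render the same way the missing key does, e.g. `{%- if compute.cache.security.get('strategy', 'ENCRYPT') not in ['MAC', 'ENCRYPT'] %}` followed by a `salt.test.exception` call. The identical block in the nova-controller.conf.Debian hunk needs the same guard. The rendered file now also holds a shared secret in clear text, so the state that manages it (not visible here) should keep it readable by the nova service account only.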
diff --git a/nova/files/pike/nova-controller.conf.Debian b/nova/files/pike/nova-controller.conf.Debian
index 4ceefeb..3a434db 100644
--- a/nova/files/pike/nova-controller.conf.Debian
+++ b/nova/files/pike/nova-controller.conf.Debian
@@ -5749,6 +5749,14 @@
{%- endif %}
{%- if controller.cache is defined %}
memcached_servers={%- for member in controller.cache.members %}{{ member.host }}:11211{% if not loop.last %},{% endif %}{%- endfor %}
+ {%- if controller.cache.get('security', {}).get('enabled', False) %}
+memcache_security_strategy = {{ controller.cache.security.get('strategy', 'ENCRYPT') }}
+ {%- if controller.cache.security.secret_key is not defined or not controller.cache.security.secret_key %}
+ {%- do salt.test.exception('controller.cache.security.secret_key is not defined: Please add secret_key') %}
+ {%- else %}
+memcache_secret_key = {{ controller.cache.security.secret_key }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
# Complete "public" Identity API endpoint. This endpoint should not be an
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
diff --git a/nova/map.jinja b/nova/map.jinja
index 7aa4d8b..370f517 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -112,7 +112,7 @@
}, merge=pillar.nova.get('controller', {}), base='BaseDefaults') %}
{% set upgrade = pillar.get('nova', {}).get('upgrade', {}) %}
-{% set pin_level = 'auto' %}
+{% set pin_level = pillar.get('nova', {}).get('upgrade', {}).get('old_release','') %}
{% set upgrade_levels = salt['grains.filter_by']({
'Debian': {
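Review bot: `pin_level` now falls back to an empty string when `nova:upgrade:old_release` is absent from pillar, where it was previously always `'auto'`. The `upgrade_levels` mapping that begins on the following lines continues outside the hunk, so how the value is consumed is not visible; if it becomes the controller pin, enabling `upgrade_enabled` without `old_release` would presumably render an empty pin. Keeping the old value as the fallback and reusing the `upgrade` dict set one line above covers both: `{% set pin_level = upgrade.get('old_release', 'auto') %}`.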
@@ -285,7 +285,7 @@
{% set compute = salt["grains.filter_by"](compute_defaults, merge=pillar.nova.get("compute", {}), base='BaseDefaults') %}
{%- if pillar.nova.get('upgrade',{}).get('upgrade_enabled',False) %}
- {% do compute.update(upgrade_levels) %}
+ {% do compute.update({'upgrade_levels': {'compute': 'auto'}}) %}
{% do controller.update(upgrade_levels) %}
{%- endif %}
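Review bot: The compute pin is now the literal `'auto'` while the controller on the next line still receives `upgrade_levels`, and nothing in the hunk explains why the two differ. If the intent is that only controllers are pinned to the old release during an upgrade, say so in a Jinja comment above the line, e.g. `{#- computes stay on 'auto'; only controllers are pinned to upgrade:old_release -#}`. Note also that `compute.update(...)` replaces any `upgrade_levels` already merged into `compute` from pillar, which may deserve a mention in the same comment.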
diff --git a/tests/pillar/compute_cluster.sls b/tests/pillar/compute_cluster.sls
index c057c09..c3a55e2 100644
--- a/tests/pillar/compute_cluster.sls
+++ b/tests/pillar/compute_cluster.sls
@@ -74,6 +74,10 @@
port: 11211
- host: 127.0.2.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
libvirt:
hw_disk_discard: unmap
live_migration_tunnelled: False
diff --git a/tests/pillar/compute_cluster_vmware.sls b/tests/pillar/compute_cluster_vmware.sls
index ceaf142..8cf5646 100644
--- a/tests/pillar/compute_cluster_vmware.sls
+++ b/tests/pillar/compute_cluster_vmware.sls
@@ -63,6 +63,10 @@
port: 11211
- host: 127.0.2.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
compute_driver: vmwareapi.VMwareVCDriver
vmware:
host_username: vmware
diff --git a/tests/pillar/compute_cluster_vmware_queens.sls b/tests/pillar/compute_cluster_vmware_queens.sls
index 1d6b0cf..d508fc1 100644
--- a/tests/pillar/compute_cluster_vmware_queens.sls
+++ b/tests/pillar/compute_cluster_vmware_queens.sls
@@ -63,6 +63,10 @@
port: 11211
- host: 127.0.2.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
compute_driver: vmwareapi.VMwareVCDriver
vmware:
host_username: vmware
diff --git a/tests/pillar/compute_single.sls b/tests/pillar/compute_single.sls
index 8d752de..b000da7 100644
--- a/tests/pillar/compute_single.sls
+++ b/tests/pillar/compute_single.sls
@@ -60,6 +60,10 @@
members:
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
qemu:
user: nova
group: cinder
diff --git a/tests/pillar/compute_single_config_drive_options.sls b/tests/pillar/compute_single_config_drive_options.sls
index 6351252..78cf088 100644
--- a/tests/pillar/compute_single_config_drive_options.sls
+++ b/tests/pillar/compute_single_config_drive_options.sls
@@ -58,6 +58,10 @@
members:
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
config_drive:
cdrom: True
format: iso9660
diff --git a/tests/pillar/control_single.sls b/tests/pillar/control_single.sls
index eb91fd9..338d63b 100644
--- a/tests/pillar/control_single.sls
+++ b/tests/pillar/control_single.sls
@@ -66,6 +66,10 @@
members:
- host: 127.0.0.1
port: 11211
+ security:
+ enabled: true
+ strategy: ENCRYPT
+ secret_key: secret
policy:
'context_is_admin': 'role:admin or role:administrator'
'compute:create': 'rule:admin_or_owner'