diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 76241d54e2..7902500331 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -214,3 +214,6 @@ keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
 keystone_federation_oidc_response_type: "id_token"
 keystone_federation_oidc_scopes: "openid email profile"
+
+# OIDC caching
+keystone_oidc_enable_memcached: "{{ enable_memcached }}"
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 9f7236e68e..8408268e31 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -64,6 +64,10 @@ LogLevel info
 {% endif %}
 OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }}
 OIDCRedirectURI {{ keystone_public_url }}/redirect_uri
+{% if enable_memcached | bool and keystone_oidc_enable_memcached | bool %}
+ OIDCCacheType memcache
+ OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
+{% endif %}
 Require valid-user
diff --git a/releasenotes/notes/oidc-memcache-backend-198e27c5168a3d4e.yaml b/releasenotes/notes/oidc-memcache-backend-198e27c5168a3d4e.yaml
new file mode 100644
index 0000000000..cbb32882d7
--- /dev/null
+++ b/releasenotes/notes/oidc-memcache-backend-198e27c5168a3d4e.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Keystone OIDC integration now uses memcached for the caching backend if
+ ``enable_memcached`` is ``True``. This can be disabled by setting
+ ``keystone_oidc_enable_memcached`` to ``False``.
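Review bot: The new default in ansible/roles/keystone/defaults/main.yml is documented only as `# OIDC caching`, which does not tell an operator that it follows `enable_memcached` and so moves the OIDC cache onto the shared memcached wherever that service is already enabled. A fuller comment would help, for example `# Use the shared memcached as the mod_auth_openidc cache backend; follows enable_memcached unless overridden.` Memcached is typically deployed without authentication, so the confidentiality of the cached OIDC state would rest on the module's cache encryption keyed by the OIDC crypto passphrase; as far as I know that encryption is on by default for non-shm backends, and this is worth stating next to the variable.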
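Review bot: The `OIDCMemCacheServers` line in wsgi-keystone.conf.j2 joins the hosts with a comma, but mod_auth_openidc documents this directive as a space-separated list of `host[:port]` entries. With more than one host in `groups['memcached']` the value would therefore likely not parse as intended, leaving the shared cache unusable. Changing the separator to `{% if not loop.last %} {% endif %}` leaves the rest of the line as is. A single-host render looks the same either way, so this is easy to miss in testing and is worth confirming against the module version shipped in the keystone image. The enclosing federation block starts and ends outside this hunk.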