authorMartin André <m.andre@redhat.com>2017-08-23 12:44:42 +0200
committerEmilien Macchi <emilien@redhat.com>2017-09-05 22:55:43 +0000
commitd905ed08052ca5dc78b5f7f56f731394f19958ed (patch)
tree8194f96bab0cbd29a37859c7e1967824e2614966 /manifests/profile/pacemaker
parenta3f44bb6af9acc64569391dca8e85b854ae37072 (diff)
Use TLS proxy for Redis' internal TLS
This uses the tls_proxy resource in front of the Redis server when internal TLS is enabled. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147 (cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
Diffstat (limited to 'manifests/profile/pacemaker')
-rw-r--r--manifests/profile/pacemaker/database/redis.pp65
1 files changed, 65 insertions, 0 deletions
diff --git a/manifests/profile/pacemaker/database/redis.pp b/manifests/profile/pacemaker/database/redis.pp
index bc91be7..e6a2bf8 100644
--- a/manifests/profile/pacemaker/database/redis.pp
+++ b/manifests/profile/pacemaker/database/redis.pp
@@ -22,6 +22,21 @@
# (Optional) The hostname of the node responsible for bootstrapping tasks
# Defaults to hiera('redis_short_bootstrap_node_name')
#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# redis_certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('redis_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*enable_load_balancer*]
# (Optional) Whether load balancing is enabled for this cluster
# Defaults to hiera('enable_load_balancer', true)
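Review bot: The `redis_certificate_specs` example under `[*certificate_specs*]` gives `principal: "haproxy/<overcloud controller fqdn>"`, which names the haproxy service rather than redis and looks carried over from the haproxy profile's header. Confirm it matches the principal t-h-t actually requests for the redis certificate and adjust the example if it does not, since an operator copying it gets a cert whose principal does not match the service the proxy fronts. The same example also leaves `hostname` and the path fields as placeholders, which is fine, but the principal is the one value that is service-specific.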
@@ -39,16 +54,42 @@
# https://github.com/arioch/puppet-redis/pull/192. Set redis::ulimit via hiera
# to control this limit.
#
+# [*redis_network*]
+# (Optional) The network name where the redis endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('redis_network', undef)
+#
# [*pcs_tries*]
# (Optional) The number of times pcs commands should be retried.
# Defaults to hiera('pcs_tries', 20)
#
+# [*tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 6379
+#
class tripleo::profile::pacemaker::database::redis (
+ $certificate_specs = hiera('redis_certificate_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
$bootstrap_node = hiera('redis_short_bootstrap_node_name'),
$enable_load_balancer = hiera('enable_load_balancer', true),
$step = Integer(hiera('step')),
$redis_file_limit = undef,
+ $redis_network = hiera('redis_network', undef),
$pcs_tries = hiera('pcs_tries', 20),
+ $tls_proxy_bind_ip = undef,
+ $tls_proxy_fqdn = undef,
+ $tls_proxy_port = 6379,
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
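Review bot: `$certificate_specs` defaults to `{}`, yet nothing guards against it being empty when `$enable_internal_tls` is true; the `if $enable_internal_tls` block in the next hunk validates `redis_network`, `tls_proxy_bind_ip` and `tls_proxy_fqdn` but then reads `$certificate_specs['service_certificate']` and `['service_key']` unchecked, so a missing hiera entry passes undef as certificate and key to the stunnel proxy and presumably only surfaces when stunnel starts instead of failing the catalog. Add, next to the other fail() calls, `if !$certificate_specs['service_certificate'] or !$certificate_specs['service_key'] {` / `  fail('redis_certificate_specs must provide service_certificate and service_key when internal TLS is enabled.')` / `}`. The parameter doc for `[*tls_proxy_fqdn*]` reads `required only used if enable_internal_tls is set`; align it with the `tls_proxy_bind_ip` entry: `Required only if enable_internal_tls is set.` The class body continues past the end of this hunk, and the following hunk is cut off at the end of the page.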
@@ -57,6 +98,30 @@ class tripleo::profile::pacemaker::database::redis (
}
if $step >= 1 {
+ if $enable_internal_tls {
+ if !$redis_network {
+ fail('redis_network is not set in the hieradata.')
+ }
+ if !$tls_proxy_bind_ip {
+ fail('tls_proxy_bind_ip is not set in the hieradata.')
+ }
+ if !$tls_proxy_fqdn {
+ fail('tls_proxy_fqdn is required if internal TLS is enabled.')
+ }
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+
+ include ::tripleo::stunnel
+
+ ::tripleo::stunnel::service_proxy { 'redis':
+ accept_host => $tls_proxy_bind_ip,
+ accept_port => $tls_proxy_port,
+ connect_port => $tls_proxy_port,
+ certificate => $tls_certfile,
+ key => $tls_keyfile,
+ notify => Class['::redis'],
+ }
+ }
# If the old hiera key exists we use that to set the ulimit in order not to break
# operators which set it. We might remove this in a later release (post pike anyway)
$old_redis_file_limit = hiera('redis_file_limit', undef)