From 410b9f96c0ec156ffeb00f31293735b120eaa260 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Tue, 22 Mar 2016 17:22:59 +0100
Subject: Allow the Redis specific monitor to use authentication
When accessing Redis, if password protected, we need to update the HAProxy checks so that they use a password or we won't be able to gather which node is the replica master. Also adds PING/PONG and QUIT/OK sequence before and after the info command is sent. More at https://bugzilla.redhat.com/show_bug.cgi?id=1320036
Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
---
 manifests/loadbalancer.pp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 0d70f32..d61eea6 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -303,6 +303,11 @@
 # (optional) Enable or not Redis binding
 # Defaults to false
 #
+# [*redis_password*]
+# (optional) Password for Redis authentication, eventually needed by the
+# specific monitoring we do from HAProxy for Redis
+# Defaults to undef
+#
 # [*midonet_api*]
 # (optional) Enable or not MidoNet API binding
 # Defaults to false
@@ -408,6 +413,7 @@ class tripleo::loadbalancer (
 $mysql_clustercheck = false,
 $rabbitmq = false,
 $redis = false,
+ $redis_password = undef,
 $midonet_api = false,
 $service_ports = {}
 ) {
@@ -1344,12 +1350,17 @@ class tripleo::loadbalancer (
 }
 
 if $redis {
+ if $redis_password {
+ $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
+ } else {
+ $redis_tcp_check_options = []
+ }
 haproxy::listen { 'redis':
 bind => $redis_bind_opts,
 options => {
 'balance' => 'first',
 'option' => ['tcp-check',],
- 'tcp-check' => ['send info\ replication\r\n','expect string role:master'],
+ 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']),
 },
 collect_exported => false,
 }
-- 
cgit 1.2.3-korg
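Review bot: The `redis_password` parameter doc added in the `@@ -303,6 +303,11 @@` hunk does not say where the value ends up, and "eventually needed" most likely means "possibly needed". The `if $redis` hunk interpolates the value into a `tcp-check` option of `haproxy::listen`, so it is presumably rendered in clear text into the HAProxy configuration file, and an operator should be told that. Suggested wording: `# (optional) Password for Redis authentication; when set, HAProxy sends it in an AUTH command during the Redis health check, and it is stored in clear text in the HAProxy configuration`. The parameter comment block continues outside the hunk.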
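Review bot: In the `@@ -1344,12 +1350,17 @@` hunk, `$redis_password` is interpolated into `send AUTH\\ ${redis_password}\\r\\n` without validation or escaping. A password containing whitespace, a backslash or `#` would likely be split or truncated when HAProxy parses the line, so the check would send a different string than Redis expects and report every node as down. The value should be validated before use (reject those characters, and also the empty string, which is truthy under Puppet 4 and would produce an empty AUTH) or escaped. The reply to AUTH is not checked either, and an explicit expect makes a wrong password fail at the AUTH step rather than at a later one: `$redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n", 'expect string +OK']`. The `if $redis` block closes outside this hunk.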