From d905ed08052ca5dc78b5f7f56f731394f19958ed Mon Sep 17 00:00:00 2001
From: Martin André
Date: Wed, 23 Aug 2017 12:44:42 +0200
Subject: Use TLS proxy for Redis' internal TLS

This uses the tls_proxy resource in front of the Redis server when internal TLS is enabled.

bp tls-via-certmonger

Co-Authored-By: Juan Antonio Osorio Robles
Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147
(cherry picked from commit 2d1d7875aa6f0b68005c84189627bc0716a7693f)
---
 manifests/profile/base/database/redis.pp | 71 ++++++++++++++++++++++++++++++--
 1 file changed, 68 insertions(+), 3 deletions(-)

(limited to 'manifests/profile/base/database/redis.pp')

diff --git a/manifests/profile/base/database/redis.pp b/manifests/profile/base/database/redis.pp
index e357359..8d4ed94 100644
--- a/manifests/profile/base/database/redis.pp
+++ b/manifests/profile/base/database/redis.pp
@@ -22,6 +22,26 @@
 # (Optional) Hostname of Redis master
 # Defaults to hiera('bootstrap_nodeid')
 #
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# redis_certificate_specs:
+# hostname:
+# service_certificate:
+# service_key:
+# principal: "haproxy/"
+# Defaults to hiera('redis_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*redis_network*]
+# (Optional) The network name where the redis endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('redis_network', undef)
+#
 # [*redis_node_ips*]
 # (Optional) List of Redis node ips
 # Defaults to hiera('redis_node_ips')
@@ -31,12 +51,57 @@
 # for more details.
 # Defaults to hiera('step')
 #
+# [*tls_proxy_bind_ip*]
+# IP on which the TLS proxy will listen on. Required only if
+# enable_internal_tls is set.
+# Defaults to undef
+#
+# [*tls_proxy_fqdn*]
+# fqdn on which the tls proxy will listen on. required only used if
+# enable_internal_tls is set.
+# defaults to undef
+#
+# [*tls_proxy_port*]
+# port on which the tls proxy will listen on. Only used if
+# enable_internal_tls is set.
+# defaults to 6379
+#
 class tripleo::profile::base::database::redis (
- $bootstrap_nodeid = hiera('bootstrap_nodeid'),
- $redis_node_ips = hiera('redis_node_ips'),
- $step = Integer(hiera('step')),
+ $bootstrap_nodeid = hiera('bootstrap_nodeid'),
+ $certificate_specs = hiera('redis_certificate_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $redis_network = hiera('redis_network', undef),
+ $redis_node_ips = hiera('redis_node_ips'),
+ $step = Integer(hiera('step')),
+ $tls_proxy_bind_ip = undef,
+ $tls_proxy_fqdn = undef,
+ $tls_proxy_port = 6379,
 ) {
 if $step >= 2 {
+ if $enable_internal_tls {
+ if !$redis_network {
+ fail('redis_network is not set in the hieradata.')
+ }
+ if !$tls_proxy_bind_ip {
+ fail('tls_proxy_bind_ip is not set in the hieradata.')
+ }
+ if !$tls_proxy_fqdn {
+ fail('tls_proxy_fqdn is required if internal TLS is enabled.')
+ }
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+
+ include ::tripleo::stunnel
+
+ ::tripleo::stunnel::service_proxy { 'redis':
+ accept_host => $tls_proxy_bind_ip,
+ accept_port => $tls_proxy_port,
+ connect_port => $tls_proxy_port,
+ certificate => $tls_certfile,
+ key => $tls_keyfile,
+ notify => Class['::redis'],
+ }
+ }
 if downcase($bootstrap_nodeid) == $::hostname {
 $slaveof = undef
 } else {
--
cgit 1.2.3-korg
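Review bot: `$tls_certfile` and `$tls_keyfile` are taken from `$certificate_specs['service_certificate']` and `$certificate_specs['service_key']` with no check, while the neighbouring `$redis_network`, `$tls_proxy_bind_ip` and `$tls_proxy_fqdn` each get a `fail()` guard; with the hiera default of `{}` both values are undef and the `::tripleo::stunnel::service_proxy { 'redis': }` resource is declared with an empty certificate and key, which fails later and less clearly than an explicit check would. Add a matching guard ahead of the two assignments, `if !$certificate_specs['service_certificate'] or !$certificate_specs['service_key'] { fail('redis_certificate_specs must provide service_certificate and service_key when internal TLS is enabled.') }`. The proxy accepts and connects on the same `$tls_proxy_port`, so this only protects traffic if the backend Redis binds to a different address (presumably loopback) than `$tls_proxy_bind_ip`; nothing in this hunk sets or documents that, and if it is handled further down in the class a comment at the resource saying so would help. `$redis_network` and `$tls_proxy_fqdn` are validated here but not referenced anywhere in the hunk; if they are not used later in the class those checks are dead code. The class body continues past the end of the hunk.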