aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin André <m.andre@redhat.com>2017-08-28 16:50:28 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-09-11 20:22:32 +0000
commit1fee3d63adee44d7c0bb8bb2529163a954216476 (patch)
tree835f1121b58dd57969f59e953bbca0c3fb5034e9
parente73c84ad5685df4cdca70d9ad255635de2cf63f7 (diff)
Enable redis TLS proxy in HA deployments
Redis does not have TLS out of the box. Let's use a proxy container for TLS termination. This commit enables redis TLS proxy for the HA deployment. bp tls-via-certmonger Change-Id: I45e539872a03878337def33c681c4577c1a5629e (cherry picked from commit c6d8df01d7aa8b44af9ac152b3bb08f07e2e02b7)
-rw-r--r--docker/services/pacemaker/database/redis.yaml93
1 files changed, 67 insertions, 26 deletions
diff --git a/docker/services/pacemaker/database/redis.yaml b/docker/services/pacemaker/database/redis.yaml
index 0b8aa046..ac641201 100644
--- a/docker/services/pacemaker/database/redis.yaml
+++ b/docker/services/pacemaker/database/redis.yaml
@@ -36,9 +36,19 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
+ ContainersCommon:
+ type: ../../containers-common.yaml
+
RedisBase:
type: ../../../../puppet/services/database/redis.yaml
properties:
@@ -74,6 +84,8 @@ outputs:
- 3124
- 6379
- 26379
+ tripleo::stunnel::manage_service: false
+ tripleo::stunnel::foreground: 'yes'
step_config: ""
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
@@ -109,6 +121,13 @@ outputs:
- path: /var/log/redis
owner: redis:redis
recurse: true
+ /var/lib/kolla/config_files/redis_tls_proxy.json:
+ command: stunnel /etc/stunnel/stunnel.conf
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
docker_config:
step_1:
redis_image_tag:
@@ -134,32 +153,54 @@ outputs:
- /usr/bin:/usr/bin:ro
- /var/run/docker.sock:/var/run/docker.sock:rw
step_2:
- redis_init_bundle:
- start_order: 2
- detach: false
- net: host
- user: root
- config_volume: 'redis_init_bundle'
- command:
- - '/bin/bash'
- - '-c'
- - str_replace:
- template:
- list_join:
- - '; '
- - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json"
- - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'"
- params:
- TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
- CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle'
- image: *redis_config_image
- volumes:
- - /etc/hosts:/etc/hosts:ro
- - /etc/localtime:/etc/localtime:ro
- - /etc/puppet:/tmp/puppet-etc:ro
- - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
- - /dev/shm:/dev/shm:rw
+ map_merge:
+ - redis_init_bundle:
+ start_order: 2
+ detach: false
+ net: host
+ user: root
+ config_volume: 'redis_init_bundle'
+ command:
+ - '/bin/bash'
+ - '-c'
+ - str_replace:
+ template:
+ list_join:
+ - '; '
+ - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json"
+ - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'"
+ params:
+ TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
+ CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle'
+ image: *redis_config_image
+ volumes:
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/puppet:/tmp/puppet-etc:ro
+ - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+ - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
+ - /dev/shm:/dev/shm:rw
+ - if:
+ - internal_tls_enabled
+ - redis_tls_proxy:
+ start_order: 3
+ image: *redis_image_pcmklatest
+ net: host
+ user: root
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+ - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro
+ - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - {}
+ metadata_settings:
+ get_attr: [RedisBase, role_data, metadata_settings]
host_prep_tasks:
- name: create /var/run/redis
file: