diff options
author | Martin André <m.andre@redhat.com> | 2017-08-23 08:53:12 +0200 |
---|---|---|
committer | Emilien Macchi <emilien@redhat.com> | 2017-09-06 06:47:55 +0000 |
commit | dc646db94395ce4ad29d430107f6cb19e7a44d31 (patch) | |
tree | ce510f11c88a36ba1219b47517bc5fc778372392 /puppet/services/database/redis-base.yaml | |
parent | 1b3264c2ad7a5ac3cfdf3f37dd6e899ee7063cfa (diff) |
TLS proxy for redis
Redis does not have TLS out of the box. Let's use a proxy container for
TLS termination.
bp tls-via-certmonger
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ie2ae0d048a71e1b1b4edb10c74bc0395a1a9d5c9
Depends-On: I078567c831ade540cf704f81564e2b7654c85c0b
Depends-On: Ia50933da9e59268b17f56db34d01dcc6b6c38147
(cherry picked from commit c2a93cf4c5d9d6b5ee0536380751a7a9540927cc)
Diffstat (limited to 'puppet/services/database/redis-base.yaml')
-rw-r--r-- | puppet/services/database/redis-base.yaml | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 2a6a89e9..8436062a 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -38,6 +38,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -53,10 +59,20 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - redis::bind: {get_param: [ServiceNetMap, RedisNetwork]} + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + redis::bind: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, RedisNetwork]} redis::port: 6379 redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}" redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' - redis::sentinel::sentinel_bind: {get_param: [ServiceNetMap, RedisNetwork]} + redis::sentinel::sentinel_bind: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, RedisNetwork]} redis::ulimit: {get_param: RedisFDLimit} |