summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ci/environments/scenario001-multinode-containers.yaml1
-rw-r--r--docker/services/ceph-ansible/ceph-base.yaml1
-rw-r--r--docker/services/database/redis.yaml87
-rw-r--r--docker/services/pacemaker/haproxy.yaml1
-rw-r--r--puppet/services/database/redis-base.yaml20
-rw-r--r--puppet/services/database/redis.yaml41
-rw-r--r--puppet/services/pacemaker/database/redis.yaml11
7 files changed, 136 insertions, 26 deletions
diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml
index 5014a79b..79d5a280 100644
--- a/ci/environments/scenario001-multinode-containers.yaml
+++ b/ci/environments/scenario001-multinode-containers.yaml
@@ -123,6 +123,7 @@ parameter_defaults:
CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ=='
CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw=='
CephPoolDefaultSize: 1
+ DockerCephDaemonImage: ceph/daemon:tag-build-master-jewel-centos-7
NovaEnableRbdBackend: true
CinderEnableRbdBackend: true
CinderBackupBackend: ceph
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index 2f2af2d6..2a592869 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -118,7 +118,6 @@ parameters:
DockerCephDaemonImage:
description: image
type: string
- default: 'ceph/daemon:tag-build-master-jewel-centos-7'
conditions:
custom_registry_host:
diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml
index 980a8c6d..487b4c67 100644
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -36,9 +36,19 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
+ ContainersCommon:
+ type: ../containers-common.yaml
+
RedisBase:
type: ../../../puppet/services/database/redis.yaml
properties:
@@ -56,6 +66,8 @@ outputs:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
- redis::daemonize: false
+ tripleo::stunnel::manage_service: false
+ tripleo::stunnel::foreground: 'yes'
step_config: &step_config
get_attr: [RedisBase, role_data, step_config]
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
@@ -80,31 +92,60 @@ outputs:
- path: /var/run/redis
owner: redis:redis
recurse: true
+ /var/lib/kolla/config_files/redis_tls_proxy.json:
+ command: stunnel /etc/stunnel/stunnel.conf
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
docker_config:
step_1:
- redis_init_logs:
- start_order: 0
- detach: false
- image: &redis_image {get_param: DockerRedisImage}
- privileged: false
- user: root
- volumes:
- - /var/log/containers/redis:/var/log/redis
- command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis']
- redis:
- start_order: 1
- image: *redis_image
- net: host
- privileged: false
- restart: always
- volumes:
- - /run:/run
- - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
- - /etc/localtime:/etc/localtime:ro
- - /var/log/containers/redis:/var/log/redis
- environment:
- - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ map_merge:
+ - redis_init_logs:
+ start_order: 0
+ detach: false
+ image: &redis_image {get_param: DockerRedisImage}
+ privileged: false
+ user: root
+ volumes:
+ - /var/log/containers/redis:/var/log/redis
+ command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis']
+ - redis:
+ start_order: 1
+ image: *redis_image
+ net: host
+ privileged: false
+ restart: always
+ volumes:
+ - /run:/run
+ - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /var/log/containers/redis:/var/log/redis
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - if:
+ - internal_tls_enabled
+ - redis_tls_proxy:
+ start_order: 2
+ image: *redis_image
+ net: host
+ user: root
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+ - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro
+ - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - {}
+ metadata_settings:
+ get_attr: [RedisBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 2e5c7424..3cdc5255 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -88,6 +88,7 @@ outputs:
- get_param: InternalTLSCAFile
- get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
+ - get_param: DeployedSSLCertificatePath
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
# disable the use CRL file until we can restart the container when the file expires
diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml
index 2a6a89e9..8436062a 100644
--- a/puppet/services/database/redis-base.yaml
+++ b/puppet/services/database/redis-base.yaml
@@ -38,6 +38,12 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@@ -53,10 +59,20 @@ outputs:
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- redis::bind: {get_param: [ServiceNetMap, RedisNetwork]}
+ # Bind to localhost if internal TLS is enabled, since we put a TLs
+ # proxy in front.
+ redis::bind:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, RedisNetwork]}
redis::port: 6379
redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}"
redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}"
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
- redis::sentinel::sentinel_bind: {get_param: [ServiceNetMap, RedisNetwork]}
+ redis::sentinel::sentinel_bind:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, RedisNetwork]}
redis::ulimit: {get_param: RedisFDLimit}
diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml
index bdcc4fcd..810e467e 100644
--- a/puppet/services/database/redis.yaml
+++ b/puppet/services/database/redis.yaml
@@ -30,8 +30,15 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
resources:
+
RedisBase:
type: ./redis-base.yaml
properties:
@@ -41,6 +48,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
@@ -55,8 +63,41 @@ outputs:
dport:
- 6379
- 26379
+ tripleo::profile::base::database::redis::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, RedisNetwork]
+ tripleo::profile::base::database::redis::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ tripleo::profile::base::database::redis::tls_proxy_port: 6379
+ - if:
+ - use_tls_proxy
+ - redis_certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/redis.crt'
+ service_key: '/etc/pki/tls/private/redis.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ principal:
+ str_replace:
+ template: "redis/%{hiera('cloud_name_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ - {}
step_config: |
include ::tripleo::profile::base::database::redis
+ metadata_settings:
+ if:
+ - use_tls_proxy
+ -
+ - service: redis
+ network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
+ type: vip
+ - null
upgrade_tasks:
- name: Check if redis is deployed
command: systemctl is-enabled redis
diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml
index 66eb4b2a..e466f304 100644
--- a/puppet/services/pacemaker/database/redis.yaml
+++ b/puppet/services/pacemaker/database/redis.yaml
@@ -53,5 +53,16 @@ outputs:
- redis::service_manage: false
redis::notify_service: false
redis::managed_by_cluster_manager: true
+ tripleo::profile::pacemaker::database::redis::tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, RedisNetwork]
+ tripleo::profile::pacemaker::database::redis::tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
+ tripleo::profile::pacemaker::database::redis::tls_proxy_port: 6379
step_config: |
include ::tripleo::profile::pacemaker::database::redis
+ metadata_settings:
+ get_attr: [RedisBase, role_data, metadata_settings]