diff options
-rw-r--r-- | ci/environments/scenario001-multinode-containers.yaml | 1 | ||||
-rw-r--r-- | docker/services/ceph-ansible/ceph-base.yaml | 1 | ||||
-rw-r--r-- | docker/services/database/redis.yaml | 87 | ||||
-rw-r--r-- | docker/services/pacemaker/haproxy.yaml | 1 | ||||
-rw-r--r-- | puppet/services/database/redis-base.yaml | 20 | ||||
-rw-r--r-- | puppet/services/database/redis.yaml | 41 | ||||
-rw-r--r-- | puppet/services/pacemaker/database/redis.yaml | 11 |
7 files changed, 136 insertions, 26 deletions
diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml index 5014a79b..79d5a280 100644 --- a/ci/environments/scenario001-multinode-containers.yaml +++ b/ci/environments/scenario001-multinode-containers.yaml @@ -123,6 +123,7 @@ parameter_defaults: CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ==' CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw==' CephPoolDefaultSize: 1 + DockerCephDaemonImage: ceph/daemon:tag-build-master-jewel-centos-7 NovaEnableRbdBackend: true CinderEnableRbdBackend: true CinderBackupBackend: ceph diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml index 2f2af2d6..2a592869 100644 --- a/docker/services/ceph-ansible/ceph-base.yaml +++ b/docker/services/ceph-ansible/ceph-base.yaml @@ -118,7 +118,6 @@ parameters: DockerCephDaemonImage: description: image type: string - default: 'ceph/daemon:tag-build-master-jewel-centos-7' conditions: custom_registry_host: diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml index 980a8c6d..487b4c67 100644 --- a/docker/services/database/redis.yaml +++ b/docker/services/database/redis.yaml @@ -36,9 +36,19 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ../containers-common.yaml + RedisBase: type: ../../../puppet/services/database/redis.yaml properties: @@ -56,6 +66,8 @@ outputs: map_merge: - {get_attr: [RedisBase, role_data, config_settings]} - redis::daemonize: false + tripleo::stunnel::manage_service: false + tripleo::stunnel::foreground: 'yes' step_config: &step_config get_attr: [RedisBase, role_data, step_config] service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} @@ -80,31 +92,60 @@ outputs: - path: /var/run/redis owner: redis:redis recurse: true + /var/lib/kolla/config_files/redis_tls_proxy.json: + command: stunnel /etc/stunnel/stunnel.conf + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true docker_config: step_1: - redis_init_logs: - start_order: 0 - detach: false - image: &redis_image {get_param: DockerRedisImage} - privileged: false - user: root - volumes: - - /var/log/containers/redis:/var/log/redis - command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] - redis: - start_order: 1 - image: *redis_image - net: host - privileged: false - restart: always - volumes: - - /run:/run - - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /var/log/containers/redis:/var/log/redis - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - redis_init_logs: + start_order: 0 + detach: false + image: &redis_image {get_param: DockerRedisImage} + privileged: false + user: root + volumes: + - /var/log/containers/redis:/var/log/redis + command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] + - redis: + start_order: 1 + image: *redis_image + net: host + privileged: false + restart: always + volumes: + - /run:/run + - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/localtime:/etc/localtime:ro + - /var/log/containers/redis:/var/log/redis + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - redis_tls_proxy: + start_order: 2 + image: *redis_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro + - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + metadata_settings: + get_attr: [RedisBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index 2e5c7424..3cdc5255 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml @@ -88,6 +88,7 @@ outputs: - get_param: InternalTLSCAFile - get_param: HAProxyInternalTLSKeysDirectory - get_param: HAProxyInternalTLSCertsDirectory + - get_param: DeployedSSLCertificatePath tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory} tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory} # disable the use CRL file until we can restart the container when the file expires diff --git a/puppet/services/database/redis-base.yaml b/puppet/services/database/redis-base.yaml index 2a6a89e9..8436062a 100644 --- a/puppet/services/database/redis-base.yaml +++ b/puppet/services/database/redis-base.yaml @@ -38,6 +38,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -53,10 +59,20 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - redis::bind: {get_param: [ServiceNetMap, RedisNetwork]} + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + redis::bind: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, RedisNetwork]} redis::port: 6379 redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}" redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}" redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh' - redis::sentinel::sentinel_bind: {get_param: [ServiceNetMap, RedisNetwork]} + redis::sentinel::sentinel_bind: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, RedisNetwork]} redis::ulimit: {get_param: RedisFDLimit} diff --git a/puppet/services/database/redis.yaml b/puppet/services/database/redis.yaml index bdcc4fcd..810e467e 100644 --- a/puppet/services/database/redis.yaml +++ b/puppet/services/database/redis.yaml @@ -30,8 +30,15 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: + RedisBase: type: ./redis-base.yaml properties: @@ -41,6 +48,7 @@ resources: EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} + EnableInternalTLS: {get_param: EnableInternalTLS} outputs: role_data: @@ -55,8 +63,41 @@ outputs: dport: - 6379 - 26379 + tripleo::profile::base::database::redis::tls_proxy_bind_ip: + get_param: [ServiceNetMap, RedisNetwork] + tripleo::profile::base::database::redis::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + tripleo::profile::base::database::redis::tls_proxy_port: 6379 + - if: + - use_tls_proxy + - redis_certificate_specs: + service_certificate: '/etc/pki/tls/certs/redis.crt' + service_key: '/etc/pki/tls/private/redis.key' + hostname: + str_replace: + template: "%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + principal: + str_replace: + template: "redis/%{hiera('cloud_name_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + - {} step_config: | include ::tripleo::profile::base::database::redis + metadata_settings: + if: + - use_tls_proxy + - + - service: redis + network: {get_param: [ServiceNetMap, RabbitmqNetwork]} + type: vip + - null upgrade_tasks: - name: Check if redis is deployed command: systemctl is-enabled redis diff --git a/puppet/services/pacemaker/database/redis.yaml b/puppet/services/pacemaker/database/redis.yaml index 66eb4b2a..e466f304 100644 --- a/puppet/services/pacemaker/database/redis.yaml +++ b/puppet/services/pacemaker/database/redis.yaml @@ -53,5 +53,16 @@ outputs: - redis::service_manage: false redis::notify_service: false redis::managed_by_cluster_manager: true + tripleo::profile::pacemaker::database::redis::tls_proxy_bind_ip: + get_param: [ServiceNetMap, RedisNetwork] + tripleo::profile::pacemaker::database::redis::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} + tripleo::profile::pacemaker::database::redis::tls_proxy_port: 6379 step_config: | include ::tripleo::profile::pacemaker::database::redis + metadata_settings: + get_attr: [RedisBase, role_data, metadata_settings] |