Redis: Enable SSL

This updates the redis server/client configuration so that ssl is enabled if the scenario globally enables ssl. Change-Id: Ic5c2bcc5ec256bc91e2dcd08337f8d1fa0ea49d8
2023-03-20 15:08:04 +09:00 · 2023-03-20 15:08:04 +09:00 · ca4a544416
parent 3a27628625
commit ca4a544416
2 changed files with 25 additions and 4 deletions
--- a/manifests/config.pp
+++ b/manifests/config.pp
@ -69,5 +69,5 @@ class openstack_integration::config (
  $base_url           = "${proto}://${ip_for_url}"
  $keystone_auth_uri  = "${base_url}:5000"
  $keystone_admin_uri = "${base_url}:5000"
-  $tooz_url           = "redis://:a_big_secret@${ip_for_url}:6379"
+  $tooz_url           = "redis://:a_big_secret@${ip_for_url}:6379?ssl=${::openstack_integration::config::ssl}"
 }
--- a/manifests/redis.pp
+++ b/manifests/redis.pp
@ -1,9 +1,30 @@
 class openstack_integration::redis {
  include openstack_integration::config

+  $port = $openstack_integration::config::ssl ? {
+    true    => 0,
+    default => 6379
+  }
+  $tls_port = $openstack_integration::config::ssl ? {
+    true    => 6379,
+    default => 0
+  }
+
  class { 'redis':
-    bind           => $::openstack_integration::config::host,
-    ulimit_managed => false,
-    requirepass    => 'a_big_secret',
+    bind             => $::openstack_integration::config::host,
+    port             => $port,
+    tls_port         => $tls_port,
+    tls_cert_file    => $::openstack_integration::params::cert_path,
+    tls_key_file     => "/etc/redis/ssl/private/${facts['networking']['fqdn']}.pem",
+    tls_ca_cert_file => $::openstack_integration::params::ca_bundle_cert_path,
+    ulimit_managed   => false,
+    requirepass      => 'a_big_secret',
+  }
+
+  if $::openstack_integration::config::ssl {
+    openstack_integration::ssl_key { 'redis':
+      require => Package[$::redis::package_name],
+      notify  => Service[$::redis::service_name],
+    }
  }
 }