Revert "Use TLS proxy for Redis' internal TLS"
This reverts commit 2d1d7875aa
.
Closes-Bug: #1735259
Change-Id: I37501c4c983c87e3a38841272eb176ebbe626a65
This commit is contained in:
parent
091b587acb
commit
fbc089eddf
|
@ -1,72 +0,0 @@
|
|||
# Copyright 2017 Red Hat, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
# == Class: tripleo::certmonger::redis
|
||||
#
|
||||
# Request a certificate for RabbitMQ and do the necessary setup.
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*hostname*]
|
||||
# The hostname of the node. this will be set in the CN of the certificate.
|
||||
#
|
||||
# [*service_certificate*]
|
||||
# The path to the certificate that will be used for TLS in this service.
|
||||
#
|
||||
# [*service_key*]
|
||||
# The path to the key that will be used for TLS in this service.
|
||||
#
|
||||
# [*certmonger_ca*]
|
||||
# (Optional) The CA that certmonger will use to generate the certificates.
|
||||
# Defaults to hiera('certmonger_ca', 'local').
|
||||
#
|
||||
# [*postsave_cmd*]
|
||||
# (Optional) Specifies the command to execute after requesting a certificate.
|
||||
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*principal*]
|
||||
# (Optional) The service principal that is set for the service in kerberos.
|
||||
# Defaults to undef
|
||||
#
|
||||
class tripleo::certmonger::redis (
|
||||
$hostname,
|
||||
$service_certificate,
|
||||
$service_key,
|
||||
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
||||
$postsave_cmd = undef,
|
||||
$principal = undef,
|
||||
) {
|
||||
include ::certmonger
|
||||
|
||||
certmonger_certificate { 'redis' :
|
||||
ensure => 'present',
|
||||
certfile => $service_certificate,
|
||||
keyfile => $service_key,
|
||||
hostname => $hostname,
|
||||
dnsname => $hostname,
|
||||
principal => $principal,
|
||||
postsave_cmd => $postsave_cmd,
|
||||
ca => $certmonger_ca,
|
||||
wait => true,
|
||||
require => Class['::certmonger'],
|
||||
}
|
||||
|
||||
file { $service_certificate :
|
||||
require => Certmonger_certificate['redis'],
|
||||
}
|
||||
file { $service_key :
|
||||
require => Certmonger_certificate['redis'],
|
||||
}
|
||||
}
|
|
@ -1434,19 +1434,11 @@ class tripleo::haproxy (
|
|||
}
|
||||
|
||||
if $redis {
|
||||
if $enable_internal_tls {
|
||||
$redis_tcp_check_ssl_options = ['connect ssl']
|
||||
$redis_ssl_member_options = ['check-ssl', "ca-file ${ca_bundle}"]
|
||||
} else {
|
||||
$redis_tcp_check_ssl_options = []
|
||||
$redis_ssl_member_options = []
|
||||
}
|
||||
if $redis_password {
|
||||
$redis_tcp_check_password_options = ["send AUTH\\ ${redis_password}\\r\\n"]
|
||||
$redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
|
||||
} else {
|
||||
$redis_tcp_check_password_options = []
|
||||
$redis_tcp_check_options = []
|
||||
}
|
||||
$redis_tcp_check_options = union($redis_tcp_check_ssl_options, $redis_tcp_check_password_options)
|
||||
haproxy::listen { 'redis':
|
||||
bind => $redis_bind_opts,
|
||||
options => {
|
||||
|
@ -1466,8 +1458,7 @@ class tripleo::haproxy (
|
|||
ports => '6379',
|
||||
ipaddresses => hiera('redis_node_ips', $controller_hosts_real),
|
||||
server_names => hiera('redis_node_names', $controller_hosts_names_real),
|
||||
options => union($haproxy_member_options, $redis_ssl_member_options),
|
||||
verifyhost => false,
|
||||
options => $haproxy_member_options,
|
||||
}
|
||||
if $manage_firewall {
|
||||
include ::tripleo::firewall
|
||||
|
|
|
@ -18,30 +18,20 @@
|
|||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*enable_internal_tls*]
|
||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||
# Defaults to hiera('enable_internal_tls', false)
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
# Defaults to hiera('step')
|
||||
#
|
||||
class tripleo::profile::base::aodh::evaluator (
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$step = Integer(hiera('step')),
|
||||
$step = Integer(hiera('step')),
|
||||
) {
|
||||
|
||||
include ::tripleo::profile::base::aodh
|
||||
if $enable_internal_tls {
|
||||
$tls_query_param = '?ssl=true'
|
||||
} else {
|
||||
$tls_query_param = ''
|
||||
}
|
||||
|
||||
if $step >= 4 {
|
||||
class { '::aodh::evaluator':
|
||||
coordination_url => join(['redis://:', hiera('aodh_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/', $tls_query_param]),
|
||||
coordination_url => join(['redis://:', hiera('aodh_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -18,31 +18,20 @@
|
|||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*enable_internal_tls*]
|
||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||
# Defaults to hiera('enable_internal_tls', false)
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
# Defaults to hiera('step')
|
||||
#
|
||||
class tripleo::profile::base::ceilometer::agent::central (
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$step = Integer(hiera('step')),
|
||||
$step = Integer(hiera('step')),
|
||||
) {
|
||||
include ::tripleo::profile::base::ceilometer
|
||||
|
||||
if $enable_internal_tls {
|
||||
$tls_query_param = '?ssl=true'
|
||||
} else {
|
||||
$tls_query_param = ''
|
||||
}
|
||||
|
||||
if $step >= 4 {
|
||||
include ::ceilometer::agent::auth
|
||||
class { '::ceilometer::agent::central':
|
||||
coordination_url => join(['redis://:', hiera('ceilometer_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/', $tls_query_param]),
|
||||
coordination_url => join(['redis://:', hiera('ceilometer_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -26,10 +26,6 @@
|
|||
# (Optional) Use compute namespace for polling agent.
|
||||
# Defaults to false.
|
||||
#
|
||||
# [*enable_internal_tls*]
|
||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||
# Defaults to hiera('enable_internal_tls', false)
|
||||
#
|
||||
# [*ipmi_namespace*]
|
||||
# (Optional) Use ipmi namespace for polling agent.
|
||||
# Defaults to false.
|
||||
|
@ -48,7 +44,6 @@
|
|||
class tripleo::profile::base::ceilometer::agent::polling (
|
||||
$central_namespace = hiera('central_namespace', false),
|
||||
$compute_namespace = hiera('compute_namespace', false),
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$ipmi_namespace = hiera('ipmi_namespace', false),
|
||||
$ceilometer_redis_password = hiera('ceilometer_redis_password', undef),
|
||||
$redis_vip = hiera('redis_vip', undef),
|
||||
|
@ -60,19 +55,13 @@ class tripleo::profile::base::ceilometer::agent::polling (
|
|||
include ::tripleo::profile::base::ceilometer::upgrade
|
||||
}
|
||||
|
||||
if $enable_internal_tls {
|
||||
$tls_query_param = '?ssl=true'
|
||||
} else {
|
||||
$tls_query_param = ''
|
||||
}
|
||||
|
||||
if $step >= 4 {
|
||||
include ::ceilometer::agent::auth
|
||||
class { '::ceilometer::agent::polling':
|
||||
central_namespace => $central_namespace,
|
||||
compute_namespace => $compute_namespace,
|
||||
ipmi_namespace => $ipmi_namespace,
|
||||
coordination_url => join(['redis://:', $ceilometer_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/', $tls_query_param]),
|
||||
coordination_url => join(['redis://:', $ceilometer_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -78,11 +78,6 @@
|
|||
# it will create.
|
||||
# Defaults to hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}).
|
||||
#
|
||||
# [*redis_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Defaults to hiera('redis_certificate_specs', {}).
|
||||
#
|
||||
# [*etcd_certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
|
@ -98,7 +93,6 @@ class tripleo::profile::base::certmonger_user (
|
|||
$mongodb_certificate_specs = hiera('mongodb_certificate_specs',{}),
|
||||
$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
|
||||
$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
|
||||
$redis_certificate_specs = hiera('redis_certificate_specs', {}),
|
||||
$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
|
||||
) {
|
||||
unless empty($haproxy_certificates_specs) {
|
||||
|
@ -143,9 +137,6 @@ class tripleo::profile::base::certmonger_user (
|
|||
unless empty($rabbitmq_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::rabbitmq', $rabbitmq_certificate_specs)
|
||||
}
|
||||
unless empty($redis_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::redis', $redis_certificate_specs)
|
||||
}
|
||||
unless empty($etcd_certificate_specs) {
|
||||
ensure_resource('class', 'tripleo::certmonger::etcd', $etcd_certificate_specs)
|
||||
}
|
||||
|
|
|
@ -22,26 +22,6 @@
|
|||
# (Optional) Hostname of Redis master
|
||||
# Defaults to hiera('bootstrap_nodeid')
|
||||
#
|
||||
# [*certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Example with hiera:
|
||||
# redis_certificate_specs:
|
||||
# hostname: <overcloud controller fqdn>
|
||||
# service_certificate: <service certificate path>
|
||||
# service_key: <service key path>
|
||||
# principal: "haproxy/<overcloud controller fqdn>"
|
||||
# Defaults to hiera('redis_certificate_specs', {}).
|
||||
#
|
||||
# [*enable_internal_tls*]
|
||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||
# Defaults to hiera('enable_internal_tls', false)
|
||||
#
|
||||
# [*redis_network*]
|
||||
# (Optional) The network name where the redis endpoint is listening on.
|
||||
# This is set by t-h-t.
|
||||
# Defaults to hiera('redis_network', undef)
|
||||
#
|
||||
# [*redis_node_ips*]
|
||||
# (Optional) List of Redis node ips
|
||||
# Defaults to hiera('redis_node_ips')
|
||||
|
@ -51,57 +31,12 @@
|
|||
# for more details.
|
||||
# Defaults to hiera('step')
|
||||
#
|
||||
# [*tls_proxy_bind_ip*]
|
||||
# IP on which the TLS proxy will listen on. Required only if
|
||||
# enable_internal_tls is set.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*tls_proxy_fqdn*]
|
||||
# fqdn on which the tls proxy will listen on. required only used if
|
||||
# enable_internal_tls is set.
|
||||
# defaults to undef
|
||||
#
|
||||
# [*tls_proxy_port*]
|
||||
# port on which the tls proxy will listen on. Only used if
|
||||
# enable_internal_tls is set.
|
||||
# defaults to 6379
|
||||
#
|
||||
class tripleo::profile::base::database::redis (
|
||||
$bootstrap_nodeid = hiera('bootstrap_nodeid'),
|
||||
$certificate_specs = hiera('redis_certificate_specs', {}),
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$redis_network = hiera('redis_network', undef),
|
||||
$redis_node_ips = hiera('redis_node_ips'),
|
||||
$step = Integer(hiera('step')),
|
||||
$tls_proxy_bind_ip = undef,
|
||||
$tls_proxy_fqdn = undef,
|
||||
$tls_proxy_port = 6379,
|
||||
$bootstrap_nodeid = hiera('bootstrap_nodeid'),
|
||||
$redis_node_ips = hiera('redis_node_ips'),
|
||||
$step = Integer(hiera('step')),
|
||||
) {
|
||||
if $step >= 2 {
|
||||
if $enable_internal_tls {
|
||||
if !$redis_network {
|
||||
fail('redis_network is not set in the hieradata.')
|
||||
}
|
||||
if !$tls_proxy_bind_ip {
|
||||
fail('tls_proxy_bind_ip is not set in the hieradata.')
|
||||
}
|
||||
if !$tls_proxy_fqdn {
|
||||
fail('tls_proxy_fqdn is required if internal TLS is enabled.')
|
||||
}
|
||||
$tls_certfile = $certificate_specs['service_certificate']
|
||||
$tls_keyfile = $certificate_specs['service_key']
|
||||
|
||||
include ::tripleo::stunnel
|
||||
|
||||
::tripleo::stunnel::service_proxy { 'redis':
|
||||
accept_host => $tls_proxy_bind_ip,
|
||||
accept_port => $tls_proxy_port,
|
||||
connect_port => $tls_proxy_port,
|
||||
certificate => $tls_certfile,
|
||||
key => $tls_keyfile,
|
||||
notify => Class['::redis'],
|
||||
}
|
||||
}
|
||||
if downcase($bootstrap_nodeid) == $::hostname {
|
||||
$slaveof = undef
|
||||
} else {
|
||||
|
|
|
@ -84,11 +84,9 @@ class tripleo::profile::base::gnocchi::api (
|
|||
}
|
||||
$tls_certfile = $certificates_specs["httpd-${gnocchi_network}"]['service_certificate']
|
||||
$tls_keyfile = $certificates_specs["httpd-${gnocchi_network}"]['service_key']
|
||||
$tls_query_param = '?ssl=true'
|
||||
} else {
|
||||
$tls_certfile = undef
|
||||
$tls_keyfile = undef
|
||||
$tls_query_param = ''
|
||||
}
|
||||
|
||||
if $step >= 4 and $sync_db {
|
||||
|
@ -106,11 +104,11 @@ class tripleo::profile::base::gnocchi::api (
|
|||
|
||||
if $step >= 4 {
|
||||
class { '::gnocchi::storage':
|
||||
coordination_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/', $tls_query_param]),
|
||||
coordination_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']),
|
||||
}
|
||||
|
||||
class { '::gnocchi::storage::incoming::redis':
|
||||
redis_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/', $tls_query_param]),
|
||||
redis_url => join(['redis://:', $gnocchi_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']),
|
||||
}
|
||||
|
||||
case $gnocchi_backend {
|
||||
|
|
|
@ -87,11 +87,9 @@ class tripleo::profile::base::zaqar (
|
|||
}
|
||||
$tls_certfile = $certificates_specs["httpd-${zaqar_api_network}"]['service_certificate']
|
||||
$tls_keyfile = $certificates_specs["httpd-${zaqar_api_network}"]['service_key']
|
||||
$tls_query_param = '?ssl=true'
|
||||
} else {
|
||||
$tls_certfile = undef
|
||||
$tls_keyfile = undef
|
||||
$tls_query_param = ''
|
||||
}
|
||||
|
||||
if $step >= 4 or ( $step >= 3 and $is_bootstrap ) {
|
||||
|
@ -118,7 +116,7 @@ class tripleo::profile::base::zaqar (
|
|||
}
|
||||
} elsif $messaging_store == 'redis' {
|
||||
class {'::zaqar::messaging::redis':
|
||||
uri => join(['redis://:', $zaqar_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/', $tls_query_param]),
|
||||
uri => join(['redis://:', $zaqar_redis_password, '@', normalize_ip_for_uri($redis_vip), ':6379/']),
|
||||
}
|
||||
} else {
|
||||
fail("unsupported Zaqar messaging_store set: ${messaging_store}")
|
||||
|
|
|
@ -22,21 +22,6 @@
|
|||
# (Optional) The hostname of the node responsible for bootstrapping tasks
|
||||
# Defaults to hiera('redis_short_bootstrap_node_name')
|
||||
#
|
||||
# [*certificate_specs*]
|
||||
# (Optional) The specifications to give to certmonger for the certificate(s)
|
||||
# it will create.
|
||||
# Example with hiera:
|
||||
# redis_certificate_specs:
|
||||
# hostname: <overcloud controller fqdn>
|
||||
# service_certificate: <service certificate path>
|
||||
# service_key: <service key path>
|
||||
# principal: "haproxy/<overcloud controller fqdn>"
|
||||
# Defaults to hiera('redis_certificate_specs', {}).
|
||||
#
|
||||
# [*enable_internal_tls*]
|
||||
# (Optional) Whether TLS in the internal network is enabled or not.
|
||||
# Defaults to hiera('enable_internal_tls', false)
|
||||
#
|
||||
# [*enable_load_balancer*]
|
||||
# (Optional) Whether load balancing is enabled for this cluster
|
||||
# Defaults to hiera('enable_load_balancer', true)
|
||||
|
@ -54,42 +39,16 @@
|
|||
# https://github.com/arioch/puppet-redis/pull/192. Set redis::ulimit via hiera
|
||||
# to control this limit.
|
||||
#
|
||||
# [*redis_network*]
|
||||
# (Optional) The network name where the redis endpoint is listening on.
|
||||
# This is set by t-h-t.
|
||||
# Defaults to hiera('redis_network', undef)
|
||||
#
|
||||
# [*pcs_tries*]
|
||||
# (Optional) The number of times pcs commands should be retried.
|
||||
# Defaults to hiera('pcs_tries', 20)
|
||||
#
|
||||
# [*tls_proxy_bind_ip*]
|
||||
# IP on which the TLS proxy will listen on. Required only if
|
||||
# enable_internal_tls is set.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*tls_proxy_fqdn*]
|
||||
# fqdn on which the tls proxy will listen on. required only used if
|
||||
# enable_internal_tls is set.
|
||||
# defaults to undef
|
||||
#
|
||||
# [*tls_proxy_port*]
|
||||
# port on which the tls proxy will listen on. Only used if
|
||||
# enable_internal_tls is set.
|
||||
# defaults to 6379
|
||||
#
|
||||
class tripleo::profile::pacemaker::database::redis (
|
||||
$certificate_specs = hiera('redis_certificate_specs', {}),
|
||||
$enable_internal_tls = hiera('enable_internal_tls', false),
|
||||
$bootstrap_node = hiera('redis_short_bootstrap_node_name'),
|
||||
$enable_load_balancer = hiera('enable_load_balancer', true),
|
||||
$step = Integer(hiera('step')),
|
||||
$redis_file_limit = undef,
|
||||
$redis_network = hiera('redis_network', undef),
|
||||
$pcs_tries = hiera('pcs_tries', 20),
|
||||
$tls_proxy_bind_ip = undef,
|
||||
$tls_proxy_fqdn = undef,
|
||||
$tls_proxy_port = 6379,
|
||||
) {
|
||||
if $::hostname == downcase($bootstrap_node) {
|
||||
$pacemaker_master = true
|
||||
|
@ -98,30 +57,6 @@ class tripleo::profile::pacemaker::database::redis (
|
|||
}
|
||||
|
||||
if $step >= 1 {
|
||||
if $enable_internal_tls {
|
||||
if !$redis_network {
|
||||
fail('redis_network is not set in the hieradata.')
|
||||
}
|
||||
if !$tls_proxy_bind_ip {
|
||||
fail('tls_proxy_bind_ip is not set in the hieradata.')
|
||||
}
|
||||
if !$tls_proxy_fqdn {
|
||||
fail('tls_proxy_fqdn is required if internal TLS is enabled.')
|
||||
}
|
||||
$tls_certfile = $certificate_specs['service_certificate']
|
||||
$tls_keyfile = $certificate_specs['service_key']
|
||||
|
||||
include ::tripleo::stunnel
|
||||
|
||||
::tripleo::stunnel::service_proxy { 'redis':
|
||||
accept_host => $tls_proxy_bind_ip,
|
||||
accept_port => $tls_proxy_port,
|
||||
connect_port => $tls_proxy_port,
|
||||
certificate => $tls_certfile,
|
||||
key => $tls_keyfile,
|
||||
notify => Class['::redis'],
|
||||
}
|
||||
}
|
||||
# If the old hiera key exists we use that to set the ulimit in order not to break
|
||||
# operators which set it. We might remove this in a later release (post pike anyway)
|
||||
$old_redis_file_limit = hiera('redis_file_limit', undef)
|
||||
|
|
Loading…
Reference in New Issue