32cce5f150
This patch reverts the revert of Redis TLS [1], and fixes the encryption of Redis replication traffic for HA deployments. In order to encrypt replication traffic, Redis is configured to drive outgoing replication traffic to a stunnel endpoint on <localhost:port_xxx>. Stunnel then manages the encryption up to the peer Redis master. Likewise, slave Redis nodes advertise themselves as coming from <localhost:port_yyy> in order to let the Master initiate connection the Slave over its own stunnel endpoint, should it needs to. Each redis node is assigned a unique replication port, and has dedicated stunnels to each one of its peer. This port mapping info is used by the redis resource agent to manage A/P failover. The regular Redis port is unchanged, so Redis clients (OpenStack services, HAproxy, CLI, firewall) are not impacted by this change. Only SELinux needs to be adapted. [1] I37501c4c983c87e3a38841272eb176ebbe626a65 Change-Id: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1 Related-bug: #1737707
73 lines
2.2 KiB
Puppet
73 lines
2.2 KiB
Puppet
# Copyright 2017 Red Hat, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# == Class: tripleo::certmonger::redis
|
|
#
|
|
# Request a certificate for RabbitMQ and do the necessary setup.
|
|
#
|
|
# === Parameters
|
|
#
|
|
# [*hostname*]
|
|
# The hostname of the node. this will be set in the CN of the certificate.
|
|
#
|
|
# [*service_certificate*]
|
|
# The path to the certificate that will be used for TLS in this service.
|
|
#
|
|
# [*service_key*]
|
|
# The path to the key that will be used for TLS in this service.
|
|
#
|
|
# [*certmonger_ca*]
|
|
# (Optional) The CA that certmonger will use to generate the certificates.
|
|
# Defaults to hiera('certmonger_ca', 'local').
|
|
#
|
|
# [*postsave_cmd*]
|
|
# (Optional) Specifies the command to execute after requesting a certificate.
|
|
# If nothing is given, it will default to: "systemctl restart ${service name}"
|
|
# Defaults to undef.
|
|
#
|
|
# [*principal*]
|
|
# (Optional) The service principal that is set for the service in kerberos.
|
|
# Defaults to undef
|
|
#
|
|
class tripleo::certmonger::redis (
|
|
$hostname,
|
|
$service_certificate,
|
|
$service_key,
|
|
$certmonger_ca = hiera('certmonger_ca', 'local'),
|
|
$postsave_cmd = undef,
|
|
$principal = undef,
|
|
) {
|
|
include ::certmonger
|
|
|
|
certmonger_certificate { 'redis' :
|
|
ensure => 'present',
|
|
certfile => $service_certificate,
|
|
keyfile => $service_key,
|
|
hostname => $hostname,
|
|
dnsname => $hostname,
|
|
principal => $principal,
|
|
postsave_cmd => $postsave_cmd,
|
|
ca => $certmonger_ca,
|
|
wait => true,
|
|
require => Class['::certmonger'],
|
|
}
|
|
|
|
file { $service_certificate :
|
|
require => Certmonger_certificate['redis'],
|
|
}
|
|
file { $service_key :
|
|
require => Certmonger_certificate['redis'],
|
|
}
|
|
}
|