This patch reverts the revert of Redis TLS [1], and fixes the encryption of Redis replication traffic for HA deployments. In order to encrypt replication traffic, Redis is configured to send outgoing replication traffic to a stunnel endpoint on <localhost:port_xxx>. Stunnel then handles the encryption up to the peer Redis master. Likewise, slave Redis nodes advertise themselves as reachable at <localhost:port_yyy>, so that the master can initiate a connection to the slave over its own stunnel endpoint, should it need to. Each Redis node is assigned a unique replication port and has a dedicated stunnel to each of its peers. This port-mapping information is used by the Redis resource agent to manage A/P failover. The regular Redis port is unchanged, so Redis clients (OpenStack services, HAProxy, CLI, firewall) are not impacted by this change. Only SELinux needs to be adapted. [1] I37501c4c983c87e3a38841272eb176ebbe626a65 Change-Id: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1 Related-bug: #1737707
# Copyright 2016 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::ceilometer::agent::polling
#
# Ceilometer polling agent profile for tripleo
#
# === Parameters
#
# [*central_namespace*]
#   (Optional) Use the central namespace for the polling agent.
#   Defaults to false.
#
# [*compute_namespace*]
#   (Optional) Use the compute namespace for the polling agent.
#   Defaults to false.
#
# [*enable_internal_tls*]
#   (Optional) Whether TLS in the internal network is enabled or not.
#   When true, '?ssl=true' is appended to the Redis coordination url so the
#   tooz client connects to Redis over TLS.
#   Defaults to hiera('enable_internal_tls', false)
#
# [*ipmi_namespace*]
#   (Optional) Use the ipmi namespace for the polling agent.
#   Defaults to false.
#
# [*ceilometer_redis_password*]
#   (Optional) Redis password used in the coordination url. It is embedded
#   verbatim (not URL-encoded) in the 'redis://:<password>@<vip>:6379/' url
#   written to the ceilometer configuration, so it should not contain URL
#   reserved characters such as '@', '/', ':' or '?'.
#   Defaults to hiera('ceilometer_redis_password', undef)
#
# [*redis_vip*]
#   (Optional) Redis VIP used as the host part of the coordination url. It
#   is needed whenever the polling agent is configured (step >= 4), since a
#   coordination url without a host is not usable.
#   Defaults to hiera('redis_vip', undef)
#
# [*step*]
#   (Optional) The current step in deployment. See tripleo-heat-templates
#   for more details. The polling agent itself is only configured at step 4
#   and later.
#   Defaults to hiera('step')
#
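class tripleo::profile::base::ceilometer::agent::polling (
  $central_namespace         = hiera('central_namespace', false),
  $compute_namespace         = hiera('compute_namespace', false),
  $enable_internal_tls       = hiera('enable_internal_tls', false),
  $ipmi_namespace            = hiera('ipmi_namespace', false),
  $ceilometer_redis_password = hiera('ceilometer_redis_password', undef),
  $redis_vip                 = hiera('redis_vip', undef),
  $step                      = Integer(hiera('step')),
) {
  include ::tripleo::profile::base::ceilometer

  # The upgrade profile is only pulled in on nodes running the central agent.
  if $central_namespace {
    include ::tripleo::profile::base::ceilometer::upgrade
  }

  # TLS towards Redis is requested through the tooz url query string. The
  # plain 'if' form is kept on purpose: any value other than false/undef
  # counts as enabled, as it did before.
  if $enable_internal_tls {
    $tls_query_param = '?ssl=true'
  } else {
    $tls_query_param = ''
  }

  if $step >= 4 {
    include ::ceilometer::agent::auth

    # A coordination url without a host is never usable; refuse to write
    # 'redis://:<password>@:6379/' into the ceilometer configuration.
    if $redis_vip == undef or $redis_vip == '' {
      fail('tripleo::profile::base::ceilometer::agent::polling: redis_vip must be set to build the Redis coordination url')
    }

    # Emit the userinfo part only when a password was actually supplied,
    # instead of the empty ':@' credentials join() produced for undef.
    # NOTE(review): the password is inserted verbatim and is not URL-encoded;
    # a value containing '@', '/', ':' or '?' may break url parsing on the
    # tooz side. Restrict the password charset or add escaping if that can
    # happen in practice.
    if $ceilometer_redis_password == undef {
      $redis_userinfo = ''
    } else {
      $redis_userinfo = ":${ceilometer_redis_password}@"
    }

    # 6379 is the regular client-facing Redis port. Encryption of the
    # replication traffic is handled by stunnel between the Redis nodes and
    # does not change the port clients connect to.
    $redis_host       = normalize_ip_for_uri($redis_vip)
    $coordination_url = "redis://${redis_userinfo}${redis_host}:6379/${tls_query_param}"

    class { '::ceilometer::agent::polling':
      central_namespace => $central_namespace,
      compute_namespace => $compute_namespace,
      ipmi_namespace    => $ipmi_namespace,
      coordination_url  => $coordination_url,
    }
  }
}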
|