32cce5f150
This patch reverts the revert of Redis TLS [1], and fixes the encryption of Redis replication traffic for HA deployments. In order to encrypt replication traffic, Redis is configured to drive outgoing replication traffic to a stunnel endpoint on <localhost:port_xxx>. Stunnel then manages the encryption up to the peer Redis master. Likewise, slave Redis nodes advertise themselves as coming from <localhost:port_yyy> in order to let the Master initiate connection the Slave over its own stunnel endpoint, should it needs to. Each redis node is assigned a unique replication port, and has dedicated stunnels to each one of its peer. This port mapping info is used by the redis resource agent to manage A/P failover. The regular Redis port is unchanged, so Redis clients (OpenStack services, HAproxy, CLI, firewall) are not impacted by this change. Only SELinux needs to be adapted. [1] I37501c4c983c87e3a38841272eb176ebbe626a65 Change-Id: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1 Related-bug: #1737707 |
||
|---|---|---|
| .. | ||
| ca | ||
| apache_dirs.pp | ||
| etcd.pp | ||
| haproxy.pp | ||
| haproxy_dirs.pp | ||
| httpd.pp | ||
| libvirt.pp | ||
| libvirt_dirs.pp | ||
| mongodb.pp | ||
| mysql.pp | ||
| neutron.pp | ||
| opendaylight.pp | ||
| openvswitch.pp | ||
| rabbitmq.pp | ||
| redis.pp | ||