32cce5f150
This patch reverts the revert of Redis TLS [1], and fixes the encryption of Redis replication traffic for HA deployments. In order to encrypt replication traffic, Redis is configured to drive outgoing replication traffic to a stunnel endpoint on <localhost:port_xxx>. Stunnel then manages the encryption up to the peer Redis master. Likewise, slave Redis nodes advertise themselves as coming from <localhost:port_yyy> in order to let the Master initiate connection the Slave over its own stunnel endpoint, should it needs to. Each redis node is assigned a unique replication port, and has dedicated stunnels to each one of its peer. This port mapping info is used by the redis resource agent to manage A/P failover. The regular Redis port is unchanged, so Redis clients (OpenStack services, HAproxy, CLI, firewall) are not impacted by this change. Only SELinux needs to be adapted. [1] I37501c4c983c87e3a38841272eb176ebbe626a65 Change-Id: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1 Related-bug: #1737707 |
||
---|---|---|
.. | ||
ca | ||
apache_dirs.pp | ||
etcd.pp | ||
haproxy.pp | ||
haproxy_dirs.pp | ||
httpd.pp | ||
libvirt.pp | ||
libvirt_dirs.pp | ||
mongodb.pp | ||
mysql.pp | ||
neutron.pp | ||
opendaylight.pp | ||
openvswitch.pp | ||
rabbitmq.pp | ||
redis.pp |