Add TLS capabilities to Memcached service
Co-Authored-By: Grzegorz Grasza <xek@redhat.com> Depends-On: https://review.opendev.org/745532 Change-Id: Ia738f6e8904a337f911cfdd58b09932c10397764
parent
eaecf1bb72
commit
50c22d629c
@ -62,8 +62,13 @@ parameters:
|
|||||||
of the internal network. Use this parameter with caution and be aware of
|
of the internal network. Use this parameter with caution and be aware of
|
||||||
opening memcached to external network can be dangerous.
|
opening memcached to external network can be dangerous.
|
||||||
type: string
|
type: string
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
type: boolean
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||||
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
||||||
service_debug:
|
service_debug:
|
||||||
or:
|
or:
|
||||||
@ -108,6 +113,8 @@ outputs:
|
|||||||
source: {get_param: MemcachedIpSubnet}
|
source: {get_param: MemcachedIpSubnet}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
||||||
config_settings:
|
config_settings:
|
||||||
|
map_merge:
|
||||||
|
-
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
# internal_api -> IP
|
# internal_api -> IP
|
||||||
@ -139,6 +146,27 @@ outputs:
|
|||||||
- ''
|
- ''
|
||||||
memcached::disable_cachedump: true
|
memcached::disable_cachedump: true
|
||||||
memcached::logfile: '/var/log/memcached/memcached.log'
|
memcached::logfile: '/var/log/memcached/memcached.log'
|
||||||
|
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- generate_service_certificates: true
|
||||||
|
tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt'
|
||||||
|
tripleo::profile::base::memcached::certificate_specs:
|
||||||
|
service_certificate: '/etc/pki/tls/certs/memcached.crt'
|
||||||
|
service_key: '/etc/pki/tls/private/memcached.key'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_$NETWORK')}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "memcached/%{hiera('fqdn_$NETWORK')}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
|
||||||
|
- {}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
collectd:
|
collectd:
|
||||||
tripleo.collectd.plugins.memcached:
|
tripleo.collectd.plugins.memcached:
|
||||||
@ -162,10 +190,21 @@ outputs:
|
|||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/log/memcached
|
- path: /var/log/memcached
|
||||||
owner: memcached:memcached
|
owner: memcached:memcached
|
||||||
recurse: true
|
recurse: true
|
||||||
|
- path: /etc/pki/tls/certs/memcached.crt
|
||||||
|
owner: memcached:memcached
|
||||||
|
optional: true
|
||||||
|
- path: /etc/pki/tls/private/memcached.key
|
||||||
|
owner: memcached:memcached
|
||||||
|
optional: true
|
||||||
docker_config:
|
docker_config:
|
||||||
step_1:
|
step_1:
|
||||||
memcached:
|
memcached:
|
||||||
@ -183,8 +222,22 @@ outputs:
|
|||||||
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
|
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
|
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
|
||||||
- /var/log/containers/memcached:/var/log/memcached:rw
|
- /var/log/containers/memcached:/var/log/memcached:rw
|
||||||
|
- if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro
|
||||||
|
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro
|
||||||
|
- null
|
||||||
environment:
|
environment:
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
|
metadata_settings:
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- service: memcached
|
||||||
|
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
type: node
|
||||||
|
- null
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
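Review bot: The new `permissions` entry for `/etc/pki/tls/private/memcached.key` in the `@ -162,10 +190,21 @@` hunk sets `owner: memcached:memcached` only, so the key's mode inside the container is whatever the host copy carried; kolla's `permissions` entries also accept a `perm` field, and adding `perm: '0600'` under that entry would pin the private key to owner-only access regardless of how certmonger wrote it (the `.crt` entry can stay as is). A smaller point in the first hunk: the condition is named `internal_tls_enabled` but is keyed on the service-specific `MemcachedTLS` parameter rather than the deployment-wide `EnableInternalTLS`, so a name such as `memcached_tls_enabled` would make the later `if:` blocks read correctly and avoid confusion with the like-named condition that, as I recall, other service templates derive from `EnableInternalTLS`. The `MemcachedTLS` description could also state that explicitly, e.g. `description: Set to true to enable TLS on the Memcached service; this is independent of EnableInternalTLS and must be set explicitly.` Indentation has been lost in this rendering, so the nesting of the new `if:` blocks under `map_merge`, `volumes` and `metadata_settings` cannot be checked here.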