Add TLS capabilities to Memcached service

Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Depends-On: https://review.opendev.org/745532
Change-Id: Ia738f6e8904a337f911cfdd58b09932c10397764
Moisés Guimarães de Medeiros 2020-08-17 12:07:37 +02:00 committed by Moisés Guimarães
parent eaecf1bb72
commit 50c22d629c


@ -62,8 +62,13 @@ parameters:
of the internal network. Use this parameter with caution and be aware of of the internal network. Use this parameter with caution and be aware of
opening memcached to external network can be dangerous. opening memcached to external network can be dangerous.
type: string type: string
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
type: boolean
conditions: conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']} memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
service_debug: service_debug:
or: or:
@ -108,37 +113,60 @@ outputs:
source: {get_param: MemcachedIpSubnet} source: {get_param: MemcachedIpSubnet}
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached} monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
config_settings: config_settings:
# NOTE: bind IP is found in hiera replacing the network name with the local node IP map_merge:
# for the given network; replacement examples (eg. for internal_api): -
# internal_api -> IP # NOTE: bind IP is found in hiera replacing the network name with the local node IP
# internal_api_uri -> [IP] # for the given network; replacement examples (eg. for internal_api):
# internal_api_subnet - > IP/CIDR # internal_api -> IP
memcached::listen_ip: # internal_api_uri -> [IP]
str_replace: # internal_api_subnet - > IP/CIDR
template: memcached::listen_ip:
"%{hiera('$NETWORK')}" str_replace:
params: template:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} "%{hiera('$NETWORK')}"
memcached::listen_ip_uri: params:
str_replace: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
template: memcached::listen_ip_uri:
"%{hiera('$NETWORK_uri')}" str_replace:
params: template:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} "%{hiera('$NETWORK_uri')}"
memcached::max_memory: {get_param: MemcachedMaxMemory} params:
# https://access.redhat.com/security/cve/cve-2018-1000115 $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP. memcached::max_memory: {get_param: MemcachedMaxMemory}
memcached::udp_port: 0 # https://access.redhat.com/security/cve/cve-2018-1000115
memcached::verbosity: # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
list_join: memcached::udp_port: 0
- '' memcached::verbosity:
- - 'v' list_join:
- if:
- service_debug
- 'v'
- '' - ''
memcached::disable_cachedump: true - - 'v'
memcached::logfile: '/var/log/memcached/memcached.log' - if:
- service_debug
- 'v'
- ''
memcached::disable_cachedump: true
memcached::logfile: '/var/log/memcached/memcached.log'
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt'
tripleo::profile::base::memcached::certificate_specs:
service_certificate: '/etc/pki/tls/certs/memcached.crt'
service_key: '/etc/pki/tls/private/memcached.key'
hostname:
str_replace:
template: "%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
principal:
str_replace:
template: "memcached/%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
- {}
service_config_settings: service_config_settings:
collectd: collectd:
tripleo.collectd.plugins.memcached: tripleo.collectd.plugins.memcached:
@ -162,10 +190,21 @@ outputs:
dest: "/" dest: "/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/log/memcached - path: /var/log/memcached
owner: memcached:memcached owner: memcached:memcached
recurse: true recurse: true
- path: /etc/pki/tls/certs/memcached.crt
owner: memcached:memcached
optional: true
- path: /etc/pki/tls/private/memcached.key
owner: memcached:memcached
optional: true
docker_config: docker_config:
step_1: step_1:
memcached: memcached:
@ -183,8 +222,22 @@ outputs:
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z - /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
- /var/log/containers/memcached:/var/log/memcached:rw - /var/log/containers/memcached:/var/log/memcached:rw
- if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro
- null
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
if:
- internal_tls_enabled
-
- service: memcached
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
type: node
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:
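Review bot: In the `permissions` hunk the entry for `/etc/pki/tls/private/memcached.key` sets only `owner: memcached:memcached`, so the key's mode inside the container is whatever `preserve_properties: true` carried over from the host copy and nothing in this file pins it to owner-only access; adding `perm: '0600'` beside the owner line (the kolla config loader honours `perm` on permission entries as far as I recall — worth confirming) makes the restriction explicit rather than inherited. The only TLS material wired into `config_settings` is the server certificate and key — no CA bundle or verify mode appears here — so unless the puppet profile this change depends on configures client verification, TLS protects the transport but memcached still accepts any peer that can reach the port, and the `MemcachedIpSubnet` warning above remains the effective access control. Note also that the `internal_tls_enabled` condition is derived solely from `MemcachedTLS`, which defaults to `false`, so a deployment that enables TLS for other internal services still runs memcached in plaintext until this parameter is set; the description would be clearer as `Set to True to enable TLS on Memcached service. Defaults to false and must be enabled explicitly even when TLS is enabled for other internal services.`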