From 76c8f9ec52504b936373a1ec634e5ee37fea36db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es=20de=20Medeiros?=
Date: Wed, 13 Jan 2021 16:30:36 +0100
Subject: [PATCH] Add non-tls listener to Memcached
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This step is required in order to migrate services to use TLS one by one. This config should go away once all services support TLS.

NOTE(moguimar): Squashing two extra fixes here that were merged after the first patch in master.

Squashes:
- Fix memcached firewall condition (cherry picked from commit 2ee68bf9a713d5f4b5b6b73c40633627fb905d6c)
- Fix parameters for puppet-memcached-6.0.0 (cherry picked from commit 9be84a2fc268b2a8838f10d740d181e54ede6572)

Change-Id: I7a38a01f498d350d065a7c312a6654832fe24e6a
Co-authored-By: Grzegorz Grasza
Signed-off-by: Moisés Guimarães de Medeiros
(cherry picked from commit 125ebd64f4cbd0685ae45f985ef29835edcf9e50)
---
.../memcached/memcached-container-puppet.yaml | 77 ++++++++++++++++++-
1 file changed, 74 insertions(+), 3 deletions(-)

diff --git a/deployment/memcached/memcached-container-puppet.yaml b/deployment/memcached/memcached-container-puppet.yaml
index 8f7d067c6d..d5b9c3143b 100644
--- a/deployment/memcached/memcached-container-puppet.yaml
+++ b/deployment/memcached/memcached-container-puppet.yaml
@@ -66,9 +66,19 @@ parameters: of the internal network. Use this parameter with caution and be aware of opening memcached to external network can be dangerous. type: string + MemcachedPort: + default: 11211 + description: Port to have Memcached listening at. + When using MemcachedTLS, this has to be set to a different + port then the default - see below. + type: number MemcachedTLS: default: false description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. type: boolean CertificateKeySize: type: string @@ -83,6 +93,13 @@ parameters: conditions: internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]} + # NOTE: A non-tls port is necessary while there are still services + # consuming Memcached that do not support TLS. Once all services + # do support TLS, this config should be dropped. + enable_non_tls_port: + and: + - internal_tls_enabled + - not: {equals: [{get_param: MemcachedPort}, 11211]} memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']} service_debug: or: @@ -123,11 +140,23 @@ outputs: - {get_param: [ServiceNetMap, MemcachedNetwork]} template: '121 memcached <%net_cidr%>': - dport: 11211 + dport: + list_concat: + - - {get_param: MemcachedPort} + - if: + - enable_non_tls_port + - [11211] + - [] proto: 'tcp' source: <%net_cidr%> - '121 memcached': - dport: 11211 + dport: + list_concat: + - - {get_param: MemcachedPort} + - if: + - enable_non_tls_port + - [11211] + - [] proto: 'tcp' source: {get_param: MemcachedIpSubnet} monitoring_subscription: {get_param: MonitoringSubscriptionMemcached} 
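Review bot: `MemcachedPort` is declared `type: number` with no constraint, and the MemcachedTLS description it feeds is only conditionally true: it says Memcached "will listen on 2 ports", but the `enable_non_tls_port` condition added in the next hunk is false whenever MemcachedPort stays at its default 11211, so a TLS-enabled deployment with the default port gets one TLS-only listener while `memcached_authtoken_port` in the hiera hunk and the collectd `port` in the last hunk are then pointed at that TLS listener (collectd is stated in that hunk to have no TLS support). Heat cannot express "must differ from 11211 when TLS is on", so add at least `constraints:` / `  - range: {min: 1, max: 65535}` under MemcachedPort and reword the MemcachedTLS description to say that the extra plaintext listener on 11211 exists only when MemcachedPort is set to a different port. The description typo `port then the default` should read `port than the default`. The `parameters:` mapping continues outside the hunk.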
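Review bot: Both `'121 memcached'` rules now open 11211 next to MemcachedPort through an identical `list_concat`/`if` expression, yet nothing at either `dport:` says that 11211 is the temporary plaintext listener, whereas the condition in the previous hunk and the hiera block in a later hunk carry a removal NOTE. Put the same marker above each `dport:` — `# NOTE: 11211 is the non-TLS migration listener; remove together with enable_non_tls_port` — and above the `notls:` entries of `memcached::listen` in the following hunk, so the removal the condition's comment promises can be done by grep rather than by memory. The literal 11211 is now spread over the conditions, firewall, listen, hiera and collectd hunks, and a consistent marker is the cheapest way to keep those sites in step. The mapping that holds these rules starts outside the hunk.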
@@ -139,6 +168,33 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR + memcached::listen: + list_concat: + - - if: + - is_ipv6 + - '::1' + - '127.0.0.1' + - str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} + - if: + - enable_non_tls_port + - - str_replace: + template: + "notls:%{hiera('$NETWORK_uri')}:11211" + params: + $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} + - if: + - is_ipv6 + - 'notls:[::1]:11211' + - 'notls:127.0.0.1:11211' + - [] + # NOTE(xek): the IP addresses are configured with: + # memcached::listen - the new way + # memcached::listen_ip - will be deprecated + # see: https://github.com/saz/puppet-memcached/pull/127 memcached::listen_ip: - if: - is_ipv6 @@ -159,6 +215,7 @@ outputs: "%{hiera('$NETWORK_uri')}" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} + memcached::tcp_port: {get_param: MemcachedPort} memcached::max_connections: {get_param: MemcachedMaxConnections} memcached::max_memory: {get_param: MemcachedMaxMemory} # https://access.redhat.com/security/cve/cve-2018-1000115 @@ -175,6 +232,16 @@ outputs: memcached::disable_cachedump: true memcached::logstdout: true tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS} + - + # NOTE: This config is necessary while there are still services + # consuming Memcached that do not support TLS. Once all services + # do support TLS, this config should be dropped. + if: + - enable_non_tls_port + - memcached_port: {get_param: MemcachedPort} + memcached_authtoken_port: 11211 + - memcached_port: {get_param: MemcachedPort} + memcached_authtoken_port: {get_param: MemcachedPort} - if: - internal_tls_enabled 
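Review bot: The hiera keys `memcached_port` and `memcached_authtoken_port` are introduced in the `enable_non_tls_port` branch without saying which service templates read them, and the NOTE above the `if:` only restates the condition's purpose. Extend that NOTE to name the consumers of `memcached_authtoken_port` (presumably the TLS-incapable auth-token configurations this migration exists for — confirm against the service templates) so the key can be retired together with the condition. In the else branch both keys receive MemcachedPort, which is the TLS listener once TLS is on; a one-line comment stating that this branch assumes every consumer speaks TLS would make the intent checkable. The list this item belongs to starts outside the hunk.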
@@ -207,7 +274,11 @@ outputs: collectd::plugin::memcached::instances: local: host: "%{hiera('memcached::listen_ip_uri')}" - port: 11211 + port: # collectd has no support to Memcached+TLS yet. + - if: + - enable_non_tls_port + - 11211 + - {get_param: MemcachedPort} # BEGIN DOCKER SETTINGS puppet_config: config_volume: 'memcached'
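Review bot: Writing the new `port:` value as `- if:` makes it a one-element YAML sequence, so after Heat resolves the function collectd receives `[11211]` (or `[<MemcachedPort>]`) where the removed line supplied the scalar `11211`; unless puppet-collectd accepts a list here, drop the dash and nest the function directly as `port:` / `  if:` with `enable_non_tls_port`, `11211` and `{get_param: MemcachedPort}` as its three items. The inline comment after `port:` would read better on its own line above the key, at the same indentation, as `# collectd has no support for Memcached+TLS yet`. `collectd::plugin::memcached::instances` sits in a mapping that starts outside the hunk.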