Merge "Add non-tls listener to Memcached" into stable/victoria

This commit is contained in:
Zuul 2021-03-19 23:56:47 +00:00 committed by Gerrit Code Review
commit 5e55117560
1 changed files with 74 additions and 3 deletions


@ -66,9 +66,19 @@ parameters:
of the internal network. Use this parameter with caution and be aware of of the internal network. Use this parameter with caution and be aware of
opening memcached to external network can be dangerous. opening memcached to external network can be dangerous.
type: string type: string
MemcachedPort:
default: 11211
description: Port to have Memcached listening at.
When using MemcachedTLS, this has to be set to a different
port then the default - see below.
type: number
MemcachedTLS: MemcachedTLS:
default: false default: false
description: Set to True to enable TLS on Memcached service. description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean type: boolean
CertificateKeySize: CertificateKeySize:
type: string type: string
@ -83,6 +93,13 @@ parameters:
conditions: conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]} internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
# NOTE: A non-tls port is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.
enable_non_tls_port:
and:
- internal_tls_enabled
- not: {equals: [{get_param: MemcachedPort}, 11211]}
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']} memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
service_debug: service_debug:
or: or:
@ -123,11 +140,23 @@ outputs:
- {get_param: [ServiceNetMap, MemcachedNetwork]} - {get_param: [ServiceNetMap, MemcachedNetwork]}
template: template:
'121 memcached <%net_cidr%>': '121 memcached <%net_cidr%>':
dport: 11211 dport:
list_concat:
- - {get_param: MemcachedPort}
- if:
- enable_non_tls_port
- [11211]
- []
proto: 'tcp' proto: 'tcp'
source: <%net_cidr%> source: <%net_cidr%>
- '121 memcached': - '121 memcached':
dport: 11211 dport:
list_concat:
- - {get_param: MemcachedPort}
- if:
- enable_non_tls_port
- [11211]
- []
proto: 'tcp' proto: 'tcp'
source: {get_param: MemcachedIpSubnet} source: {get_param: MemcachedIpSubnet}
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached} monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
@ -139,6 +168,33 @@ outputs:
# internal_api -> IP # internal_api -> IP
# internal_api_uri -> [IP] # internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR # internal_api_subnet - > IP/CIDR
memcached::listen:
list_concat:
- - if:
- is_ipv6
- '::1'
- '127.0.0.1'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
- if:
- enable_non_tls_port
- - str_replace:
template:
"notls:%{hiera('$NETWORK_uri')}:11211"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
- if:
- is_ipv6
- 'notls:[::1]:11211'
- 'notls:127.0.0.1:11211'
- []
# NOTE(xek): the IP addresses are configured with:
# memcached::listen - the new way
# memcached::listen_ip - will be deprecated
# see: https://github.com/saz/puppet-memcached/pull/127
memcached::listen_ip: memcached::listen_ip:
- if: - if:
- is_ipv6 - is_ipv6
@ -159,6 +215,7 @@ outputs:
"%{hiera('$NETWORK_uri')}" "%{hiera('$NETWORK_uri')}"
params: params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::tcp_port: {get_param: MemcachedPort}
memcached::max_connections: {get_param: MemcachedMaxConnections} memcached::max_connections: {get_param: MemcachedMaxConnections}
memcached::max_memory: {get_param: MemcachedMaxMemory} memcached::max_memory: {get_param: MemcachedMaxMemory}
# https://access.redhat.com/security/cve/cve-2018-1000115 # https://access.redhat.com/security/cve/cve-2018-1000115
@ -175,6 +232,16 @@ outputs:
memcached::disable_cachedump: true memcached::disable_cachedump: true
memcached::logstdout: true memcached::logstdout: true
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS} tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
-
# NOTE: This config is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.
if:
- enable_non_tls_port
- memcached_port: {get_param: MemcachedPort}
memcached_authtoken_port: 11211
- memcached_port: {get_param: MemcachedPort}
memcached_authtoken_port: {get_param: MemcachedPort}
- -
if: if:
- internal_tls_enabled - internal_tls_enabled
@ -207,7 +274,11 @@ outputs:
collectd::plugin::memcached::instances: collectd::plugin::memcached::instances:
local: local:
host: "%{hiera('memcached::listen_ip_uri')}" host: "%{hiera('memcached::listen_ip_uri')}"
port: 11211 port: # collectd has no support to Memcached+TLS yet.
- if:
- enable_non_tls_port
- 11211
- {get_param: MemcachedPort}
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
puppet_config: puppet_config:
config_volume: 'memcached' config_volume: 'memcached'
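Review bot: MemcachedPort in the first hunk is a bare `type: number` with no constraints, yet the later hunks rely on it being a usable TCP port and, when MemcachedTLS is set, on it differing from 11211 — and nothing in the template enforces either. An out-of-range value would presumably surface only when memcached fails to bind, while leaving the port at 11211 with TLS on makes `enable_non_tls_port` false, so the `memcached_authtoken_port` branch and the collectd `port` branch quietly point non-TLS consumers at the TLS listener. A minimal guard is `constraints:` / `  - range: {min: 1, max: 65535}` under the parameter; the cross-parameter requirement cannot be expressed as a Heat constraint, so it belongs in the MemcachedTLS description, which currently only says that two ports are opened. The new MemcachedPort description also has a typo: `port then the default` should read `port than the default`.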