Merge "Add non-tls listener to Memcached" into stable/victoria
This commit is contained in:
commit
5e55117560
|
@ -66,9 +66,19 @@ parameters:
|
||||||
of the internal network. Use this parameter with caution and be aware of
|
of the internal network. Use this parameter with caution and be aware of
|
||||||
opening memcached to external network can be dangerous.
|
opening memcached to external network can be dangerous.
|
||||||
type: string
|
type: string
|
||||||
|
MemcachedPort:
|
||||||
|
default: 11211
|
||||||
|
description: Port to have Memcached listening at.
|
||||||
|
When using MemcachedTLS, this has to be set to a different
|
||||||
|
port then the default - see below.
|
||||||
|
type: number
|
||||||
MemcachedTLS:
|
MemcachedTLS:
|
||||||
default: false
|
default: false
|
||||||
description: Set to True to enable TLS on Memcached service.
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
Because not all services support Memcached TLS, during the
|
||||||
|
migration period, Memcached will listen on 2 ports - on the
|
||||||
|
port set with MemcachedPort parameter (above) and on 11211,
|
||||||
|
without TLS.
|
||||||
type: boolean
|
type: boolean
|
||||||
CertificateKeySize:
|
CertificateKeySize:
|
||||||
type: string
|
type: string
|
||||||
|
@ -83,6 +93,13 @@ parameters:
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||||
|
# NOTE: A non-tls port is necessary while there are still services
|
||||||
|
# consuming Memcached that do not support TLS. Once all services
|
||||||
|
# do support TLS, this config should be dropped.
|
||||||
|
enable_non_tls_port:
|
||||||
|
and:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- not: {equals: [{get_param: MemcachedPort}, 11211]}
|
||||||
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
||||||
service_debug:
|
service_debug:
|
||||||
or:
|
or:
|
||||||
|
@ -123,11 +140,23 @@ outputs:
|
||||||
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
template:
|
template:
|
||||||
'121 memcached <%net_cidr%>':
|
'121 memcached <%net_cidr%>':
|
||||||
dport: 11211
|
dport:
|
||||||
|
list_concat:
|
||||||
|
- - {get_param: MemcachedPort}
|
||||||
|
- if:
|
||||||
|
- enable_non_tls_port
|
||||||
|
- [11211]
|
||||||
|
- []
|
||||||
proto: 'tcp'
|
proto: 'tcp'
|
||||||
source: <%net_cidr%>
|
source: <%net_cidr%>
|
||||||
- '121 memcached':
|
- '121 memcached':
|
||||||
dport: 11211
|
dport:
|
||||||
|
list_concat:
|
||||||
|
- - {get_param: MemcachedPort}
|
||||||
|
- if:
|
||||||
|
- enable_non_tls_port
|
||||||
|
- [11211]
|
||||||
|
- []
|
||||||
proto: 'tcp'
|
proto: 'tcp'
|
||||||
source: {get_param: MemcachedIpSubnet}
|
source: {get_param: MemcachedIpSubnet}
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
||||||
|
@ -139,6 +168,33 @@ outputs:
|
||||||
# internal_api -> IP
|
# internal_api -> IP
|
||||||
# internal_api_uri -> [IP]
|
# internal_api_uri -> [IP]
|
||||||
# internal_api_subnet - > IP/CIDR
|
# internal_api_subnet - > IP/CIDR
|
||||||
|
memcached::listen:
|
||||||
|
list_concat:
|
||||||
|
- - if:
|
||||||
|
- is_ipv6
|
||||||
|
- '::1'
|
||||||
|
- '127.0.0.1'
|
||||||
|
- str_replace:
|
||||||
|
template:
|
||||||
|
"%{hiera('$NETWORK')}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
- if:
|
||||||
|
- enable_non_tls_port
|
||||||
|
- - str_replace:
|
||||||
|
template:
|
||||||
|
"notls:%{hiera('$NETWORK_uri')}:11211"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
- if:
|
||||||
|
- is_ipv6
|
||||||
|
- 'notls:[::1]:11211'
|
||||||
|
- 'notls:127.0.0.1:11211'
|
||||||
|
- []
|
||||||
|
# NOTE(xek): the IP addresses are configured with:
|
||||||
|
# memcached::listen - the new way
|
||||||
|
# memcached::listen_ip - will be deprecated
|
||||||
|
# see: https://github.com/saz/puppet-memcached/pull/127
|
||||||
memcached::listen_ip:
|
memcached::listen_ip:
|
||||||
- if:
|
- if:
|
||||||
- is_ipv6
|
- is_ipv6
|
||||||
|
@ -159,6 +215,7 @@ outputs:
|
||||||
"%{hiera('$NETWORK_uri')}"
|
"%{hiera('$NETWORK_uri')}"
|
||||||
params:
|
params:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
memcached::tcp_port: {get_param: MemcachedPort}
|
||||||
memcached::max_connections: {get_param: MemcachedMaxConnections}
|
memcached::max_connections: {get_param: MemcachedMaxConnections}
|
||||||
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
||||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||||
|
@ -175,6 +232,16 @@ outputs:
|
||||||
memcached::disable_cachedump: true
|
memcached::disable_cachedump: true
|
||||||
memcached::logstdout: true
|
memcached::logstdout: true
|
||||||
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
|
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
|
||||||
|
-
|
||||||
|
# NOTE: This config is necessary while there are still services
|
||||||
|
# consuming Memcached that do not support TLS. Once all services
|
||||||
|
# do support TLS, this config should be dropped.
|
||||||
|
if:
|
||||||
|
- enable_non_tls_port
|
||||||
|
- memcached_port: {get_param: MemcachedPort}
|
||||||
|
memcached_authtoken_port: 11211
|
||||||
|
- memcached_port: {get_param: MemcachedPort}
|
||||||
|
memcached_authtoken_port: {get_param: MemcachedPort}
|
||||||
-
|
-
|
||||||
if:
|
if:
|
||||||
- internal_tls_enabled
|
- internal_tls_enabled
|
||||||
|
@ -207,7 +274,11 @@ outputs:
|
||||||
collectd::plugin::memcached::instances:
|
collectd::plugin::memcached::instances:
|
||||||
local:
|
local:
|
||||||
host: "%{hiera('memcached::listen_ip_uri')}"
|
host: "%{hiera('memcached::listen_ip_uri')}"
|
||||||
port: 11211
|
port: # collectd has no support to Memcached+TLS yet.
|
||||||
|
- if:
|
||||||
|
- enable_non_tls_port
|
||||||
|
- 11211
|
||||||
|
- {get_param: MemcachedPort}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
puppet_config:
|
puppet_config:
|
||||||
config_volume: 'memcached'
|
config_volume: 'memcached'
|
||||||
|
|
Loading…
Reference in New Issue