Add TLS capabilities to Memcached service
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Depends-On: https://review.opendev.org/775674
Change-Id: Ia738f6e8904a337f911cfdd58b09932c10397764
(cherry picked from commit 50c22d629c)
parent
6e690970a1
commit
8ecc24fcc1
|
@ -66,8 +66,13 @@ parameters:
|
|||
of the internal network. Use this parameter with caution and be aware of
|
||||
opening memcached to external network can be dangerous.
|
||||
type: string
|
||||
MemcachedTLS:
|
||||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
type: boolean
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
||||
service_debug:
|
||||
or:
|
||||
|
@ -87,63 +92,86 @@ outputs:
|
|||
service_name: memcached
|
||||
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
||||
config_settings:
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
memcached::listen_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
memcached::listen_ip_uri:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK_uri')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
memcached::max_connections: {get_param: MemcachedMaxConnections}
|
||||
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||
memcached::udp_port: 0
|
||||
memcached::verbosity:
|
||||
list_join:
|
||||
- ''
|
||||
- - 'v'
|
||||
- if:
|
||||
- service_debug
|
||||
- 'v'
|
||||
map_merge:
|
||||
-
|
||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
memcached::listen_ip:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
memcached::listen_ip_uri:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK_uri')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
memcached::max_connections: {get_param: MemcachedMaxConnections}
|
||||
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||
memcached::udp_port: 0
|
||||
memcached::verbosity:
|
||||
list_join:
|
||||
- ''
|
||||
memcached::disable_cachedump: true
|
||||
tripleo::memcached::firewall_rules:
|
||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||
# Memcached traffic shouldn't be open on the internet.
|
||||
# Even if binding is configured on internal_api network, enforce it
|
||||
# via firewall as well.
|
||||
if:
|
||||
- memcached_network_unset
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
template:
|
||||
'121 memcached <%net_cidr%>':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: <%net_cidr%>
|
||||
- '121 memcached':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: {get_param: MemcachedIpSubnet}
|
||||
memcached::logstdout: true
|
||||
- - 'v'
|
||||
- if:
|
||||
- service_debug
|
||||
- 'v'
|
||||
- ''
|
||||
memcached::disable_cachedump: true
|
||||
tripleo::memcached::firewall_rules:
|
||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||
# Memcached traffic shouldn't be open on the internet.
|
||||
# Even if binding is configured on internal_api network, enforce it
|
||||
# via firewall as well.
|
||||
if:
|
||||
- memcached_network_unset
|
||||
- map_merge:
|
||||
repeat:
|
||||
for_each:
|
||||
<%net_cidr%>:
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
template:
|
||||
'121 memcached <%net_cidr%>':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: <%net_cidr%>
|
||||
- '121 memcached':
|
||||
dport: 11211
|
||||
proto: 'tcp'
|
||||
source: {get_param: MemcachedIpSubnet}
|
||||
memcached::logstdout: true
|
||||
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt'
|
||||
tripleo::profile::base::memcached::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/memcached.crt'
|
||||
service_key: '/etc/pki/tls/private/memcached.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "memcached/%{hiera('fqdn_$NETWORK')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
|
||||
- {}
|
||||
service_config_settings:
|
||||
collectd:
|
||||
tripleo.collectd.plugins.memcached:
|
||||
|
@ -167,10 +195,21 @@ outputs:
|
|||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/memcached
|
||||
owner: memcached:memcached
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/memcached.crt
|
||||
owner: memcached:memcached
|
||||
optional: true
|
||||
- path: /etc/pki/tls/private/memcached.key
|
||||
owner: memcached:memcached
|
||||
optional: true
|
||||
docker_config:
|
||||
step_1:
|
||||
memcached:
|
||||
|
@ -188,8 +227,22 @@ outputs:
|
|||
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
|
||||
- /var/log/containers/memcached:/var/log/memcached:rw
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro
|
||||
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro
|
||||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- service: memcached
|
||||
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
type: node
|
||||
- null
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
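Review bot: The TLS private key added to the permissions block (`- path: /etc/pki/tls/private/memcached.key`) is chowned to memcached:memcached but its mode is left to whatever the host file and `preserve_properties: true` carry over, so the key can end up group- or world-readable inside the container; the entry should pin it, e.g. add `perm: '0600'` alongside `owner: memcached:memcached` and `optional: true`. Separately, the `internal_tls_enabled` condition in the first hunk is derived only from the new `MemcachedTLS` parameter (default false) rather than from the deployment-wide internal TLS setting, so a TLS-everywhere deployment presumably keeps memcached in cleartext unless the operator also sets this flag; the parameter description could state that, e.g. `Set to True to enable TLS on Memcached service. This is independent of the global internal TLS setting and must be enabled explicitly.` The `postsave_cmd` script `/usr/bin/certmonger-memcached-refresh.sh` is not created by this change and appears to come from the Depends-On review, so the two need to land together or certificate renewal will fail on the refresh step.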
|
|