Browse Source

Merge "Add TLS capabilities to Memcached service" into stable/train

changes/47/782747/2
Zuul 2 weeks ago
committed by Gerrit Code Review
parent
commit
ae0ec4d80e
1 changed files with 109 additions and 56 deletions
  1. +109
    -56
      deployment/memcached/memcached-container-puppet.yaml

+ 109
- 56
deployment/memcached/memcached-container-puppet.yaml View File

@ -66,8 +66,13 @@ parameters:
of the internal network. Use this parameter with caution and be aware of
opening memcached to external network can be dangerous.
type: string
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
type: boolean
conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
service_debug:
or:
@ -87,63 +92,86 @@ outputs:
service_name: memcached
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
config_settings:
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
memcached::listen_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::listen_ip_uri:
str_replace:
template:
"%{hiera('$NETWORK_uri')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::max_connections: {get_param: MemcachedMaxConnections}
memcached::max_memory: {get_param: MemcachedMaxMemory}
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
memcached::udp_port: 0
memcached::verbosity:
list_join:
- ''
- - 'v'
- if:
- service_debug
- 'v'
map_merge:
-
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
memcached::listen_ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::listen_ip_uri:
str_replace:
template:
"%{hiera('$NETWORK_uri')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::max_connections: {get_param: MemcachedMaxConnections}
memcached::max_memory: {get_param: MemcachedMaxMemory}
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
memcached::udp_port: 0
memcached::verbosity:
list_join:
- ''
memcached::disable_cachedump: true
tripleo::memcached::firewall_rules:
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
if:
- memcached_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport: 11211
proto: 'tcp'
source: <%net_cidr%>
- '121 memcached':
dport: 11211
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
memcached::logstdout: true
- - 'v'
- if:
- service_debug
- 'v'
- ''
memcached::disable_cachedump: true
tripleo::memcached::firewall_rules:
# https://access.redhat.com/security/cve/cve-2018-1000115
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
# Memcached traffic shouldn't be open on the internet.
# Even if binding is configured on internal_api network, enforce it
# via firewall as well.
if:
- memcached_network_unset
- map_merge:
repeat:
for_each:
<%net_cidr%>:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport: 11211
proto: 'tcp'
source: <%net_cidr%>
- '121 memcached':
dport: 11211
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
memcached::logstdout: true
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt'
tripleo::profile::base::memcached::certificate_specs:
service_certificate: '/etc/pki/tls/certs/memcached.crt'
service_key: '/etc/pki/tls/private/memcached.key'
hostname:
str_replace:
template: "%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
principal:
str_replace:
template: "memcached/%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
- {}
service_config_settings:
collectd:
tripleo.collectd.plugins.memcached:
@ -167,10 +195,21 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/memcached
owner: memcached:memcached
recurse: true
- path: /etc/pki/tls/certs/memcached.crt
owner: memcached:memcached
optional: true
- path: /etc/pki/tls/private/memcached.key
owner: memcached:memcached
optional: true
docker_config:
step_1:
memcached:
@ -188,8 +227,22 @@ outputs:
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
- /var/log/containers/memcached:/var/log/memcached:rw
- if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
if:
- internal_tls_enabled
-
- service: memcached
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
type: node
- null
host_prep_tasks:
- name: create persistent directories
file:


Loading…
Cancel
Save