Merge "Add TLS capabilities to Memcached service" into stable/train
This commit is contained in:
Zuul
Gerrit Code Review
commit
ae0ec4d80e
|
|
@ -66,8 +66,13 @@ parameters:
|
||||||
of the internal network. Use this parameter with caution and be aware of
|
of the internal network. Use this parameter with caution and be aware of
|
||||||
opening memcached to external network can be dangerous.
|
opening memcached to external network can be dangerous.
|
||||||
type: string
|
type: string
|
||||||
|
MemcachedTLS:
|
||||||
|
default: false
|
||||||
|
description: Set to True to enable TLS on Memcached service.
|
||||||
|
type: boolean
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||||
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
|
||||||
service_debug:
|
service_debug:
|
||||||
or:
|
or:
|
||||||
|
|
@ -87,63 +92,86 @@ outputs:
|
||||||
service_name: memcached
|
service_name: memcached
|
||||||
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
|
||||||
config_settings:
|
config_settings:
|
||||||
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
map_merge:
|
||||||
# for the given network; replacement examples (eg. for internal_api):
|
-
|
||||||
# internal_api -> IP
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
||||||
# internal_api_uri -> [IP]
|
# for the given network; replacement examples (eg. for internal_api):
|
||||||
# internal_api_subnet - > IP/CIDR
|
# internal_api -> IP
|
||||||
memcached::listen_ip:
|
# internal_api_uri -> [IP]
|
||||||
str_replace:
|
# internal_api_subnet - > IP/CIDR
|
||||||
template:
|
memcached::listen_ip:
|
||||||
"%{hiera('$NETWORK')}"
|
str_replace:
|
||||||
params:
|
template:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
"%{hiera('$NETWORK')}"
|
||||||
memcached::listen_ip_uri:
|
params:
|
||||||
str_replace:
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
template:
|
memcached::listen_ip_uri:
|
||||||
"%{hiera('$NETWORK_uri')}"
|
str_replace:
|
||||||
params:
|
template:
|
||||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
"%{hiera('$NETWORK_uri')}"
|
||||||
memcached::max_connections: {get_param: MemcachedMaxConnections}
|
params:
|
||||||
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
memcached::max_connections: {get_param: MemcachedMaxConnections}
|
||||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
memcached::max_memory: {get_param: MemcachedMaxMemory}
|
||||||
memcached::udp_port: 0
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||||
memcached::verbosity:
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||||
list_join:
|
memcached::udp_port: 0
|
||||||
- ''
|
memcached::verbosity:
|
||||||
- - 'v'
|
list_join:
|
||||||
- if:
|
|
||||||
- service_debug
|
|
||||||
- 'v'
|
|
||||||
- ''
|
- ''
|
||||||
memcached::disable_cachedump: true
|
- - 'v'
|
||||||
tripleo::memcached::firewall_rules:
|
- if:
|
||||||
# https://access.redhat.com/security/cve/cve-2018-1000115
|
- service_debug
|
||||||
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
- 'v'
|
||||||
# Memcached traffic shouldn't be open on the internet.
|
- ''
|
||||||
# Even if binding is configured on internal_api network, enforce it
|
memcached::disable_cachedump: true
|
||||||
# via firewall as well.
|
tripleo::memcached::firewall_rules:
|
||||||
if:
|
# https://access.redhat.com/security/cve/cve-2018-1000115
|
||||||
- memcached_network_unset
|
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
|
||||||
- map_merge:
|
# Memcached traffic shouldn't be open on the internet.
|
||||||
repeat:
|
# Even if binding is configured on internal_api network, enforce it
|
||||||
for_each:
|
# via firewall as well.
|
||||||
<%net_cidr%>:
|
if:
|
||||||
get_param:
|
- memcached_network_unset
|
||||||
- ServiceData
|
- map_merge:
|
||||||
- net_cidr_map
|
repeat:
|
||||||
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
for_each:
|
||||||
template:
|
<%net_cidr%>:
|
||||||
'121 memcached <%net_cidr%>':
|
get_param:
|
||||||
dport: 11211
|
- ServiceData
|
||||||
proto: 'tcp'
|
- net_cidr_map
|
||||||
source: <%net_cidr%>
|
- {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
- '121 memcached':
|
template:
|
||||||
dport: 11211
|
'121 memcached <%net_cidr%>':
|
||||||
proto: 'tcp'
|
dport: 11211
|
||||||
source: {get_param: MemcachedIpSubnet}
|
proto: 'tcp'
|
||||||
memcached::logstdout: true
|
source: <%net_cidr%>
|
||||||
|
- '121 memcached':
|
||||||
|
dport: 11211
|
||||||
|
proto: 'tcp'
|
||||||
|
source: {get_param: MemcachedIpSubnet}
|
||||||
|
memcached::logstdout: true
|
||||||
|
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- generate_service_certificates: true
|
||||||
|
tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt'
|
||||||
|
tripleo::profile::base::memcached::certificate_specs:
|
||||||
|
service_certificate: '/etc/pki/tls/certs/memcached.crt'
|
||||||
|
service_key: '/etc/pki/tls/private/memcached.key'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_$NETWORK')}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "memcached/%{hiera('fqdn_$NETWORK')}"
|
||||||
|
params:
|
||||||
|
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
|
||||||
|
- {}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
collectd:
|
collectd:
|
||||||
tripleo.collectd.plugins.memcached:
|
tripleo.collectd.plugins.memcached:
|
||||||
|
|
@ -167,10 +195,21 @@ outputs:
|
||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||||
|
dest: "/"
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
optional: true
|
||||||
permissions:
|
permissions:
|
||||||
- path: /var/log/memcached
|
- path: /var/log/memcached
|
||||||
owner: memcached:memcached
|
owner: memcached:memcached
|
||||||
recurse: true
|
recurse: true
|
||||||
|
- path: /etc/pki/tls/certs/memcached.crt
|
||||||
|
owner: memcached:memcached
|
||||||
|
optional: true
|
||||||
|
- path: /etc/pki/tls/private/memcached.key
|
||||||
|
owner: memcached:memcached
|
||||||
|
optional: true
|
||||||
docker_config:
|
docker_config:
|
||||||
step_1:
|
step_1:
|
||||||
memcached:
|
memcached:
|
||||||
|
|
@ -188,8 +227,22 @@ outputs:
|
||||||
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
|
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
|
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
|
||||||
- /var/log/containers/memcached:/var/log/memcached:rw
|
- /var/log/containers/memcached:/var/log/memcached:rw
|
||||||
|
- if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro
|
||||||
|
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro
|
||||||
|
- null
|
||||||
environment:
|
environment:
|
||||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||||
|
metadata_settings:
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- service: memcached
|
||||||
|
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||||
|
type: node
|
||||||
|
- null
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue