Browse Source

Merge "Add non-tls listener to Memcached" into stable/train

changes/47/782747/2
Zuul 1 week ago
committed by Gerrit Code Review
parent
commit
b19fb6c5a5
1 changed files with 74 additions and 3 deletions
  1. +74
    -3
      deployment/memcached/memcached-container-puppet.yaml

+ 74
- 3
deployment/memcached/memcached-container-puppet.yaml View File

@ -66,13 +66,30 @@ parameters:
of the internal network. Use this parameter with caution and be aware of
opening memcached to external network can be dangerous.
type: string
MemcachedPort:
default: 11211
description: Port to have Memcached listening at.
When using MemcachedTLS, this has to be set to a different
port then the default - see below.
type: number
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
Because not all services support Memcached TLS, during the
migration period, Memcached will listen on 2 ports - on the
port set with MemcachedPort parameter (above) and on 11211,
without TLS.
type: boolean
conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
# NOTE: A non-tls port is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.
enable_non_tls_port:
and:
- internal_tls_enabled
- not: {equals: [{get_param: MemcachedPort}, 11211]}
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
service_debug:
or:
@ -103,6 +120,33 @@ outputs:
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
memcached::listen:
list_concat:
- - if:
- is_ipv6
- '::1'
- '127.0.0.1'
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
- if:
- enable_non_tls_port
- - str_replace:
template:
"notls:%{hiera('$NETWORK_uri')}:11211"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
- if:
- is_ipv6
- 'notls:[::1]:11211'
- 'notls:127.0.0.1:11211'
- []
# NOTE(xek): the IP addresses are configured with:
# memcached::listen - the new way
# memcached::listen_ip - will be deprecated
# see: https://github.com/saz/puppet-memcached/pull/127
memcached::listen_ip:
- if:
- is_ipv6
@ -123,6 +167,7 @@ outputs:
"%{hiera('$NETWORK_uri')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
memcached::tcp_port: {get_param: MemcachedPort}
memcached::max_connections: {get_param: MemcachedMaxConnections}
memcached::max_memory: {get_param: MemcachedMaxMemory}
# https://access.redhat.com/security/cve/cve-2018-1000115
@ -155,15 +200,37 @@ outputs:
- {get_param: [ServiceNetMap, MemcachedNetwork]}
template:
'121 memcached <%net_cidr%>':
dport: 11211
dport:
list_concat:
- - {get_param: MemcachedPort}
- if:
- enable_non_tls_port
- [11211]
- []
proto: 'tcp'
source: <%net_cidr%>
- '121 memcached':
dport: 11211
dport:
list_concat:
- - {get_param: MemcachedPort}
- if:
- enable_non_tls_port
- [11211]
- []
proto: 'tcp'
source: {get_param: MemcachedIpSubnet}
memcached::logstdout: true
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
-
# NOTE: This config is necessary while there are still services
# consuming Memcached that do not support TLS. Once all services
# do support TLS, this config should be dropped.
if:
- enable_non_tls_port
- memcached_port: {get_param: MemcachedPort}
memcached_authtoken_port: 11211
- memcached_port: {get_param: MemcachedPort}
memcached_authtoken_port: {get_param: MemcachedPort}
-
if:
- internal_tls_enabled
@ -191,7 +258,11 @@ outputs:
collectd::plugin::memcached::instances:
local:
host: "%{hiera('memcached::listen_ip_uri')}"
port: 11211
port: # collectd has no support to Memcached+TLS yet.
- if:
- enable_non_tls_port
- 11211
- {get_param: MemcachedPort}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: 'memcached'


Loading…
Cancel
Save