diff --git a/deployment/memcached/memcached-container-puppet.yaml b/deployment/memcached/memcached-container-puppet.yaml index e63735c763..c7013cb34f 100644 --- a/deployment/memcached/memcached-container-puppet.yaml +++ b/deployment/memcached/memcached-container-puppet.yaml @@ -66,13 +66,30 @@ parameters: of the internal network. Use this parameter with caution and be aware of opening memcached to external network can be dangerous. type: string + MemcachedPort: + default: 11211 + description: Port to have Memcached listening at. + When using MemcachedTLS, this has to be set to a different + port then the default - see below. + type: number MemcachedTLS: default: false description: Set to True to enable TLS on Memcached service. + Because not all services support Memcached TLS, during the + migration period, Memcached will listen on 2 ports - on the + port set with MemcachedPort parameter (above) and on 11211, + without TLS. type: boolean conditions: internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]} + # NOTE: A non-tls port is necessary while there are still services + # consuming Memcached that do not support TLS. Once all services + # do support TLS, this config should be dropped. + enable_non_tls_port: + and: + - internal_tls_enabled + - not: {equals: [{get_param: MemcachedPort}, 11211]} memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']} service_debug: or: 
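Review bot: `MemcachedPort` is documented as having to differ from 11211 when `MemcachedTLS` is set, but nothing in the template enforces that: with TLS enabled and the port left at its default, `enable_non_tls_port` evaluates to false and the plaintext fallback listener is simply never configured, which the description should state rather than implying a hard requirement. Heat has no cross-parameter constraint to express the TLS case, but a `constraints:` entry such as `- range: {min: 1, max: 65535}` on the parameter would at least reject values that are not valid ports, which the bare `type: number` does not. The description also reads `port then the default`; it should be `port than the default`. The `MemcachedTLS` description could further note that the 11211 listener carries no TLS, so TLS does not cover every path into the service while the migration period lasts.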
@@ -103,6 +120,33 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR + memcached::listen: + list_concat: + - - if: + - is_ipv6 + - '::1' + - '127.0.0.1' + - str_replace: + template: + "%{hiera('$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} + - if: + - enable_non_tls_port + - - str_replace: + template: + "notls:%{hiera('$NETWORK_uri')}:11211" + params: + $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} + - if: + - is_ipv6 + - 'notls:[::1]:11211' + - 'notls:127.0.0.1:11211' + - [] + # NOTE(xek): the IP addresses are configured with: + # memcached::listen - the new way + # memcached::listen_ip - will be deprecated + # see: https://github.com/saz/puppet-memcached/pull/127 memcached::listen_ip: - if: - is_ipv6 @@ -123,6 +167,7 @@ outputs: "%{hiera('$NETWORK_uri')}" params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} + memcached::tcp_port: {get_param: MemcachedPort} memcached::max_connections: {get_param: MemcachedMaxConnections} memcached::max_memory: {get_param: MemcachedMaxMemory} # https://access.redhat.com/security/cve/cve-2018-1000115 
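Review bot: The legacy plaintext port 11211 appears as a bare literal in the two `notls:` entries added to `memcached::listen` here, and again in the `enable_non_tls_port` condition, both firewall `dport` lists and the collectd `port` in the later hunks, so retiring the fallback means editing all of them in step. A comment at the `notls:` entries, e.g. `# 11211 must match the port hard-coded in enable_non_tls_port and the firewall rules`, would keep them from drifting apart. The first `list_concat` element binds the loopback address and the `$NETWORK` IP with no port, presumably relying on the `memcached::tcp_port` value set from `MemcachedPort` in the following hunk; that coupling deserves a one-line comment as well, since a reader of this block alone cannot tell which port those entries use.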
@@ -155,15 +200,37 @@ outputs: - {get_param: [ServiceNetMap, MemcachedNetwork]} template: '121 memcached <%net_cidr%>': - dport: 11211 + dport: + list_concat: + - - {get_param: MemcachedPort} + - if: + - enable_non_tls_port + - [11211] + - [] proto: 'tcp' source: <%net_cidr%> - '121 memcached': - dport: 11211 + dport: + list_concat: + - - {get_param: MemcachedPort} + - if: + - enable_non_tls_port + - [11211] + - [] proto: 'tcp' source: {get_param: MemcachedIpSubnet} memcached::logstdout: true tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS} + - + # NOTE: This config is necessary while there are still services + # consuming Memcached that do not support TLS. Once all services + # do support TLS, this config should be dropped. + if: + - enable_non_tls_port + - memcached_port: {get_param: MemcachedPort} + memcached_authtoken_port: 11211 + - memcached_port: {get_param: MemcachedPort} + memcached_authtoken_port: {get_param: MemcachedPort} - if: - internal_tls_enabled @@ -191,7 +258,11 @@ outputs: collectd::plugin::memcached::instances: local: host: "%{hiera('memcached::listen_ip_uri')}" - port: 11211 + port: # collectd has no support to Memcached+TLS yet. + - if: + - enable_non_tls_port + - 11211 + - {get_param: MemcachedPort} # BEGIN DOCKER SETTINGS puppet_config: config_volume: 'memcached'
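Review bot: Both `dport` lists open the plaintext 11211 alongside `MemcachedPort` whenever `enable_non_tls_port` holds, including the `'121 memcached'` rule whose source is `MemcachedIpSubnet`; the existing parameter text already warns that opening memcached beyond the internal network is dangerous, and with TLS enabled an operator may assume that exposure is now encrypted, which this rule makes untrue for the fallback port. A comment on the second rule, e.g. `# 11211 is the non-TLS fallback: while enable_non_tls_port holds, MemcachedIpSubnet also reaches plaintext memcached`, would make that visible at the point of exposure. The two `dport` blocks are byte-identical copies, so when the fallback is dropped both must change together. In the new hiera item, `memcached_authtoken_port: 11211` steers the authtoken cache to the plaintext listener; the surrounding NOTE explains the migration, but stating that this path stays unencrypted until the fallback is removed would help whoever schedules that removal.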
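Review bot: The collectd `port` selection falls back to `MemcachedPort` when `enable_non_tls_port` is false, and that condition is also false when `MemcachedTLS` is true but `MemcachedPort` was left at 11211; in that case collectd, which the trailing comment says cannot do TLS, is pointed at a TLS-only listener. If I read the conditions correctly there is no working plaintext port in that configuration, so the comment should say so: `# collectd has no Memcached+TLS support yet; with MemcachedTLS and MemcachedPort left at 11211 there is no plaintext port and this instance cannot connect.` Alternatively the instance could be gated on `internal_tls_enabled` instead of being left pointing at a port it cannot speak to. The enclosing `collectd::plugin::memcached::instances` mapping begins before this hunk.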