Enable redis TLS proxy in HA deployments

Redis does not have TLS out of the box. Let's use a proxy container for TLS termination. This commit enables redis TLS proxy for the HA deployment. bp tls-via-certmonger Change-Id: I45e539872a03878337def33c681c4577c1a5629e
2017-08-28 16:50:28 +02:00 · 2017-08-28 16:50:28 +02:00 · c6d8df01d7
parent 61107609c1
commit c6d8df01d7
1 changed files with 67 additions and 26 deletions
--- a/docker/services/pacemaker/database/redis.yaml
+++ b/docker/services/pacemaker/database/redis.yaml
@ -36,9 +36,19 @@ parameters:
    default: {}
    description: Parameters specific to the role
    type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 resources:

+  ContainersCommon:
+    type: ../../containers-common.yaml
+
  RedisBase:
    type: ../../../../puppet/services/database/redis.yaml
    properties:
@ -74,6 +84,8 @@ outputs:
                  - 3124
                  - 6379
                  - 26379
+            tripleo::stunnel::manage_service: false
+            tripleo::stunnel::foreground: 'yes'
      step_config: ""
      service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
      # BEGIN DOCKER SETTINGS
@ -109,6 +121,13 @@ outputs:
            - path: /var/log/redis
              owner: redis:redis
              recurse: true
+        /var/lib/kolla/config_files/redis_tls_proxy.json:
+          command: stunnel /etc/stunnel/stunnel.conf
+          config_files:
+            - source: "/var/lib/kolla/config_files/src/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
      docker_config:
        step_1:
          redis_image_tag:
@ -134,32 +153,54 @@ outputs:
              - /usr/bin:/usr/bin:ro
              - /var/run/docker.sock:/var/run/docker.sock:rw
        step_2:
-          redis_init_bundle:
-            start_order: 2
-            detach: false
-            net: host
-            user: root
-            config_volume: 'redis_init_bundle'
-            command:
-              - '/bin/bash'
-              - '-c'
-              - str_replace:
-                  template:
-                    list_join:
-                      - '; '
-                      - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json"
-                        - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'"
-                  params:
-                    TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
-                    CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle'
-            image: *redis_config_image
-            volumes:
-              - /etc/hosts:/etc/hosts:ro
-              - /etc/localtime:/etc/localtime:ro
-              - /etc/puppet:/tmp/puppet-etc:ro
-              - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
-              - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
-              - /dev/shm:/dev/shm:rw
+          map_merge:
+            - redis_init_bundle:
+                start_order: 2
+                detach: false
+                net: host
+                user: root
+                config_volume: 'redis_init_bundle'
+                command:
+                  - '/bin/bash'
+                  - '-c'
+                  - str_replace:
+                      template:
+                        list_join:
+                          - '; '
+                          - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json"
+                            - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'"
+                      params:
+                        TAGS: 'pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
+                        CONFIG: 'include ::tripleo::profile::base::pacemaker;include ::tripleo::profile::pacemaker::database::redis_bundle'
+                image: *redis_config_image
+                volumes:
+                  - /etc/hosts:/etc/hosts:ro
+                  - /etc/localtime:/etc/localtime:ro
+                  - /etc/puppet:/tmp/puppet-etc:ro
+                  - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+                  - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
+                  - /dev/shm:/dev/shm:rw
+            - if:
+                - internal_tls_enabled
+                - redis_tls_proxy:
+                    start_order: 3
+                    image: *redis_image_pcmklatest
+                    net: host
+                    user: root
+                    restart: always
+                    volumes:
+                      list_concat:
+                        - {get_attr: [ContainersCommon, volumes]}
+                        -
+                          - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                          - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+                          - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro
+                          - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro
+                    environment:
+                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+                - {}
+      metadata_settings:
+        get_attr: [RedisBase, role_data, metadata_settings]
      host_prep_tasks:
        - name: create /var/run/redis
          file: