Merge "Add TLS capabilities to Memcached service" into stable/ussuri

This commit is contained in:
Zuul 2021-04-06 19:54:02 +00:00 committed by Gerrit Code Review
commit d5971cac2e
1 changed files with 84 additions and 31 deletions


@ -66,8 +66,13 @@ parameters:
of the internal network. Use this parameter with caution and be aware of of the internal network. Use this parameter with caution and be aware of
opening memcached to external network can be dangerous. opening memcached to external network can be dangerous.
type: string type: string
MemcachedTLS:
default: false
description: Set to True to enable TLS on Memcached service.
type: boolean
conditions: conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']} memcached_network_unset: {equals : [{get_param: MemcachedIpSubnet}, '']}
service_debug: service_debug:
or: or:
@ -112,38 +117,61 @@ outputs:
source: {get_param: MemcachedIpSubnet} source: {get_param: MemcachedIpSubnet}
monitoring_subscription: {get_param: MonitoringSubscriptionMemcached} monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
config_settings: config_settings:
# NOTE: bind IP is found in hiera replacing the network name with the local node IP map_merge:
# for the given network; replacement examples (eg. for internal_api): -
# internal_api -> IP # NOTE: bind IP is found in hiera replacing the network name with the local node IP
# internal_api_uri -> [IP] # for the given network; replacement examples (eg. for internal_api):
# internal_api_subnet - > IP/CIDR # internal_api -> IP
memcached::listen_ip: # internal_api_uri -> [IP]
str_replace: # internal_api_subnet - > IP/CIDR
template: memcached::listen_ip:
"%{hiera('$NETWORK')}" str_replace:
params: template:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} "%{hiera('$NETWORK')}"
memcached::listen_ip_uri: params:
str_replace: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
template: memcached::listen_ip_uri:
"%{hiera('$NETWORK_uri')}" str_replace:
params: template:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} "%{hiera('$NETWORK_uri')}"
memcached::max_connections: {get_param: MemcachedMaxConnections} params:
memcached::max_memory: {get_param: MemcachedMaxMemory} $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
# https://access.redhat.com/security/cve/cve-2018-1000115 memcached::max_connections: {get_param: MemcachedMaxConnections}
# Only accept TCP to avoid spoofed traffic amplification DoS on UDP. memcached::max_memory: {get_param: MemcachedMaxMemory}
memcached::udp_port: 0 # https://access.redhat.com/security/cve/cve-2018-1000115
memcached::verbosity: # Only accept TCP to avoid spoofed traffic amplification DoS on UDP.
list_join: memcached::udp_port: 0
- '' memcached::verbosity:
- - 'v' list_join:
- if:
- service_debug
- 'v'
- '' - ''
memcached::disable_cachedump: true - - 'v'
memcached::logstdout: true - if:
- service_debug
- 'v'
- ''
memcached::disable_cachedump: true
memcached::logstdout: true
tripleo::profile::base::memcached::enable_internal_memcached_tls: {get_param: MemcachedTLS}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::memcached::service_certificate: '/etc/pki/tls/certs/memcached.crt'
tripleo::profile::base::memcached::certificate_specs:
service_certificate: '/etc/pki/tls/certs/memcached.crt'
service_key: '/etc/pki/tls/private/memcached.key'
hostname:
str_replace:
template: "%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
principal:
str_replace:
template: "memcached/%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
- {}
service_config_settings: service_config_settings:
collectd: collectd:
tripleo.collectd.plugins.memcached: tripleo.collectd.plugins.memcached:
@ -167,10 +195,21 @@ outputs:
dest: "/" dest: "/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions: permissions:
- path: /var/log/memcached - path: /var/log/memcached
owner: memcached:memcached owner: memcached:memcached
recurse: true recurse: true
- path: /etc/pki/tls/certs/memcached.crt
owner: memcached:memcached
optional: true
- path: /etc/pki/tls/private/memcached.key
owner: memcached:memcached
optional: true
docker_config: docker_config:
step_1: step_1:
memcached: memcached:
@ -188,8 +227,22 @@ outputs:
- /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/kolla/config_files/memcached.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z - /var/lib/config-data/puppet-generated/memcached:/var/lib/kolla/config_files/src:rw,z
- /var/log/containers/memcached:/var/log/memcached:rw - /var/log/containers/memcached:/var/log/memcached:rw
- if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/memcached.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/memcached.crt:ro
- /etc/pki/tls/private/memcached.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/memcached.key:ro
- null
environment: environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
metadata_settings:
if:
- internal_tls_enabled
-
- service: memcached
network: {get_param: [ServiceNetMap, MemcachedNetwork]}
type: node
- null
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:
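Review bot: The new permissions entry for `/etc/pki/tls/private/memcached.key` only sets `owner: memcached:memcached` and no mode, and the src-tls copy just above it uses `preserve_properties: true`, so inside the container the key keeps whatever mode the host file had — if certmonger or an operator leaves it at 0644, the chown makes it memcached-owned but still world-readable. Add `perm: '0600'` to that entry so the kolla config step enforces the restriction regardless of how the key arrived on the host; the `.crt` entry can stay as is or take `perm: '0644'` for symmetry. The same consideration applies to the read-only bind mounts in the docker_config hunk: they only control mount access, not the mode of the copied file, so the permissions entry is the one place this is actually pinned.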