91db2020df
This patch reverts the revert of Redis TLS [1,2], and update the pacemaker redis template to configure Redis to encrypt the replication traffic between Redis nodes. [1]a3769c0317
[2]ebc8414cd0
Depends-On: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1 Change-Id: I7f7be4bba6d41c04385f074857c82507cc8c2617 Closes-Bug: #1737707
91 lines
2.8 KiB
YAML
91 lines
2.8 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack Redis service configured with Puppet
|
|
|
|
parameters:
|
|
RedisPassword:
|
|
description: The password for the redis service account.
|
|
type: string
|
|
hidden: true
|
|
RedisFDLimit:
|
|
description: Configure Redis FD limit
|
|
type: string
|
|
default: 10240
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
RedisIPv6:
|
|
default: false
|
|
description: Enable IPv6 in Redis
|
|
type: boolean
|
|
|
|
conditions:
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
redis_ipv6: {get_param: RedisIPv6}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the redis role.
|
|
value:
|
|
service_name: redis_base
|
|
config_settings:
|
|
redis::requirepass: {get_param: RedisPassword}
|
|
redis::masterauth: {get_param: RedisPassword}
|
|
redis::sentinel_auth_pass: {get_param: RedisPassword}
|
|
redis_ipv6: {get_param: RedisIPv6}
|
|
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLs
|
|
# proxy in front.
|
|
redis::bind:
|
|
if:
|
|
- use_tls_proxy
|
|
- if:
|
|
- redis_ipv6
|
|
- '::1'
|
|
- '127.0.0.1'
|
|
- {get_param: [ServiceNetMap, RedisNetwork]}
|
|
redis::port: 6379
|
|
redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}"
|
|
redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}"
|
|
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
|
|
redis::sentinel::sentinel_bind:
|
|
if:
|
|
- use_tls_proxy
|
|
- if:
|
|
- redis_ipv6
|
|
- '::1'
|
|
- '127.0.0.1'
|
|
- {get_param: [ServiceNetMap, RedisNetwork]}
|
|
redis::ulimit: {get_param: RedisFDLimit}
|