tripleo-heat-templates/puppet/services/database/redis-base.yaml
Damien Ciabrini 91db2020df Fix Redis TLS setup and its HA deployment
This patch reverts the revert of Redis TLS [1,2], and update the
pacemaker redis template to configure Redis to encrypt the
replication traffic between Redis nodes.

[1] a3769c0317
[2] ebc8414cd0

Depends-On: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
Change-Id: I7f7be4bba6d41c04385f074857c82507cc8c2617
Closes-Bug: #1737707
2018-02-05 14:05:12 +00:00

91 lines
2.8 KiB
YAML

heat_template_version: queens
description: >
OpenStack Redis service configured with Puppet
parameters:
RedisPassword:
description: The password for the redis service account.
type: string
hidden: true
RedisFDLimit:
description: Configure Redis FD limit
type: string
default: 10240
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
RedisIPv6:
default: false
description: Enable IPv6 in Redis
type: boolean
conditions:
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
redis_ipv6: {get_param: RedisIPv6}
outputs:
role_data:
description: Role data for the redis role.
value:
service_name: redis_base
config_settings:
redis::requirepass: {get_param: RedisPassword}
redis::masterauth: {get_param: RedisPassword}
redis::sentinel_auth_pass: {get_param: RedisPassword}
redis_ipv6: {get_param: RedisIPv6}
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
# Bind to localhost if internal TLS is enabled, since we put a TLs
# proxy in front.
redis::bind:
if:
- use_tls_proxy
- if:
- redis_ipv6
- '::1'
- '127.0.0.1'
- {get_param: [ServiceNetMap, RedisNetwork]}
redis::port: 6379
redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}"
redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}"
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
redis::sentinel::sentinel_bind:
if:
- use_tls_proxy
- if:
- redis_ipv6
- '::1'
- '127.0.0.1'
- {get_param: [ServiceNetMap, RedisNetwork]}
redis::ulimit: {get_param: RedisFDLimit}