c2a93cf4c5
Redis does not have TLS out of the box. Let's use a proxy container for TLS termination. bp tls-via-certmonger Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ie2ae0d048a71e1b1b4edb10c74bc0395a1a9d5c9 Depends-On: I078567c831ade540cf704f81564e2b7654c85c0b Depends-On: Ia50933da9e59268b17f56db34d01dcc6b6c38147
79 lines
2.5 KiB
YAML
79 lines
2.5 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
OpenStack Redis service configured with Puppet
|
|
|
|
parameters:
|
|
RedisPassword:
|
|
description: The password for the redis service account.
|
|
type: string
|
|
hidden: true
|
|
RedisFDLimit:
|
|
description: Configure Redis FD limit
|
|
type: string
|
|
default: 10240
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
|
|
conditions:
|
|
use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the redis role.
|
|
value:
|
|
service_name: redis_base
|
|
config_settings:
|
|
redis::requirepass: {get_param: RedisPassword}
|
|
redis::masterauth: {get_param: RedisPassword}
|
|
redis::sentinel_auth_pass: {get_param: RedisPassword}
|
|
# NOTE: bind IP is found in Heat replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
# Bind to localhost if internal TLS is enabled, since we put a TLs
|
|
# proxy in front.
|
|
redis::bind:
|
|
if:
|
|
- use_tls_proxy
|
|
- 'localhost'
|
|
- {get_param: [ServiceNetMap, RedisNetwork]}
|
|
redis::port: 6379
|
|
redis::sentinel::master_name: "%{hiera('bootstrap_nodeid')}"
|
|
redis::sentinel::redis_host: "%{hiera('bootstrap_nodeid_ip')}"
|
|
redis::sentinel::notification_script: '/usr/local/bin/redis-notifications.sh'
|
|
redis::sentinel::sentinel_bind:
|
|
if:
|
|
- use_tls_proxy
|
|
- 'localhost'
|
|
- {get_param: [ServiceNetMap, RedisNetwork]}
|
|
redis::ulimit: {get_param: RedisFDLimit}
|