32cce5f150
This patch reverts the revert of Redis TLS [1], and fixes the encryption of Redis replication traffic for HA deployments.

In order to encrypt replication traffic, Redis is configured to drive outgoing replication traffic to a stunnel endpoint on <localhost:port_xxx>. Stunnel then manages the encryption up to the peer Redis master. Likewise, slave Redis nodes advertise themselves as coming from <localhost:port_yyy> in order to let the Master initiate connection to the Slave over its own stunnel endpoint, should it need to.

Each redis node is assigned a unique replication port, and has dedicated stunnels to each one of its peers. This port mapping info is used by the redis resource agent to manage A/P failover.

The regular Redis port is unchanged, so Redis clients (OpenStack services, HAproxy, CLI, firewall) are not impacted by this change. Only SELinux needs to be adapted.

[1] I37501c4c983c87e3a38841272eb176ebbe626a65

Change-Id: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
Related-bug: #1737707
files
lib
manifests
releasenotes
spec
templates
zuul.d
.gitignore
.gitreview
.sync.yml
Gemfile
LICENSE
Puppetfile_extras
README.md
Rakefile
bindep.txt
metadata.json
setup.cfg
setup.py
test-requirements.txt
tox.ini
README.md
Team and repository tags
puppet-tripleo
Lightweight composition layer for Puppet TripleO.
Contributing
- Free software: Apache License (2.0)
- Source: http://git.openstack.org/cgit/openstack/puppet-tripleo
- Bugs: http://bugs.launchpad.net/tripleo (tag: puppet)
- Documentation: