Redis replication with TLS everywhere

Bug #1737707 reported by Damien Ciabrini
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Damien Ciabrini

Bug Description

In https://bugs.launchpad.net/tripleo/+bug/1735259, we disabled TLS for Redis entirely as a quick way to work around the fact that Redis replication traffic was broken with TLS.

This bug tracks the necessary fixes in tripleo to deploy working encrypted replication traffic, and all the original bits for enabling encrypted endpoints for Redis clients.

Tags: tech-debt tls
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/527398

tags: added: tech-debt
Changed in tripleo:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/527694

Changed in tripleo:
assignee: nobody → Damien Ciabrini (dciabrin)
status: Triaged → In Progress
Changed in tripleo:
milestone: queens-3 → queens-rc1
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/527398
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=32cce5f150d0c618584cf65550343f435ea6afb1
Submitter: Zuul
Branch: master

commit 32cce5f150d0c618584cf65550343f435ea6afb1
Author: Damien Ciabrini <email address hidden>
Date: Tue Dec 12 11:07:34 2017 +0000

    Fix Redis TLS setup, including replication traffic

    This patch reverts the revert of Redis TLS [1], and fixes the
    encryption of Redis replication traffic for HA deployments.

    In order to encrypt replication traffic, Redis is configured to
    drive outgoing replication traffic to a stunnel endpoint on
    <localhost:port_xxx>. Stunnel then manages the encryption up to
    the peer Redis master.

    Likewise, slave Redis nodes advertise themselves as coming from
    <localhost:port_yyy> in order to let the Master initiate a connection
    to the Slave over its own stunnel endpoint, should it need to.

    Each redis node is assigned a unique replication port, and has
    dedicated stunnels to each one of its peers. This port mapping
    info is used by the redis resource agent to manage A/P failover.

    The regular Redis port is unchanged, so Redis clients (OpenStack
    services, HAproxy, CLI, firewall) are not impacted by this change.
    Only SELinux needs to be adapted.

    [1] I37501c4c983c87e3a38841272eb176ebbe626a65

    Change-Id: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
    Related-bug: #1737707

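As an added illustration (not code from puppet-tripleo or tripleo-heat-templates), the port mapping described in the commit message above, rendered as the per-node Redis and stunnel fragments it implies: Redis only ever talks plaintext to 127.0.0.1, each node owns one cluster-wide unique replication port, and a slave announces its own local tunnel port so the master reaches it through its own stunnel. Node names, port numbers, certificate paths and the stunnel options used are assumptions; slave-announce-ip/slave-announce-port are the Redis 4 directive names for what the message calls advertising <localhost:port_yyy>.

```python
REDIS_PORT = 6379       # regular client port, deliberately untouched (assumption)
BASE_REPL_PORT = 6380   # first replication port; constructed value


def replication_ports(nodes, base=BASE_REPL_PORT):
    """Assign every node one unique replication port, known cluster-wide."""
    return {name: base + i for i, name in enumerate(sorted(nodes))}


def stunnel_conf(node, ports, cert_dir="/etc/pki/tls/redis"):
    """stunnel.conf for one node: a TLS server listener on the node's own
    replication port, plus one TLS client per peer on 127.0.0.1:<peer port>.
    Paths and the verifyChain/checkHost options are assumptions."""
    lines = [
        f"cert = {cert_dir}/{node}.crt",
        f"key = {cert_dir}/{node}.key",
        f"CAfile = {cert_dir}/ca.crt",
        "verifyChain = yes",              # only peers certified by our CA
        "",
        "[redis-repl-in]",                # peers reach this node's Redis here
        f"accept = 0.0.0.0:{ports[node]}",
        f"connect = 127.0.0.1:{REDIS_PORT}",
    ]
    for peer, port in ports.items():
        if peer == node:
            continue                      # no tunnel to ourselves
        lines += [
            "",
            f"[redis-repl-to-{peer}]",    # local plaintext hop, TLS to the peer
            "client = yes",
            f"accept = 127.0.0.1:{port}",
            f"connect = {peer}:{port}",
            f"checkHost = {peer}",        # pin the peer's certificate hostname
        ]
    return "\n".join(lines) + "\n"


def redis_repl_conf(node, master, ports):
    """redis.conf fragment: replicate from the master through the local
    tunnel, and announce the local tunnel port so the master can connect
    back the same way. The master itself needs no replication directives."""
    if node == master:
        return ""
    return "\n".join([
        f"slaveof 127.0.0.1 {ports[master]}",
        "slave-announce-ip 127.0.0.1",
        f"slave-announce-port {ports[node]}",
    ]) + "\n"
```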
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/527694
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=91db2020df52126aad6835de9255f37b40775824
Submitter: Zuul
Branch: master

commit 91db2020df52126aad6835de9255f37b40775824
Author: Damien Ciabrini <email address hidden>
Date: Wed Dec 13 13:44:09 2017 +0000

    Fix Redis TLS setup and its HA deployment

    This patch reverts the revert of Redis TLS [1,2], and updates the
    pacemaker redis template to configure Redis to encrypt the
    replication traffic between Redis nodes.

    [1] a3769c03175cb36f0066c173477749a26f767566
    [2] ebc8414cd0c18426ff80d9d65c964e91a7fe447f

    Depends-On: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
    Change-Id: I7f7be4bba6d41c04385f074857c82507cc8c2617
    Closes-Bug: #1737707

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 8.0.0.0rc1 release candidate.
