Add redis password parameter
Redis server API is not protected with a password
by default.
To fix this issue we need to provide a way to
configure redis with authentification in salt-formula.
This patch addresses the problem for redis used
by contrail analytics.
Co-Authored-By Inessa Vasilevskaya <ivasilevskaya@mirantis.com>
Change-Id: Ia927d5995c2d223b81ed3f3d2a9b389d0a1f021b
Related-Prod: PROD-22096
diff --git a/README.rst b/README.rst
index e285e13..3507284 100644
--- a/README.rst
+++ b/README.rst
@@ -168,6 +168,7 @@
cache:
engine: redis
host: 127.0.0.1
+ password: guest
port: 6379
members:
- host: 127.0.0.1
@@ -332,6 +333,7 @@
cache:
engine: redis
host: 127.0.0.1
+ password: guest
port: 6379
members:
- host: 127.0.0.1
@@ -473,6 +475,7 @@
cache:
engine: redis
host: 127.0.0.1
+ password: guest
port: 6379
members:
- host: 127.0.0.1
diff --git a/metadata/service/control/cluster.yml b/metadata/service/control/cluster.yml
index dedcc1f..f3e60e2 100644
--- a/metadata/service/control/cluster.yml
+++ b/metadata/service/control/cluster.yml
@@ -9,6 +9,7 @@
opencontrail_identity_version: '2.0'
keystone_admin_password: 'none'
keystone_service_token: 'none'
+ redis_password: 'none'
openstack_region: RegionOne
opencontrail:
common:
@@ -160,6 +161,7 @@
engine: redis
host: ${_param:cluster_local_address}
port: 6379
+ password: ${_param:redis_password}
members:
- host: ${_param:cluster_node01_address}
id: 1
diff --git a/metadata/service/control/control.yml b/metadata/service/control/control.yml
index c3bb5d1..ca7d426 100644
--- a/metadata/service/control/control.yml
+++ b/metadata/service/control/control.yml
@@ -10,6 +10,7 @@
keystone_admin_password: 'none'
keystone_service_token: 'none'
openstack_region: RegionOne
+ redis_password: 'none'
opencontrail:
common:
version: ${_param:opencontrail_version}
@@ -116,6 +117,7 @@
web:
version: ${_param:opencontrail_version}
enabled: True
+ password: ${_param:redis_password}
bind:
address: ${_param:cluster_local_address}
analytics:
diff --git a/metadata/service/control/single.yml b/metadata/service/control/single.yml
index f17d610..42181a4 100644
--- a/metadata/service/control/single.yml
+++ b/metadata/service/control/single.yml
@@ -10,6 +10,7 @@
keystone_admin_password: 'none'
keystone_service_token: 'none'
openstack_region: RegionOne
+ redis_password: 'none'
opencontrail:
common:
version: ${_param:opencontrail_version}
@@ -141,6 +142,7 @@
engine: redis
host: ${_param:single_address}
port: 6379
+ password: ${_param:redis_password}
members:
- host: ${_param:single_address}
id: 1
diff --git a/opencontrail/files/4.0/config.global.js b/opencontrail/files/4.0/config.global.js
index e420435..a92a22d 100644
--- a/opencontrail/files/4.0/config.global.js
+++ b/opencontrail/files/4.0/config.global.js
@@ -261,7 +261,7 @@
{%- else %}
config.redis_dump_file = '/var/lib/redis/dump-webui.rdb';
{%- endif %}
-config.redis_password = '';
+config.redis_password = '{{ web.cache.get('password', 'guest') }}';
/* Cassandra Server */
config.cassandra = {};
diff --git a/opencontrail/files/4.0/contrail-alarm-gen.conf b/opencontrail/files/4.0/contrail-alarm-gen.conf
index e0c51a3..035367f 100644
--- a/opencontrail/files/4.0/contrail-alarm-gen.conf
+++ b/opencontrail/files/4.0/contrail-alarm-gen.conf
@@ -1,4 +1,5 @@
{%- from "opencontrail/map.jinja" import collector with context %}
+{%- from "opencontrail/map.jinja" import web with context %}
[DEFAULTS]
host_ip = {{ collector.bind.address }}
collectors = {% for member in collector.analytics.members %}{{ member.host }}:8086 {% endfor %}
@@ -30,6 +31,7 @@
[REDIS]
redis_server_port=6379
redis_uve_list = {% for member in collector.database.members %}{{ member.host }}:6379 {% endfor %}
+redis_password = {{ web.get('cache', {}).get('password', 'guest') }}
[SANDESH]
#sandesh_ssl_enable=False
diff --git a/opencontrail/files/4.0/contrail-analytics-api.conf b/opencontrail/files/4.0/contrail-analytics-api.conf
index 98544ae..629862e 100644
--- a/opencontrail/files/4.0/contrail-analytics-api.conf
+++ b/opencontrail/files/4.0/contrail-analytics-api.conf
@@ -1,4 +1,5 @@
{%- from "opencontrail/map.jinja" import collector with context %}
+{%- from "opencontrail/map.jinja" import web with context %}
[DEFAULTS]
host_ip = {{ collector.bind.address }}
collectors = {% for member in collector.database.members %}{{ member.host }}:8086 {% endfor %}
@@ -33,6 +34,7 @@
[REDIS]
redis_query_port = 6379
redis_uve_list = {% for member in collector.database.members %}{{ member.host }}:6379 {% endfor %}
+redis_password = {{ web.get('cache', {}).get('password', 'guest') }}
[SANDESH]
#sandesh_ssl_enable=False
diff --git a/opencontrail/files/4.0/contrail-collector.conf b/opencontrail/files/4.0/contrail-collector.conf
index 35f89cf..6613826 100644
--- a/opencontrail/files/4.0/contrail-collector.conf
+++ b/opencontrail/files/4.0/contrail-collector.conf
@@ -1,4 +1,5 @@
{%- from "opencontrail/map.jinja" import collector with context %}
+{%- from "opencontrail/map.jinja" import web with context %}
#
# Copyright (c) 2014 Juniper Networks, Inc. All rights reserved.
#
@@ -115,3 +116,4 @@
[REDIS]
port=6379
server=127.0.0.1
+password={{ web.get('cache', {}).get('password', 'guest') }}
diff --git a/opencontrail/files/4.0/contrail-query-engine.conf b/opencontrail/files/4.0/contrail-query-engine.conf
index 3cc9ef6..7ffd52c 100644
--- a/opencontrail/files/4.0/contrail-query-engine.conf
+++ b/opencontrail/files/4.0/contrail-query-engine.conf
@@ -1,4 +1,5 @@
{%- from "opencontrail/map.jinja" import collector with context %}
+{%- from "opencontrail/map.jinja" import web with context %}
#
# Copyright (c) 2014 Juniper Networks, Inc. All rights reserved.
#
@@ -31,6 +32,7 @@
[REDIS]
port=6379
server=127.0.0.1
+password = {{ web.get('cache', {}).get('password', 'guest') }}
[SANDESH]
# sandesh_ssl_enable=false
diff --git a/opencontrail/files/4.0/redis.conf b/opencontrail/files/4.0/redis.conf
index db9c433..5c1f1c9 100644
--- a/opencontrail/files/4.0/redis.conf
+++ b/opencontrail/files/4.0/redis.conf
@@ -1,4 +1,5 @@
{%- from "opencontrail/map.jinja" import collector with context %}
+{%- from "opencontrail/map.jinja" import web with context %}
# Redis configuration file example
# Note on units: when memory size is needed, it is possible to specify
@@ -193,6 +194,9 @@
# refuse the slave request.
#
# masterauth <master-password>
+{%- if web.get('cache', {}).get("password", None) %}
+masterauth {{ web.cache.password }}
+{%- endif %}
# When a slave loses its connection with the master, or when the replication
# is still in progress, the slave can act in two different ways:
@@ -329,6 +333,9 @@
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
+{%- if web.get('cache', {}).get("password", None) %}
+requirepass {{ web.cache.password }}
+{%- endif %}
# Command renaming.
#