Add procted-mode only to services that support it

chronological order: * #272 was opened * #365 was opened * #365 was merged * #272 was merged without a rebase * tests are broken
voxpupuli · Oct 10, 2020 · 1cfcb00 · 1cfcb00
1 parent d443861
commit 1cfcb00
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 1 deletion.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -1112,6 +1112,14 @@ Specify the port of the master redis server.
 
 Default value: `6379`
 
+##### `protected_mode`
+
+Data type: `Boolean`
+
+Whether protected mode is enabled or not. Only applicable when no bind is set.
+
+Default value: `$redis::params::sentinel_protected_mode`
+
 ##### `package_name`
 
 Data type: `String[1]`
@@ -1244,6 +1252,14 @@ Data type: `Stdlib::Ensure::Service`
 
 Default value: `'running'`
 
+##### `minimum_version`
+
+Data type: `String[5]`
+
+
+
+Default value: `$redis::params::minimum_version`
+
 ## Defined types
 
 ### `redis::instance`
@@ -1955,6 +1971,14 @@ set if cluster_enabled is true
 
 Default value: `$redis::cluster_migration_barrier`
 
+##### `supports_protected_mode`
+
+Data type: `Boolean`
+
+Determine support for the protected mode. If it's supported we default to enabling it. We don't add the config option to systems that do not yet support it
+
+Default value: `$redis::supports_protected_mode`
+
 ##### `output_buffer_limit_slave`
 
 Data type: `String[1]`

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -332,6 +332,7 @@
   Integer[0] $cluster_migration_barrier                          = 1,
   Hash[String[1], Hash] $instances                               = {},
 ) inherits redis::params {
+
   contain redis::preinstall
   contain redis::install
   contain redis::config

diff --git a/manifests/instance.pp b/manifests/instance.pp
@@ -194,6 +194,8 @@
 #   Minimum number of slaves master will remain connected with, for another
 #   slave to migrate to a  master which is no longer covered by any slave Only
 #   set if cluster_enabled is true
+# @param supports_protected_mode
+#   Determine support for the protected mode. If it's supported we default to enabling it. We don't add the config option to systems that do not yet support it
 define redis::instance (
   Boolean $activerehashing                                       = $redis::activerehashing,
   Boolean $aof_load_truncated                                    = $redis::aof_load_truncated,
@@ -285,6 +287,7 @@
   Stdlib::Absolutepath $pid_file                                 = "/var/run/redis/redis-server-${name}.pid",
   Variant[Stdlib::Absolutepath, Enum['']] $unixsocket            = "/var/run/redis/redis-server-${name}.sock",
   Stdlib::Absolutepath $workdir                                  = "${redis::workdir}/redis-server-${name}",
+  Boolean $supports_protected_mode                               = $redis::supports_protected_mode,
 ) {
   if $title == 'default' {
     $redis_file_name_orig = $config_file_orig

diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp
@@ -139,9 +139,23 @@
   Stdlib::Absolutepath $working_dir = $redis::params::sentinel_working_dir,
   Optional[Stdlib::Absolutepath] $notification_script = undef,
   Optional[Stdlib::Absolutepath] $client_reconfig_script = undef,
+  String[5] $minimum_version = $redis::params::minimum_version,
 ) inherits redis::params {
   require 'redis'
 
+  if $package_ensure =~ /^([0-9]+:)?[0-9]+\.[0-9]/ {
+    if ':' in $package_ensure {
+      $_redis_version_real = split($package_ensure, ':')
+      $redis_version_real = $_redis_version_real[1]
+    } else {
+      $redis_version_real = $package_ensure
+    }
+  } else {
+    $redis_version_real = pick(getvar('redis_server_version'), $minimum_version)
+  }
+
+  $supports_protected_mode = !$redis_version_real or versioncmp($redis_version_real, '3.2.0') >= 0
+
   if $facts['os']['family'] == 'Debian' {
     package { $package_name:
       ensure => $package_ensure,

diff --git a/spec/classes/redis_sentinel_spec.rb b/spec/classes/redis_sentinel_spec.rb
@@ -136,6 +136,7 @@
 dir /tmp/redis
 daemonize #{facts[:osfamily] == 'RedHat' ? 'no' : 'yes'}
 pidfile #{pidfile}
+protected-mode yes
 
 sentinel monitor cow 127.0.0.1 6379 2
 sentinel down-after-milliseconds cow 6000

diff --git a/templates/redis-sentinel.conf.erb b/templates/redis-sentinel.conf.erb
@@ -5,7 +5,9 @@ port <%= @sentinel_port %>
 dir <%= @working_dir %>
 daemonize <%= @daemonize ? 'yes' : 'no' %>
 pidfile <%= @pid_file %>
+<% if @supports_protected_mode -%>
 protected-mode <%= @protected_mode ? 'yes' : 'no' %>
+<% end -%>
 
 sentinel monitor <%= @master_name %> <%= @redis_host %> <%= @redis_port %> <%= @quorum %>
 sentinel down-after-milliseconds <%= @master_name %> <%= @down_after %>

diff --git a/templates/redis.conf.erb b/templates/redis.conf.erb
@@ -34,11 +34,13 @@ pidfile <%= @pid_file %>
 # IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
 # sockets.
 #
-# By default protected mode is enabled. You should disable it only if
+# By default protected mode is enabled *on systems that support it*. You should disable it only if
 # you are sure you want clients from other hosts to connect to Redis
 # even if no authentication is configured, nor a specific set of interfaces
 # are explicitly listed using the "bind" directive.
+#<% if @supports_protected_mode -%>
 protected-mode <%= @protected_mode ? 'yes' : 'no' %>
+<% end -%>
 
 <% end -%>
 # Accept connections on the specified port, default is 6379.