Add procted-mode only to services that support it

chronological order: * voxpupuli#272 was opened * voxpupuli#365 was opened * voxpupuli#365 was merged * voxpupuli#272 was merged without a rebase * tests are broken
bastelfreak · Oct 10, 2020 · 779eb44 · 779eb44
1 parent d443861
commit 779eb44
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 1 deletion.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -1112,6 +1112,14 @@ Specify the port of the master redis server.
 
 Default value: `6379`
 
+##### `protected_mode`
+
+Data type: `Boolean`
+
+Whether protected mode is enabled or not. Only applicable when no bind is set.
+
+Default value: `$redis::params::sentinel_protected_mode`
+
 ##### `package_name`
 
 Data type: `String[1]`
@@ -1244,6 +1252,14 @@ Data type: `Stdlib::Ensure::Service`
 
 Default value: `'running'`
 
+##### `minimum_version`
+
+Data type: `String[5]`
+
+
+
+Default value: `$redis::params::minimum_version`
+
 ## Defined types
 
 ### `redis::instance`

diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp
@@ -139,9 +139,23 @@
   Stdlib::Absolutepath $working_dir = $redis::params::sentinel_working_dir,
   Optional[Stdlib::Absolutepath] $notification_script = undef,
   Optional[Stdlib::Absolutepath] $client_reconfig_script = undef,
+  String[5] $minimum_version = $redis::params::minimum_version,
 ) inherits redis::params {
   require 'redis'
 
+  if $package_ensure =~ /^([0-9]+:)?[0-9]+\.[0-9]/ {
+    if ':' in $package_ensure {
+      $_redis_version_real = split($package_ensure, ':')
+      $redis_version_real = $_redis_version_real[1]
+    } else {
+      $redis_version_real = $package_ensure
+    }
+  } else {
+    $redis_version_real = pick(getvar('redis_server_version'), $minimum_version)
+  }
+
+  $supports_protected_mode = !$redis_version_real or versioncmp($redis_version_real, '3.2.0') >= 0
+
   if $facts['os']['family'] == 'Debian' {
     package { $package_name:
       ensure => $package_ensure,

diff --git a/spec/classes/redis_sentinel_spec.rb b/spec/classes/redis_sentinel_spec.rb
@@ -136,6 +136,7 @@
 dir /tmp/redis
 daemonize #{facts[:osfamily] == 'RedHat' ? 'no' : 'yes'}
 pidfile #{pidfile}
+protected-mode yes
 
 sentinel monitor cow 127.0.0.1 6379 2
 sentinel down-after-milliseconds cow 6000

diff --git a/templates/redis-sentinel.conf.erb b/templates/redis-sentinel.conf.erb
@@ -5,7 +5,9 @@ port <%= @sentinel_port %>
 dir <%= @working_dir %>
 daemonize <%= @daemonize ? 'yes' : 'no' %>
 pidfile <%= @pid_file %>
+<% if @supports_protected_mode -%>
 protected-mode <%= @protected_mode ? 'yes' : 'no' %>
+<% end -%>
 
 sentinel monitor <%= @master_name %> <%= @redis_host %> <%= @redis_port %> <%= @quorum %>
 sentinel down-after-milliseconds <%= @master_name %> <%= @down_after %>

diff --git a/templates/redis.conf.erb b/templates/redis.conf.erb
@@ -34,11 +34,13 @@ pidfile <%= @pid_file %>
 # IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
 # sockets.
 #
-# By default protected mode is enabled. You should disable it only if
+# By default protected mode is enabled *on systems that support it*. You should disable it only if
 # you are sure you want clients from other hosts to connect to Redis
 # even if no authentication is configured, nor a specific set of interfaces
 # are explicitly listed using the "bind" directive.
+#<% if @supports_protected_mode -%>
 protected-mode <%= @protected_mode ? 'yes' : 'no' %>
+<% end -%>
 
 <% end -%>
 # Accept connections on the specified port, default is 6379.