authorAleksandr Mogylchenko <amogylchenko@mirantis.com>2017-01-25 17:10:48 +0100
committerAleksandr Mogylchenko <amogylchenko@mirantis.com>2017-02-10 15:56:57 +0100
commit3c31c9b4889fe8cd23f1e5dca5e825433ba2c744 (patch)
tree6814ef36efa5ce644fe019e5db89ea54b754503c
parent7e0ea13b6c5db08672bc0befaf549b79064f098f (diff)
Initial support of TLS in RabbitMQ
Depending on the security.tls.enabled switch, this disables or enables secured communication between RabbitMQ, etcd and the rest of the world.

Change-Id: If9d376a7808e44a4845c78d3d6e4267bfb80848b
Depends-On: I574d64082e77f49024f49aa7b30c4f2f6cc044ac
Depends-On: I3f05ce795beade0af12eb3426df759a1af8806af
Depends-On: Ib4b3ea4da7c1f641b9ab0223226348de5eac94df
Notes
Notes (review): Code-Review+2: Proskurin Kirill <kproskurin@mirantis.com> Code-Review+1: Dmitry Mescheryakov (dmitryme) <dmescheryakov@mirantis.com> Code-Review+2: Sergey Reshetnyak <sreshetniak@mirantis.com> Workflow+1: Sergey Reshetnyak <sreshetniak@mirantis.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Fri, 10 Feb 2017 15:13:09 +0000 Reviewed-on: https://review.openstack.org/425266 Project: openstack/fuel-ccp-rabbitmq Branch: refs/heads/master
-rw-r--r--service/files/ca.pem.j21
-rw-r--r--service/files/rabbitmq-env.conf.j25
-rw-r--r--service/files/rabbitmq.config.j220
-rw-r--r--service/files/rabbitmq_combined.pem.j22
-rw-r--r--service/files/server-key.pem.j21
-rw-r--r--service/files/server.pem.j21
-rw-r--r--service/rabbitmq.yaml24
7 files changed, 53 insertions, 1 deletions
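--- /dev/null
+++ b/service/files/ca.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}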
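--- a/service/files/rabbitmq-env.conf.j2
+++ b/service/files/rabbitmq-env.conf.j2
@@ -1,3 +1,8 @@
 NODENAME=rabbit@{{ network_topology["private"]["address"] }}
 USE_LONGNAME=true
 LOG_BASE=/var/log/ccp/rabbitmq
+{% if security.tls.enabled %}
+ERL_SSL_PATH=`erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell`
+SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile /opt/ccp/etc/tls/rabbitmq.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true server_cacertfile /opt/ccp/etc/tls/ca.pem"
+CTL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS"
+{% endif %}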
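Review bot: The inter-node TLS options on the SERVER_ADDITIONAL_ERL_ARGS line encrypt distribution traffic but never authenticate the peer: server_cacertfile is supplied, yet there is no `server_verify verify_peer`, no `server_fail_if_no_peer_cert true`, and no client-side `client_certfile`/`client_cacertfile`/`client_verify`, so the Erlang ssl default of verify_none applies in both directions and the CA file is effectively unused. Consider extending the option string with `-ssl_dist_opt server_verify verify_peer server_fail_if_no_peer_cert true client_certfile /opt/ccp/etc/tls/rabbitmq.pem client_cacertfile /opt/ccp/etc/tls/ca.pem client_verify verify_peer` so both ends check each other against ca.pem. Because CTL_ERL_ARGS reuses the same string, rabbitmqctl would then also present the node certificate when it connects; a short comment above the line stating which guarantees the options are meant to provide (encryption only vs. mutual authentication) would make the intent reviewable.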
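--- a/service/files/rabbitmq.config.j2
+++ b/service/files/rabbitmq.config.j2
@@ -1,14 +1,28 @@
 [
  {rabbit, [
   {dummy_param_without_comma, true}
+  {% if not security.tls.enabled %}
   ,{tcp_listeners, [
    {"0.0.0.0", {{ rabbitmq.port.cont }} }
   ]}
+  {% else %}
+  ,{tcp_listeners, [] }
+  ,{ssl_listeners, [
+   {"0.0.0.0", {{ rabbitmq.port.cont }} }
+  ]}
+  {% endif %}
   ,{default_user, <<"{{ rabbitmq.user }}">>}
   ,{default_pass, <<"{{ rabbitmq.password }}">>}
   ,{loopback_users, []}
   ,{cluster_partition_handling, pause_minority}
   ,{queue_master_locator, <<"random">>}
+  {% if security.tls.enabled %}
+  ,{ssl_options, [{cacertfile,"/opt/ccp/etc/tls/ca.pem"},
+                  {certfile,"/opt/ccp/etc/tls/rabbitmq_certificate.pem"},
+                  {keyfile,"/opt/ccp/etc/tls/rabbitmq_server_key.pem"},
+                  {verify,verify_peer},
+                  {fail_if_no_peer_cert,false}]}
+  {% endif %}
  ]}
  ,{autocluster, [
   {dummy_param_without_comma, true}
@@ -18,8 +32,12 @@
   ,{cluster_cleanup, true}
   ,{cleanup_warn_only, false}
   ,{etcd_ttl, 15}
+  {% if not security.tls.enabled %}
   ,{etcd_scheme, http}
-  ,{etcd_host, "etcd"}
+  {% else %}
+  ,{etcd_scheme, https}
+  {% endif %}
+  ,{etcd_host, "{{ address('etcd') }}"}
   ,{etcd_port, {{ etcd.client_port.cont }}}
  ]}
 ].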
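Review bot: `{fail_if_no_peer_cert,false}` combined with `{verify,verify_peer}` in the added ssl_options means a client certificate is validated only if the client chooses to send one; a client that presents none is still admitted and relies solely on the default_user/default_pass credentials configured a few lines above, so this is server-authenticated TLS, not mutual TLS. If that is the intended posture, a comment such as `%% client certificates are optional; clients without one must still pass username/password auth` would stop the next reader from assuming mutual authentication, and if mutual TLS is intended the line should read `{fail_if_no_peer_cert,true}`. In the second hunk, etcd_scheme becomes https but no CA or verification option accompanies it, so whether the etcd server certificate is checked against ca.pem depends on the autocluster plugin's defaults and is worth confirming and documenting next to the etcd_scheme branch; the autocluster list that hunk edits opens at the end of the first hunk and is otherwise outside the shown lines.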
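--- /dev/null
+++ b/service/files/rabbitmq_combined.pem.j2
@@ -0,0 +1,2 @@
+{{ security.tls.server_key }}
+{{ security.tls.server_cert }}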
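--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}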
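--- /dev/null
+++ b/service/files/server.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}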
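--- a/service/rabbitmq.yaml
+++ b/service/rabbitmq.yaml
@@ -32,6 +32,12 @@ service:
           - rabbitmq-readiness
           - rabbitmq-liveness
           - rabbitmq-check-helpers
+          # {% if security.tls.enabled %}
+          - server_certificate
+          - server_key
+          - ca_certificate
+          - combined
+          # {% endif %}
       post:
         - name: create-startup-marker
           command: "date +%s > /tmp/rabbit-startup-marker"
@@ -61,3 +67,21 @@ files:
     path: /opt/ccp/bin/rabbitmq-check-helpers.sh
     content: rabbitmq-check-helpers.sh.j2
     perm: "644"
+# {% if security.tls.enabled %}
+  server_certificate:
+    path: /opt/ccp/etc/tls/rabbitmq_certificate.pem
+    content: server.pem.j2
+    perm: "0644"
+  server_key:
+    path: /opt/ccp/etc/tls/rabbitmq_server_key.pem
+    content: server-key.pem.j2
+    perm: "0644"
+  ca_certificate:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca.pem.j2
+    perm: "0644"
+  combined:
+    path: /opt/ccp/etc/tls/rabbitmq.pem
+    content: rabbitmq_combined.pem.j2
+    perm: "0644"
+# {% endif %}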
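Review bot: The `server_key` and `combined` entries in the second hunk install the private key with `perm: "0644"`, which makes /opt/ccp/etc/tls/rabbitmq_server_key.pem and /opt/ccp/etc/tls/rabbitmq.pem (the combined template starts with security.tls.server_key) readable by every user in the container. Keep the certificate and CA entries at 0644 but tighten the two key-bearing entries to `perm: "0600"`, or "0640" if the broker runs as a non-root user that needs group read. The existing entry uses `perm: "644"` while the new ones use `"0644"`; settling on one form keeps the files block consistent.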