Initial support of TLS in RabbitMQ
The security.tls.enabled switch enables or disables secured communications between RabbitMQ, etcd and the rest of the world. Change-Id: If9d376a7808e44a4845c78d3d6e4267bfb80848b Depends-On: I574d64082e77f49024f49aa7b30c4f2f6cc044ac Depends-On: I3f05ce795beade0af12eb3426df759a1af8806af Depends-On: Ib4b3ea4da7c1f641b9ab0223226348de5eac94df
This commit is contained in:
parent
7e0ea13b6c
commit
3c31c9b488
|
@ -0,0 +1 @@
|
|||
{{ security.tls.ca_cert }}
|
|
@ -1,3 +1,8 @@
|
|||
NODENAME=rabbit@{{ network_topology["private"]["address"] }}
|
||||
USE_LONGNAME=true
|
||||
LOG_BASE=/var/log/ccp/rabbitmq
|
||||
{% if security.tls.enabled %}
|
||||
ERL_SSL_PATH=`erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell`
|
||||
SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile /opt/ccp/etc/tls/rabbitmq.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true server_cacertfile /opt/ccp/etc/tls/ca.pem"
|
||||
CTL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS"
|
||||
{% endif %}
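Review bot: The `-ssl_dist_opt` options on the SERVER_ADDITIONAL_ERL_ARGS line configure only the server side (server_certfile, server_cacertfile) and never ask the peer for a certificate, so inter-node distribution traffic is encrypted but a node that connects is not authenticated by the CA, and this node presents no certificate when it dials out. Adding `server_verify verify_peer server_fail_if_no_peer_cert true client_certfile /opt/ccp/etc/tls/rabbitmq.pem client_cacertfile /opt/ccp/etc/tls/ca.pem client_verify verify_peer` to the same line would make cluster membership depend on ca.pem rather than on the Erlang cookie alone. The line also points the distribution at /opt/ccp/etc/tls/rabbitmq.pem, which is the combined key+certificate file, so its file mode in the service definition has to keep it readable only by the broker's user. A short comment above the `{% if %}` stating whether mutual authentication is intended would help the next reader.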
|
||||
|
|
|
@ -1,14 +1,28 @@
|
|||
[
|
||||
{rabbit, [
|
||||
{dummy_param_without_comma, true}
|
||||
{% if not security.tls.enabled %}
|
||||
,{tcp_listeners, [
|
||||
{"0.0.0.0", {{ rabbitmq.port.cont }} }
|
||||
]}
|
||||
{% else %}
|
||||
,{tcp_listeners, [] }
|
||||
,{ssl_listeners, [
|
||||
{"0.0.0.0", {{ rabbitmq.port.cont }} }
|
||||
]}
|
||||
{% endif %}
|
||||
,{default_user, <<"{{ rabbitmq.user }}">>}
|
||||
,{default_pass, <<"{{ rabbitmq.password }}">>}
|
||||
,{loopback_users, []}
|
||||
,{cluster_partition_handling, pause_minority}
|
||||
,{queue_master_locator, <<"random">>}
|
||||
{% if security.tls.enabled %}
|
||||
,{ssl_options, [{cacertfile,"/opt/ccp/etc/tls/ca.pem"},
|
||||
{certfile,"/opt/ccp/etc/tls/rabbitmq_certificate.pem"},
|
||||
{keyfile,"/opt/ccp/etc/tls/rabbitmq_server_key.pem"},
|
||||
{verify,verify_peer},
|
||||
{fail_if_no_peer_cert,false}]}
|
||||
{% endif %}
|
||||
]}
|
||||
,{autocluster, [
|
||||
{dummy_param_without_comma, true}
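Review bot: The new ssl_options list combines `{verify,verify_peer}` with `{fail_if_no_peer_cert,false}`, so an AMQP client that presents no certificate is still accepted and is authenticated only by the default_user/default_pass credentials rendered a few lines above; if security.tls.enabled is meant to give client authentication, the line should be `{fail_if_no_peer_cert,true}`, and if it is meant as transport encryption only, a comment such as `%% client certificates are validated when offered but not required` would stop readers from assuming mutual TLS. The list also does not pin protocol versions, so the listener accepts whatever the installed Erlang ssl application enables by default; adding `{versions, ['tlsv1.2']}` (adjusted to what the deployed OTP supports) is worth considering. The cacertfile/certfile/keyfile paths match the files created in the service definition later in this commit, which is good; the enclosing `rabbit` application list continues past the end of the hunk.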
|
||||
|
@ -18,8 +32,12 @@
|
|||
,{cluster_cleanup, true}
|
||||
,{cleanup_warn_only, false}
|
||||
,{etcd_ttl, 15}
|
||||
{% if not security.tls.enabled %}
|
||||
,{etcd_scheme, http}
|
||||
,{etcd_host, "etcd"}
|
||||
{% else %}
|
||||
,{etcd_scheme, https}
|
||||
{% endif %}
|
||||
,{etcd_host, "{{ address('etcd') }}"}
|
||||
,{etcd_port, {{ etcd.client_port.cont }}}
|
||||
]}
|
||||
].
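Review bot: In the `{% if not security.tls.enabled %}` branch etcd_host is set to `"etcd"` and then set again unconditionally to `"{{ address('etcd') }}"` after the `{% endif %}`, so the rendered non-TLS config carries two etcd_host entries; which one the autocluster plugin uses depends on how it reads the proplist, and the first entry looks like a leftover from before the unconditional line was added. Removing `,{etcd_host, "etcd"}` from the branch leaves a single value on both paths. On the https path the hunk only switches etcd_scheme: nothing here tells the plugin which CA to trust for etcd or whether to verify its certificate, so whether that connection is actually authenticated depends on the plugin's defaults and should be confirmed and recorded in a comment rather than assumed. The enclosing list starts before the hunk.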
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
{{ security.tls.server_key }}
|
||||
{{ security.tls.server_cert }}
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.server_key }}
|
|
@ -0,0 +1 @@
|
|||
{{ security.tls.server_cert }}
|
|
@ -32,6 +32,12 @@ service:
|
|||
- rabbitmq-readiness
|
||||
- rabbitmq-liveness
|
||||
- rabbitmq-check-helpers
|
||||
# {% if security.tls.enabled %}
|
||||
- server_certificate
|
||||
- server_key
|
||||
- ca_certificate
|
||||
- combined
|
||||
# {% endif %}
|
||||
post:
|
||||
- name: create-startup-marker
|
||||
command: "date +%s > /tmp/rabbit-startup-marker"
|
||||
|
@ -61,3 +67,21 @@ files:
|
|||
path: /opt/ccp/bin/rabbitmq-check-helpers.sh
|
||||
content: rabbitmq-check-helpers.sh.j2
|
||||
perm: "644"
|
||||
# {% if security.tls.enabled %}
|
||||
server_certificate:
|
||||
path: /opt/ccp/etc/tls/rabbitmq_certificate.pem
|
||||
content: server.pem.j2
|
||||
perm: "0644"
|
||||
server_key:
|
||||
path: /opt/ccp/etc/tls/rabbitmq_server_key.pem
|
||||
content: server-key.pem.j2
|
||||
perm: "0644"
|
||||
ca_certificate:
|
||||
path: /opt/ccp/etc/tls/ca.pem
|
||||
content: ca.pem.j2
|
||||
perm: "0644"
|
||||
combined:
|
||||
path: /opt/ccp/etc/tls/rabbitmq.pem
|
||||
content: rabbitmq_combined.pem.j2
|
||||
perm: "0644"
|
||||
# {% endif %}
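Review bot: `server_key` and `combined` are written with `perm: "0644"`, but both files contain the private key (combined is rendered from rabbitmq_combined.pem.j2, which begins with security.tls.server_key), so every local user in the container can read it; the two entries should use `perm: "0600"`, with 0644 kept for server_certificate and ca_certificate, which are public material. If the broker runs as a non-root user that is not the file owner, the owner would need to be set accordingly, which the `files` schema shown here does not express, so that may need a follow-up. The new entries otherwise follow the existing path/content/perm layout and quoting of the files block.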
|
||||
|
|