Initial support of TLS in RabbitMQ

Depending on the security.tls.enabled switch, this disables or enables secured
communication between RabbitMQ, etcd and the rest of the world.

Change-Id: If9d376a7808e44a4845c78d3d6e4267bfb80848b
Depends-On: I574d64082e77f49024f49aa7b30c4f2f6cc044ac
Depends-On: I3f05ce795beade0af12eb3426df759a1af8806af
Depends-On: Ib4b3ea4da7c1f641b9ab0223226348de5eac94df
Aleksandr Mogylchenko 2017-01-25 17:10:48 +01:00
parent 7e0ea13b6c
commit 3c31c9b488
7 changed files with 53 additions and 1 deletions

service/files/ca.pem.j2 Normal file

@ -0,0 +1 @@
{{ security.tls.ca_cert }}


@ -1,3 +1,8 @@
NODENAME=rabbit@{{ network_topology["private"]["address"] }}
USE_LONGNAME=true
LOG_BASE=/var/log/ccp/rabbitmq
{% if security.tls.enabled %}
ERL_SSL_PATH=`erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell`
SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile /opt/ccp/etc/tls/rabbitmq.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true server_cacertfile /opt/ccp/etc/tls/ca.pem"
CTL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS"
{% endif %}
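Review bot: On the SERVER_ADDITIONAL_ERL_ARGS line, `server_cacertfile` is supplied but no `server_verify` option, so the Erlang distribution default (verify_none, as far as I recall) applies and ca.pem is never consulted for a connecting node; inter-node authentication then rests on the Erlang cookie alone, with TLS providing confidentiality only. The client side of distribution connections also gets no `client_certfile`/`client_cacertfile`, so a node that opens a connection presents no certificate and cannot verify the peer it reaches. If mutual authentication between cluster nodes is the intent, append `server_verify verify_peer server_fail_if_no_peer_cert true client_certfile /opt/ccp/etc/tls/rabbitmq.pem client_cacertfile /opt/ccp/etc/tls/ca.pem client_verify verify_peer` to the -ssl_dist_opt list; otherwise a comment such as `# ca.pem is not used for verification yet; node auth relies on the cookie` would keep the next reader from assuming verification happens.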


@ -1,14 +1,28 @@
[
{rabbit, [
{dummy_param_without_comma, true}
{% if not security.tls.enabled %}
,{tcp_listeners, [
{"0.0.0.0", {{ rabbitmq.port.cont }} }
]}
{% else %}
,{tcp_listeners, [] }
,{ssl_listeners, [
{"0.0.0.0", {{ rabbitmq.port.cont }} }
]}
{% endif %}
,{default_user, <<"{{ rabbitmq.user }}">>}
,{default_pass, <<"{{ rabbitmq.password }}">>}
,{loopback_users, []}
,{cluster_partition_handling, pause_minority}
,{queue_master_locator, <<"random">>}
{% if security.tls.enabled %}
,{ssl_options, [{cacertfile,"/opt/ccp/etc/tls/ca.pem"},
{certfile,"/opt/ccp/etc/tls/rabbitmq_certificate.pem"},
{keyfile,"/opt/ccp/etc/tls/rabbitmq_server_key.pem"},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
{% endif %}
]}
,{autocluster, [
{dummy_param_without_comma, true}
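Review bot: In the ssl_options block, `{verify,verify_peer}` is paired with `{fail_if_no_peer_cert,false}`, so a client that presents no certificate is still accepted and only clients that do present one are checked against ca.pem; the listener therefore does not enforce client authentication, and the default_user/default_pass login remains the effective access control. If an optional certificate is the intent, a comment stating that would stop readers from assuming mutual TLS; if a certificate is meant to be required, change it to `{fail_if_no_peer_cert,true}`. No `versions` or `ciphers` entries are set either, so the Erlang ssl defaults apply, which may be acceptable but is worth stating explicitly. The second hunk of this file switches etcd_scheme to https, but nothing in the change shows how autocluster trusts the etcd certificate, so whether ca.pem is used there is not visible from this diff.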
@ -18,8 +32,12 @@
,{cluster_cleanup, true}
,{cleanup_warn_only, false}
,{etcd_ttl, 15}
{% if not security.tls.enabled %}
,{etcd_scheme, http}
,{etcd_host, "etcd"}
{% else %}
,{etcd_scheme, https}
{% endif %}
,{etcd_host, "{{ address('etcd') }}"}
,{etcd_port, {{ etcd.client_port.cont }}}
]}
].


@ -0,0 +1,2 @@
{{ security.tls.server_key }}
{{ security.tls.server_cert }}


@ -0,0 +1 @@
{{ security.tls.server_key }}


@ -0,0 +1 @@
{{ security.tls.server_cert }}


@ -32,6 +32,12 @@ service:
- rabbitmq-readiness
- rabbitmq-liveness
- rabbitmq-check-helpers
# {% if security.tls.enabled %}
- server_certificate
- server_key
- ca_certificate
- combined
# {% endif %}
post:
- name: create-startup-marker
command: "date +%s > /tmp/rabbit-startup-marker"
@ -61,3 +67,21 @@ files:
path: /opt/ccp/bin/rabbitmq-check-helpers.sh
content: rabbitmq-check-helpers.sh.j2
perm: "644"
# {% if security.tls.enabled %}
server_certificate:
path: /opt/ccp/etc/tls/rabbitmq_certificate.pem
content: server.pem.j2
perm: "0644"
server_key:
path: /opt/ccp/etc/tls/rabbitmq_server_key.pem
content: server-key.pem.j2
perm: "0644"
ca_certificate:
path: /opt/ccp/etc/tls/ca.pem
content: ca.pem.j2
perm: "0644"
combined:
path: /opt/ccp/etc/tls/rabbitmq.pem
content: rabbitmq_combined.pem.j2
perm: "0644"
# {% endif %}
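Review bot: server_key and combined are installed with `perm: "0644"`, which makes the private key (rabbitmq_server_key.pem and the key+cert bundle rabbitmq.pem) readable by every user in the container. Private key files should be `perm: "0600"` (or 0640 if a group needs access), with server_certificate and ca_certificate staying 0644; the owner must be the user the broker runs as, which is not visible in this hunk. The bundle is also referenced as `server_certfile` in rabbitmq-env.conf, so the tightened mode must still leave it readable by that process.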