add kombu_ssl parameters to notify::rabbitmq

This adds the following parameters:
  * kombu_ssl_ca_certs
  * kombu_ssl_certfile
  * kombu_ssl_keyfile
  * kombu_ssl_version
these are necessary to establish a secure ssl
connection to rabbitmq.

Change-Id: Ia9ea7cf44664f71a4fb5cc76e3474aa54a9bb30d

manifests/notify/rabbitmq.pp

@@ -1,6 +1,40 @@
 #
 # used to configure rabbitmq notifications for glance
 #
+#  [*rabbit_password*]
+#    password to connect to the rabbit_server.
+#  [*rabbit_userid*]
+#    user to connect to the rabbit server. Optional. Defaults to 'guest'
+#  [*rabbit_host*]
+#    ip or hostname of the rabbit server. Optional. Defaults to 'localhost'
+#  [*rabbit_port*]
+#    port of the rabbit server. Optional. Defaults to 5672.
+#  [*rabbit_virtual_host*]
+#    virtual_host to use. Optional. Defaults to '/'
+#  [*rabbit_use_ssl*]
+#    (optional) Connect over SSL for RabbitMQ
+#    Defaults to false
+#  [*kombu_ssl_ca_certs*]
+#    (optional) SSL certification authority file (valid only if SSL enabled).
+#    Defaults to undef
+#  [*kombu_ssl_certfile*]
+#    (optional) SSL cert file (valid only if SSL enabled).
+#    Defaults to undef
+#  [*kombu_ssl_keyfile*]
+#    (optional) SSL key file (valid only if SSL enabled).
+#    Defaults to undef
+#  [*kombu_ssl_version*]
+#    (optional) SSL version to use (valid only if SSL enabled).
+#    Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
+#    available on some distributions.
+#    Defaults to 'SSLv3'
+#  [*rabbit_notification_exchange*]
+#    Defaults  to 'glance'
+#  [*rabbit_notification_topic*]
+#    Defaults  to 'notifications'
+#  [*rabbit_durable_queues*]
+#    Defaults  to false
+#
 class glance::notify::rabbitmq(
   $rabbit_password,
   $rabbit_userid                = 'guest',
@@ -8,6 +42,10 @@ class glance::notify::rabbitmq(
   $rabbit_port                  = '5672',
   $rabbit_virtual_host          = '/',
   $rabbit_use_ssl               = false,
+  $kombu_ssl_ca_certs           = undef,
+  $kombu_ssl_certfile           = undef,
+  $kombu_ssl_keyfile            = undef,
+  $kombu_ssl_version            = 'SSLv3',
   $rabbit_notification_exchange = 'glance',
   $rabbit_notification_topic    = 'notifications',
   $rabbit_durable_queues        = false
@@ -25,4 +63,36 @@ class glance::notify::rabbitmq(
     'DEFAULT/rabbit_use_ssl':               value => $rabbit_use_ssl;
     'DEFAULT/rabbit_durable_queues':        value => $rabbit_durable_queues;
   }
+
+  if $rabbit_use_ssl {
+    glance_api_config { 'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version }
+
+    if $kombu_ssl_ca_certs {
+      glance_api_config { 'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs }
+    } else {
+      glance_api_config { 'DEFAULT/kombu_ssl_ca_certs': ensure => absent}
+    }
+
+    if $kombu_ssl_certfile {
+      glance_api_config { 'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile }
+    } else {
+      glance_api_config { 'DEFAULT/kombu_ssl_certfile': ensure => absent}
+    }
+
+    if $kombu_ssl_keyfile {
+      glance_api_config { 'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile }
+    } else {
+      glance_api_config { 'DEFAULT/kombu_ssl_keyfile': ensure => absent}
+    }
+  } else {
+    glance_api_config {
+      'DEFAULT/kombu_ssl_version':  ensure => absent;
+      'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
+      'DEFAULT/kombu_ssl_certfile': ensure => absent;
+      'DEFAULT/kombu_ssl_keyfile':  ensure => absent;
+    }
+    if ($kombu_ssl_keyfile or $kombu_ssl_certfile or $kombu_ssl_ca_certs) {
+      notice('Configuration of certificates with $rabbit_use_ssl == false is a useless config')
+    }
+  }
 }

spec/classes/glance_notify_rabbitmq_spec.rb

@@ -23,7 +23,7 @@ describe 'glance::notify::rabbitmq' do
   it { should contain_glance_api_config('DEFAULT/rabbit_notification_exchange').with_value('glance') }
   it { should contain_glance_api_config('DEFAULT/rabbit_notification_topic').with_value('notifications') }
 
-  describe 'when passing params' do
+  describe 'when passing params and use ssl' do
     let :params do
       {
         :rabbit_password        => 'pass',
@@ -37,7 +37,29 @@ describe 'glance::notify::rabbitmq' do
       it { should contain_glance_api_config('DEFAULT/rabbit_host').with_value('localhost2') }
       it { should contain_glance_api_config('DEFAULT/rabbit_port').with_value('5673') }
       it { should contain_glance_api_config('DEFAULT/rabbit_use_ssl').with_value('true') }
+      it { should contain_glance_api_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent') }
+      it { should contain_glance_api_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent') }
+      it { should contain_glance_api_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent') }
+      it { should contain_glance_api_config('DEFAULT/kombu_ssl_version').with_value('SSLv3') }
       it { should contain_glance_api_config('DEFAULT/rabbit_durable_queues').with_value('true') }
     end
   end
+
+  describe 'with rabbit ssl cert parameters' do
+    let :params do
+      {
+        :rabbit_password        => 'pass',
+        :rabbit_use_ssl     => 'true',
+        :kombu_ssl_ca_certs => '/etc/ca.cert',
+        :kombu_ssl_certfile => '/etc/certfile',
+        :kombu_ssl_keyfile  => '/etc/key',
+        :kombu_ssl_version  => 'TLSv1',
+      }
+    end
+    it { should contain_glance_api_config('DEFAULT/rabbit_use_ssl').with_value(true) }
+    it { should contain_glance_api_config('DEFAULT/kombu_ssl_ca_certs').with_value('/etc/ca.cert') }
+    it { should contain_glance_api_config('DEFAULT/kombu_ssl_certfile').with_value('/etc/certfile') }
+    it { should contain_glance_api_config('DEFAULT/kombu_ssl_keyfile').with_value('/etc/key') }
+    it { should contain_glance_api_config('DEFAULT/kombu_ssl_version').with_value('TLSv1') }
+  end
 end