Enable SSL options for swift-proxy's ceilometermiddleware notifications

This enables the basic SSL options (enabling SSL and setting the certificates) for the notifications emitted by the ceilometermiddleware that's in front of swift-proxy. This was enabled for the rabbitmq and the amqp drivers. Change-Id: If23d1f0d20264faaddc2e5ad54863483fa43ed41
2017-02-23 14:28:42 +02:00 · 2017-02-23 14:28:42 +02:00 · be6122e936
parent e292416990
commit be6122e936
3 changed files with 159 additions and 68 deletions
--- a/manifests/proxy/ceilometer.pp
+++ b/manifests/proxy/ceilometer.pp
@ -39,6 +39,33 @@
 #   Whether to send events to messaging driver in a background thread
 #   Defaults to false
 #
+# [*notification_ssl_ca_file*]
+#   (optional) SSL certification authority file (valid only if SSL enabled).
+#   (string value)
+#   Defaults to $::os_service_default
+#
+# [*notification_ssl_cert_file*]
+#   (optional) SSL cert file. (string value)
+#   Defaults to $::os_service_default
+#
+# [*notification_ssl_key_file*]
+#   (optional) SSL key file. (string value)
+#   Defaults to $::os_service_default
+#
+# [*amqp_ssl_key_password*]
+#   (Optional) Password for decrypting ssl_key_file (if encrypted)
+#   Defaults to $::os_service_default.
+#
+# [*rabbit_use_ssl*]
+#   (optional) Boolean. Connect over SSL for RabbitMQ. (boolean value)
+#   Defaults to $::os_service_default
+#
+# [*kombu_ssl_version*]
+#   (optional) SSL version to use (valid only if SSL enabled).
+#   Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
+#   available on some distributions. (string value)
+#   Defaults to $::os_service_default
+#
 # === DEPRECATED PARAMETERS
 #
 # [*rabbit_host*]
@ -77,20 +104,26 @@
 # Copyright 2013 eNovance licensing@enovance.com
 #
 class swift::proxy::ceilometer(
-  $default_transport_url = undef,
-  $driver                = undef,
-  $topic                 = undef,
-  $control_exchange      = undef,
-  $ensure                = 'present',
-  $group                 = 'ceilometer',
-  $nonblocking_notify    = false,
+  $default_transport_url      = undef,
+  $driver                     = $::os_service_default,
+  $topic                      = undef,
+  $control_exchange           = undef,
+  $ensure                     = 'present',
+  $group                      = 'ceilometer',
+  $nonblocking_notify         = false,
+  $notification_ssl_ca_file   = $::os_service_default,
+  $notification_ssl_cert_file = $::os_service_default,
+  $notification_ssl_key_file  = $::os_service_default,
+  $amqp_ssl_key_password      = $::os_service_default,
+  $rabbit_use_ssl             = $::os_service_default,
+  $kombu_ssl_version          = $::os_service_default,
  # DEPRECATED PARAMETERS
-  $rabbit_user           = 'guest',
-  $rabbit_password       = 'guest',
-  $rabbit_host           = '127.0.0.1',
-  $rabbit_port           = '5672',
-  $rabbit_hosts          = undef,
-  $rabbit_virtual_host   = '/',
+  $rabbit_user                = 'guest',
+  $rabbit_password            = 'guest',
+  $rabbit_host                = '127.0.0.1',
+  $rabbit_port                = '5672',
+  $rabbit_hosts               = undef,
+  $rabbit_virtual_host        = '/',
 ) inherits swift {

  include ::swift::deps
@ -141,6 +174,23 @@ deprecated. Please use swift::proxy::ceilometer::default_transport_url instead."
    'filter:ceilometer/nonblocking_notify':   value => $nonblocking_notify;
  }

+  if $amqp_url =~ /^rabbit.*/ {
+    oslo::messaging::rabbit {'swift_proxy_config':
+      kombu_ssl_ca_certs => $notification_ssl_ca_file,
+      kombu_ssl_certfile => $notification_ssl_cert_file,
+      kombu_ssl_keyfile  => $notification_ssl_key_file,
+      kombu_ssl_version  => $kombu_ssl_version,
+      rabbit_use_ssl     => $rabbit_use_ssl,
+    }
+  } elsif $amqp_url =~ /^amqp.*/ {
+    oslo::messaging::amqp {'swift_proxy_config':
+      ssl_ca_file      => $notification_ssl_ca_file,
+      ssl_cert_file    => $notification_ssl_cert_file,
+      ssl_key_file     => $notification_ssl_key_file,
+      ssl_key_password => $amqp_ssl_key_password,
+    }
+  }
+
  package { 'python-ceilometermiddleware':
    ensure => $ensure,
    tag    => ['openstack', 'swift-support-package'],
--- a/releasenotes/notes/Enable-SSL-options-for-ceilometermiddleware-notifications-bbd3b7cbb9ba0910.yaml
+++ b/releasenotes/notes/Enable-SSL-options-for-ceilometermiddleware-notifications-bbd3b7cbb9ba0910.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - It is possible to set the basic SSL options for the ceilometermiddleware's
+    notifications on swift-proxy.
--- a/spec/classes/swift_proxy_ceilometer_spec.rb
+++ b/spec/classes/swift_proxy_ceilometer_spec.rb
@ -2,71 +2,108 @@ require 'spec_helper'

 describe 'swift::proxy::ceilometer' do

-  let :facts do
-    OSDefaults.get_facts({ :osfamily => 'Debian' })
-  end
-
  let :pre_condition do
     'class { "swift":
        swift_hash_path_suffix => "dummy"
     }'
  end

-  describe "when using default parameters" do
-    it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
-    it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://guest:guest@127.0.0.1:5672//') }
-    it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') }
-    it { is_expected.to contain_user('swift').with_groups('ceilometer') }
-    it { is_expected.to contain_file('/var/log/ceilometer/swift-proxy-server.log').with(:owner => 'swift', :group => 'swift', :mode => '0664') }
+  shared_examples 'swift-proxy-ceilometer' do
+
+    describe "when using default parameters" do
+      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
+      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://guest:guest@127.0.0.1:5672//') }
+      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') }
+      it { is_expected.to contain_user('swift').with_groups('ceilometer') }
+      it { is_expected.to contain_file('/var/log/ceilometer/swift-proxy-server.log').with(:owner => 'swift', :group => 'swift', :mode => '0664') }
+    end
+
+    describe "when overriding default parameters with rabbit driver" do
+      let :params do
+        { :group               => 'www-data',
+          :rabbit_user         => 'user_1',
+          :rabbit_password     => 'user_1_passw',
+          :rabbit_host         => '1.1.1.1',
+          :rabbit_port         => '5673',
+          :rabbit_virtual_host => 'rabbit',
+          :driver              => 'messagingv2',
+          :topic               => 'notifications',
+          :control_exchange    => 'swift',
+          :nonblocking_notify  => true,
+        }
+      end
+
+      context 'with single rabbit host' do
+        it { is_expected.to contain_user('swift').with_groups('www-data') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/driver').with_value('messagingv2') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/topic').with_value('notifications') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/control_exchange').with_value('swift') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('true') }
+      end
+
+      context 'with multiple rabbit hosts' do
+        before do
+          params.merge!({ :rabbit_hosts => ['127.0.0.1:5672', '127.0.0.2:5672'] })
+        end
+
+        it { is_expected.to contain_user('swift').with_groups('www-data') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@127.0.0.1:5672,user_1:user_1_passw@127.0.0.2:5672/rabbit') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/driver').with_value('messagingv2') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/topic').with_value('notifications') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/control_exchange').with_value('swift') }
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('true') }
+      end
+
+      context 'with default transport url' do
+        before do
+          params.merge!({ :default_transport_url => 'rabbit://user:pass@host:1234/virt' })
+        end
+
+        it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user:pass@host:1234/virt').with_secret(true) }
+      end
+
+      context 'with default SSL values' do
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/rabbit_use_ssl').with_value('<SERVICE DEFAULT>') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_ca_certs').with_value('<SERVICE DEFAULT>') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_certfile').with_value('<SERVICE DEFAULT>') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_keyfile').with_value('<SERVICE DEFAULT>') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_version').with_value('<SERVICE DEFAULT>') }
+      end
+
+      context 'with overriden rabbit ssl params' do
+        before do
+          params.merge!(
+            {
+              :notification_ssl_ca_file   => '/etc/ca.cert',
+              :notification_ssl_cert_file => '/etc/certfile',
+              :notification_ssl_key_file  => '/etc/key',
+              :rabbit_use_ssl             => true,
+              :kombu_ssl_version          => 'TLSv1',
+            })
+        end
+
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_ca_certs').with_value('/etc/ca.cert') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_certfile').with_value('/etc/certfile') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_keyfile').with_value('/etc/key') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/rabbit_use_ssl').with_value('true') }
+        it { is_expected.to contain_swift_proxy_config('oslo_messaging_rabbit/kombu_ssl_version').with_value('TLSv1') }
+      end
+
+    end
  end

-  describe "when overriding default parameters" do
-    let :params do
-      { :group               => 'www-data',
-        :rabbit_user         => 'user_1',
-        :rabbit_password     => 'user_1_passw',
-        :rabbit_host         => '1.1.1.1',
-        :rabbit_port         => '5673',
-        :rabbit_virtual_host => 'rabbit',
-        :driver              => 'messagingv2',
-        :topic               => 'notifications',
-        :control_exchange    => 'swift',
-        :nonblocking_notify  => true,
-      }
-    end
-
-    context 'with single rabbit host' do
-      it { is_expected.to contain_user('swift').with_groups('www-data') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/driver').with_value('messagingv2') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/topic').with_value('notifications') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/control_exchange').with_value('swift') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('true') }
-    end
-
-    context 'with multiple rabbit hosts' do
-      before do
-        params.merge!({ :rabbit_hosts => ['127.0.0.1:5672', '127.0.0.2:5672'] })
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
      end
-
-      it { is_expected.to contain_user('swift').with_groups('www-data') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@127.0.0.1:5672,user_1:user_1_passw@127.0.0.2:5672/rabbit') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/driver').with_value('messagingv2') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/topic').with_value('notifications') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/control_exchange').with_value('swift') }
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('true') }
+      it_behaves_like 'swift-proxy-ceilometer'
    end
-
-    context 'with default transport url' do
-      before do
-        params.merge!({ :default_transport_url => 'rabbit://user:pass@host:1234/virt' })
-      end
-
-      it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user:pass@host:1234/virt').with_secret(true) }
-    end
-
  end

 end