Enable TLS configuration for containerized RabbitMQ

In non-containerized deployments, RabbitMQ can be configured to use TLS for
serving and mirroring traffic.

Fix the creation of the rabbitmq bundle resource so that TLS is enabled when
configured. The key and cert are passed in the same way as the other
configuration files and must be copied into place by Kolla at container startup.

Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9
Partial-Bug: #1709558
Damien Ciabrini 2017-08-07 20:32:51 +00:00
parent 4600841dbc
commit 86a3261b4d
1 changed files with 76 additions and 52 deletions


@ -44,6 +44,10 @@
# (Optional) The list of rabbitmq nodes names
# Defaults to hiera('rabbitmq_node_names')
#
# [*enable_internal_tls*]
# (Optional) Whether TLS in the internal network is enabled or not.
# Defaults to hiera('enable_internal_tls', false)
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@ -60,6 +64,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
$erlang_cookie = hiera('rabbitmq::erlang_cookie'),
$user_ha_queues = hiera('rabbitmq::nr_ha_queues', 0),
$rabbit_nodes = hiera('rabbitmq_node_names'),
$enable_internal_tls = hiera('enable_internal_tls', false),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
) {
@ -102,6 +107,76 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
}
}
$storage_maps = {
'rabbitmq-cfg-files' => {
'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json',
'target-dir' => '/var/lib/kolla/config_files/config.json',
'options' => 'ro',
},
'rabbitmq-cfg-data' => {
'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/',
'target-dir' => '/var/lib/kolla/config_files/src',
'options' => 'ro',
},
'rabbitmq-hosts' => {
'source-dir' => '/etc/hosts',
'target-dir' => '/etc/hosts',
'options' => 'ro',
},
'rabbitmq-localtime' => {
'source-dir' => '/etc/localtime',
'target-dir' => '/etc/localtime',
'options' => 'ro',
},
'rabbitmq-lib' => {
'source-dir' => '/var/lib/rabbitmq',
'target-dir' => '/var/lib/rabbitmq',
'options' => 'rw',
},
'rabbitmq-pki-extracted' => {
'source-dir' => '/etc/pki/ca-trust/extracted',
'target-dir' => '/etc/pki/ca-trust/extracted',
'options' => 'ro',
},
'rabbitmq-pki-ca-bundle-crt' => {
'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
'options' => 'ro',
},
'rabbitmq-pki-ca-bundle-trust-crt' => {
'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
'options' => 'ro',
},
'rabbitmq-pki-cert' => {
'source-dir' => '/etc/pki/tls/cert.pem',
'target-dir' => '/etc/pki/tls/cert.pem',
'options' => 'ro',
},
'rabbitmq-dev-log' => {
'source-dir' => '/dev/log',
'target-dir' => '/dev/log',
'options' => 'rw',
},
}
if $enable_internal_tls {
$storage_maps_tls = {
'rabbitmq-pki-cert' => {
'source-dir' => '/etc/pki/tls/certs/rabbitmq.crt',
'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt',
'options' => 'ro',
},
'rabbitmq-pki-key' => {
'source-dir' => '/etc/pki/tls/private/rabbitmq.key',
'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key',
'options' => 'ro',
},
}
} else {
$storage_maps_tls = {}
}
pacemaker::resource::bundle { 'rabbitmq-bundle':
image => $rabbitmq_docker_image,
replicas => $rabbitmq_nodes_count,
@ -114,58 +189,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
run_command => '/bin/bash /usr/local/bin/kolla_start',
network => "control-port=${rabbitmq_docker_control_port}",
storage_maps => {
'rabbitmq-cfg-files' => {
'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json',
'target-dir' => '/var/lib/kolla/config_files/config.json',
'options' => 'ro',
},
'rabbitmq-cfg-data' => {
'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/',
'target-dir' => '/var/lib/kolla/config_files/src',
'options' => 'ro',
},
'rabbitmq-hosts' => {
'source-dir' => '/etc/hosts',
'target-dir' => '/etc/hosts',
'options' => 'ro',
},
'rabbitmq-localtime' => {
'source-dir' => '/etc/localtime',
'target-dir' => '/etc/localtime',
'options' => 'ro',
},
'rabbitmq-lib' => {
'source-dir' => '/var/lib/rabbitmq',
'target-dir' => '/var/lib/rabbitmq',
'options' => 'rw',
},
'rabbitmq-pki-extracted' => {
'source-dir' => '/etc/pki/ca-trust/extracted',
'target-dir' => '/etc/pki/ca-trust/extracted',
'options' => 'ro',
},
'rabbitmq-pki-ca-bundle-crt' => {
'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
'options' => 'ro',
},
'rabbitmq-pki-ca-bundle-trust-crt' => {
'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
'options' => 'ro',
},
'rabbitmq-pki-cert' => {
'source-dir' => '/etc/pki/tls/cert.pem',
'target-dir' => '/etc/pki/tls/cert.pem',
'options' => 'ro',
},
'rabbitmq-dev-log' => {
'source-dir' => '/dev/log',
'target-dir' => '/dev/log',
'options' => 'rw',
},
},
storage_maps => merge($storage_maps, $storage_maps_tls),
}
# The default nr of ha queues is ceiling(N/2)
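Review bot: The new TLS hash reuses the storage-map id `'rabbitmq-pki-cert'` that the base hash already assigns to `/etc/pki/tls/cert.pem`, so `merge($storage_maps, $storage_maps_tls)` drops the cert.pem bind mount whenever `$enable_internal_tls` is true, since the right-hand hash wins on duplicate keys; give the new entry a distinct id, e.g. `'rabbitmq-pki-tls-cert' => {` for the `rabbitmq.crt` mapping. The private key is mounted read-only into a container started with `--user=root` and `KOLLA_CONFIG_STRATEGY=COPY_ALWAYS`, so the owner and mode of the copied `rabbitmq.key` are decided by the rabbitmq.json config file, which this commit does not touch; it is worth confirming that file gives the key a restrictive mode (0600, owned by the rabbitmq user) rather than relying on the copy's defaults. The `$storage_maps_tls = {}` fallback keeps the merge well-formed when TLS is disabled. The enclosing `tripleo::profile::pacemaker::rabbitmq_bundle` class starts before and continues after these hunks.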