diff --git a/service/files/ca.pem.j2 b/service/files/ca.pem.j2
new file mode 100644
index 0000000..d52069b
--- /dev/null
+++ b/service/files/ca.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}
diff --git a/service/files/rabbitmq-env.conf.j2 b/service/files/rabbitmq-env.conf.j2
index 916fce3..1779740 100644
--- a/service/files/rabbitmq-env.conf.j2
+++ b/service/files/rabbitmq-env.conf.j2
@@ -1,3 +1,8 @@
 NODENAME=rabbit@{{ network_topology["private"]["address"] }}
 USE_LONGNAME=true
 LOG_BASE=/var/log/ccp/rabbitmq
+{% if security.tls.enabled %}
+ERL_SSL_PATH=`erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell`
+SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile /opt/ccp/etc/tls/rabbitmq.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true server_cacertfile /opt/ccp/etc/tls/ca.pem"
+CTL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS"
+{% endif %}
diff --git a/service/files/rabbitmq.config.j2 b/service/files/rabbitmq.config.j2
index 108bf13..4c63ef3 100644
--- a/service/files/rabbitmq.config.j2
+++ b/service/files/rabbitmq.config.j2
@@ -1,14 +1,28 @@
 [
 {rabbit, [
 {dummy_param_without_comma, true}
+ {% if not security.tls.enabled %}
 ,{tcp_listeners, [
 {"0.0.0.0", {{ rabbitmq.port.cont }} }
 ]}
+ {% else %}
+ ,{tcp_listeners, [] }
+ ,{ssl_listeners, [
+ {"0.0.0.0", {{ rabbitmq.port.cont }} }
+ ]}
+ {% endif %}
 ,{default_user, <<"{{ rabbitmq.user }}">>}
 ,{default_pass, <<"{{ rabbitmq.password }}">>}
 ,{loopback_users, []}
 ,{cluster_partition_handling, pause_minority}
 ,{queue_master_locator, <<"random">>}
+ {% if security.tls.enabled %}
+ ,{ssl_options, [{cacertfile,"/opt/ccp/etc/tls/ca.pem"},
+ {certfile,"/opt/ccp/etc/tls/rabbitmq_certificate.pem"},
+ {keyfile,"/opt/ccp/etc/tls/rabbitmq_server_key.pem"},
+ {verify,verify_peer},
+ {fail_if_no_peer_cert,false}]}
+ {% endif %}
 ]}
 ,{autocluster, [
 {dummy_param_without_comma, true}
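Review bot: The `-ssl_dist_opt` list on the `SERVER_ADDITIONAL_ERL_ARGS` line sets `server_certfile` and `server_cacertfile` but no `server_verify` or `client_verify`, and as far as I recall the Erlang distribution defaults to `verify_none`, so the inter-node link is encrypted but neither side checks the peer's certificate against ca.pem and the cookie remains the only node authentication. If node-to-node authentication is the intent, extend the same line along the lines of `... server_cacertfile /opt/ccp/etc/tls/ca.pem server_verify verify_peer server_fail_if_no_peer_cert true client_certfile /opt/ccp/etc/tls/rabbitmq.pem client_cacertfile /opt/ccp/etc/tls/ca.pem client_verify verify_peer"` and confirm the option names against the SSL distribution guide of the Erlang release in the image. Note that `/opt/ccp/etc/tls/rabbitmq.pem` is the combined key+cert file rendered from rabbitmq_combined.pem.j2 in this same diff, so reusing these args in `CTL_ERL_ARGS` means rabbitmqctl must be able to read the private key; a one-line comment above `CTL_ERL_ARGS` stating that would help the next reader.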
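Review bot: In the rabbitmq.config.j2 hunk, `{verify,verify_peer}` paired with `{fail_if_no_peer_cert,false}` means a client that presents no certificate is accepted and only one presenting an untrusted certificate is rejected, so the ssl_listeners block does not enforce client-certificate authentication and the listener still relies on default_user/default_pass. That is a reasonable choice for clients without certificates, but it should be stated so it is not mistaken for mutual TLS, e.g. a comment above the ssl_options line: `%% client certificates are optional; peers without one fall back to password auth`. The ssl_options list also sets no `versions`, so the protocol versions offered are whatever the image's Erlang defaults to — consider pinning them if older TLS versions must be excluded.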
@@ -18,8 +32,12 @@
 ,{cluster_cleanup, true}
 ,{cleanup_warn_only, false}
 ,{etcd_ttl, 15}
+ {% if not security.tls.enabled %}
 ,{etcd_scheme, http}
- ,{etcd_host, "etcd"}
+ {% else %}
+ ,{etcd_scheme, https}
+ {% endif %}
+ ,{etcd_host, "{{ address('etcd') }}"}
 ,{etcd_port, {{ etcd.client_port.cont }}}
 ]}
 ].
diff --git a/service/files/rabbitmq_combined.pem.j2 b/service/files/rabbitmq_combined.pem.j2
new file mode 100644
index 0000000..a2ad4b1
--- /dev/null
+++ b/service/files/rabbitmq_combined.pem.j2
@@ -0,0 +1,2 @@
+{{ security.tls.server_key }}
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
diff --git a/service/files/server.pem.j2 b/service/files/server.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/rabbitmq.yaml b/service/rabbitmq.yaml
index 0bc6c1f..52c5117 100644
--- a/service/rabbitmq.yaml
+++ b/service/rabbitmq.yaml
@@ -32,6 +32,12 @@ service:
 - rabbitmq-readiness
 - rabbitmq-liveness
 - rabbitmq-check-helpers
+ # {% if security.tls.enabled %}
+ - server_certificate
+ - server_key
+ - ca_certificate
+ - combined
+ # {% endif %}
 post:
 - name: create-startup-marker
 command: "date +%s > /tmp/rabbit-startup-marker"
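Review bot: Switching `etcd_scheme` to `https` changes only the URL scheme; nothing in this hunk tells the autocluster etcd client which CA to trust or whether it verifies the etcd certificate at all, so the etcd connection may end up encrypted but unauthenticated unless the plugin's HTTP client is configured elsewhere. Please confirm against the autocluster version in use and, if it supports it, point it at /opt/ccp/etc/tls/ca.pem; if it does not, a comment next to `,{etcd_scheme, https}` such as `%% https here only encrypts; etcd's certificate is not verified by this config` would save the next reader the same investigation. The `etcd_host` line now resolves through `address('etcd')`, presumably so the host name matches the etcd certificate — if so, say that in a comment. The enclosing autocluster list starts before this hunk.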
@@ -61,3 +67,21 @@ files:
 path: /opt/ccp/bin/rabbitmq-check-helpers.sh
 content: rabbitmq-check-helpers.sh.j2
 perm: "644"
+# {% if security.tls.enabled %}
+ server_certificate:
+ path: /opt/ccp/etc/tls/rabbitmq_certificate.pem
+ content: server.pem.j2
+ perm: "0644"
+ server_key:
+ path: /opt/ccp/etc/tls/rabbitmq_server_key.pem
+ content: server-key.pem.j2
+ perm: "0644"
+ ca_certificate:
+ path: /opt/ccp/etc/tls/ca.pem
+ content: ca.pem.j2
+ perm: "0644"
+ combined:
+ path: /opt/ccp/etc/tls/rabbitmq.pem
+ content: rabbitmq_combined.pem.j2
+ perm: "0644"
+# {% endif %}
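Review bot: The `server_key` and `combined` entries both render `security.tls.server_key` (server-key.pem.j2 and rabbitmq_combined.pem.j2 in this diff), yet both are written with `perm: "0644"`, which leaves the private key readable by every user in the container. Tighten those two entries to `perm: "0600"` (or `"0640"` if the file is owned by a different user than the service and group access is needed — ownership is not visible here), keeping `0644` for the certificate and CA entries. The new entries also write `"0644"` while the existing entry above uses `"644"`; pick one form so the mode strings are consistent. The `files:` mapping starts before this hunk.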