diff options
| author |   Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-08-28 09:07:16 +0300 |
|---|---|---|
| committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-09-05 09:38:27 +0000 |
| commit | 4d09ff3881b51938a71d69c713848cc8ae2c3f1d (patch) | |
| tree | bc3c4e2c7f31ec7210948cdbb23466152eb434cd | |
| parent | 193d275b119a406e5bbe4f2593711b3ec7723afe (diff) | |
Enable TLS for rabbitmq's replication traffic
This follows the RabbitMQ docs [1] for enabling TLS for the replication
traffic. It reuses the certificate that rabbitmq already has.
Unfortunately, pacemaker uses the shortname for the rabbitmq nodes, so
we are not able to do proper verification of the certificates, since we
can't allocate a certificate for shortnames. So, until pacemaker can
track the rabbit nodes through their FQDNs, we don't set any verification
options.
[1] https://www.rabbitmq.com/clustering-ssl.html
Depends on: https://github.com/voxpupuli/puppet-rabbitmq/pull/574
bp tls-via-certmonger
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847
(cherry picked from commit 52404b85dc140d9ddc4605365454df0e052ee2cb)
| -rw-r--r-- | manifests/profile/base/rabbitmq.pp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp index fbe5113..9f5819a 100644 --- a/manifests/profile/base/rabbitmq.pp +++ b/manifests/profile/base/rabbitmq.pp @@ -93,9 +93,19 @@ class tripleo::profile::base::rabbitmq ( if $enable_internal_tls { $tls_certfile = $certificate_specs['service_certificate'] $tls_keyfile = $certificate_specs['service_key'] + $cert_option = "-ssl_dist_opt server_certfile ${tls_certfile}" + $key_option = "-ssl_dist_opt server_keyfile ${tls_keyfile}" + $secure_renegotiate = '-ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true' + + $rabbitmq_additional_erl_args = "\"${cert_option} ${key_option} ${secure_renegotiate}\"" + $environment_real = merge($environment, { + 'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => $rabbitmq_additional_erl_args, + 'RABBITMQ_CTL_ERL_ARGS' => $rabbitmq_additional_erl_args + }) } else { $tls_certfile = undef $tls_keyfile = undef + $environment_real = $environment } if $inet_dist_interface { @@ -116,7 +126,7 @@ class tripleo::profile::base::rabbitmq ( cluster_nodes => $nodes, config_kernel_variables => $real_kernel_variables, config_variables => $config_variables, - environment_variables => $environment, + environment_variables => $environment_real, # TLS options ssl_cert => $tls_certfile, ssl_key => $tls_keyfile, |