aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDamien Ciabrini <dciabrin@redhat.com>2017-08-07 20:32:51 +0000
committerDamien Ciabrini <dciabrin@redhat.com>2017-08-09 07:51:58 +0000
commit86a3261b4d08e2d8f8393b73ae3d481b8ac736fd (patch)
tree8a7c4275d9a57687cb28f46a7074256834b0e53c
parent4600841dbcc0ee970256a6e2f35056c3e624bf98 (diff)
Enable TLS configuration for containerized RabbitMQ
In non-containerized deployments, RabbitMQ can be configured to use TLS for serving and mirroring traffic. Fix the creation of the rabbitmq bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9 Partial-Bug: #1709558
-rw-r--r--manifests/profile/pacemaker/rabbitmq_bundle.pp128
1 files changed, 76 insertions, 52 deletions
diff --git a/manifests/profile/pacemaker/rabbitmq_bundle.pp b/manifests/profile/pacemaker/rabbitmq_bundle.pp
index 5dd22d2..4d6b9af 100644
--- a/manifests/profile/pacemaker/rabbitmq_bundle.pp
+++ b/manifests/profile/pacemaker/rabbitmq_bundle.pp
@@ -44,6 +44,10 @@
# (Optional) The list of rabbitmq nodes names
# Defaults to hiera('rabbitmq_node_names')
#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -60,6 +64,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
$erlang_cookie = hiera('rabbitmq::erlang_cookie'),
$user_ha_queues = hiera('rabbitmq::nr_ha_queues', 0),
$rabbit_nodes = hiera('rabbitmq_node_names'),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
$pcs_tries = hiera('pcs_tries', 20),
$step = Integer(hiera('step')),
) {
@@ -102,6 +107,76 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
}
}
+ $storage_maps = {
+ 'rabbitmq-cfg-files' => {
+ 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json',
+ 'target-dir' => '/var/lib/kolla/config_files/config.json',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-cfg-data' => {
+ 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/',
+ 'target-dir' => '/var/lib/kolla/config_files/src',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-hosts' => {
+ 'source-dir' => '/etc/hosts',
+ 'target-dir' => '/etc/hosts',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-localtime' => {
+ 'source-dir' => '/etc/localtime',
+ 'target-dir' => '/etc/localtime',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-lib' => {
+ 'source-dir' => '/var/lib/rabbitmq',
+ 'target-dir' => '/var/lib/rabbitmq',
+ 'options' => 'rw',
+ },
+ 'rabbitmq-pki-extracted' => {
+ 'source-dir' => '/etc/pki/ca-trust/extracted',
+ 'target-dir' => '/etc/pki/ca-trust/extracted',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-ca-bundle-crt' => {
+ 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
+ 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-ca-bundle-trust-crt' => {
+ 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
+ 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-cert' => {
+ 'source-dir' => '/etc/pki/tls/cert.pem',
+ 'target-dir' => '/etc/pki/tls/cert.pem',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-dev-log' => {
+ 'source-dir' => '/dev/log',
+ 'target-dir' => '/dev/log',
+ 'options' => 'rw',
+ },
+ }
+
+ if $enable_internal_tls {
+ $storage_maps_tls = {
+ 'rabbitmq-pki-cert' => {
+ 'source-dir' => '/etc/pki/tls/certs/rabbitmq.crt',
+ 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt',
+ 'options' => 'ro',
+ },
+ 'rabbitmq-pki-key' => {
+ 'source-dir' => '/etc/pki/tls/private/rabbitmq.key',
+ 'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key',
+ 'options' => 'ro',
+ },
+ }
+ } else {
+ $storage_maps_tls = {}
+ }
+
pacemaker::resource::bundle { 'rabbitmq-bundle':
image => $rabbitmq_docker_image,
replicas => $rabbitmq_nodes_count,
@@ -114,58 +189,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS',
run_command => '/bin/bash /usr/local/bin/kolla_start',
network => "control-port=${rabbitmq_docker_control_port}",
- storage_maps => {
- 'rabbitmq-cfg-files' => {
- 'source-dir' => '/var/lib/kolla/config_files/rabbitmq.json',
- 'target-dir' => '/var/lib/kolla/config_files/config.json',
- 'options' => 'ro',
- },
- 'rabbitmq-cfg-data' => {
- 'source-dir' => '/var/lib/config-data/puppet-generated/rabbitmq/',
- 'target-dir' => '/var/lib/kolla/config_files/src',
- 'options' => 'ro',
- },
- 'rabbitmq-hosts' => {
- 'source-dir' => '/etc/hosts',
- 'target-dir' => '/etc/hosts',
- 'options' => 'ro',
- },
- 'rabbitmq-localtime' => {
- 'source-dir' => '/etc/localtime',
- 'target-dir' => '/etc/localtime',
- 'options' => 'ro',
- },
- 'rabbitmq-lib' => {
- 'source-dir' => '/var/lib/rabbitmq',
- 'target-dir' => '/var/lib/rabbitmq',
- 'options' => 'rw',
- },
- 'rabbitmq-pki-extracted' => {
- 'source-dir' => '/etc/pki/ca-trust/extracted',
- 'target-dir' => '/etc/pki/ca-trust/extracted',
- 'options' => 'ro',
- },
- 'rabbitmq-pki-ca-bundle-crt' => {
- 'source-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
- 'target-dir' => '/etc/pki/tls/certs/ca-bundle.crt',
- 'options' => 'ro',
- },
- 'rabbitmq-pki-ca-bundle-trust-crt' => {
- 'source-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
- 'target-dir' => '/etc/pki/tls/certs/ca-bundle.trust.crt',
- 'options' => 'ro',
- },
- 'rabbitmq-pki-cert' => {
- 'source-dir' => '/etc/pki/tls/cert.pem',
- 'target-dir' => '/etc/pki/tls/cert.pem',
- 'options' => 'ro',
- },
- 'rabbitmq-dev-log' => {
- 'source-dir' => '/dev/log',
- 'target-dir' => '/dev/log',
- 'options' => 'rw',
- },
- },
+ storage_maps => merge($storage_maps, $storage_maps_tls),
}
# The default nr of ha queues is ceiling(N/2)