aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/profile
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2016-06-09 09:33:20 +0300
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-09 11:08:20 +0000
commit3b6113bf0fe5963813f2c39a3848a7eefea778ba (patch)
tree3875a0bd12e32d4a69b9e3725ca62095dbe2ca40 /manifests/profile
parent03523df5c111694de9367e2f7dbcaa24c52eae60 (diff)
Enable TLS in the internal network for RabbitMQ
This optionally enables TLS for RabbitMQ in the internal network. Note that this leaves enable_internal_tls as undef instead of using the regular default. This is because we don't want to enable this just now, since we first want to pass the necessary hieradata via t-h-t. This will be cleaned in further commits. bp tls-via-certmonger Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9 Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514
Diffstat (limited to 'manifests/profile')
-rw-r--r--manifests/profile/base/rabbitmq.pp72
1 files changed, 57 insertions, 15 deletions
diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index 1eaabf0..b04d721 100644
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -18,14 +18,41 @@
#
# === Parameters
#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to {}.
+#
# [*config_variables*]
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_config_variables').
#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to undef
+#
# [*environment*]
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_environment').
#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# MySQL. This could be as many as specified by the $certificates_specs
+# variable.
+# Defaults to hiera('generate_service_certificate', false).
+#
+# [*inet_dist_interface*]
+# (Optional) Address to bind the inter-cluster interface
+# to. It is the inet_dist_use_interface option in the kernel variables
+# Defaults to hiera('rabbitmq::interface', undef).
+#
# [*ipv6*]
# (Optional) Whether to deploy RabbitMQ on IPv6 network.
# Defaults to str2bool(hiera('rabbit_ipv6', false)).
@@ -34,11 +61,6 @@
# (Optional) RabbitMQ environment.
# Defaults to hiera('rabbitmq_environment').
#
-# [*inet_dist_interface*]
-# (Optional) Address to bind the inter-cluster interface
-# to. It is the inet_dist_use_interface option in the kernel variables
-# Defaults to hiera('rabbitmq::interface', undef).
-#
# [*nodes*]
# (Optional) Array of host(s) for RabbitMQ nodes.
# Defaults to hiera('rabbitmq_node_names', []).
@@ -61,17 +83,31 @@
# Defaults to hiera('step')
#
class tripleo::profile::base::rabbitmq (
- $config_variables = hiera('rabbitmq_config_variables'),
- $environment = hiera('rabbitmq_environment'),
- $ipv6 = str2bool(hiera('rabbit_ipv6', false)),
- $kernel_variables = hiera('rabbitmq_kernel_variables'),
- $inet_dist_interface = hiera('rabbitmq::interface', undef),
- $nodes = hiera('rabbitmq_node_names', []),
- $rabbitmq_pass = hiera('rabbitmq::default_pass'),
- $rabbitmq_user = hiera('rabbitmq::default_user'),
- $stack_action = hiera('stack_action'),
- $step = hiera('step'),
+ $certificate_specs = {},
+ $config_variables = hiera('rabbitmq_config_variables'),
+ $enable_internal_tls = undef, # TODO(jaosorior): pass this via t-h-t
+ $environment = hiera('rabbitmq_environment'),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $inet_dist_interface = hiera('rabbitmq::interface', undef),
+ $ipv6 = str2bool(hiera('rabbit_ipv6', false)),
+ $kernel_variables = hiera('rabbitmq_kernel_variables'),
+ $nodes = hiera('rabbitmq_node_names', []),
+ $rabbitmq_pass = hiera('rabbitmq::default_pass'),
+ $rabbitmq_user = hiera('rabbitmq::default_user'),
+ $stack_action = hiera('stack_action'),
+ $step = hiera('step'),
) {
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resource('class', 'tripleo::certmonger::rabbitmq', $certificate_specs)
+ }
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
# IPv6 environment, necessary for RabbitMQ.
if $ipv6 {
$rabbit_env = merge($environment, {
@@ -100,6 +136,9 @@ class tripleo::profile::base::rabbitmq (
config_kernel_variables => $real_kernel_variables,
config_variables => $config_variables,
environment_variables => $rabbit_env,
+ # TLS options
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
}
# when running multi-nodes without Pacemaker
if $manage_service {
@@ -116,6 +155,9 @@ class tripleo::profile::base::rabbitmq (
config_kernel_variables => $kernel_variables,
config_variables => $config_variables,
environment_variables => $rabbit_env,
+ # TLS options
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
}
}
# In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency