diff options
author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-08-14 16:13:50 +0000 |
---|---|---|
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-08-18 12:21:31 +0000 |
commit | 0f8e4e366fc3e2e3f32474c71de15a739162a653 (patch) | |
tree | 092a22182469593f10cf1c3e57c4b3468d553bc1 /docker/services | |
parent | 9436d87e7e3b2767bf8dcb69e9fc0eb62173e6fb (diff) |
Enable TLS for containerized RabbitMQ
Bind mounts and adds the appropriate permissions for the cert and
key that's used for TLS.
bp tls-via-certmonger-containers
Depends-On: I62ff89362cfcc80e6e62fad09110918c36802813
Change-Id: I48325893a00690e2f5d6f1d685f903234545d5b8
Diffstat (limited to 'docker/services')
-rw-r--r-- | docker/services/rabbitmq.yaml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml index 418c60d2..add78879 100644 --- a/docker/services/rabbitmq.yaml +++ b/docker/services/rabbitmq.yaml @@ -40,6 +40,18 @@ parameters: type: string default: '' hidden: true + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -66,6 +78,10 @@ outputs: map_merge: - {get_attr: [RabbitmqBase, role_data, config_settings]} - rabbitmq::admin_enable: false + - if: + - internal_tls_enabled + - tripleo::certmonger::rabbitmq::postsave_cmd: "true" # TODO: restart the rabbitmq container here + - {} step_config: &step_config list_join: - "\n" @@ -85,10 +101,21 @@ outputs: dest: "/" merge: true preserve_properties: true + - source: "/var/lib/kolla/config_files/src-tls/*" + dest: "/" + merge: true + preserve_properties: true + optional: true permissions: - path: /var/lib/rabbitmq owner: rabbitmq:rabbitmq recurse: true + - path: /etc/pki/tls/certs/rabbitmq.crt + owner: rabbitmq:rabbitmq + optional: true + - path: /etc/pki/tls/private/rabbitmq.key + owner: rabbitmq:rabbitmq + optional: true docker_config: # Kolla_bootstrap runs before permissions set by kolla_config step_1: @@ -115,6 +142,17 @@ outputs: - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq - /var/log/containers/rabbitmq:/var/log/rabbitmq + - if: + - internal_tls_enabled + - + - list_join: + - ':' + - - {get_param: InternalTLSCAFile} + - {get_param: InternalTLSCAFile} + - 'ro' + - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro + - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_BOOTSTRAP=True @@ -143,6 +181,17 @@ outputs: - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq - /var/log/containers/rabbitmq:/var/log/rabbitmq + - if: + - internal_tls_enabled + - + - list_join: + - ':' + - - {get_param: InternalTLSCAFile} + - {get_param: InternalTLSCAFile} + - 'ro' + - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro + - /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS docker_puppet_tasks: @@ -155,6 +204,8 @@ outputs: volumes: - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - /var/lib/rabbitmq:/var/lib/rabbitmq:ro + metadata_settings: + get_attr: [RabbitmqBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: |