Allow insecure SSL communications with RabbitMQ
Add insecure option to [rabbitmq] section of murano.conf. This is a partial fix because it improves Engine <-> RMQ communications, but the same problem exists on the Agent <-> RMQ side. Partial-Bug: #1578421 Change-Id: I55207c3016da12be45918a7dc33795abf69627b4
parent
d4cbcf2b4f
commit
091b4d1d18
@ -96,6 +96,7 @@ Just set *ssl* parameter to True to enable ssl.
|
||||
password = guest
|
||||
virtual_host = /
|
||||
ssl = True
|
||||
insecure = False
|
||||
|
||||
If you want to configure Murano Agent in a different way change
|
||||
the default template. It can be found in Murano Core Library, located at *http://git.openstack.org/cgit/openstack/murano/tree/meta/io.murano/Resources/Agent-v1.template*. Take
|
||||
|
@ -61,6 +61,7 @@ Properties:
|
||||
virtual_host: $.string() or '/'
|
||||
ssl: $.bool() or false
|
||||
ca_certs: $.string() or ''
|
||||
insecure: $.bool() or false
|
||||
Usage: Config
|
||||
|
||||
region:
|
||||
|
@ -74,6 +74,7 @@ Methods:
|
||||
"%RABBITMQ_PASSWORD%": $rabbitMqParams.password
|
||||
"%RABBITMQ_VHOST%": $rabbitMqParams.virtual_host
|
||||
"%RABBITMQ_SSL%": str($rabbitMqParams.ssl).toLower()
|
||||
"%RABBITMQ_INSECURE%": str($rabbitMqParams.insecure).toLower()
|
||||
"%RABBITMQ_INPUT_QUEUE%": $.agent.queueName()
|
||||
"%RESULT_QUEUE%": $environment.agentListener.queueName()
|
||||
- $scriptReplacements:
|
||||
|
@ -24,6 +24,9 @@ port = %RABBITMQ_PORT%
|
||||
# Use SSL for RabbitMQ connections (True or False)
|
||||
ssl = %RABBITMQ_SSL%
|
||||
|
||||
# Do not verify SSL certificates
|
||||
insecure = %RABBITMQ_INSECURE%
|
||||
|
||||
# Path to SSL CA certificate or empty to allow self signed server certificate
|
||||
ca_certs = '/etc/murano/certs/ca_certs'
|
||||
|
||||
|
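Review bot: The new comment `# Do not verify SSL certificates` gives neither the accepted values nor which certificate is skipped, unlike the `ssl` comment just above it. I would write `# Skip verification of the RabbitMQ server certificate (True or False); keep False unless the broker certificate cannot be validated`. The commit message says the Agent <-> RMQ side is not fixed yet, so if the agent does not read this key, the comment should say the setting currently has no effect there. The comment on `ca_certs` below already says an empty value allows self-signed certificates, so the interaction between the two settings deserves one sentence as well.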
@ -17,7 +17,6 @@
|
||||
This file is about to be deprecated, please use python-muranoclient.
|
||||
*** Deprecation warning ***
|
||||
"""
|
||||
|
||||
import sys
|
||||
import traceback
|
||||
|
||||
|
@ -57,6 +57,10 @@ rabbit_opts = [
|
||||
|
||||
cfg.StrOpt('ca_certs', default='',
|
||||
help='SSL cert file (valid only if SSL enabled).'),
|
||||
|
||||
cfg.BoolOpt('insecure', default=False,
|
||||
help='This option explicitly allows Murano to perform '
|
||||
'"insecure" SSL connections to RabbitMQ'),
|
||||
]
|
||||
|
||||
heat_opts = [
|
||||
|
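Review bot: The help text for `insecure` does not say what is relaxed, so an operator reading the generated sample config cannot tell that it turns off verification of the RabbitMQ server certificate. I would reword it to `help='Skip verification of the RabbitMQ server certificate (valid only if SSL enabled); the broker is then not authenticated.'`. It should also state how the option combines with `ca_certs`, because MqClient picks a different verification mode depending on whether both are set. The `rabbit_opts` list starts outside this hunk.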
@ -25,13 +25,19 @@ kombu = patcher.import_patched('kombu')
|
||||
|
||||
class MqClient(object):
|
||||
def __init__(self, login, password, host, port, virtual_host,
|
||||
ssl=False, ca_certs=None):
|
||||
ssl=False, ca_certs=None, insecure=False):
|
||||
ssl_params = None
|
||||
|
||||
if ssl is True:
|
||||
if ssl:
|
||||
cert_reqs = ssl_module.CERT_REQUIRED
|
||||
if insecure:
|
||||
if ca_certs:
|
||||
cert_reqs = ssl_module.CERT_OPTIONAL
|
||||
else:
|
||||
cert_reqs = ssl_module.CERT_NONE
|
||||
ssl_params = {
|
||||
'ca_certs': ca_certs,
|
||||
'cert_reqs': ssl_module.CERT_REQUIRED
|
||||
'cert_reqs': cert_reqs
|
||||
}
|
||||
|
||||
self._connection = kombu.Connection(
|
||||
|
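Review bot: With `insecure` set and `ca_certs` non-empty, the new branch selects `ssl_module.CERT_OPTIONAL`, which as far as I know does not relax anything on the client side: a TLS server always presents its certificate, so it is still validated against `ca_certs` and a failure aborts the handshake just as with `CERT_REQUIRED` (this assumes `ssl_module` is the standard `ssl` module, whose import is outside the hunk). The option therefore only takes effect when `ca_certs` is empty, which neither the code nor the option help says. Either add a comment above the branch such as `# insecure only disables verification when no CA bundle is configured`, or make the behaviour explicit with `cert_reqs = ssl_module.CERT_NONE if insecure else ssl_module.CERT_REQUIRED`. A short comment noting that `CERT_NONE` leaves the broker unauthenticated would also help the next reader. `__init__` continues past the end of the hunk.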
@ -29,6 +29,7 @@ def create_rmq_client():
|
||||
'port': rabbitmq.port,
|
||||
'virtual_host': rabbitmq.virtual_host,
|
||||
'ssl': rabbitmq.ssl,
|
||||
'ca_certs': rabbitmq.ca_certs.strip() or None
|
||||
'ca_certs': rabbitmq.ca_certs.strip() or None,
|
||||
'insecure': rabbitmq.insecure
|
||||
}
|
||||
return mqclient.MqClient(**connection_params)
|
||||
|
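Review bot: Nothing records that verification has been switched off: `rabbitmq.insecure` goes straight into `connection_params`, so an engine running with `insecure = True` looks the same in the logs as one with a verified connection. I would log a warning when the flag is set, e.g. `LOG.warning('RabbitMQ SSL certificate verification is disabled (rabbitmq.insecure)')`, assuming the module has a logger, which the hunk does not show. The start of `create_rmq_client` is outside the hunk.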