Mark Goddard 761ea9a333 Support TLS encryption of RabbitMQ client-server traffic
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.

The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.

RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
The Zuul 'tls_enabled' variable is true.

Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
2020-09-17 12:05:44 +01:00

69 lines
1.8 KiB
Django/Jinja

[DEFAULT]
debug = {{ qinling_logging_debug }}
log_dir = /var/log/kolla/qinling
transport_url = {{ rpc_transport_url }}
{% if service_name == 'qinling-api' %}
[api]
port = {{ qinling_api_port }}
host = {{ api_interface_address }}
{% endif %}
{% if service_name == 'qinling-engine' %}
[engine]
host = {{ api_interface_address }}
{% endif %}
[database]
connection = mysql+pymysql://{{ qinling_database_user }}:{{ qinling_database_password }}@{{ qinling_database_address }}/{{ qinling_database_name }}
max_retries = -1
[keystone_authtoken]
www_authenticate_uri = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_admin_url }}
auth_type = password
project_domain_name = {{ default_project_domain_name }}
user_domain_name = {{ default_user_domain_name }}
project_name = service
username = {{ qinling_keystone_user }}
password = {{ qinling_keystone_password }}
region_name = {{ openstack_region_name }}
cafile = {{ openstack_cacert }}
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
[storage]
file_system_dir = /var/lib/qinling/package
[etcd]
{% if enable_etcd | bool %}
host = {{ api_interface_address }}
port = {{ etcd_client_port }}
protocol = {{ etcd_protocol }}
{% endif %}
[oslo_messaging_notifications]
transport_url = {{ notify_transport_url }}
{% if enable_ceilometer | bool %}
driver = messagingv2
topics = notifications
{% else %}
driver = noop
{% endif %}
{% if om_enable_rabbitmq_tls | bool %}
[oslo_messaging_rabbit]
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}
{% if qinling_policy_file is defined %}
[oslo_policy]
policy_file = {{ qinling_policy_file }}
{% endif %}
[oslo_middleware]
enable_proxy_headers_parsing = True