
This patch adds an SSL/TLS listener to RabbitMQ without disrupting the existing plaintext TCP listener. Services that use RabbitMQ gain the option to encrypt their messaging traffic with this change. Documentation is included for this change. By default, the playbook creates a self-signed certificate for the user, but users may also specify their own existing certificates. This makes it easier to bring RabbitMQ (and the services which talk to it) into compliance with PCI DSS 3.1 Requirement 2.2.3. In addition, this change is recommended in the OpenStack Security Guide. Closes-bug: 1496001 Change-Id: I0d29cbb6e963b24f77a8375eba8a8c6a558aaf81
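---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Role defaults for the RabbitMQ server role. Every value here may be
# overridden from /etc/openstack_deploy/user_variables.yml.

# Defines that the role will be deployed on a host machine
is_metal: true

# The first host of the rabbitmq_all group bootstraps the cluster; the
# remaining hosts join it.
rabbitmq_primary_cluster_node: "{{ groups['rabbitmq_all'][0] }}"

# Upgrading the RabbitMQ package requires shutting down the cluster. This variable makes upgrading
# the version an explicit action.
rabbitmq_upgrade: false

# If the user does not want to upgrade but needs to rerun the playbooks for any reason the
# upgrade/version state can be ignored by setting `rabbitmq_ignore_version_state=true`
rabbitmq_ignore_version_state: false

# Package source for rabbitmq-server. The package is fetched over HTTPS and
# pinned to a SHA-256 checksum; when bumping the URL, update
# rabbitmq_package_sha256 in the same change, otherwise the download will
# (correctly) be rejected.
# NOTE(review): the download task is not in this file -- confirm it actually
# compares the fetched file against rabbitmq_package_sha256 before installing.
rabbitmq_package_url: "https://www.rabbitmq.com/releases/rabbitmq-server/v3.5.4/rabbitmq-server_3.5.4-1_all.deb"
# Derived from the URL's file name: "rabbitmq-server_<version>_all.deb".
rabbitmq_package_version: "{{ rabbitmq_package_url.split('/')[-1].split('_')[1] }}"
rabbitmq_package_sha256: "ca9232e91ced691d0b435fac9dfd2d2d6f62ad87f1f02f67523a25622ad68f14"
rabbitmq_package_path: "/opt/rabbitmq-server.deb"

# Distribution packages installed before the .deb above.
rabbitmq_apt_packages:
  - erlang-nox

# Python packages installed alongside the server.
# NOTE(review): pycrypto is no longer maintained upstream; consider whether it
# is still needed by anything this role ships.
rabbitmq_pip_packages:
  - python-memcached
  - pycrypto

# Name of the rabbitmq cluster
rabbitmq_cluster_name: rabbitmq_cluster1

# Specify a partition recovery strategy (autoheal | pause_minority | ignore)
rabbitmq_cluster_partition_handling: pause_minority

# Rabbitmq open file limits
rabbitmq_ulimit: 4096

# Enable the management plugin in rabbitmq
# NOTE(review): the SSL variables below describe the AMQP listener; nothing in
# this file configures TLS for the management plugin's HTTP listener -- confirm
# how that endpoint is exposed before relying on this change for it.
rabbitmq_plugins:
  - names: rabbitmq_management
    state: enabled

# RabbitMQ SSL support
# Paths on the RabbitMQ host where the certificate, private key and CA
# certificate used by the SSL listener are placed.
# NOTE(review): the private key must be readable only by the rabbitmq service
# user (owner rabbitmq, mode 0600); the task that writes it is not in this
# file -- verify it sets those permissions.
rabbitmq_ssl_cert: /etc/ssl/certs/rabbitmq.pem
rabbitmq_ssl_key: /etc/ssl/private/rabbitmq.key
rabbitmq_ssl_ca_cert: /etc/ssl/certs/rabbitmq-ca.pem

# Set rabbitmq_ssl_self_signed_regen to true if you want to generate a new
# SSL certificate for RabbitMQ when this playbook runs. You can also change
# the subject of the self-signed certificate here if you prefer.
# Regenerating the certificate invalidates any client that pinned or trusted
# the previous one; redistribute rabbitmq_ssl_ca_cert to those clients
# afterwards. The CN is the container name, so clients that verify the
# server name are presumably expected to connect using that name -- confirm
# against the client configuration.
rabbitmq_ssl_self_signed_regen: false
rabbitmq_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ container_name }}"

# Define user-provided SSL certificates in:
# /etc/openstack_deploy/user_variables.yml
# When all three are set, they are used instead of the self-signed
# certificate. Each value is a path on the Ansible deployment host.
# NOTE(review): no variable in this file controls the accepted TLS versions
# or cipher suites for the listener; if the rabbitmq.config template hardcodes
# them, document that here -- confirm against the template.
#rabbitmq_user_ssl_cert: <path to certificate on ansible deployment host>
#rabbitmq_user_ssl_key: <path to private key on ansible deployment host>
#rabbitmq_user_ssl_ca_cert: <path to CA certificate on ansible deployment host>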