Added SSL parameters for Rabbit

Added rabbit_use_ssl and kombu_* parameters to configure Rabbit over
SSL.

Change-Id: I198a099b33393fa72288510a8d9e8723dea6d105
Arnoud de Jonge 2016-02-01 12:58:06 +00:00
parent 17851d5401
commit 779a18f23c
3 changed files with 153 additions and 20 deletions


@ -70,6 +70,33 @@
# (optional) The RabbitMQ virtual host.
# Defaults to '/'
#
# [*rabbit_use_ssl*]
# (optional) Connect over SSL for RabbitMQ
# Defaults to false
#
# [*kombu_ssl_ca_certs*]
# (optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to $::os_service_default
#
# [*kombu_ssl_certfile*]
# (optional) SSL cert file (valid only if SSL enabled).
# Defaults to $::os_service_default
#
# [*kombu_ssl_keyfile*]
# (optional) SSL key file (valid only if SSL enabled).
# Defaults to $::os_service_default
#
# [*kombu_ssl_version*]
# (optional) SSL version to use (valid only if SSL enabled).
# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
# available on some distributions.
# Defaults to $::os_service_default
#
# [*kombu_reconnect_delay*]
# (optional) How long to wait before reconnecting in response to an AMQP
# consumer cancel notification.
# Defaults to $::os_service_default
#
# [*notification_driver*]
# (optional) Driver used for issuing notifications
# Defaults to 'messaging'
@ -86,25 +113,31 @@
#
class designate(
$package_ensure = present,
$common_package_name = $::designate::params::common_package_name,
$verbose = undef,
$debug = undef,
$log_dir = undef,
$use_syslog = undef,
$use_stderr = undef,
$log_facility = undef,
$root_helper = 'sudo designate-rootwrap /etc/designate/rootwrap.conf',
$rabbit_host = '127.0.0.1',
$rabbit_port = '5672',
$rabbit_hosts = false,
$rabbit_userid = 'guest',
$rabbit_password = '',
$rabbit_virtual_host = '/',
$notification_driver = 'messaging',
$notification_topics = 'notifications',
$package_ensure = present,
$common_package_name = $::designate::params::common_package_name,
$verbose = undef,
$debug = undef,
$log_dir = undef,
$use_syslog = undef,
$use_stderr = undef,
$log_facility = undef,
$root_helper = 'sudo designate-rootwrap /etc/designate/rootwrap.conf',
$rabbit_host = '127.0.0.1',
$rabbit_port = '5672',
$rabbit_hosts = false,
$rabbit_userid = 'guest',
$rabbit_password = '',
$rabbit_virtual_host = '/',
$rabbit_use_ssl = false,
$kombu_ssl_ca_certs = $::os_service_default,
$kombu_ssl_certfile = $::os_service_default,
$kombu_ssl_keyfile = $::os_service_default,
$kombu_ssl_version = $::os_service_default,
$kombu_reconnect_delay = $::os_service_default,
$notification_driver = 'messaging',
$notification_topics = 'notifications',
#DEPRECATED PARAMETER
$rabbit_virtualhost = undef,
$rabbit_virtualhost = undef,
) inherits designate::params {
if $rabbit_virtualhost {
@ -114,6 +147,19 @@ class designate(
$rabbit_virtual_host_real = $rabbit_virtual_host
}
if !is_service_default($kombu_ssl_ca_certs) and !$rabbit_use_ssl {
fail('The kombu_ssl_ca_certs parameter requires rabbit_use_ssl to be set to true')
}
if !is_service_default($kombu_ssl_certfile) and !$rabbit_use_ssl {
fail('The kombu_ssl_certfile parameter requires rabbit_use_ssl to be set to true')
}
if !is_service_default($kombu_ssl_keyfile) and !$rabbit_use_ssl {
fail('The kombu_ssl_keyfile parameter requires rabbit_use_ssl to be set to true')
}
if (is_service_default($kombu_ssl_certfile) and ! is_service_default($kombu_ssl_keyfile)) or (is_service_default($kombu_ssl_keyfile) and ! is_service_default($kombu_ssl_certfile)) {
fail('The kombu_ssl_certfile and kombu_ssl_keyfile parameters must be used together')
}
include ::designate::logging
exec { 'post-designate_config':
@ -159,6 +205,12 @@ class designate(
'oslo_messaging_rabbit/rabbit_userid' : value => $rabbit_userid;
'oslo_messaging_rabbit/rabbit_password' : value => $rabbit_password, secret => true;
'oslo_messaging_rabbit/rabbit_virtual_host' : value => $rabbit_virtual_host_real;
'oslo_messaging_rabbit/rabbit_use_ssl' : value => $rabbit_use_ssl;
'oslo_messaging_rabbit/kombu_ssl_ca_certs' : value => $kombu_ssl_ca_certs;
'oslo_messaging_rabbit/kombu_ssl_certfile' : value => $kombu_ssl_certfile;
'oslo_messaging_rabbit/kombu_ssl_keyfile' : value => $kombu_ssl_keyfile;
'oslo_messaging_rabbit/kombu_ssl_version' : value => $kombu_ssl_version;
'oslo_messaging_rabbit/kombu_reconnect_delay' : value => $kombu_reconnect_delay;
}
if $rabbit_hosts {
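Review bot: The validation block added before `include ::designate::logging` guards `kombu_ssl_ca_certs`, `kombu_ssl_certfile` and `kombu_ssl_keyfile` but not `kombu_ssl_version`, so a version set while `rabbit_use_ssl` is false is still passed to `designate_config` on a plaintext connection. Add the matching guard: `if !is_service_default($kombu_ssl_version) and !$rabbit_use_ssl { fail('The kombu_ssl_version parameter requires rabbit_use_ssl to be set to true') }`. The new parameter docs also list SSLv3 and SSLv2 as valid values without noting that they are obsolete protocols; add a line such as `# Prefer a TLS value; SSLv2 and SSLv3 are obsolete and should not be used.` Nothing requires `kombu_ssl_ca_certs` when `rabbit_use_ssl` is true. If the messaging library verifies the broker certificate only when a CA file is supplied (worth confirming), that combination encrypts without authenticating the broker and deserves a doc warning; the class body continues outside the hunks shown.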


@ -39,12 +39,61 @@ describe 'designate' do
}
end
let :rabbit_use_ssl do
{
:rabbit_host => '127.0.0.1',
:rabbit_port => 5672,
:rabbit_userid => 'guest',
:rabbit_password => '',
:rabbit_virtual_host => '/',
:rabbit_use_ssl => true,
:kombu_ssl_ca_certs => 'ca goes here',
:kombu_ssl_certfile => 'cert goes here',
:kombu_ssl_keyfile => 'key goes here',
:kombu_ssl_version => 'TLSv1',
:kombu_reconnect_delay => '1.0',
}
end
let :rabbit_use_ssl_cert_no_key do
{
:rabbit_host => '127.0.0.1',
:rabbit_port => 5672,
:rabbit_userid => 'guest',
:rabbit_password => '',
:rabbit_virtual_host => '/',
:rabbit_use_ssl => true,
:kombu_ssl_ca_certs => 'ca goes here',
:kombu_ssl_certfile => 'cert goes here',
:kombu_ssl_version => 'TLSv1',
:kombu_reconnect_delay => '1.0',
}
end
let :rabbit_use_ssl_key_no_cert do
{
:rabbit_host => '127.0.0.1',
:rabbit_port => 5672,
:rabbit_userid => 'guest',
:rabbit_password => '',
:rabbit_virtual_host => '/',
:rabbit_use_ssl => true,
:kombu_ssl_ca_certs => 'ca goes here',
:kombu_ssl_keyfile => 'key goes here',
:kombu_ssl_version => 'TLSv1',
:kombu_reconnect_delay => '1.0',
}
end
shared_examples_for 'designate' do
context 'with rabbit_host parameter' do
it_configures 'a designate base installation'
it_configures 'rabbit without HA support'
it_configures 'rabbit with HA support'
it_configures 'rabbit with SSL support'
it_configures 'rabbit with SSL no key'
it_configures 'rabbit with SSL no cert'
end
context 'with custom package name' do
@ -160,13 +209,45 @@ describe 'designate' do
end
shared_examples_for 'rabbit with SSL support' do
before { params.merge!( rabbit_use_ssl ) }
it 'configures rabbit with ssl' do
is_expected.to contain_designate_config('oslo_messaging_rabbit/rabbit_userid').with_value( params[:rabbit_userid] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/rabbit_password').with_value( params[:rabbit_password] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/rabbit_password').with_value( params[:rabbit_password] ).with_secret(true)
is_expected.to contain_designate_config('oslo_messaging_rabbit/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/rabbit_use_ssl').with_value( params[:rabbit_use_ssl] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/kombu_ssl_ca_certs').with_value( params[:kombu_ssl_ca_certs] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/kombu_ssl_certfile').with_value( params[:kombu_ssl_certfile] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/kombu_ssl_keyfile').with_value( params[:kombu_ssl_keyfile] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/kombu_ssl_version').with_value( params[:kombu_ssl_version] )
is_expected.to contain_designate_config('oslo_messaging_rabbit/kombu_reconnect_delay').with_value( params[:kombu_reconnect_delay] )
end
end
shared_examples_for 'rabbit with SSL no key' do
before { params.merge!( rabbit_use_ssl_cert_no_key ) }
it 'should fail' do
is_expected.to raise_error(/The kombu_ssl_certfile and kombu_ssl_keyfile parameters must be used together/)
end
end
shared_examples_for 'rabbit with SSL no cert' do
before { params.merge!( rabbit_use_ssl_key_no_cert ) }
it 'should fail' do
is_expected.to raise_error(/The kombu_ssl_certfile and kombu_ssl_keyfile parameters must be used together/)
end
end
shared_examples_for 'rabbit with deprecated option' do
before { params.merge!( rabbit_deprecated_params ) }
it 'configures rabbit' do
is_expected.to contain_designate_config('oslo_messaging_rabbit/rabbit_virtual_host').with_value( params[:rabbit_virtualhost] )
end
end
on_supported_os({
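Review bot: The new examples cover only the cert/key pairing failure; the three guards that reject `kombu_ssl_ca_certs`, `kombu_ssl_certfile` or `kombu_ssl_keyfile` when `rabbit_use_ssl` is false have no spec. A regression that accepts TLS material on a plaintext connection would therefore pass the suite. Add a fixture with `:rabbit_use_ssl => false` and one kombu_ssl_* value, a shared example asserting the failure, and a matching `it_configures` line in the 'with rabbit_host parameter' context, as sketched below. In 'configures rabbit with ssl' the first `rabbit_password` expectation is subsumed by the next line, which adds `.with_secret(true)`, and can be dropped. The `describe` block starts and ends outside the hunks shown.

```ruby
let :rabbit_ssl_params_without_ssl do
  {
    :rabbit_use_ssl     => false,
    :kombu_ssl_ca_certs => '/path/to/ca.pem', # constructed sample value
  }
end

# … unchanged: existing SSL fixtures and shared examples …

shared_examples_for 'rabbit with SSL material but SSL disabled' do
  before { params.merge!( rabbit_ssl_params_without_ssl ) }
  it 'should fail' do
    is_expected.to raise_error(/The kombu_ssl_ca_certs parameter requires rabbit_use_ssl to be set to true/)
  end
end
```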


@ -17,7 +17,7 @@ describe 'designate::generic_service' do
end
let :facts do
{ :osfamily => 'Debian' }
OSDefaults.get_facts({ :osfamily => 'Debian' })
end
let :title do