Enable TLS in the internal network for RabbitMQ

This optionally enables TLS for RabbitMQ in the internal network. Note that this leaves enable_internal_tls as undef instead of using the regular default. This is because we don't want to enable this just now, since we first want to pass the necessary hieradata via t-h-t. This will be cleaned in further commits. bp tls-via-certmonger Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9 Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514
2016-06-09 09:33:20 +03:00
parent 03523df5c1
commit 3b6113bf0f
2 changed files with 136 additions and 15 deletions
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@@ -0,0 +1,79 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::rabbitmq
+#
+# Request a certificate for RabbitMQ and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*file_owner*]
+#   (Optional) The user which the certificate and key files belong to.
+#   Defaults to 'root'
+#
+# [*principal*]
+#   (Optional) The service principal that is set for the service in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::rabbitmq (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $principal     = undef,
+) {
+  include ::certmonger
+  include ::rabbitmq::params
+
+  $postsave_cmd  = "systemctl restart ${::rabbitmq::params::service_name}"
+  certmonger_certificate { 'rabbitmq' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+
+  file { $service_certificate :
+    owner   => $::rabbitmq::params::rabbitmq_user,
+    group   => $::rabbitmq::params::rabbitmq_group,
+    require => Certmonger_certificate['rabbitmq'],
+  }
+  file { $service_key :
+    owner   => $::rabbitmq::params::rabbitmq_user,
+    group   => $::rabbitmq::params::rabbitmq_group,
+    require => Certmonger_certificate['rabbitmq'],
+  }
+
+  File[$service_certificate] ~> Service<| title == $::rabbitmq::params::service_name |>
+  File[$service_key] ~> Service<| title == $::rabbitmq::params::service_name |>
+}
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -18,14 +18,41 @@
 #
 # === Parameters
 #
+# [*certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate
+#   it will create. Note that the certificate nickname must be 'mysql' in
+#   the case of this service.
+#   Example with hiera:
+#     tripleo::profile::base::database::mysql::certificate_specs:
+#       hostname: <overcloud controller fqdn>
+#       service_certificate: <service certificate path>
+#       service_key: <service key path>
+#       principal: "mysql/<overcloud controller fqdn>"
+#   Defaults to {}.
+#
 # [*config_variables*]
 #   (Optional) RabbitMQ environment.
 #   Defaults to hiera('rabbitmq_config_variables').
 #
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to undef
+#
 # [*environment*]
 #   (Optional) RabbitMQ environment.
 #   Defaults to hiera('rabbitmq_environment').
 #
+# [*generate_service_certificates*]
+#   (Optional) Whether or not certmonger will generate certificates for
+#   MySQL. This could be as many as specified by the $certificates_specs
+#   variable.
+#   Defaults to hiera('generate_service_certificate', false).
+#
+# [*inet_dist_interface*]
+#   (Optional) Address to bind the inter-cluster interface
+#   to. It is the inet_dist_use_interface option in the kernel variables
+#   Defaults to hiera('rabbitmq::interface', undef).
+#
 # [*ipv6*]
 #   (Optional) Whether to deploy RabbitMQ on IPv6 network.
 #   Defaults to str2bool(hiera('rabbit_ipv6', false)).
@@ -34,11 +61,6 @@
 #   (Optional) RabbitMQ environment.
 #   Defaults to hiera('rabbitmq_environment').
 #
-# [*inet_dist_interface*]
-#   (Optional) Address to bind the inter-cluster interface
-#   to. It is the inet_dist_use_interface option in the kernel variables
-#   Defaults to hiera('rabbitmq::interface', undef).
-#
 # [*nodes*]
 #   (Optional) Array of host(s) for RabbitMQ nodes.
 #   Defaults to hiera('rabbitmq_node_names', []).
@@ -61,17 +83,31 @@
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::rabbitmq (
-  $config_variables    = hiera('rabbitmq_config_variables'),
-  $environment         = hiera('rabbitmq_environment'),
-  $ipv6                = str2bool(hiera('rabbit_ipv6', false)),
-  $kernel_variables    = hiera('rabbitmq_kernel_variables'),
-  $inet_dist_interface = hiera('rabbitmq::interface', undef),
-  $nodes               = hiera('rabbitmq_node_names', []),
-  $rabbitmq_pass       = hiera('rabbitmq::default_pass'),
-  $rabbitmq_user       = hiera('rabbitmq::default_user'),
-  $stack_action        = hiera('stack_action'),
-  $step                = hiera('step'),
+  $certificate_specs             = {},
+  $config_variables              = hiera('rabbitmq_config_variables'),
+  $enable_internal_tls           = undef,  # TODO(jaosorior): pass this via t-h-t
+  $environment                   = hiera('rabbitmq_environment'),
+  $generate_service_certificates = hiera('generate_service_certificates', false),
+  $inet_dist_interface           = hiera('rabbitmq::interface', undef),
+  $ipv6                          = str2bool(hiera('rabbit_ipv6', false)),
+  $kernel_variables              = hiera('rabbitmq_kernel_variables'),
+  $nodes                         = hiera('rabbitmq_node_names', []),
+  $rabbitmq_pass                 = hiera('rabbitmq::default_pass'),
+  $rabbitmq_user                 = hiera('rabbitmq::default_user'),
+  $stack_action                  = hiera('stack_action'),
+  $step                          = hiera('step'),
 ) {
+  if $enable_internal_tls {
+    if $generate_service_certificates {
+      ensure_resource('class', 'tripleo::certmonger::rabbitmq', $certificate_specs)
+    }
+    $tls_certfile = $certificate_specs['service_certificate']
+    $tls_keyfile = $certificate_specs['service_key']
+  } else {
+    $tls_certfile = undef
+    $tls_keyfile = undef
+  }
+
  # IPv6 environment, necessary for RabbitMQ.
  if $ipv6 {
    $rabbit_env = merge($environment, {
@@ -100,6 +136,9 @@ class tripleo::profile::base::rabbitmq (
        config_kernel_variables => $real_kernel_variables,
        config_variables        => $config_variables,
        environment_variables   => $rabbit_env,
+        # TLS options
+        ssl_cert                => $tls_certfile,
+        ssl_key                 => $tls_keyfile,
      }
      # when running multi-nodes without Pacemaker
      if $manage_service {
@@ -116,6 +155,9 @@ class tripleo::profile::base::rabbitmq (
        config_kernel_variables => $kernel_variables,
        config_variables        => $config_variables,
        environment_variables   => $rabbit_env,
+        # TLS options
+        ssl_cert                => $tls_certfile,
+        ssl_key                 => $tls_keyfile,
      }
    }
    # In case of HA, starting of rabbitmq-server is managed by pacemaker, because of which, a dependency