qdr: Add SSL support

Change-Id: Ia878bc4a877753bc4784b13bf1c22c22e8324c1f
2021-06-18 11:16:26 -04:00 · 2021-06-18 11:16:26 -04:00 · 423046a6a4
parent 70ffa996f4
commit 423046a6a4
2 changed files with 85 additions and 13 deletions
--- a/manifests/profile/base/qdr.pp
+++ b/manifests/profile/base/qdr.pp
@ -31,6 +31,22 @@
 #   directly because it requires a string and we have a number.
 #   Defaults to 5672
 #
+# [*listener_require_ssl*]
+#   (optional) Require the use of SSL on the connection
+#   Defaults to false
+#
+# [*listener_ssl_cert_db*]
+#   (optional) Path to certificate db
+#   Defaults to undef
+#
+# [*listener_ssl_cert_file*]
+#   (optional) Path to certificat file
+#   Defaults to undef
+#
+# [*listener_ssl_key_file*]
+#   (optional) Path to private key file
+#   Defaults to undef
+#
 # [*qdr_log_enable*]
 #   Log level for the qdrouterd module
 #   Defaults to 'info+'
@ -48,11 +64,22 @@ class tripleo::profile::base::qdr (
  $qdr_username      = undef,
  $qdr_password      = undef,
  $qdr_listener_port = 5672,
+  $listener_require_ssl      = false,
+  $listener_ssl_cert_db      = undef,
+  $listener_ssl_cert_file    = undef,
+  $listener_ssl_key_file     = undef,
  $qdr_log_enable    = 'info+',
  $oslomsg_rpc_hosts = hiera('oslo_messaging_rpc_node_names', undef),
  $step              = Integer(hiera('step')),
 ) {
  $qdr_node_names = $oslomsg_rpc_hosts
+
+  if $listener_require_ssl {
+      $ssl_opts = {'sslProfile' => "Router.${::fqdn}"}
+  } else {
+      $ssl_opts = {}
+  }
+
  if $step >= 1 {
    # For multi-node deployments of the dispatch router, a mesh of
    # inter-router links is created. Bi-directional links must
@ -73,9 +100,10 @@ class tripleo::profile::base::qdr (
        if true in $memo {
          $memo
        } else {
-          $memo + [{'host' => $node,
-                    'role' => 'inter-router',
-                    'port' => '31460'}]
+          $memo + [merge($ssl_opts,
+                    { 'host' => $node,
+                      'role' => 'inter-router',
+                      'port' => '31460'})]
        }
      }
    } - true
@ -87,9 +115,10 @@ class tripleo::profile::base::qdr (

    $extra_listeners = size($qdr_node_names) ? {
      1       => [],
-      default => [{'host' => '0.0.0.0',
-                  'port' => '31460',
-                  'role' => 'inter-router'}],
+      default => [merge($ssl_opts,
+                  { 'host' => '0.0.0.0',
+                    'port' => '31460',
+                    'role' => 'inter-router'})],
    }

    $extra_addresses = [{'prefix'       => 'openstack.org/om/rpc/multicast',
@ -106,13 +135,17 @@ class tripleo::profile::base::qdr (
                        'distribution' => 'balanced'}]

    class { 'qdr':
-      listener_addr   => '0.0.0.0',
-      listener_port   => "${qdr_listener_port}",
-      router_mode     => $router_mode,
-      connectors      => $connectors,
-      extra_listeners => $extra_listeners,
-      extra_addresses => $extra_addresses,
-      log_enable      => "${qdr_log_enable}",
+      listener_addr          => '0.0.0.0',
+      listener_port          => "${qdr_listener_port}",
+      listener_require_ssl   => $listener_require_ssl,
+      listener_ssl_cert_db   => $listener_ssl_cert_db,
+      listener_ssl_cert_file => $listener_ssl_cert_file,
+      listener_ssl_key_file  => $listener_ssl_key_file,
+      router_mode            => $router_mode,
+      connectors             => $connectors,
+      extra_listeners        => $extra_listeners,
+      extra_addresses        => $extra_addresses,
+      log_enable             => "${qdr_log_enable}",
    }

    qdr_user { $qdr_username:
--- a/spec/classes/tripleo_profile_base_qdr_spec.rb
+++ b/spec/classes/tripleo_profile_base_qdr_spec.rb
@ -105,6 +105,45 @@ describe 'tripleo::profile::base::qdr' do
        )
      end
    end
+
+    context 'with step 3 on node3 of multinode with ssl' do
+      before do
+        facts.merge!({
+          :hostname => 'node3.example.com',
+          :fqdn     => 'node3.example.com',
+        })
+        params.merge!({
+          :oslomsg_rpc_hosts => ['node1.example.com','node2.example.com','node3.example.com'],
+          :listener_require_ssl => 'yes',
+        })
+      end
+
+      it 'should set up interior listener with sslProfile and two connectors with sslProfile' do
+        is_expected.to contain_class('qdr').with(
+          # this should be true instead of 'yes', because 'yes' is deprecated,
+          # but until we have rspec-puppet >= 2.7.9 to get:
+          #
+          # https://github.com/rodjek/rspec-puppet/commit/5e6b5e40dd22c5db5a8c7d8f21597d8ba95b1ddc
+          #
+          # Then it will throw a FrozenError.  So just test with 'yes' instead.
+          :listener_require_ssl => 'yes',
+          :router_mode     => 'interior',
+          :extra_listeners => [{'sslProfile' => 'Router.node3.example.com',
+                                'host'       => '0.0.0.0',
+                                'port'       => '31460',
+                                'role'       => 'inter-router'}],
+          :connectors => [
+            {"sslProfile" => "Router.node3.example.com",
+             "host"       => "node1.example.com",
+             "role"       => "inter-router",
+             "port"       => "31460"},
+            {"sslProfile" => "Router.node3.example.com",
+             "host"       => "node2.example.com",
+             "role"       => "inter-router",
+             "port"       => "31460"}],
+        )
+      end
+    end
  end

  on_supported_os.each do |os, facts|