Enable TLS for rabbitmq's replication traffic

This follows the RabbitMQ docs [1] for enabling TLS for the replication
traffic. It reuses the certificate that rabbitmq already has.

Unfortunately, pacemaker tracks the rabbitmq nodes by their short hostnames,
so we are not able to do proper verification of the certificates, since we
can't issue a certificate for short names. So, until pacemaker can
track the rabbit nodes by their FQDNs, we don't set any verification
options.

[1] https://www.rabbitmq.com/clustering-ssl.html

Depends on: https://github.com/voxpupuli/puppet-rabbitmq/pull/574

bp tls-via-certmonger
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847
This commit is contained in:
Juan Antonio Osorio Robles 2017-08-28 09:07:16 +03:00
parent 0384443835
commit 52404b85dc


@ -93,9 +93,19 @@ class tripleo::profile::base::rabbitmq (
if $enable_internal_tls {
$tls_certfile = $certificate_specs['service_certificate']
$tls_keyfile = $certificate_specs['service_key']
$cert_option = "-ssl_dist_opt server_certfile ${tls_certfile}"
$key_option = "-ssl_dist_opt server_keyfile ${tls_keyfile}"
$secure_renegotiate = '-ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true'
$rabbitmq_additional_erl_args = "\"${cert_option} ${key_option} ${secure_renegotiate}\""
$environment_real = merge($environment, {
'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => $rabbitmq_additional_erl_args,
'RABBITMQ_CTL_ERL_ARGS' => $rabbitmq_additional_erl_args
})
} else {
$tls_certfile = undef
$tls_keyfile = undef
$environment_real = $environment
}
if $inet_dist_interface {
@ -116,7 +126,7 @@ class tripleo::profile::base::rabbitmq (
cluster_nodes => $nodes,
config_kernel_variables => $real_kernel_variables,
config_variables => $config_variables,
environment_variables => $environment,
environment_variables => $environment_real,
# TLS options
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,
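Review bot: The `-ssl_dist_opt` flags assembled on the `$cert_option`, `$key_option` and `$secure_renegotiate` lines encrypt the inter-node link but, as the description says, set no `server_verify`/`client_verify` or CA-file options, so peers are not authenticated; that trade-off currently lives only in the commit message and should be recorded next to the code. I would add above the `$secure_renegotiate` line: `# No verify/cacertfile ssl_dist options: pacemaker addresses nodes by shortname, so peer certs cannot be validated — the link is encrypted but peers are not authenticated.` The hunk also passes only certfile, keyfile and renegotiation flags; the `-proto_dist inet_tls` and ssl `-pa` arguments that the linked clustering-ssl page requires do not appear here, presumably supplied by the depended-on puppet-rabbitmq change, which is worth confirming. The enclosing class body continues outside both hunks.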