From ff3589786926992e0b822779f3c96b7d4e6c5cae Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 4 Oct 2021 17:42:33 +0200 Subject: [PATCH] Switch to rabbitmq fqdn hostnames and pass proper CA info With this change we make sure that the 'RABBITMQ_NODENAME' is the fqdn and that we use it when connecting to the node itself via rabbitmqctl. We also make sure we set the CA to the one defined in the InternalTLSCAFile template parameter. Testing protocol is described in the parent change ("I4f853de3b532b3b5e71d29aa621a2925c3885393") Related-Bug: #1946374 Depends-On: Ib0236f9c086d520d0a27e3aa8b41927bc7b50c26 Change-Id: I621557a037fbedc5c110f905dbe19290cc92b772 (cherry picked from commit b5ae7f846719fd0b04d12d2bffd383df99e5c34b) --- .../rabbitmq/rabbitmq-container-puppet.yaml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index e6d5cd50fb..a2db191a64 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -101,6 +101,11 @@ parameters: default: '' description: Override the private key size used when creating the certificate for this service + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. RabbitmqEnableManagementAccess: type: boolean default: false @@ -168,7 +173,13 @@ outputs: LC_ALL: 'en_US.UTF-8' NODE_PORT: '' NODE_IP_ADDRESS: '' - RABBITMQ_NODENAME: "rabbit@%{::hostname}" + RABBITMQ_NODENAME: + str_replace: + template: + "rabbit@%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} + RABBITMQ_USE_LONGNAME: 'true' RABBITMQ_CTL_DIST_PORT_MIN: '25673' RABBITMQ_CTL_DIST_PORT_MAX: '25683' 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}" 
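Review bot: Switching `RABBITMQ_NODENAME` from `rabbit@%{::hostname}` to the FQDN renames the Erlang node, and nothing in the hunk deals with an existing deployment whose Mnesia directory and cluster membership are keyed on the old short name, so on an update each node would presumably come up with an empty database unless a migration step exists elsewhere — the commit message only points at the parent change's testing protocol, which should be confirmed to cover in-place updates rather than fresh deploys. The new template also produces the invalid name `rabbit@` if `fqdn_<network>` is unset in hiera, and with `RABBITMQ_USE_LONGNAME: 'true'` the name must resolve (hosts file or DNS) to the address bound by `'export ERL_EPMD_ADDRESS'`, or both inter-node distribution and `rabbitmqctl` fail. A comment stating these prerequisites next to the new key would save the next maintainer a debugging session: `# Long node name: fqdn_<RabbitmqNetwork> must be defined in hiera and resolve to rabbitmq::interface`. The `outputs` mapping this hunk edits starts and ends outside the hunk.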
@@ -201,6 +212,8 @@ outputs: rabbitmq::ssl_port: 5672 rabbitmq::ssl_depth: 1 rabbitmq::ssl_only: {get_param: EnableInternalTLS} + rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile} + rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile} rabbitmq::ssl_interface: str_replace: template: