tripleo-heat-templates/deployment/rabbitmq/rabbitmq-container-puppet.yaml
Michele Baldessari f8e7bf2bba Do not set rabbitmq SSL CA certs when InternalTLSCAFile is ''
The undercloud installation sets InternalTLSCAFile to '' when
undercloud_service_certificate is set (done via
I5d7f35194f98b2d5c06a417cac75d52ff646def0 "undercloud: Disable CA path
if user-provided cert is used"). In this case we end up setting
rabbitmq::{ssl_cacert,ssl_management_cacert} to '' which then breaks
puppet-rabbitmq because it verifies that they are absolute paths.

Let's just skip passing them when InternalTLSCAFile is set to
empty.

Depends-On: I4e9801ba3ced734e5aa3fa22df522fab0e84761a
Closes-Bug: #1947776
Change-Id: I16f0fd04e1ae941d09d567eadaeb5bda959099fc
2021-10-19 21:38:13 +02:00

437 lines
18 KiB
YAML

heat_template_version: wallaby
description: >
OpenStack containerized Rabbitmq service
parameters:
ContainerRabbitmqImage:
description: image
type: string
ContainerRabbitmqConfigImage:
description: The container image to use for the rabbitmq config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. Use
parameter_merge_strategies to merge it with the defaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
RabbitCookie:
type: string
default: ''
hidden: true
EnableInternalTLS:
type: boolean
default: false
RabbitUserName:
default: guest
description: The username for RabbitMQ
type: string
RabbitPassword:
description: The password for RabbitMQ
type: string
hidden: true
RabbitFDLimit:
default: 65536
description: Configures RabbitMQ FD limit
type: number
RabbitTCPBacklog:
default: 4096
description: Configures RabbitMQ maximum TCP Backlog
type: number
RabbitIPv6:
default: false
description: Enable IPv6 in RabbitMQ
type: boolean
RabbitHAQueues:
description:
The number of HA queues to be configured in rabbit. The default is -1 which
translates to "ha-mode all". The special value 0 will be automatically
overridden to CEIL(N/2) where N is the number of nodes running rabbitmq.
default: 0
type: number
RabbitNetTickTime:
description:
The number of seconds to configure the value of the erlang
net_ticktime kernel variable.
default: 15
type: number
RabbitAdditionalErlArgs:
description:
Additional parameters passed to the Erlang subsystem. The string
needs to be enclosed in quotes twice. We default to '+sbwt none
+sbwtdcpu none +sbwtdio none' in order to have the erlang vm be
less busy on spinlocks, but we allow a simple way of overriding
it.
default: "'+sbwt none +sbwtdcpu none +sbwtdio none'"
type: string
MonitoringSubscriptionRabbitmq:
default: 'overcloud-rabbitmq'
type: string
DeployIdentifier:
default: ''
type: string
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RabbitmqCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
RabbitmqEnableManagementAccess:
type: boolean
default: false
description: Allow access to RabbitMQ management plugin over network
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- RabbitIPv6
conditions:
is_ipv6:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]}
- 6
key_size_override_set:
not: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
rabbitmq_cacert_set:
not: {equals: [{get_param: InternalTLSCAFile}, '']}
resources:
ContainersCommon:
type: ../containers-common.yaml
outputs:
role_data:
description: Role data for the Rabbitmq API role.
value:
service_name: rabbitmq
firewall_rules:
'109 rabbitmq':
dport:
list_concat:
- - 4369
- 5672
- 25672
- 25673-25683
- if:
- {get_param: RabbitmqEnableManagementAccess}
- - 15672
monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
# RabbitMQ plugins initialization occurs on every node
config_settings:
map_merge:
-
rabbitmq::file_limit: {get_param: RabbitFDLimit}
rabbitmq::default_user: {get_param: RabbitUserName}
rabbitmq::default_pass: {get_param: RabbitPassword}
rabbit_ipv6: {if: [is_ipv6, true, false]}
rabbitmq::delete_guest_user: false
rabbitmq::wipe_db_on_cookie_change: true
rabbitmq::port: 5672
rabbitmq::loopback_users: []
rabbitmq::tcp_backlog: {get_param: RabbitTCPBacklog}
rabbitmq::repos_ensure: false
rabbitmq::tcp_keepalive: true
# https://launchpad.net/bugs/1822673 (lang/lc_all to utf-8 are an elixir requirement)
rabbitmq_environment:
LANG: 'en_US.UTF-8'
LC_ALL: 'en_US.UTF-8'
NODE_PORT: ''
NODE_IP_ADDRESS: ''
RABBITMQ_NODENAME:
str_replace:
template:
"rabbit@%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
RABBITMQ_USE_LONGNAME: 'true'
RABBITMQ_CTL_DIST_PORT_MIN: '25673'
RABBITMQ_CTL_DIST_PORT_MAX: '25683'
'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}"
tripleo::profile::base::rabbitmq::additional_erl_args: {get_param: RabbitAdditionalErlArgs}
rabbitmq_kernel_variables:
inet_dist_listen_min: '25672'
inet_dist_listen_max: '25672'
net_ticktime: {get_param: RabbitNetTickTime}
rabbitmq_config_variables:
cluster_partition_handling: 'ignore'
queue_master_locator: '<<"min-masters">>'
rabbitmq::config_additional_variables:
lager: '[{crash_log_count, 0}, { crash_log_date, ""}, { crash_log_size, 0 }]'
rabbitmq::erlang_cookie: {get_param: RabbitCookie}
# NOTE: bind IP is found in hiera replacing the network name with the
# local node IP for the given network; replacement examples
# (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
rabbitmq::interface:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
rabbitmq::nr_ha_queues: {get_param: RabbitHAQueues}
rabbitmq::ssl: {get_param: EnableInternalTLS}
rabbitmq::ssl_erl_dist: {get_param: EnableInternalTLS}
rabbitmq::ssl_port: 5672
rabbitmq::ssl_depth: 1
rabbitmq::ssl_only: {get_param: EnableInternalTLS}
rabbitmq::ssl_interface:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
# TODO(jaosorior): Remove this once we set a proper default in
# puppet-tripleo
tripleo::profile::base::rabbitmq::enable_internal_tls: {get_param: EnableInternalTLS}
rabbitmq::collect_statistics_interval: 30000
rabbitmq::admin_enable: false
rabbitmq::management_enable: true
rabbitmq::use_config_file_for_plugins: true
rabbitmq::management_ip_address:
if:
- {get_param: RabbitmqEnableManagementAccess}
- str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqManagementNetwork]}
- 127.0.0.1
rabbitmq::management_port: 15672
rabbitmq::config_management_variables:
rates_mode: none
tripleo::certmonger::rabbitmq::postsave_cmd:
if:
- {get_param: EnableInternalTLS}
- true
# Only set CAs then InternalTLSCAFile is not ''
- if:
- rabbitmq_cacert_set
- rabbitmq::ssl_cacert: {get_param: InternalTLSCAFile}
rabbitmq::ssl_management_cacert: {get_param: InternalTLSCAFile}
- if:
- {get_param: EnableInternalTLS}
- tripleo::rabbitmq::service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
tripleo::profile::base::rabbitmq::certificate_specs:
service_certificate: '/etc/pki/tls/certs/rabbitmq.crt'
service_key: '/etc/pki/tls/private/rabbitmq.key'
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: rabbitmq
step_config:
list_join:
- "\n"
- - "['Rabbitmq_policy', 'Rabbitmq_user'].each |String $val| { noop_resource($val) }"
- "include tripleo::profile::base::rabbitmq"
config_image: &rabbitmq_config_image {get_param: ContainerRabbitmqConfigImage}
kolla_config:
/var/lib/kolla/config_files/rabbitmq.json:
command: /usr/lib/rabbitmq/bin/rabbitmq-server
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/rabbitmq
owner: rabbitmq:rabbitmq
recurse: true
- path: /etc/pki/tls/certs/rabbitmq.crt
owner: rabbitmq:rabbitmq
optional: true
- path: /etc/pki/tls/private/rabbitmq.key
owner: rabbitmq:rabbitmq
optional: true
docker_config:
# Kolla_bootstrap runs before permissions set by kolla_config
step_1:
rabbitmq_init_logs:
start_order: 0
detach: false
image: &rabbitmq_image {get_param: ContainerRabbitmqImage}
net: none
privileged: false
user: root
volumes:
- /var/log/containers/rabbitmq:/var/log/rabbitmq
command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq']
rabbitmq_bootstrap:
start_order: 1
detach: false
image: *rabbitmq_image
net: host
privileged: false
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
KOLLA_BOOTSTRAP: true
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
RABBITMQ_CLUSTER_COOKIE: {get_param: RabbitCookie}
rabbitmq:
start_order: 2
image: *rabbitmq_image
net: host
privileged: false
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
- if:
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/rabbitmq.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/rabbitmq.crt:ro
- /etc/pki/tls/private/rabbitmq.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/rabbitmq.key:ro
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
container_puppet_tasks:
# RabbitMQ users and policies initialization occurs only on single node
step_2:
config_volume: 'rabbit_init_tasks'
puppet_tags: 'rabbitmq_policy,rabbitmq_user'
step_config: 'include tripleo::profile::base::rabbitmq'
config_image: *rabbitmq_config_image
volumes:
- /var/lib/config-data/puppet-generated/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq
metadata_settings:
if:
- {get_param: EnableInternalTLS}
- - service: rabbitmq
network: {get_param: [ServiceNetMap, RabbitmqNetwork]}
type: node
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: rabbitmq
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
principal:
str_replace:
template: "rabbitmq/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
run_after: |
container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')
service_crt="/etc/pki/tls/certs/rabbitmq.crt"
service_key="/etc/pki/tls/private/rabbitmq.key"
if echo "$container_name" | grep -q "^rabbitmq-bundle"; then
# lp#1917868: Do not use podman cp with HA containers as they get
# frozen temporarily and that can make pacemaker operation fail.
tar -c "$service_crt" "$service_key" | {{container_cli}} exec -i "$container_name" tar -C / -xv
# no need to update the mount point, because pacemaker
# recreates the container when it's restarted
else
# Refresh the cert at the mount-point
{{container_cli}} cp $service_crt "$container_name:/var/lib/kolla/config_files/src-tls/$service_crt"
# Refresh the key at the mount-point
{{container_cli}} cp $service_key "$container_name:/var/lib/kolla/config_files/src-tls/$service_key"
# Copy the new cert from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
# Copy the new key from the mount-point to the real path
{{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
fi
# Set appropriate permissions
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_crt"
{{container_cli}} exec -u root "$container_name" chown rabbitmq:rabbitmq "$service_key"
# Trigger a pem cache clear in RabbitMQ to read the new certificates
{{container_cli}} exec "$container_name" rabbitmqctl eval "ssl:clear_pem_cache()."
key_size:
if:
- key_size_override_set
- {get_param: RabbitmqCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
- name: creat fcontext entry for rabbitmq data
community.general.sefcontext:
target: "/var/lib/rabbitmq(/.*)?"
setype: container_file_t
state: present
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
mode: "{{ item.mode|default(omit) }}"
with_items:
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
# TODO: Removal of package
upgrade_tasks: []
update_tasks: []
# TODO: Are we sure we want to support this. Rolling update
# without pacemaker may fail. Do we test this ? In any case,
# this is under tripleo_container_manage control so the latest image should be
# pulled in by the deploy steps. Same question for other
# usually managed by pacemaker container.