
Initial support of TLS in RabbitMQ

The security.tls.enabled switch enables or disables secured
communication between RabbitMQ, etcd and the rest of the world.

Change-Id: If9d376a7808e44a4845c78d3d6e4267bfb80848b
Depends-On: I574d64082e77f49024f49aa7b30c4f2f6cc044ac
Depends-On: I3f05ce795beade0af12eb3426df759a1af8806af
Depends-On: Ib4b3ea4da7c1f641b9ab0223226348de5eac94df
Aleksandr Mogylchenko 2 years ago
parent
commit
3c31c9b488

+ 1
- 0
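--- a/service/files/ca.pem.j2
+++ b/service/files/ca.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.ca_cert }}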

+ 5
- 0
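--- a/service/files/rabbitmq-env.conf.j2
+++ b/service/files/rabbitmq-env.conf.j2
@@ -1,3 +1,8 @@
 NODENAME=rabbit@{{ network_topology["private"]["address"] }}
 USE_LONGNAME=true
 LOG_BASE=/var/log/ccp/rabbitmq
+{% if security.tls.enabled %}
+ERL_SSL_PATH=`erl -eval 'io:format("~p", [code:lib_dir(ssl, ebin)]),halt().' -noshell`
+SERVER_ADDITIONAL_ERL_ARGS="-pa $ERL_SSL_PATH -proto_dist inet_tls -ssl_dist_opt server_certfile /opt/ccp/etc/tls/rabbitmq.pem -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true server_cacertfile /opt/ccp/etc/tls/ca.pem"
+CTL_ERL_ARGS="$SERVER_ADDITIONAL_ERL_ARGS"
+{% endif %}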
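Review bot: The inter-node distribution TLS options on the SERVER_ADDITIONAL_ERL_ARGS line set a server certificate and a CA file but no peer verification, so a node accepts any connecting peer and a connecting node does not check the remote node's certificate; `-proto_dist inet_tls` on its own gives an encrypted but unauthenticated cluster link. Consider extending the same -ssl_dist_opt list with `server_verify verify_peer server_fail_if_no_peer_cert true client_certfile /opt/ccp/etc/tls/rabbitmq.pem client_cacertfile /opt/ccp/etc/tls/ca.pem client_verify verify_peer` so both directions are checked against ca.pem. A short comment above the block naming the files would also help, e.g. `# rabbitmq.pem is the combined key+cert for inter-node TLS; ca.pem is used to validate peers`, since the combined file is produced by another template in this commit.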

+ 19
- 1
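--- a/service/files/rabbitmq.config.j2
+++ b/service/files/rabbitmq.config.j2
@@ -1,14 +1,28 @@
 [
    {rabbit, [
      {dummy_param_without_comma, true}
+     {% if not security.tls.enabled %}
      ,{tcp_listeners, [
         {"0.0.0.0", {{ rabbitmq.port.cont }} }
       ]}
+     {% else %}
+     ,{tcp_listeners, [] }
+     ,{ssl_listeners, [
+        {"0.0.0.0", {{ rabbitmq.port.cont }} }
+      ]}
+     {% endif %}
      ,{default_user, <<"{{ rabbitmq.user }}">>}
      ,{default_pass, <<"{{ rabbitmq.password }}">>}
      ,{loopback_users, []}
      ,{cluster_partition_handling, pause_minority}
      ,{queue_master_locator, <<"random">>}
+     {% if security.tls.enabled %}
+     ,{ssl_options, [{cacertfile,"/opt/ccp/etc/tls/ca.pem"},
+                    {certfile,"/opt/ccp/etc/tls/rabbitmq_certificate.pem"},
+                    {keyfile,"/opt/ccp/etc/tls/rabbitmq_server_key.pem"},
+                    {verify,verify_peer},
+                    {fail_if_no_peer_cert,false}]}
+     {% endif %}
    ]}
   ,{autocluster, [
      {dummy_param_without_comma, true}
@@ -18,8 +32,12 @@
      ,{cluster_cleanup, true}
      ,{cleanup_warn_only, false}
      ,{etcd_ttl, 15}
+    {% if not security.tls.enabled %}
      ,{etcd_scheme, http}
-     ,{etcd_host, "etcd"}
+    {% else %}
+     ,{etcd_scheme, https}
+    {% endif %}
+     ,{etcd_host, "{{ address('etcd') }}"}
      ,{etcd_port, {{ etcd.client_port.cont }}}
    ]}
 ].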
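Review bot: In the new ssl_options list, `{fail_if_no_peer_cert,false}` makes a client certificate optional, so `{verify,verify_peer}` only validates certificates that clients choose to present and AMQP clients are still authenticated solely through default_user/default_pass. If that is the intent, a comment next to the option would stop a later reader from assuming mutual TLS, e.g. `%% client certs are optional: validated when presented, password auth still required`; if certificate-based client authentication is wanted, it should be `{fail_if_no_peer_cert,true}`. The list also leaves protocol versions unrestricted, so adding `{versions, ['tlsv1.2']}` is worth considering to avoid negotiating older TLS. The second hunk switches etcd_scheme to https without any CA or certificate setting for the etcd client; whether the autocluster backend can verify the etcd endpoint is not visible here and is worth confirming.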

+ 2
- 0
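--- a/service/files/rabbitmq_combined.pem.j2
+++ b/service/files/rabbitmq_combined.pem.j2
@@ -0,0 +1,2 @@
+{{ security.tls.server_key }}
+{{ security.tls.server_cert }}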

+ 1
- 0
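--- a/service/files/server-key.pem.j2
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}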

+ 1
- 0
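--- a/service/files/server.pem.j2
+++ b/service/files/server.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}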

+ 24
- 0
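--- a/service/rabbitmq.yaml
+++ b/service/rabbitmq.yaml
@@ -32,6 +32,12 @@ service:
           - rabbitmq-readiness
           - rabbitmq-liveness
           - rabbitmq-check-helpers
+        # {% if security.tls.enabled %}
+          - server_certificate
+          - server_key
+          - ca_certificate
+          - combined
+        # {% endif %}
       post:
         - name: create-startup-marker
           command: "date +%s > /tmp/rabbit-startup-marker"
@@ -61,3 +67,21 @@ files:
     path: /opt/ccp/bin/rabbitmq-check-helpers.sh
     content: rabbitmq-check-helpers.sh.j2
     perm: "644"
+# {% if security.tls.enabled %}
+  server_certificate:
+    path: /opt/ccp/etc/tls/rabbitmq_certificate.pem
+    content: server.pem.j2
+    perm: "0644"
+  server_key:
+    path: /opt/ccp/etc/tls/rabbitmq_server_key.pem
+    content: server-key.pem.j2
+    perm: "0644"
+  ca_certificate:
+    path: /opt/ccp/etc/tls/ca.pem
+    content: ca.pem.j2
+    perm: "0644"
+  combined:
+    path: /opt/ccp/etc/tls/rabbitmq.pem
+    content: rabbitmq_combined.pem.j2
+    perm: "0644"
+# {% endif %}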
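Review bot: The `server_key` entry (rabbitmq_server_key.pem) and the `combined` entry (rabbitmq.pem, which rabbitmq_combined.pem.j2 in this commit renders with the private key first) are written with `perm: "0644"`, leaving the private key readable by every user in the container; both should be `perm: "0600"`, while the CA and certificate entries can stay 0644. No owner is set in this section, so whether the rabbitmq process can still open a 0600 file depends on which user the files are created as — worth checking against how the other files entries are consumed. The existing rabbitmq-check-helpers entry uses `"644"` while the new entries use `"0644"`; settling on one form keeps the file consistent.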
