Merge "[AMQP] cherrypick ssl fixes from freeipa patches"

packstack/plugins/amqp_002.py

@@ -126,6 +126,21 @@ def initConfig(controller):
          "NEED_CONFIRM": False,
          "CONDITION": False},
 
+        {"CMD_OPTION": "amqp-ssl-cacert-file",
+         "USAGE": ("The filename of the CAcertificate that the AMQP service "
+                   "is going to use for verification"),
+         "PROMPT": ("Enter the filename of the SSL CAcertificate for the AMQP"
+                    " service"),
+         "OPTION_LIST": [],
+         "VALIDATORS": [validators.validate_not_empty],
+         "DEFAULT_VALUE": "/etc/pki/tls/certs/amqp_selfcert.pem",
+         "MASK_INPUT": False,
+         "LOOSE_VALIDATION": True,
+         "CONF_NAME": "CONFIG_AMQP_SSL_CACERT_FILE",
+         "USE_DEFAULT": False,
+         "NEED_CONFIRM": False,
+         "CONDITION": False},
+
         {"CMD_OPTION": "amqp-ssl-cert-file",
          "USAGE": ("The filename of the certificate that the AMQP service "
                    "is going to use"),

packstack/puppet/templates/amqp.pp

@@ -1,9 +1,10 @@
 $amqp = hiera('CONFIG_AMQP_BACKEND')
+$amqp_enable_ssl = hiera('CONFIG_AMQP_ENABLE_SSL')
 
 case $amqp  {
   'qpid': {
     enable_qpid { 'qpid':
-      enable_ssl  => hiera('CONFIG_AMQP_ENABLE_SSL'),
+      enable_ssl  => $amqp_enable_ssl,
       enable_auth => hiera('CONFIG_AMQP_ENABLE_AUTH'),
     }
   }
@@ -19,19 +20,50 @@ define enable_rabbitmq {
     ensure => 'installed',
   }
 
-  class { 'rabbitmq':
-    port                => hiera('CONFIG_AMQP_CLIENTS_PORT'),
-    ssl_management_port => hiera('CONFIG_AMQP_SSL_PORT'),
-    ssl                 => hiera('CONFIG_AMQP_ENABLE_SSL'),
-    ssl_cert            => hiera('CONFIG_AMQP_SSL_CERT_FILE'),
-    ssl_key             => hiera('CONFIG_AMQP_SSL_KEY_FILE'),
-    default_user        => hiera('CONFIG_AMQP_AUTH_USER'),
-    default_pass        => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
-    package_provider    => 'yum',
-    admin_enable        => false,
-    config_variables    => {
+  if $amqp_enable_ssl {
+
+    $kombu_ssl_ca_certs = hiera('CONFIG_AMQP_SSL_CACERT_FILE')
+    $kombu_ssl_keyfile = hiera('CONFIG_AMQP_SSL_KEY_FILE')
+    $kombu_ssl_certfile = hiera('CONFIG_AMQP_SSL_CERT_FILE')
+
+    $files_to_set_owner = [ $kombu_ssl_keyfile, $kombu_ssl_certfile ]
+    file { $files_to_set_owner:
+      owner   => 'rabbitmq',
+      group   => 'rabbitmq',
+      require => Package['rabbitmq-server'],
+      notify  => Service['rabbitmq-server'],
+    }
+
+    class {"rabbitmq":
+      ssl_port                 => hiera('CONFIG_AMQP_SSL_PORT'),
+      ssl_only                 => true,
+      ssl                      => $amqp_enable_ssl,
+      ssl_cacert               => $kombu_ssl_ca_certs,
+      ssl_cert                 => $kombu_ssl_certfile,
+      ssl_key                  => $kombu_ssl_keyfile,
+      default_user             => hiera('CONFIG_AMQP_AUTH_USER'),
+      default_pass             => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
+      package_provider         => 'yum',
+      admin_enable             => false,
+      # FIXME: it's ugly to not to require client certs
+      ssl_fail_if_no_peer_cert => false,
+      config_variables         => {
         'tcp_listen_options' => "[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]",
         'loopback_users'     => "[]",
+      }
+    }
+  } else {
+    class {"rabbitmq":
+      port             => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+      ssl              => $amqp_enable_ssl,
+      default_user     => hiera('CONFIG_AMQP_AUTH_USER'),
+      default_pass     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
+      package_provider => 'yum',
+      admin_enable     => false,
+      config_variables  => {
+        'tcp_listen_options' => "[binary,{packet, raw},{reuseaddr, true},{backlog, 128},{nodelay, true},{exit_on_close, false},{keepalive, true}]",
+        'loopback_users'     => "[]",
+      }
     }
   }
 

packstack/puppet/templates/ceilometer_rabbitmq.pp

@@ -1,9 +1,10 @@
 class { 'ceilometer':
   metering_secret => hiera('CONFIG_CEILOMETER_SECRET'),
-  rabbit_host     => hiera('CONFIG_AMQP_HOST'),
   verbose         => true,
   debug           => hiera('CONFIG_DEBUG_MODE'),
+  rabbit_host     => hiera('CONFIG_AMQP_HOST'),
   rabbit_port     => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+  rabbit_use_ssl  => hiera('CONFIG_AMQP_ENABLE_SSL'),
   rabbit_userid   => hiera('CONFIG_AMQP_AUTH_USER'),
   rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
 }

packstack/puppet/templates/cinder_rabbitmq.pp

@@ -4,6 +4,7 @@ $cinder_rab_cfg_mariadb_host = hiera('CONFIG_MARIADB_HOST')
 class {'cinder':
   rabbit_host         => hiera('CONFIG_AMQP_HOST'),
   rabbit_port         => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+  rabbit_use_ssl      => hiera('CONFIG_AMQP_ENABLE_SSL'),
   rabbit_userid       => hiera('CONFIG_AMQP_AUTH_USER'),
   rabbit_password     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
   database_connection => "mysql://cinder:${cinder_rab_cfg_cinder_db_pw}@${cinder_rab_cfg_mariadb_host}/cinder",

packstack/puppet/templates/heat_rabbitmq.pp

@@ -9,6 +9,8 @@ class { 'heat':
   keystone_ec2_uri    => "http://${heat_rabbitmq_cfg_ctrl_host}:35357/v2.0",
   rpc_backend         => 'heat.openstack.common.rpc.impl_kombu',
   rabbit_host         => hiera('CONFIG_AMQP_HOST'),
+  rabbit_port         => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+  rabbit_use_ssl      => hiera('CONFIG_AMQP_ENABLE_SSL'),
   rabbit_userid       => hiera('CONFIG_AMQP_AUTH_USER'),
   rabbit_password     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
   verbose             => true,

packstack/puppet/templates/ironic_rabbitmq.pp

@@ -5,6 +5,7 @@ class { 'ironic':
   rpc_backend         => 'ironic.openstack.common.rpc.impl_kombu',
   rabbit_host         => hiera('CONFIG_AMQP_HOST'),
   rabbit_port         => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+  rabbit_use_ssl      => hiera('CONFIG_AMQP_ENABLE_SSL'),
   rabbit_user         => hiera('CONFIG_AMQP_AUTH_USER'),
   rabbit_password     => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
   database_connection => "mysql://ironic:${ironic_rabbitmq_cfg_ironic_db_pw}@${ironic_rabbitmq_cfg_mariadb_host}/ironic",

packstack/puppet/templates/neutron_rabbitmq.pp

@@ -2,6 +2,7 @@
 class { 'neutron':
   rabbit_host           => hiera('CONFIG_AMQP_HOST'),
   rabbit_port           => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+  rabbit_use_ssl        => hiera('CONFIG_AMQP_ENABLE_SSL'),
   rabbit_user           => hiera('CONFIG_AMQP_AUTH_USER'),
   rabbit_password       => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
   core_plugin           => hiera('CONFIG_NEUTRON_CORE_PLUGIN'),

packstack/puppet/templates/nova_ceilometer_rabbitmq.pp

@@ -2,6 +2,8 @@
 class { 'ceilometer':
     metering_secret => hiera('CONFIG_CEILOMETER_SECRET'),
     rabbit_host     => hiera('CONFIG_AMQP_HOST'),
+    rabbit_port     => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+    rabbit_use_ssl  => hiera('CONFIG_AMQP_ENABLE_SSL'),
     rabbit_userid   => hiera('CONFIG_AMQP_AUTH_USER'),
     rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
     verbose         => true,

packstack/puppet/templates/nova_common_rabbitmq.pp

@@ -14,6 +14,7 @@ class { 'nova':
   glance_api_servers => "${nova_common_rabbitmq_cfg_storage_host}:9292",
   rabbit_host        => hiera('CONFIG_AMQP_HOST'),
   rabbit_port        => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+  rabbit_use_ssl     => hiera('CONFIG_AMQP_ENABLE_SSL'),
   rabbit_userid      => hiera('CONFIG_AMQP_AUTH_USER'),
   rabbit_password    => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
   verbose            => true,

packstack/puppet/templates/sahara_rabbitmq.pp

@@ -1,6 +1,7 @@
 class { 'sahara::notify::rabbitmq':
   rabbit_host     => hiera('CONFIG_AMQP_HOST'),
   rabbit_port     => hiera('CONFIG_AMQP_CLIENTS_PORT'),
+  rabbit_use_ssl  => hiera('CONFIG_AMQP_ENABLE_SSL'),
   rabbit_userid   => hiera('CONFIG_AMQP_AUTH_USER'),
   rabbit_password => hiera('CONFIG_AMQP_AUTH_PASSWORD'),
 }