Implement X.509 auth between Rabbitmq and Aodh
Change-Id: I21d8036101e41ea6122404354af46caee5a2b7fe
Related-Prod: PROD-22754
diff --git a/aodh/_ssl/rabbitmq.sls b/aodh/_ssl/rabbitmq.sls
new file mode 100644
index 0000000..baea0e4
--- /dev/null
+++ b/aodh/_ssl/rabbitmq.sls
@@ -0,0 +1,77 @@
+{%- from "aodh/map.jinja" import server with context %}
+
+aodh_ssl_rabbitmq:
+ test.show_notification:
+ - text: "Running aodh._ssl.rabbitmq"
+
+{%- if server.message_queue.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.message_queue.x509.ca_file %}
+ {%- set key_file=server.message_queue.x509.key_file %}
+ {%- set cert_file=server.message_queue.x509.cert_file %}
+
+rabbitmq_aodh_ssl_x509_ca:
+ {%- if server.message_queue.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: aodh:server:message_queue:x509:cacert
+ - mode: 444
+ - user: aodh
+ - group: aodh
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+rabbitmq_aodh_client_ssl_cert:
+ {%- if server.message_queue.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: aodh:server:message_queue:x509:cert
+ - mode: 440
+ - user: aodh
+ - group: aodh
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+rabbitmq_aodh_client_ssl_private_key:
+ {%- if server.message_queue.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: aodh:server:message_queue:x509:key
+ - mode: 400
+ - user: aodh
+ - group: aodh
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+rabbitmq_aodh_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: aodh
+ - group: aodh
+
+{% elif server.message_queue.get('ssl',{}).get('enabled',False) %}
+rabbitmq_ca_aodh:
+ {%- if server.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.message_queue.ssl.cacert_file }}
+ - contents_pillar: aodh:server:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/aodh/files/pike/aodh.conf.Debian b/aodh/files/pike/aodh.conf.Debian
index d45a10b..e4c9dfb 100644
--- a/aodh/files/pike/aodh.conf.Debian
+++ b/aodh/files/pike/aodh.conf.Debian
@@ -1470,13 +1470,19 @@
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbit_use_ssl=true
-{%- if server.message_queue.ssl.version is defined %}
+ {%- if server.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ server.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
+ {%- if server.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ server.message_queue.x509.ca_file }}
+kombu_ssl_keyfile = {{ server.message_queue.x509.key_file }}
+kombu_ssl_certfile = {{ server.message_queue.x509.cert_file }}
+ {%- else %}
kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
{%- endif %}
diff --git a/aodh/server.sls b/aodh/server.sls
index 36e84d7..a51abdc 100644
--- a/aodh/server.sls
+++ b/aodh/server.sls
@@ -7,12 +7,14 @@
include:
- aodh._ssl.mysql
+ - aodh._ssl.rabbitmq
aodh_server_packages:
pkg.installed:
- names: {{ server.pkgs }}
- require_in:
- sls: aodh._ssl.mysql
+ - sls: aodh._ssl.rabbitmq
/etc/aodh/aodh.conf:
file.managed:
@@ -23,6 +25,7 @@
- require:
- pkg: aodh_server_packages
- sls: aodh._ssl.mysql
+ - sls: aodh._ssl.rabbitmq
{% for service_name in server.services %}
{{ service_name }}_default: