Implement X.509 auth between Rabbitmq and Barbican
Change-Id: I04f3102ec7f62f810a538c9a195279eae3e1901e
Related-Prod: PROD-22755
diff --git a/barbican/_ssl/mysql.sls b/barbican/_ssl/mysql.sls
index 086a1dd..0f8f1a9 100644
--- a/barbican/_ssl/mysql.sls
+++ b/barbican/_ssl/mysql.sls
@@ -63,23 +63,23 @@
{% elif server.database.get('ssl',{}).get('enabled',False) %}
- mysql_ca_barbican:
- {%- if server.database.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.database.ssl.cacert_file }}
- - contents_pillar: barbican:server:database:ssl:cacert
- - mode: 0444
- - makedirs: true
- {%- else %}
- file.exists:
- - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
- - watch_in:
- - service: barbican_server_services
- {% if server.get('async_queues_enable', False) %}
- - service: barbican-worker
- {% endif %}
- - require_in:
- - cmd: barbican_syncdb
- {%- endif %}
+mysql_ca_barbican:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: barbican:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ - watch_in:
+ - service: barbican_server_services
+ {% if server.get('async_queues_enable', False) %}
+ - service: barbican-worker
+ {% endif %}
+ - require_in:
+ - cmd: barbican_syncdb
+ {%- endif %}
{%- endif %}
diff --git a/barbican/_ssl/rabbitmq.sls b/barbican/_ssl/rabbitmq.sls
index 028f43c..2220e36 100644
--- a/barbican/_ssl/rabbitmq.sls
+++ b/barbican/_ssl/rabbitmq.sls
@@ -1,30 +1,76 @@
{%- from "barbican/map.jinja" import server with context %}
-{#
+barbican_ssl_rabbitmq:
+ test.show_notification:
+ - text: "Running barbican._ssl.rabbitmq"
-The state reposible for management of CA certificates for the following
-tls communications paths used by Barbican:
+{%- if server.message_queue.get('x509',{}).get('enabled',False) %}
+ {%- set ca_file=server.message_queue.x509.ca_file %}
+ {%- set key_file=server.message_queue.x509.key_file %}
+ {%- set cert_file=server.message_queue.x509.cert_file %}
-- messaging (RabbitMQ Server): rabbitmq_ca_barbican_server
-- database (MySQL Server): mysql_ca_barbican_server
+rabbitmq_barbican_ssl_x509_ca:
+ {%- if server.message_queue.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: barbican:server:message_queue:x509:cacert
+ - mode: 444
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
-#}
+rabbitmq_barbican_client_ssl_cert:
+ {%- if server.message_queue.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: barbican:server:message_queue:x509:cert
+ - mode: 440
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
-{%- if server.message_queue.ssl.enabled %}
-rabbitmq_ca_barbican_server:
-{% if server.message_queue.ssl.cacert is defined %}
+rabbitmq_barbican_client_ssl_private_key:
+ {%- if server.message_queue.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: barbican:server:message_queue:x509:key
+ - mode: 400
+ - user: barbican
+ - group: barbican
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+rabbitmq_barbican_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: barbican
+ - group: barbican
+
+{% elif server.message_queue.get('ssl',{}).get('enabled',False) %}
+
+rabbitmq_ca_barbican:
+ {%- if server.message_queue.ssl.cacert is defined %}
file.managed:
- name: {{ server.message_queue.ssl.cacert_file }}
- contents_pillar: barbican:server:message_queue:ssl:cacert
- mode: 0444
- makedirs: true
-{% else %}
- file.exists:
+ {%- else %}
+ file.exists:
- name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
-{% endif %}
- - watch_in:
- - service: barbican_server_services
- {% if server.get('async_queues_enable', False) %}
- - service: barbican-worker
- {% endif %}
-{% endif %}
+ {%- endif %}
+{%- endif %}
diff --git a/barbican/files/pike/barbican.conf.Debian b/barbican/files/pike/barbican.conf.Debian
index 3de0884..b3d6f5b 100644
--- a/barbican/files/pike/barbican.conf.Debian
+++ b/barbican/files/pike/barbican.conf.Debian
@@ -156,14 +156,23 @@
[oslo_messaging_rabbit]
-{%- if server.message_queue.ssl.enabled %}
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbit_use_ssl=true
-kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
-{%- if server.message_queue.ssl.version is defined %}
+
+ {%- if server.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ server.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
+
+ {%- if server.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ server.message_queue.x509.ca_file }}
+kombu_ssl_keyfile = {{ server.message_queue.x509.key_file }}
+kombu_ssl_certfile = {{ server.message_queue.x509.cert_file }}
+ {%- else %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
{%- endif %}
# Rabbit and HA configuration:
diff --git a/barbican/server.sls b/barbican/server.sls
index c50f10e..ddeca48 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -11,6 +11,7 @@
- names: {{ server.pkgs }}
- require_in:
- sls: barbican._ssl.mysql
+ - sls: barbican._ssl.rabbitmq
/etc/barbican/barbican.conf:
file.managed:
@@ -21,6 +22,7 @@
- require:
- pkg: barbican_server_packages
- sls: barbican._ssl.mysql
+ - sls: barbican._ssl.rabbitmq
barbican_syncdb:
cmd.run: