RabbitMQ TLS support
Add the ability to use TLS for messaging.
PROD-15653
Change-Id: I90146579e9f509c9b3f4ee3585b5a923240804b7
diff --git a/README.rst b/README.rst
index 2255dca..cd6b88a 100644
--- a/README.rst
+++ b/README.rst
@@ -156,6 +156,24 @@
sql_idle_timeout: 180
+Configuring TLS communications
+------------------------------
+
+**RabbitMQ**
+
+.. code-block:: yaml
+
+ barbican:
+ server:
+ message_queue:
+ port: 5671
+ ssl:
+ enabled: True
+ cacert: cert body if the cacert_file does not exists
+ cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+
Configuring plugins
-------------------
diff --git a/barbican/_ssl.sls b/barbican/_ssl.sls
new file mode 100644
index 0000000..685a439
--- /dev/null
+++ b/barbican/_ssl.sls
@@ -0,0 +1,29 @@
+{%- from "barbican/map.jinja" import server, system_cacerts_file with context %}
+
+{#
+
+The state reposible for management of CA certificates for the following
+tls communications paths used by Barbican:
+
+- messaging (RabbitMQ Server): rabbitmq_ca_barbican_server
+
+#}
+
+{%- if server.message_queue.ssl.enabled %}
+rabbitmq_ca_barbican_server:
+{% if server.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.message_queue.ssl.cacert_file }}
+ - contents_pillar: barbican:server:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+{% else %}
+ file.exists:
+ - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{% endif %}
+ - watch_in:
+ - service: barbican_server_services
+ {% if server.get('async_queues_enable', False) %}
+ - service: barbican-worker
+ {% endif %}
+{% endif %}
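Review bot: In the `cacert is defined` branch `server.message_queue.ssl.cacert_file` is read with no fallback, while the `file.exists` branch and barbican.conf fall back to `system_cacerts_file`; the asymmetry looks deliberate and should stay, since a fallback here would make `file.managed` replace the distro CA bundle with the pillar certificate, but it deserves a comment: `{#- cacert_file is mandatory when cacert is given; never default it to system_cacerts_file, or file.managed would overwrite the system CA bundle #}`. Whether a missing `cacert_file` fails the render or yields an empty `- name:` depends on the renderer's undefined handling, so I would not rely on it silently. Separately, `- mode: 0444` is an unquoted octal literal; Salt's documentation recommends quoting file modes, `- mode: "0444"`, so a YAML 1.1 loader cannot read it as decimal 292.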
diff --git a/barbican/files/ocata/barbican.conf.Debian b/barbican/files/ocata/barbican.conf.Debian
index 3b2054c..e896d98 100644
--- a/barbican/files/ocata/barbican.conf.Debian
+++ b/barbican/files/ocata/barbican.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "barbican/map.jinja" import server with context -%}
+{%- from "barbican/map.jinja" import server, system_cacerts_file with context -%}
[DEFAULT]
# Show debugging output in logs (sets DEBUG log level output)
#debug = True
@@ -117,17 +117,29 @@
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
# ================= Queue Options - oslo.messaging ==========================
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.ssl.enabled else 5672) %}
+
{%- if server.message_queue.members is defined %}
transport_url = rabbit://{% for member in server.message_queue.members -%}
- {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+ {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', rabbit_port) }}
{%- if not loop.last -%},{%- endif -%}
{%- endfor -%}
/{{ server.message_queue.virtual_host }}
{%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
{%- endif %}
+
[oslo_messaging_rabbit]
+{%- if server.message_queue.ssl.enabled %}
+rabbit_use_ssl=true
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+{%- endif %}
# Rabbit and HA configuration:
## amqp_durable_queues = True
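Review bot: When `ssl.version` is unset and the `pythonversion` grain is 2.7.8 or older, the block emits no `kombu_ssl_version`, so the protocol is left to the library default rather than pinned to TLSv1_2 and nothing in the rendered file records that; a comment above the `elif`, `# TLSv1_2 is only forced where the interpreter is known to support it (>= 2.7.9); older pythons are left on the kombu default`, would make the silent branch visible. The grain describes the salt minion's interpreter, which is presumably but not necessarily the one barbican runs under, so the guard is a heuristic rather than a guarantee. A pillar-supplied `ssl.version` is inserted unvalidated, so a spelling kombu does not accept (for instance `TLSv1.2` instead of `TLSv1_2`) only surfaces when the service starts. Style: `rabbit_use_ssl=true` lacks the spaces around `=` that the neighbouring `kombu_ssl_ca_certs = ...` line uses.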
@@ -606,4 +618,3 @@
# Config Section from which to load plugin specific options (string value)
#auth_section = <None>
-
diff --git a/barbican/map.jinja b/barbican/map.jinja
index 9bb4730..0b63501 100644
--- a/barbican/map.jinja
+++ b/barbican/map.jinja
@@ -6,6 +6,9 @@
port: 8080
cache:
engine: noop
+ message_queue:
+ ssl:
+ enabled: False
Debian:
pkgs:
- barbican-api
@@ -27,3 +30,4 @@
{%- set server = salt['grains.filter_by'](server_defaults, merge=salt['pillar.get']('barbican:server'), base='default') %}
{%- set client = salt['grains.filter_by'](client_defaults, merge=salt['pillar.get']('barbican:client')) %}
+{%- set system_cacerts_file = salt['grains.filter_by']({'Debian': '/etc/ssl/certs/ca-certificates.crt','RedHat': '/etc/pki/tls/certs/ca-bundle.crt'})%}
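Review bot: The `grains.filter_by` call on the last line has no `default`, so on an `os_family` other than Debian or RedHat `system_cacerts_file` presumably resolves to None, and the consumers then render `kombu_ssl_ca_certs = None` and `file.exists` with `- name: None`, which only fails at state run time. Either pass a `default` or document the supported families next to the variable: `{#- system CA bundle path per os_family; only Debian and RedHat are mapped, other families get no value #}`. Minor: a space is missing before the closing `%}`.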
diff --git a/barbican/server.sls b/barbican/server.sls
index 936c7e3..3b9da03 100644
--- a/barbican/server.sls
+++ b/barbican/server.sls
@@ -1,6 +1,9 @@
{%- from "barbican/map.jinja" import server with context %}
{%- if server.enabled %}
+include:
+ - barbican._ssl
+
barbican_server_packages:
pkg.installed:
- names: {{ server.pkgs }}
@@ -79,4 +82,5 @@
- service: barbican_server_services
{%- endif %}
+
{%- endif %}
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
new file mode 100644
index 0000000..715b360
--- /dev/null
+++ b/tests/pillar/ssl.sls
@@ -0,0 +1,46 @@
+include:
+ - .control_single
+
+barbican:
+ server:
+ message_queue:
+ port: 5671
+ ssl:
+ # Case #1: specify cacert file and ca cert body explicitly
+ enabled: True
+ cacert_file: /etc/barbican/ssl/rabbitmq_cacert.pem
+ cacert: |
+ -----BEGIN CERTIFICATE-----
+ MIIF0TCCA7mgAwIBAgIJAMHIQpWZYGDTMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNV
+ BAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0GA1UEBwwGUHJhZ3Vl
+ MREwDwYDVQQKDAhNaXJhbnRpczAeFw0xNzA4MTQxMTI2MDdaFw0yNzA4MTIxMTI2
+ MDdaMEoxCzAJBgNVBAYTAmN6MRcwFQYDVQQDDA5TYWx0IE1hc3RlciBDQTEPMA0G
+ A1UEBwwGUHJhZ3VlMREwDwYDVQQKDAhNaXJhbnRpczCCAiIwDQYJKoZIhvcNAQEB
+ BQADggIPADCCAgoCggIBAL596jeUmim5bo0J52vPylX8xZOCaCvW9wlSYbk143dU
+ x7sqlAbPePvN6jj44BrYV01F4rCn9uxuaFLrbjF4rUDp81F0yMqghwyLmlTgJBOq
+ AMNiEtrBUwmenJPuM55IYeO9OFbPeBvZyqKy2IG18GbK35QE85rOgaEfgDIkVeV9
+ yNB8b+yftn3ebRZCceU5lx/o+w2eQkuyloy1F5QC7U2MhGF2ekLX79s8x+LNlbiO
+ EF1D/FWFor3HY9DwNlg7U99mVID2Bj8lPPt4dW8JDMKkghh+S797l3H6RYKHhIvs
+ wi+50ljhk5nHl+qCooGKuGZ2WokrGXWkoDfrrpl//7FFRPwauoU/akDVfoWYffqx
+ jnvlQFkAlI3S5F/vwJGI1JGvPv5p5uRxPJEeMI0Sp9bVrznHGCgaJyY+vIBoZCwS
+ i0t16gsgeezcu44Y65crv4XNOBKOS+KqvMwdzzukOj9YsYwNnlLly0VvTEdxTwwI
+ 7NopRglUQrLusjZ5wwe23kf07xVxC98e1LRQzR5oEAUKkDrQzjmXBfcV92GrE3s7
+ 1L4dvfXUE1mVxabhBCoS6kO3JQGPK+1LJDIs/F0uVVtOy/oz6mIdV2scCteFRAbm
+ BhfEoVbaYNlUxlNGno2I/HEep4P0DrFPQi0ZmGfvNO6t3EvTSnWcsUL9h55wZ3Pl
+ AgMBAAGjgbkwgbYwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
+ FN2inIsMteL9vxR8Lo0yHI+4KaDGMHoGA1UdIwRzMHGAFN2inIsMteL9vxR8Lo0y
+ HI+4KaDGoU6kTDBKMQswCQYDVQQGEwJjejEXMBUGA1UEAwwOU2FsdCBNYXN0ZXIg
+ Q0ExDzANBgNVBAcMBlByYWd1ZTERMA8GA1UECgwITWlyYW50aXOCCQDByEKVmWBg
+ 0zANBgkqhkiG9w0BAQsFAAOCAgEAq8yv5IZWHyZuySpe85GCfdn4VFfSw6O1tdOZ
+ 7PnCNGqkLie3D0X5VIymDkEwSGrvRtAKvtRajej/1/T2lNJNzQaqQObMK9UpXMmu
+ g0qjAjYjbYMRS+4V1FJiyxxqyvE//XO+Jznj3jnF6IDnTYJp3tCUswvUYRSpAErP
+ CwtvBLzPhF9t3W+ElcrgM7UNDPRoVlun0q6FH4WAAKuuqXfJaEbe9XrkR+cBlP4O
+ 7utdveEREw0cONoFtHM/yVwb9ovaitMEA/b6qH286cJ59zXJbhMe7+n9dFlMnAAh
+ WfayyLzlaOjxicGMPcmUMRh9n8fml7bR3mekL1BGZt451kH3+FSfjPpF3hqVqb3c
+ 8LZsCrD10UYUOOQ1zyE8YaeQ6UgNW7LFJlngvNLAZKxRupc0FNGgDTMr8sgdBBeR
+ gH0cp+h4mDusEzYpaPIqci5+UOMelK/SMIYzMtD1ogZp/c9qIGh5nXwRkspHGrtk
+ ay6yizlPyY4QS1dOD/8nhGRbp5OQF1o5ZUtXlnaFHeLK7zl9iddqSvBVUNFdpDz+
+ uVYHAw4O2T7J7ge+gGgmjRPQjW1+O+jFWlSkO+7iFjdIOTZ6tpqYEglh0khgM8b5
+ V0MAVuww51/1DqirRG6Ge/3Sw44eDZID22jjCwLrDH0GSX76cDTe6Bx/WS0Wg7y/
+ /86PB1o=
+ -----END CERTIFICATE-----
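Review bot: The pillar labels itself "Case #1" but is the only case, so the `cacert`-less path (`file.exists` against `cacert_file` or the os_family CA bundle, and barbican.conf falling back to `system_cacerts_file`) is never rendered in tests, nor is the implicit port selection when `port` is omitted with `ssl.enabled: True`. A second pillar under tests/pillar/ (name to be chosen) with only `ssl: {enabled: True}` would exercise both branches of `_ssl.sls` and the port default. Also `enabled: True` spells the boolean with a capital, which yamllint's truthy rule flags; `true` is the canonical form.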