Implement X.509 auth between Rabbitmq and Cinder
Related-Prod: PROD-22757
Change-Id: I52de12e7d846bcb2a1e261026c9965933a712a3d
diff --git a/cinder/_ssl/rabbitmq.sls b/cinder/_ssl/rabbitmq.sls
new file mode 100644
index 0000000..ac8ee82
--- /dev/null
+++ b/cinder/_ssl/rabbitmq.sls
@@ -0,0 +1,87 @@
+{% from "cinder/map.jinja" import controller, volume with context %}
+
+{%- if controller.enabled == True %}
+ {%- set cinder_msg = controller.message_queue %}
+ {%- set cinder_cacert = controller.cacert_file %}
+ {%- set role = 'controller' %}
+{%- else %}
+ {%- set cinder_msg = volume.message_queue %}
+ {%- set cinder_cacert = volume.cacert_file %}
+ {%- set role = 'volume' %}
+{%- endif %}
+
+cinder_{{ role }}_ssl_rabbitmq:
+ test.show_notification:
+ - text: "Running cinder._ssl.rabbitmq"
+
+{%- if cinder_msg.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=cinder_msg.x509.ca_file %}
+ {%- set key_file=cinder_msg.x509.key_file %}
+ {%- set cert_file=cinder_msg.x509.cert_file %}
+
+rabbitmq_cinder_{{ role }}_ssl_x509_ca:
+ {%- if cinder_msg.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: cinder:{{ role }}:message_queue:x509:cacert
+ - mode: 444
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+rabbitmq_cinder_{{ role }}_client_ssl_cert:
+ {%- if cinder_msg.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: cinder:{{ role }}:message_queue:x509:cert
+ - mode: 440
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+rabbitmq_cinder_{{ role }}_client_ssl_private_key:
+ {%- if cinder_msg.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: cinder:{{ role }}:message_queue:x509:key
+ - mode: 400
+ - user: cinder
+ - group: cinder
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+rabbitmq_cinder_{{ role }}_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: cinder
+ - group: cinder
+
+{% elif cinder_msg.get('ssl',{}).get('enabled',False) %}
+rabbitmq_ca_cinder_{{ role }}_client:
+ {%- if cinder_msg.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ cinder_msg.ssl.cacert_file }}
+ - contents_pillar: cinder:{{ role }}:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cinder_msg.ssl.get('cacert_file', cinder_cacert) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/cinder/controller.sls b/cinder/controller.sls
index 8dffd36..ac31298 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -8,6 +8,7 @@
{%- endif %}
- cinder.db.offline_sync
- cinder._ssl.controller_mysql
+ - cinder._ssl.rabbitmq
{%- set user = controller %}
{%- include "cinder/user.sls" %}
@@ -21,6 +22,7 @@
- names: {{ controller.pkgs }}
- require_in:
- sls: cinder._ssl.controller_mysql
+ - sls: cinder._ssl.rabbitmq
- sls: cinder.db.offline_sync
/etc/cinder/cinder.conf:
@@ -33,6 +35,7 @@
- require:
- pkg: cinder_controller_packages
- sls: cinder._ssl.controller_mysql
+ - sls: cinder._ssl.rabbitmq
- require_in:
- sls: cinder.db.offline_sync
@@ -45,6 +48,7 @@
- require:
- pkg: cinder_controller_packages
- sls: cinder._ssl.controller_mysql
+ - sls: cinder._ssl.rabbitmq
- require_in:
- sls: cinder.db.offline_sync
@@ -101,6 +105,7 @@
- require:
- pkg: cinder_controller_packages
- sls: cinder._ssl.controller_mysql
+ - sls: cinder._ssl.rabbitmq
- require_in:
- sls: cinder.db.offline_sync
{%- if controller.logging.log_handlers.get('fluentd', {}).get('enabled', False) %}
@@ -230,6 +235,7 @@
- service: cinder_api_service_dead
- sls: cinder.db.offline_sync
- sls: cinder._ssl.controller_mysql
+ - sls: cinder._ssl.rabbitmq
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
@@ -252,6 +258,7 @@
- pkg: cinder_controller_packages
- sls: cinder.db.offline_sync
- sls: cinder._ssl.controller_mysql
+ - sls: cinder._ssl.rabbitmq
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
@@ -284,6 +291,7 @@
- pkg: cinder_controller_packages
- sls: cinder.db.offline_sync
- sls: cinder._ssl.controller_mysql
+ - sls: cinder._ssl.rabbitmq
- watch:
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_controller
diff --git a/cinder/files/pike/cinder.conf.controller.Debian b/cinder/files/pike/cinder.conf.controller.Debian
index 5501ae8..25acf4d 100644
--- a/cinder/files/pike/cinder.conf.controller.Debian
+++ b/cinder/files/pike/cinder.conf.controller.Debian
@@ -164,13 +164,19 @@
[oslo_messaging_rabbit]
rabbit_use_ssl=true
-{%- if controller.message_queue.ssl.version is defined %}
+ {%- if controller.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ controller.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
+ {%- if controller.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ controller.message_queue.x509.ca_file }}
+kombu_ssl_keyfile = {{ controller.message_queue.x509.key_file }}
+kombu_ssl_certfile = {{ controller.message_queue.x509.cert_file }}
+ {%- else %}
kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
+ {%- endif %}
{%- endif %}
diff --git a/cinder/files/pike/cinder.conf.volume.Debian b/cinder/files/pike/cinder.conf.volume.Debian
index c88948b..b9dcbfb 100644
--- a/cinder/files/pike/cinder.conf.volume.Debian
+++ b/cinder/files/pike/cinder.conf.volume.Debian
@@ -149,13 +149,19 @@
[oslo_messaging_rabbit]
rabbit_use_ssl=true
-{%- if volume.message_queue.ssl.version is defined %}
+ {%- if volume.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ volume.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
+ {%- if volume.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ volume.message_queue.x509.ca_file }}
+kombu_ssl_keyfile = {{ volume.message_queue.x509.key_file }}
+kombu_ssl_certfile = {{ volume.message_queue.x509.cert_file }}
+ {%- else %}
kombu_ssl_ca_certs = {{ volume.message_queue.ssl.get('cacert_file', volume.cacert_file) }}
+ {%- endif %}
{%- endif %}
[keystone_authtoken]
diff --git a/cinder/volume.sls b/cinder/volume.sls
index b8b26de..57bb23e 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -4,6 +4,7 @@
include:
- cinder._ssl.volume_mysql
+ - cinder._ssl.rabbitmq
{%- if not pillar.cinder.get('controller', {}).get('enabled', False) %}
{%- set user = volume %}
@@ -15,6 +16,7 @@
- names: {{ volume.pkgs }}
- require_in:
- sls: cinder._ssl.volume_mysql
+ - sls: cinder._ssl.rabbitmq
/var/lock/cinder:
file.directory:
@@ -53,6 +55,7 @@
- group: cinder
- require:
- sls: cinder._ssl.volume_mysql
+ - sls: cinder._ssl.rabbitmq
- pkg: cinder_volume_packages
/etc/cinder/api-paste.ini:
@@ -83,6 +86,7 @@
{%- endif %}
- require:
- sls: cinder._ssl.volume_mysql
+ - sls: cinder._ssl.rabbitmq
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_volume
@@ -162,6 +166,7 @@
{%- endif %}
- require:
- sls: cinder._ssl.volume_mysql
+ - sls: cinder._ssl.rabbitmq
- watch:
{%- if volume.message_queue.get('ssl',{}).get('enabled', False) %}
- file: rabbitmq_ca_cinder_volume