RabbitMQ TLS support

Change-Id: I93ead9105820fe7462b7bd9b76d51f89ce5950c6
OSCORE-389
Releases: Mitaka, Ocata
diff --git a/designate/files/mitaka/designate.conf.Debian b/designate/files/mitaka/designate.conf.Debian
index 90d4f8b..62a472c 100644
--- a/designate/files/mitaka/designate.conf.Debian
+++ b/designate/files/mitaka/designate.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "designate/map.jinja" import server with context %}
+{%- from "designate/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 # Where an option is commented out, but filled in this shows the default
 # value of that option
@@ -59,15 +59,30 @@
 rabbit_userid = {{ server.message_queue.user }}
 rabbit_password = {{ server.message_queue.password }}
 rabbit_virtual_host = {{ server.message_queue.virtual_host }}
-#rabbit_use_ssl = False
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 rabbit_hosts = {% for member in server.message_queue.members -%}
-                   {{ member.host }}:{{ member.get('port', 5672) }}
+                   {{ member.host }}:{{ member.get('port', rabbit_port) }}
                    {%- if not loop.last -%},{%- endif -%}
                {%- endfor -%}
 {%- else %}
 rabbit_host = {{ server.message_queue.host }}
-rabbit_port = {{ server.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
 {%- endif %}
 
 ########################
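Review bot: On hosts whose `pythonversion` grain is 2.7.8 or older and with no `ssl.version` in pillar, the `elif` under `rabbit_use_ssl=true` emits no `kombu_ssl_version` at all, so the protocol is left to whatever oslo.messaging/kombu default the installed version uses — presumably plain TLS negotiation that still admits TLS 1.0/1.1; confirm against the packaged oslo.messaging. That silent fallback deserves a rendered comment so an operator reading designate.conf sees it: add an `{%- else %}` branch emitting `# kombu_ssl_version not pinned: Python <= 2.7.8 lacks PROTOCOL_TLSv1_2, library default applies`. The `ssl.version` value is also written unchecked, so a typo or a deliberately weak pin is only discovered when the service fails to connect; a line in the pillar docs naming the accepted values (the `ssl.PROTOCOL_*` suffixes) would help. Minor style: `rabbit_use_ssl=true` and `kombu_ssl_ca_certs={{ ... }}` drop the ` = ` spacing used by every other key in this section.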
diff --git a/designate/files/ocata/designate.conf.Debian b/designate/files/ocata/designate.conf.Debian
index 1cc491a..b5ac5dc 100644
--- a/designate/files/ocata/designate.conf.Debian
+++ b/designate/files/ocata/designate.conf.Debian
@@ -1,5 +1,5 @@
-{%- from "designate/map.jinja" import server with context %}
-{%- from "designate/map.jinja" import pool_manager with context %}
+{%- from "designate/map.jinja" import server, pool_manager, system_cacerts_file with context %}
+
 [DEFAULT]
 # Where an option is commented out, but filled in this shows the default
 # value of that option
@@ -61,9 +61,11 @@
 rabbit_password = {{ server.message_queue.password }}
 rabbit_virtual_host = {{ server.message_queue.virtual_host }}
 #rabbit_use_ssl = False
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 rabbit_hosts = {% for member in server.message_queue.members -%}
-                   {{ member.host }}:{{ member.get('port', 5672) }}
+                   {{ member.host }}:{{ member.get('port', rabbit_port) }}
                    {%- if not loop.last -%},{%- endif -%}
                {%- endfor -%}
 {%- else %}
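Review bot: The `rabbit_port` default computed at the top of this hunk (5671 when `ssl.enabled`) is only consumed by the `members` loop; the single-host branch just past this hunk still writes `rabbit_port = {{ server.message_queue.port }}`, so an SSL pillar that omits `port` renders an unset `rabbit_port` for a single broker on Ocata, while the Mitaka template in this same commit already uses the computed value. Change that line to `rabbit_port = {{ rabbit_port }}`. The commented `#rabbit_use_ssl = False` kept as context here was removed from the Mitaka template; dropping it here too avoids a reader taking it for the effective setting when `rabbit_use_ssl=true` is emitted a few lines later.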
@@ -71,6 +73,20 @@
 rabbit_port = {{ server.message_queue.port }}
 {%- endif %}
 
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
 ########################
 ## Service Configuration
 ########################
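Review bot: With `ssl.cacert_file` unset, the trust anchor for the broker connection is the whole system CA bundle, so any certificate chaining to any public CA is accepted for the broker; whether the broker hostname is then checked against that certificate depends on the installed oslo.messaging/kombu/amqp versions rather than on anything in this file, so I would not rely on it. Worth a comment in the rendered config so the operator knows what is and is not verified: `# peer verification uses kombu_ssl_ca_certs; hostname checking depends on the messaging library — prefer a private CA via ssl.cacert_file`. No client certificate or key options are templated, so mutual TLS to the broker cannot be configured from pillar; that is a reasonable scope decision but should be stated in the README alongside the new `ssl` keys.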
diff --git a/designate/map.jinja b/designate/map.jinja
index 5b78e51..70ace07 100644
--- a/designate/map.jinja
+++ b/designate/map.jinja
@@ -1,3 +1,8 @@
+{%- set system_cacerts_file = salt['grains.filter_by']({
+    'Debian': '/etc/ssl/certs/ca-certificates.crt',
+    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+})%}
+
 {%- set version = salt['pillar.get']('designate:server:version') -%}
 {%- set api_address = salt['pillar.get']('designate:server:bind:api:address', '127.0.0.1') -%}
 {%- set api_port = salt['pillar.get']('designate:server:bind:api:port', '9001') -%}
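Review bot: `grains.filter_by` with no `default` key returns None when `os_family` is neither Debian nor RedHat, and `kombu_ssl_ca_certs={{ system_cacerts_file }}` in the templates then renders the literal string `None` as a CA path; the connection fails closed, but with a misleading error far from the cause. Add a `'default'` entry (filter_by falls back to that key), e.g. `'default': '/etc/ssl/certs/ca-certificates.crt',` after the RedHat line, or keep it unset deliberately and make the templates fail loudly when the variable is falsy. A one-line comment above the block saying this is the CA bundle used when `message_queue.ssl.cacert_file` is not given would also help the next reader.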
diff --git a/designate/server.sls b/designate/server.sls
index fd9e7a0..1228817 100644
--- a/designate/server.sls
+++ b/designate/server.sls
@@ -1,4 +1,4 @@
-{%- from "designate/map.jinja" import server with context %}
+{%- from "designate/map.jinja" import server, system_cacerts_file with context %}
 {%- if server.enabled %}
 
 {%- if server.backend is defined %}
@@ -65,6 +65,9 @@
       - cmd: designate_pool_sync
     - watch:
       - file: /etc/designate/designate.conf
+      {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+      - file: rabbitmq_ca
+      {%- endif %}
 {%- endif %}
 
 {%- if server.version not in ['liberty', 'juno', 'kilo'] and server.pools is defined %}
@@ -86,4 +89,19 @@
       - file: /etc/designate/pools.yaml
 {%- endif %}
 {%- endif %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if server.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.message_queue.ssl.cacert_file }}
+    - contents_pillar: designate:server:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
 {%- endif %}
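Review bot: The `file.managed` branch assumes `cacert_file` is set whenever `cacert` is, but nothing enforces that: a pillar carrying only the PEM in `ssl.cacert` renders `- name:` with an undefined value, and the designate.conf templates in this commit then point `kombu_ssl_ca_certs` at the system bundle, so the supplied CA is never trusted. Either give both places the same fallback — define one default path in map.jinja next to `system_cacerts_file` and use it both in this `name:` and in the config templates — or fail the render early when `cacert` is present without `cacert_file`. The `file.exists` list item is indented three spaces (`   - name:`) while the rest of the file uses four; YAML accepts it, but it breaks the file's convention. Adding `- user: root` and `- group: root` to the managed CA file would make ownership explicit rather than inherited from the minion's defaults.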
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
new file mode 100644
index 0000000..bc033e8
--- /dev/null
+++ b/tests/pillar/ssl.sls
@@ -0,0 +1,9 @@
+include:
+  - .designate_ocata
+
+designate:
+  server:
+    message_queue:
+      port: 5671
+      ssl:
+        enabled: True
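Review bot: This pillar exercises only the system-bundle path — `ssl.enabled` without `cacert` or `cacert_file` — so the `file.managed` branch of `rabbitmq_ca` and the `kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}` line in the config templates are never rendered by the tests. A second pillar (or extra keys here) setting `ssl.cacert_file` and a short `ssl.cacert` PEM would cover them. The explicit `port: 5671` also masks the new default; dropping it would check that 5671 is actually chosen when `ssl.enabled` is true.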