Implement X.509 auth between Rabbitmq and Designate Change-Id: Ibda946b558cd2a7c4f5fbcb17a7919d250bc33ff Related-Prod: PROD-22758

commit: b988699b38aa16c7b748d436a9d9d6358236ef81 [log] [tgz]
author: Oleksandr Shyshko <oshyshko@mirantis.com> Fri Sep 21 12:44:35 2018 +0300
committer: Oleksandr Shyshko <oshyshko@mirantis.com> Fri Sep 21 12:45:19 2018 +0300
tree: a8b6a6a1e3ee9292878ec7ca6b31a7faff6b7d9c
parent: bf1664e03d07c098c20ae8bdef7e143b91df763e [diff]
diff --git a/README.rst b/README.rst
index 77e1f3c..b334c4e 100644
--- a/README.rst
+++ b/README.rst

@@ -226,6 +226,33 @@
 You can read more about it here:
     https://docs.openstack.org/security-guide/databases/database-access-control.html
 
+Enable x509 and ssl communication between Designate and Rabbitmq.
+---------------------
+By default communication between Designate and Rabbitmq is unsecure.
+
+.. code-block:: yaml
+
+designate:
+  server:
+    message_queue:
+      x509:
+        enabled: True
+
+You able to set custom certificates in pillar:
+
+.. code-block:: yaml
+
+designate:
+  server:
+    message_queue:
+      x509:
+        cacert: (certificate content)
+        cert: (certificate content)
+        key: (certificate content)
+
+You can read more about it here:
+    https://docs.openstack.org/security-guide/messaging/security.html
+
 Documentation and Bugs
 ======================
 

diff --git a/designate/_ssl/rabbitmq.sls b/designate/_ssl/rabbitmq.sls
new file mode 100644
index 0000000..ffc3c4f
--- /dev/null
+++ b/designate/_ssl/rabbitmq.sls

@@ -0,0 +1,77 @@
+{%- from "designate/map.jinja" import server with context %}
+
+designate_ssl_rabbitmq:
+  test.show_notification:
+    - text: "Running designate._ssl.rabbitmq"
+
+{%- if server.message_queue.get('x509',{}).get('enabled',False) %}
+
+  {%- set ca_file=server.message_queue.x509.ca_file %}
+  {%- set key_file=server.message_queue.x509.key_file %}
+  {%- set cert_file=server.message_queue.x509.cert_file %}
+
+rabbitmq_designate_ssl_x509_ca:
+  {%- if server.message_queue.x509.cacert is defined %}
+  file.managed:
+    - name: {{ ca_file }}
+    - contents_pillar: designate:server:message_queue:x509:cacert
+    - mode: 444
+    - user: designate
+    - group: designate
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ ca_file }}
+  {%- endif %}
+
+rabbitmq_designate_client_ssl_cert:
+  {%- if server.message_queue.x509.cert is defined %}
+  file.managed:
+    - name: {{ cert_file }}
+    - contents_pillar: designate:server:message_queue:x509:cert
+    - mode: 440
+    - user: designate
+    - group: designate
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ cert_file }}
+  {%- endif %}
+
+rabbitmq_designate_client_ssl_private_key:
+  {%- if server.message_queue.x509.key is defined %}
+  file.managed:
+    - name: {{ key_file }}
+    - contents_pillar: designate:server:message_queue:x509:key
+    - mode: 400
+    - user: designate
+    - group: designate
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ key_file }}
+  {%- endif %}
+
+rabbitmq_designate_ssl_x509_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ ca_file }}
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: designate
+    - group: designate
+
+{% elif server.message_queue.get('ssl',{}).get('enabled',False) %}
+rabbitmq_ca_designate_server:
+  {%- if server.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.message_queue.ssl.cacert_file }}
+    - contents_pillar: designate:server:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+  {%- else %}
+  file.exists:
+    - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+  {%- endif %}
+
+{%- endif %}

diff --git a/designate/files/pike/designate.conf.Debian b/designate/files/pike/designate.conf.Debian
index 5b856c6..ac3b91b 100644
--- a/designate/files/pike/designate.conf.Debian
+++ b/designate/files/pike/designate.conf.Debian

@@ -89,12 +89,18 @@
 
 {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
 rabbit_use_ssl=true
-{%- if server.message_queue.ssl.version is defined %}
+  {%- if server.message_queue.ssl.version is defined %}
 kombu_ssl_version = {{ server.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+  {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
 kombu_ssl_version = TLSv1_2
-{%- endif %}
+  {%- endif %}
+  {%- if server.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ server.message_queue.x509.ca_file}}
+kombu_ssl_keyfile = {{ server.message_queue.x509.key_file}}
+kombu_ssl_certfile = {{ server.message_queue.x509.cert_file}}
+  {%- else %}
 kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+  {%- endif %}
 {%- endif %}
 
 ########################

diff --git a/designate/server.sls b/designate/server.sls
index 9e06037..7d08007 100644
--- a/designate/server.sls
+++ b/designate/server.sls

@@ -5,6 +5,7 @@
 include:
   - designate.db.offline_sync
   - designate._ssl.mysql
+  - designate._ssl.rabbitmq
 
 {%- if server.backend is defined %}
 
@@ -112,6 +113,7 @@
     - require_in:
       - sls: designate.db.offline_sync
       - sls: designate._ssl.mysql
+      - sls: designate._ssl.rabbitmq
 
 /etc/designate/designate.conf:
   file.managed:
@@ -122,6 +124,7 @@
   - require:
     - pkg: designate_server_packages
     - sls: designate._ssl.mysql
+    - sls: designate._ssl.rabbitmq
   - require_in:
     - sls: designate.db.offline_sync
 
@@ -134,6 +137,7 @@
   - require:
     - pkg: designate_server_packages
     - sls: designate._ssl.mysql
+    - sls: designate._ssl.rabbitmq
   - require_in:
     - sls: designate.db.offline_sync
 
@@ -157,11 +161,9 @@
       - sls: designate.db.offline_sync
       - cmd: designate_pool_sync
       - sls: designate._ssl.mysql
+      - sls: designate._ssl.rabbitmq
     - watch:
       - file: /etc/designate/designate.conf
-      {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
-      - file: rabbitmq_ca_designate_server
-      {%- endif %}
 
 {%- if server.version not in ['liberty', 'juno', 'kilo'] and server.pools is defined %}
 # Since Mitaka it is recommended to use pools.yaml for pools configuration
@@ -186,22 +188,4 @@
 {%- endif %}
 {%- endif %}
 
-{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
-rabbitmq_ca_designate_server:
-{%- if server.message_queue.ssl.cacert is defined %}
-  file.managed:
-    - name: {{ server.message_queue.ssl.cacert_file }}
-    - contents_pillar: designate:server:message_queue:ssl:cacert
-    - mode: 0444
-    - makedirs: true
-    - require_in:
-      - file: /etc/designate/designate.conf
-{%- else %}
-  file.exists:
-   - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
-   - require_in:
-     - file: /etc/designate/designate.conf
-{%- endif %}
-{%- endif %}
-
 {%- endif %}
commit	b988699b38aa16c7b748d436a9d9d6358236ef81	[log] [tgz]
author	Oleksandr Shyshko <oshyshko@mirantis.com>	Fri Sep 21 12:44:35 2018 +0300
committer	Oleksandr Shyshko <oshyshko@mirantis.com>	Fri Sep 21 12:45:19 2018 +0300
tree	a8b6a6a1e3ee9292878ec7ca6b31a7faff6b7d9c
parent	bf1664e03d07c098c20ae8bdef7e143b91df763e [diff]