Implement X.509 auth between Rabbitmq and Ironic
Change-Id: I4d4bc1a1e8f62fda791455af487c3cbb8edaecd8
Related-Prod: PROD-22762
diff --git a/README.rst b/README.rst
index 0efe785..a0bb932 100644
--- a/README.rst
+++ b/README.rst
@@ -137,3 +137,39 @@
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
+Enable x509 and ssl communication between Ironic and Rabbitmq.
+---------------------
+By default communication between Ironic and Rabbitmq is unsecure.
+
+.. code-block:: yaml
+
+ironic:
+ api:
+ message_queue:
+ x509:
+ enabled: True
+ conductor:
+ message_queue:
+ x509:
+ enabled: True
+
+You able to set custom certificates in pillar:
+
+.. code-block:: yaml
+
+ironic:
+ api:
+ message_queue:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+ conductor:
+ message_queue:
+ x509:
+ cacert: (certificate content)
+ cert: (certificate content)
+ key: (certificate content)
+
+You can read more about it here:
+ https://docs.openstack.org/security-guide/messaging/security.html
diff --git a/ironic/_common.sls b/ironic/_common.sls
index 1cf72ef..446d653 100644
--- a/ironic/_common.sls
+++ b/ironic/_common.sls
@@ -7,6 +7,7 @@
include:
- ironic._ssl.mysql
+ - ironic._ssl.rabbitmq
ironic_common_pkgs:
pkg.installed:
@@ -14,6 +15,7 @@
- install_recommends: False
- require_in:
- sls: ironic._ssl.mysql
+ - sls: ironic._ssl.rabbitmq
/etc/ironic/ironic.conf:
file.managed:
@@ -22,17 +24,4 @@
- require:
- pkg: ironic_common_pkgs
- sls: ironic._ssl.mysql
-
-{%- if ironic.message_queue.get('ssl',{}).get('enabled', False) %}
-rabbitmq_ca_ironic_file:
-{%- if ironic.message_queue.ssl.cacert is defined %}
- file.managed:
- - name: {{ ironic.message_queue.ssl.cacert_file }}
- - contents_pillar: ironic:{{ service_name }}:message_queue:ssl:cacert
- - mode: 0444
- - makedirs: true
-{%- else %}
- file.exists:
- - name: {{ ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file) }}
-{%- endif %}
-{%- endif %}
+ - sls: ironic._ssl.rabbitmq
diff --git a/ironic/_ssl/rabbitmq.sls b/ironic/_ssl/rabbitmq.sls
new file mode 100644
index 0000000..2ce0069
--- /dev/null
+++ b/ironic/_ssl/rabbitmq.sls
@@ -0,0 +1,82 @@
+{%- from "ironic/map.jinja" import api,conductor with context %}
+{%- if api.get("enabled", False) %}
+ {%- set ironic, service_name = api, 'api' %}
+{%- elif conductor.get('enabled', False) %}
+ {%- set ironic, service_name = conductor, 'conductor' %}
+{%- endif %}
+
+ironic_ssl_rabbitmq:
+ test.show_notification:
+ - text: "Running ironic._ssl.rabbitmq"
+
+{%- if ironic.message_queue.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=ironic.message_queue.x509.ca_file %}
+ {%- set key_file=ironic.message_queue.x509.key_file %}
+ {%- set cert_file=ironic.message_queue.x509.cert_file %}
+
+rabbitmq_ironic_ssl_x509_ca:
+ {%- if ironic.message_queue.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: ironic:{{ service_name }}:message_queue:x509:cacert
+ - mode: 444
+ - user: ironic
+ - group: ironic
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+rabbitmq_ironic_client_ssl_cert:
+ {%- if ironic.message_queue.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: ironic:{{ service_name }}:message_queue:x509:cert
+ - mode: 440
+ - user: ironic
+ - group: ironic
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+rabbitmq_ironic_client_ssl_private_key:
+ {%- if ironic.message_queue.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: ironic:{{ service_name }}:message_queue:x509:key
+ - mode: 400
+ - user: ironic
+ - group: ironic
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+rabbitmq_ironic_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: ironic
+ - group: ironic
+
+{% elif ironic.message_queue.get('ssl',{}).get('enabled',False) %}
+rabbitmq_ca_ironic_client:
+ {%- if ironic.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ ironic.message_queue.ssl.cacert_file }}
+ - contents_pillar: ironic:{{ service_name }}:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/ironic/api.sls b/ironic/api.sls
index 99550f5..b1a6c6c 100644
--- a/ironic/api.sls
+++ b/ironic/api.sls
@@ -22,9 +22,6 @@
- watch:
- file: /etc/ironic/ironic.conf
- file: /etc/ironic/policy.json
- {%- if api.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca_ironic_file
- {%- endif %}
/etc/ironic/policy.json:
file.managed:
@@ -32,5 +29,7 @@
- template: jinja
- require:
- pkg: ironic_api_packages
+ - require_in:
+ - sls: ironic.db.offline_sync
{%- endif %}
diff --git a/ironic/conductor.sls b/ironic/conductor.sls
index 0d109af..edfa3e4 100644
--- a/ironic/conductor.sls
+++ b/ironic/conductor.sls
@@ -19,9 +19,6 @@
- require:
- pkg: ironic_conductor_packages
- sls: ironic._common
- {%- if conductor.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca_ironic_file
- {%- endif %}
ironic_dirs:
file.directory:
diff --git a/ironic/files/pike/ironic.conf b/ironic/files/pike/ironic.conf
index 1c3f16f..5483e60 100644
--- a/ironic/files/pike/ironic.conf
+++ b/ironic/files/pike/ironic.conf
@@ -3096,12 +3096,15 @@
{%- if ironic.message_queue.get('ssl',{}).get('enabled', False) %}
rabbit_use_ssl=true
-{%- if ironic.message_queue.ssl.version is defined %}
+ {%- if ironic.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ ironic.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
-
+ {%- endif %}
+ {%- if ironic.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_keyfile = {{ ironic.message_queue.x509.key_file}}
+kombu_ssl_certfile = {{ ironic.message_queue.x509.cert_file}}
+ {%- endif %}
kombu_ssl_ca_certs = {{ ironic.message_queue.ssl.get('cacert_file', ironic.cacert_file) }}
{%- endif %}