Add missing parts for rabbitmq ssl configuration
With this patch, cacert/ssl ciphers will be configured correctly.
Change-Id: Ie69c3fd53135174f73b15fb7bc50b5a5fe189bb4
diff --git a/.kitchen.yml b/.kitchen.yml
index ab515bc..bcbff46 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -90,5 +90,16 @@
common:
version: <%= ENV['OS_VERSION'] || 'pike' %>
+ - name: server_cluster_ssl
+ provisioner:
+ pillars-from-files:
+ manila.sls: tests/pillar/server_cluster_ssl.sls
+ pillars:
+ release.sls:
+ manila:
+ common:
+ version: <%= ENV['OS_VERSION'] || 'pike' %>
+
+
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.travis.yml b/.travis.yml
index 8bb51f4..8cfa3da 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,10 +21,12 @@
- PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=server_single
- PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=share_nexenta
- PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=share_glusterfs
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2016.3 OS_VERSION=pike SUITE=server_cluster_ssl
- PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=server_cluster
- PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=server_single
- PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=share_nexenta
- PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=share_glusterfs
+ - PLATFORM=epcim/salt-formulas:saltstack-ubuntu-xenial-salt-2017.7 OS_VERSION=pike SUITE=server_cluster_ssl
before_script:
- set -o pipefail
diff --git a/manila/files/pike/_database.conf b/manila/files/pike/_database.conf
index 1533395..184d3df 100644
--- a/manila/files/pike/_database.conf
+++ b/manila/files/pike/_database.conf
@@ -1 +1 @@
-connection = {{ _database.engine }}+pymysql://{{ _database.user }}:{{ _database.password }}@{{ _database.host }}/{{ _database.name }}?charset=utf8{%- if _database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ _database.ssl.get('cacert_file', _database.cacert_file) }}{% endif %}
+connection = {{ _database.engine }}+pymysql://{{ _database.user }}:{{ _database.password }}@{{ _database.host }}/{{ _database.name }}?charset=utf8{%- if _database.get('ssl',{}).get('enabled',False) %}&ssl_ca={{ _database.ssl.cacert_file }}{% endif %}
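Review bot: `_database.ssl.cacert_file` is now dereferenced with no fallback, so this include only renders a usable `ssl_ca` when the including template has already filled in the key, as manila.conf does on the line before its include. Whether other templates include `_database.conf` is not visible here; one that skips the defaulting step would write an undefined value into the connection URL. A one-line Jinja comment at the top of the file would record the contract, e.g. `{#- caller must set _database.ssl.cacert_file before including this file -#}`.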
diff --git a/manila/files/pike/_oslo_messaging_rabbit.conf b/manila/files/pike/_oslo_messaging_rabbit.conf
new file mode 100644
index 0000000..5fd6a82
--- /dev/null
+++ b/manila/files/pike/_oslo_messaging_rabbit.conf
@@ -0,0 +1,9 @@
+{%- if _message_queue.get('ssl',{}).get('enabled', False) -%}
+rabbit_use_ssl=true
+{%- if _message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ _message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+kombu_ssl_ca_certs = {{ _message_queue.ssl.cacert_file }}
+{%- endif %}
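Review bot: When `_message_queue.ssl.version` is unset and the `pythonversion` grain is not above `[2,7,8]`, neither branch writes `kombu_ssl_version`, so the protocol choice falls to the library default and nothing in the rendered file shows it. The pillar value is also written through as-is, so an older protocol name in pillar would be accepted without comment. I would document both at the top of the template, e.g. `{#- kombu_ssl_version: message_queue.ssl.version if set, TLSv1_2 on Python > 2.7.8, otherwise omitted (library default) -#}`. The commit message mentions ciphers, but no cipher option is rendered in this file.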
diff --git a/manila/files/pike/manila.conf b/manila/files/pike/manila.conf
index 0e26030..c8ed3cf 100644
--- a/manila/files/pike/manila.conf
+++ b/manila/files/pike/manila.conf
@@ -86,9 +86,14 @@
{%- endif %}
[database]
-{% set _database = cfg.database %}
+{%- set _database = cfg.database %}
{%- if _database.ssl is defined and 'cacert_file' not in _database.get('ssl', {}).keys() %}{% do _database['ssl'].update({'cacert_file': cfg.cacert_file}) %}{% endif %}
-{%- include "manila/files/"+ cfg.version +"/_database.conf" %}
+{% include "manila/files/"+ cfg.version +"/_database.conf" %}
+
+[oslo_messaging_rabbit]
+{%- set _message_queue = cfg.message_queue %}
+{%- if _message_queue.ssl is defined and 'cacert_file' not in _message_queue.get('ssl', {}).keys() %}{% do _message_queue['ssl'].update({'cacert_file': cfg.cacert_file}) %}{% endif %}
+{% include "manila/files/"+ cfg.version +"/_oslo_messaging_rabbit.conf" %}
[keystone_authtoken]
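Review bot: The default applied on the `_message_queue` line is `cfg.cacert_file`, taken without checking that it is set, and the same holds for the existing `_database` line above it. Whether `cfg.cacert_file` always has a value is not visible in this diff; if it can be empty, the include renders `kombu_ssl_ca_certs =` with no path, and as far as I know oslo.messaging only requires certificate verification when a CA file is configured, so the broker connection would be encrypted but the server not verified. The `do ... update` also modifies the pillar-derived dict in place rather than a local copy. I would at least state the requirement next to the section, e.g. `{#- cfg.cacert_file must point to a CA bundle; it is the fallback for message_queue.ssl.cacert_file #}`.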
diff --git a/tests/pillar/server_cluster_ssl.sls b/tests/pillar/server_cluster_ssl.sls
new file mode 100644
index 0000000..425de7f
--- /dev/null
+++ b/tests/pillar/server_cluster_ssl.sls
@@ -0,0 +1,79 @@
+manila:
+ api:
+ region: RegionOne
+ enabled: true
+ version: pike
+ bind:
+ host: 127.0.0.1
+ port: 8977
+ identity:
+ engine: keystone
+ host: 127.0.0.1
+ port: 35357
+ tenant: service
+ user: manila
+ password: misterio
+ endpoint_type: internalURL
+ database:
+ engine: mysql
+ ssl:
+ enabled: true
+ host: 127.0.0.1
+ port: 3306
+ name: manila
+ user: manila
+ password: misterio
+ cache:
+ engine: memcached
+ members:
+ - host: 127.0.0.1
+ - host: 127.0.0.1
+ - host: 127.0.0.1
+ message_queue:
+ engine: rabbitmq
+ ssl:
+ enabled: true
+ host: '127.0.0.1'
+ port: 5671
+ user: openstack
+ password: workshop
+ virtual_host: '/openstack'
+apache:
+ server:
+ enabled: true
+ default_mpm: event
+ mpm:
+ prefork:
+ enabled: true
+ servers:
+ start: 5
+ spare:
+ min: 2
+ max: 10
+ max_requests: 0
+ max_clients: 20
+ limit: 20
+ site:
+ manila:
+ enabled: false
+ available: true
+ type: wsgi
+ name: manila
+ host:
+ name: manila.ci.local
+ address: 127.0.0.1
+ port: 8041
+ log:
+ custom:
+ format: >-
+ %v:%p %{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %D %O \"%{Referer}i\" \"%{User-Agent}i\"
+ wsgi:
+ daemon_process: manila-api
+ processes: 2
+ threads: 10
+ user: manila
+ group: manila
+ display_name: '%{GROUP}'
+ script_alias: '/ /usr/bin/manila-api'
+ application_group: '%{GLOBAL}'
+ authorization: 'On'
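Review bot: Both `ssl:` blocks in this fixture set only `enabled: true`, so the suite renders just the path where `cacert_file` is defaulted from `cfg.cacert_file` and `kombu_ssl_version` comes from the Python-version branch, if at all. The explicit `ssl.version` and `ssl.cacert_file` branches of the new templates are never exercised in CI. Adding `version: TLSv1_2` and a `cacert_file:` entry (a constructed path is enough for a render test) under `message_queue.ssl`, here or in a second suite, would cover them.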