Merge "Implement X.509 auth between Rabbitmq and Neutron"
diff --git a/neutron/_ssl/rabbitmq.sls b/neutron/_ssl/rabbitmq.sls
new file mode 100644
index 0000000..f7a8727
--- /dev/null
+++ b/neutron/_ssl/rabbitmq.sls
@@ -0,0 +1,91 @@
+{% from "neutron/map.jinja" import server, compute, gateway with context %}
+
+{%- if server.enabled == True %}
+ {%- set neutron_msg = server.get('message_queue', {}) %}
+ {%- set neutron_cacert = server.cacert_file %}
+ {%- set role = 'server' %}
+{%- elif compute.enabled == True %}
+ {%- set neutron_msg = compute.get('message_queue', {}) %}
+ {%- set neutron_cacert = compute.cacert_file %}
+ {%- set role = 'compute' %}
+{%- elif gateway.enabled == True %}
+ {%- set neutron_msg = gateway.get('message_queue', {}) %}
+ {%- set neutron_cacert = gateway.cacert_file %}
+ {%- set role = 'gateway' %}
+{%- endif %}
+
+neutron_{{ role }}_ssl_rabbitmq:
+ test.show_notification:
+ - text: "Running neutron._ssl.rabbitmq"
+
+{%- if neutron_msg.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=neutron_msg.x509.ca_file %}
+ {%- set key_file=neutron_msg.x509.key_file %}
+ {%- set cert_file=neutron_msg.x509.cert_file %}
+
+rabbitmq_neutron_{{ role }}_ssl_x509_ca:
+ {%- if neutron_msg.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: neutron:{{ role }}:message_queue:x509:cacert
+ - mode: 444
+ - user: neutron
+ - group: neutron
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+rabbitmq_neutron_{{ role }}_client_ssl_cert:
+ {%- if neutron_msg.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: neutron:{{ role }}:message_queue:x509:cert
+ - mode: 440
+ - user: neutron
+ - group: neutron
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+rabbitmq_neutron_{{ role }}_client_ssl_private_key:
+ {%- if neutron_msg.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: neutron:{{ role }}:message_queue:x509:key
+ - mode: 400
+ - user: neutron
+ - group: neutron
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+rabbitmq_neutron__ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: neutron
+ - group: neutron
+
+ {% elif neutron_msg.get('ssl',{}).get('enabled',False) %}
+rabbitmq_ca_neutron_client:
+ {%- if neutron_msg.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ neutron_msg.ssl.cacert_file }}
+ - contents_pillar: neutron:{{ role }}:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ neutron_msg.ssl.get('cacert_file', neutron_cacert) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/neutron/compute.sls b/neutron/compute.sls
index 5e61e6e..c831a37 100644
--- a/neutron/compute.sls
+++ b/neutron/compute.sls
@@ -1,5 +1,15 @@
{% from "neutron/map.jinja" import compute, fwaas with context %}
+
{%- if compute.enabled %}
+include:
+{% if compute.backend.engine == "ml2" %}
+ {% if compute.dvr %}
+ {%- if fwaas.get('enabled', False) %}
+- neutron.fwaas
+ {%- endif %}
+ {%- endif %}
+{%- endif %}
+- neutron._ssl.rabbitmq
{% if compute.backend.engine == "ml2" %}
@@ -8,6 +18,8 @@
pkg.installed:
- names:
- neutron-dhcp-agent
+ - require_in:
+ - sls: neutron._ssl.rabbitmq
neutron_dhcp_agent:
service.running:
@@ -80,7 +92,7 @@
{%- endif %}
- require:
- pkg: ovn_packages
-
+ - sls: neutron._ssl.rabbitmq
{%- endif %}
{%- endif %}
diff --git a/neutron/files/pike/neutron-generic.conf b/neutron/files/pike/neutron-generic.conf
index 9384076..b8d0b90 100644
--- a/neutron/files/pike/neutron-generic.conf
+++ b/neutron/files/pike/neutron-generic.conf
@@ -1539,13 +1539,19 @@
{%- if neutron.message_queue.get('ssl',{}).get('enabled', False) %}
rabbit_use_ssl=true
-{%- if neutron.message_queue.ssl.version is defined %}
+ {%- if neutron.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ neutron.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
+ {%- if neutron.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.x509.ca_file}}
+kombu_ssl_keyfile = {{ neutron.message_queue.x509.key_file}}
+kombu_ssl_certfile = {{ neutron.message_queue.x509.cert_file}}
+ {%- else %}
kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.get('cacert_file', neutron.cacert_file) }}
+ {%- endif %}
{%- endif %}
# Use durable queues in AMQP. (boolean value)
diff --git a/neutron/files/pike/neutron-server.conf b/neutron/files/pike/neutron-server.conf
index 041dc2b..3844c85 100644
--- a/neutron/files/pike/neutron-server.conf
+++ b/neutron/files/pike/neutron-server.conf
@@ -1669,13 +1669,19 @@
{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
rabbit_use_ssl=true
-{%- if server.message_queue.ssl.version is defined %}
+ {%- if server.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ server.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
+ {%- if server.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ server.message_queue.x509.ca_file}}
+kombu_ssl_keyfile = {{ server.message_queue.x509.key_file}}
+kombu_ssl_certfile = {{ server.message_queue.x509.cert_file}}
+ {%- else %}
kombu_ssl_ca_certs = {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
{%- endif %}
# Use durable queues in AMQP. (boolean value)
diff --git a/neutron/gateway.sls b/neutron/gateway.sls
index 9c67327..0927654 100644
--- a/neutron/gateway.sls
+++ b/neutron/gateway.sls
@@ -1,7 +1,8 @@
{% from "neutron/map.jinja" import gateway, fwaas with context %}
-{%- if fwaas.get('enabled', False) %}
include:
+- neutron._ssl.rabbitmq
+{%- if fwaas.get('enabled', False) %}
- neutron.fwaas
{%- endif %}
@@ -9,6 +10,8 @@
neutron_gateway_packages:
pkg.installed:
- names: {{ gateway.pkgs }}
+ - require_in:
+ - sls: neutron._ssl.rabbitmq
{%- if not grains.get('noservices', False) and pillar.haproxy is not defined %}
# NOTE(mpolenchuk): haproxy is used as a replacement for
@@ -28,6 +31,7 @@
- template: jinja
- require:
- pkg: neutron_gateway_packages
+ - sls: neutron._ssl.rabbitmq
{%- endif %}
@@ -147,23 +151,5 @@
{%- if fwaas.get('enabled', False) %}
- file: /etc/neutron/fwaas_driver.ini
{%- endif %}
- {%- if gateway.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca_neutron_gateway
- {%- endif %}
-
-
-{%- if gateway.message_queue.get('ssl',{}).get('enabled', False) %}
-rabbitmq_ca_neutron_gateway:
-{%- if gateway.message_queue.ssl.cacert is defined %}
- file.managed:
- - name: {{ gateway.message_queue.ssl.cacert_file }}
- - contents_pillar: neutron:gateway:message_queue:ssl:cacert
- - mode: 0444
- - makedirs: true
-{%- else %}
- file.exists:
- - name: {{ gateway.message_queue.ssl.get('cacert_file', gateway.cacert_file) }}
-{%- endif %}
-{%- endif %}
{%- endif %}
diff --git a/neutron/ml2_ovs/init.sls b/neutron/ml2_ovs/init.sls
index b93f18e..87e7e6f 100644
--- a/neutron/ml2_ovs/init.sls
+++ b/neutron/ml2_ovs/init.sls
@@ -17,6 +17,7 @@
- template: jinja
- require:
- pkg: neutron_compute_packages
+ - sls: neutron._ssl.rabbitmq
{% if compute.backend.sriov is defined %}
@@ -55,11 +56,6 @@
{% if compute.dvr %}
- {%- if fwaas.get('enabled', False) %}
-include:
-- neutron.fwaas
- {%- endif %}
-
{%- if not grains.get('noservices', False) and pillar.haproxy is not defined %}
# NOTE(mpolenchuk): haproxy is used as a replacement for
# neutron-ns-metadata-proxy Python implementation starting from Pike
@@ -92,12 +88,9 @@
{%- if fwaas.get('enabled', False) %}
- file: /etc/neutron/fwaas_driver.ini
{% endif %}
- {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca_neutron_compute
- {%- endif %}
- require:
- pkg: neutron_dvr_packages
-
+ - sls: neutron._ssl.rabbitmq
/etc/neutron/l3_agent.ini:
file.managed:
- source: salt://neutron/files/{{ compute.version }}/l3_agent.ini
@@ -217,20 +210,6 @@
{% endif %}
- {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
-rabbitmq_ca_neutron_compute:
- {%- if compute.message_queue.ssl.cacert is defined %}
- file.managed:
- - name: {{ compute.message_queue.ssl.cacert_file }}
- - contents_pillar: neutron:compute:message_queue:ssl:cacert
- - mode: 0444
- - makedirs: true
- {%- else %}
- file.exists:
- - name: {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
- {%- endif %}
- {%- endif %}
-
{%- endif %}
{%- endif %}
diff --git a/neutron/server.sls b/neutron/server.sls
index 0367eb7..e8782d0 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -4,6 +4,7 @@
- neutron.db.offline_sync
- neutron.fwaas
- neutron._ssl.mysql
+ - neutron._ssl.rabbitmq
{%- if server.get('enabled', False) %}
{% if grains.os_family == 'Debian' %}
@@ -36,6 +37,7 @@
- names: {{ server.pkgs }}
- require_in:
- sls: neutron._ssl.mysql
+ - sls: neutron._ssl.rabbitmq
{% if server.backend.engine == "contrail" %}
@@ -68,11 +70,9 @@
{%- endif %}
- require:
- sls: neutron._ssl.mysql
+ - sls: neutron._ssl.rabbitmq
- watch:
- file: /etc/neutron/neutron.conf
- {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca_neutron_server
- {%- endif %}
{%- endif %}
@@ -122,6 +122,7 @@
- require:
- pkg: neutron_server_packages
- sls: neutron._ssl.mysql
+ - sls: neutron._ssl.rabbitmq
- require_in:
- sls: neutron.db.offline_sync
@@ -365,11 +366,9 @@
{%- endif %}
- require:
- sls: neutron._ssl.mysql
+ - sls: neutron._ssl.rabbitmq
- watch:
- file: /etc/neutron/neutron.conf
- {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
- - file: rabbitmq_ca_neutron_server
- {%- endif %}
{%- if grains.get('virtual_subtype', None) == "Docker" %}
@@ -382,19 +381,4 @@
{%- endif %}
-
-{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
-rabbitmq_ca_neutron_server:
-{%- if server.message_queue.ssl.cacert is defined %}
- file.managed:
- - name: {{ server.message_queue.ssl.cacert_file }}
- - contents_pillar: neutron:server:message_queue:ssl:cacert
- - mode: 0444
- - makedirs: true
-{%- else %}
- file.exists:
- - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
-{%- endif %}
-{%- endif %}
-
{%- endif %}