[REFACTOR] Implement X.509 auth between Rabbitmq and Nova
Allows to manage cert and key according to the role enabled
Related-Prod: PROD-22766
Change-Id: I0aa0f49b846e0ec6c3642d32d511c432b041b4a1
diff --git a/nova/_ssl/rabbitmq.sls b/nova/_ssl/rabbitmq.sls
index e3e2ec0..fe08a3b 100644
--- a/nova/_ssl/rabbitmq.sls
+++ b/nova/_ssl/rabbitmq.sls
@@ -1,20 +1,28 @@
{% from "nova/map.jinja" import controller, compute with context %}
-nova_ssl_rabbitmq:
+{%- if controller.enabled == True %}
+ {%- set nova_msg = controller.message_queue %}
+ {%- set role = 'controller' %}
+{%- else %}
+ {%- set nova_msg = compute.message_queue %}
+ {%- set role = 'compute' %}
+{%- endif %}
+
+nova_{{ role }}_ssl_rabbitmq:
test.show_notification:
- text: "Running nova._ssl.rabbitmq"
-{%- if controller.message_queue.get('x509',{}).get('enabled',False) %}
+{%- if nova_msg.get('x509',{}).get('enabled',False) %}
- {%- set ca_file=controller.message_queue.x509.ca_file %}
- {%- set key_file=controller.message_queue.x509.key_file %}
- {%- set cert_file=controller.message_queue.x509.cert_file %}
+ {%- set ca_file=nova_msg.x509.ca_file %}
+ {%- set key_file=nova_msg.x509.key_file %}
+ {%- set cert_file=nova_msg.x509.cert_file %}
-rabbitmq_nova_ssl_x509_ca:
- {%- if controller.message_queue.x509.cacert is defined %}
+rabbitmq_nova_{{ role }}_ssl_x509_ca:
+ {%- if nova_msg.x509.cacert is defined %}
file.managed:
- name: {{ ca_file }}
- - contents_pillar: nova:controller:message_queue:x509:cacert
+ - contents_pillar: nova:{{ role }}:message_queue:x509:cacert
- mode: 444
- user: nova
- group: nova
@@ -24,11 +32,11 @@
- name: {{ ca_file }}
{%- endif %}
-rabbitmq_nova_client_ssl_cert:
- {%- if controller.message_queue.x509.cert is defined %}
+rabbitmq_nova_{{ role }}_ssl_cert:
+ {%- if nova_msg.x509.cert is defined %}
file.managed:
- name: {{ cert_file }}
- - contents_pillar: nova:controller:message_queue:x509:cert
+ - contents_pillar: nova:{{ role }}:message_queue:x509:cert
- mode: 440
- user: nova
- group: nova
@@ -38,11 +46,11 @@
- name: {{ cert_file }}
{%- endif %}
-rabbitmq_nova_client_ssl_private_key:
- {%- if controller.message_queue.x509.key is defined %}
+rabbitmq_nova_{{ role }}_client_ssl_private_key:
+ {%- if nova_msg.x509.key is defined %}
file.managed:
- name: {{ key_file }}
- - contents_pillar: nova:controller:message_queue:x509:key
+ - contents_pillar: nova:{{ role }}:message_queue:x509:key
- mode: 400
- user: nova
- group: nova
@@ -52,7 +60,7 @@
- name: {{ key_file }}
{%- endif %}
-rabbitmq_nova_ssl_x509_set_user_and_group:
+rabbitmq_nova_{{ role }}_ssl_x509_set_user_and_group:
file.managed:
- names:
- {{ ca_file }}
@@ -61,17 +69,17 @@
- user: nova
- group: nova
- {% elif controller.message_queue.get('ssl',{}).get('enabled',False) %}
-rabbitmq_ca_nova_client_controller:
- {%- if controller.message_queue.ssl.cacert is defined %}
+ {% elif nova_msg.get('ssl',{}).get('enabled',False) %}
+rabbitmq_ca_nova_client_{{ role }}:
+ {%- if nova_msg.ssl.cacert is defined %}
file.managed:
- - name: {{ controller.message_queue.ssl.cacert_file }}
- - contents_pillar: nova:controller:message_queue:ssl:cacert
+ - name: {{ nova_msg.ssl.cacert_file }}
+ - contents_pillar: nova:{{ role }}:message_queue:ssl:cacert
- mode: 0444
- makedirs: true
{%- else %}
file.exists:
- - name: {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
+ - name: {{ nova_msg.ssl.get('cacert_file', controller.cacert_file) }}
{%- endif %}
{%- endif %}
diff --git a/nova/files/pike/nova-compute.conf.Debian b/nova/files/pike/nova-compute.conf.Debian
index fc34f4c..9c8589a 100644
--- a/nova/files/pike/nova-compute.conf.Debian
+++ b/nova/files/pike/nova-compute.conf.Debian
@@ -8039,13 +8039,23 @@
{%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
rabbit_use_ssl=true
-{%- if compute.message_queue.ssl.version is defined %}
+ {%- if compute.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ compute.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
+ {%- if compute.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ compute.message_queue.x509.ca_file}}
+
+kombu_ssl_keyfile = {{ compute.message_queue.x509.key_file}}
+
+kombu_ssl_certfile = {{ compute.message_queue.x509.cert_file}}
+
+ {%- else %}
kombu_ssl_ca_certs = {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
+ {%- endif %}
+
{%- endif %}
diff --git a/nova/files/pike/nova-controller.conf.Debian b/nova/files/pike/nova-controller.conf.Debian
index 3137168..1d21f4e 100644
--- a/nova/files/pike/nova-controller.conf.Debian
+++ b/nova/files/pike/nova-controller.conf.Debian
@@ -7998,19 +7998,23 @@
{%- if controller.message_queue.get('ssl',{}).get('enabled', False) %}
rabbit_use_ssl=true
-{%- if controller.message_queue.ssl.version is defined %}
+ {%- if controller.message_queue.ssl.version is defined %}
kombu_ssl_version = {{ controller.message_queue.ssl.version }}
-{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
kombu_ssl_version = TLSv1_2
-{%- endif %}
+ {%- endif %}
-kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
-{%- endif %}
+ {%- if controller.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ controller.message_queue.x509.ca_file}}
-{%- if controller.message_queue.get('x509',{}).get('enabled', False) %}
kombu_ssl_keyfile = {{ controller.message_queue.x509.key_file}}
kombu_ssl_certfile = {{ controller.message_queue.x509.cert_file}}
+
+ {%- else %}
+kombu_ssl_ca_certs = {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
+ {%- endif %}
+
{%- endif %}
[oslo_messaging_zmq]