Implement X.509 auth between Rabbitmq and Nova.compute

Change-Id: I2e308a09ec77dd5afe0d9a18ba1474716f82f795
Related-Prod: PROD-22766
diff --git a/nova/_ssl/rabbitmq.sls b/nova/_ssl/rabbitmq.sls
index 8e236e6..0dc7c6e 100644
--- a/nova/_ssl/rabbitmq.sls
+++ b/nova/_ssl/rabbitmq.sls
@@ -1,6 +1,6 @@
 {% from "nova/map.jinja" import controller, compute with context %}
 
-{%- if controller.enabled == True %}
+{%- if controller.get('enabled') %}
   {%- set nova_msg = controller.message_queue %}
   {%- set nova_cacert = controller.cacert_file %}
   {%- set role = 'controller' %}
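Review bot: Nothing at the top of this file documents which role wins on a minion where both `controller` and `compute` are enabled, and that matters now that nova/compute.sls includes this SLS. The `else` side of this condition is outside the hunk. If that branch is the only place `compute.message_queue` is read, an all-in-one node would get only the controller's client certificate and CA, while the compute states still `require` this file. A short Jinja comment above the condition would make the precedence explicit, for example `{#- controller settings take precedence when both roles are enabled on one minion #}`. It is also worth confirming that the compute pillar's x509 paths match the controller's in that layout.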
@@ -34,7 +34,7 @@
     - name: {{ ca_file }}
   {%- endif %}
 
-rabbitmq_nova_{{ role }}_ssl_cert:
+rabbitmq_nova_{{ role }}_client_ssl_cert:
   {%- if nova_msg.x509.cert is defined %}
   file.managed:
     - name: {{ cert_file }}
diff --git a/nova/compute.sls b/nova/compute.sls
index 4cfe44f..bc699cc 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -1,6 +1,8 @@
 {%- from "nova/map.jinja" import compute with context %}
 
 {%- if compute.get('enabled') %}
+include:
+  - nova._ssl.rabbitmq
 
 nova_compute_packages:
   pkg.installed:
@@ -88,6 +90,7 @@
   - template: jinja
   - require:
     - pkg: nova_compute_packages
+    - sls: nova._ssl.rabbitmq
 {%- endif %}
 
 {% for service_name in compute.services %}
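Review bot: The new `- sls: nova._ssl.rabbitmq` requisite assumes the included SLS always renders at least one state; the same applies to the copies on the service state and in the `require_in` list later in this file. Most of nova/_ssl/rabbitmq.sls is outside this diff, so this is inferred. If that file renders empty when neither `ssl` nor `x509` is enabled for the message queue, some Salt releases may report the `sls` requisite as not found and fail the requiring state. Please test with a compute pillar that has no message-queue TLS settings, and record the assumption next to the `include:`, e.g. `# nova._ssl.rabbitmq must always define at least one state; it is required below`. The state this hunk modifies begins above the hunk.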
@@ -137,20 +140,6 @@
 {% endfor %}
 {% endif %}
 
-{%- if compute.message_queue.get('ssl',{}).get('enabled',False)  %}
-rabbitmq_ca_nova_compute:
-{%- if compute.message_queue.ssl.cacert is defined %}
-  file.managed:
-    - name: {{ compute.message_queue.ssl.cacert_file }}
-    - contents_pillar: nova:compute:message_queue:ssl:cacert
-    - mode: 0444
-    - makedirs: true
-{%- else %}
-  file.exists:
-   - name: {{ compute.message_queue.ssl.get('cacert_file', compute.cacert_file) }}
-{%- endif %}
-{%- endif %}
-
 {%- if compute.libvirt.get('tls',{}).get('enabled',False)  %}
 {%- set ca_file=compute.libvirt.tls.get('ca_file') %}
 {%- set key_file=compute.libvirt.tls.get('key_file') %}
@@ -267,11 +256,10 @@
   service.running:
   - enable: true
   - names: {{ compute.services }}
+  - require:
+    - sls: nova._ssl.rabbitmq
   - watch:
     - file: /etc/nova/nova.conf
-  {%- if compute.message_queue.get('ssl',{}).get('enabled',False) %}
-    - file: rabbitmq_ca_nova_compute
-  {%- endif %}
 
 {%- set ident = compute.identity %}
 
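Review bot: Replacing the `watch` on `rabbitmq_ca_nova_compute` with `require: - sls: nova._ssl.rabbitmq` keeps the ordering but drops the restart trigger. A rotated CA, client certificate or key would be written to disk, but the nova services would likely keep using the old material on established connections until `/etc/nova/nova.conf` changes or someone restarts them by hand. That delays replacing a compromised or expiring client credential. Consider adding `- sls: nova._ssl.rabbitmq` under `watch:` next to the nova.conf entry (if the Salt version in use accepts `sls` there), or watching the certificate, key and CA file states by ID. The `service.running` state begins above the hunk.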
@@ -341,6 +329,7 @@
     - nova
   - require_in:
     - pkg: nova_compute_packages
+    - sls: nova._ssl.rabbitmq
     {%- if compute.user is defined %}
     - file: /var/lib/nova/.ssh/id_rsa
     {%- endif %}
diff --git a/nova/controller.sls b/nova/controller.sls
index 9052c62..f1819fb 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -34,20 +34,6 @@
   pkg.installed:
   - names: {{ controller.pkgs }}
 
-{%- if controller.message_queue.get('ssl',{}).get('enabled',False)  %}
-rabbitmq_ca_nova_controller:
-{%- if controller.message_queue.ssl.cacert is defined %}
-  file.managed:
-    - name: {{ controller.message_queue.ssl.cacert_file }}
-    - contents_pillar: nova:controller:message_queue:ssl:cacert
-    - mode: 0444
-    - makedirs: true
-{%- else %}
-  file.exists:
-   - name: {{ controller.message_queue.ssl.get('cacert_file', controller.cacert_file) }}
-{%- endif %}
-{%- endif %}
-
 {%- if not salt['user.info']('nova') %}
 user_nova:
   user.present:
@@ -458,9 +444,6 @@
   - watch:
     - file: /etc/nova/nova.conf
     - file: /etc/nova/api-paste.ini
-    {%- if controller.message_queue.get('ssl',{}).get('enabled',False) %}
-    - file: rabbitmq_ca_nova_controller
-    {%- endif %}
 
 {%- if grains.get('virtual_subtype', None) == "Docker" %}