Implement SSL on rabbit/mysql
Change-Id: Idcc514ca0a2187efd373c920c791530873b25c9a
Related-Prod: PROD-26938
(cherry picked from commit 68732c885dfc1faae0d33a23c918d1e71f675090)
diff --git a/octavia/_ssl/mysql.sls b/octavia/_ssl/mysql.sls
new file mode 100644
index 0000000..41f14af
--- /dev/null
+++ b/octavia/_ssl/mysql.sls
@@ -0,0 +1,82 @@
+{%- from "octavia/map.jinja" import api,manager with context %}
+{%- if api.get("enabled", False) %}
+ {%- set server = api %}
+{%- elif manager.get('enabled', False) %}
+ {%- set server = manager %}
+{%- endif %}
+
+octavia_ssl_mysql:
+ test.show_notification:
+ - text: "Running octavia._ssl.mysql"
+
+{%- if server.database.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.database.x509.ca_file %}
+ {%- set key_file=server.database.x509.key_file %}
+ {%- set cert_file=server.database.x509.cert_file %}
+
+mysql_octavia_ssl_x509_ca:
+ {%- if server.database.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: octavia:server:database:x509:cacert
+ - mode: 444
+ - user: octavia
+ - group: octavia
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+mysql_octavia_client_ssl_cert:
+ {%- if server.database.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: octavia:server:database:x509:cert
+ - mode: 440
+ - user: octavia
+ - group: octavia
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+mysql_octavia_client_ssl_private_key:
+ {%- if server.database.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: octavia:server:database:x509:key
+ - mode: 400
+ - user: octavia
+ - group: octavia
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+mysql_octavia_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: octavia
+ - group: octavia
+
+{% elif server.database.get('ssl',{}).get('enabled',False) %}
+mysql_ca_octavia:
+ {%- if server.database.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.database.ssl.cacert_file }}
+ - contents_pillar: octavia:server:database:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.database.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/octavia/_ssl/rabbitmq.sls b/octavia/_ssl/rabbitmq.sls
new file mode 100644
index 0000000..7011be1
--- /dev/null
+++ b/octavia/_ssl/rabbitmq.sls
@@ -0,0 +1,83 @@
+{%- from "octavia/map.jinja" import api,manager with context %}
+
+{%- if api.get("enabled", False) %}
+ {%- set server = api %}
+{%- elif manager.get('enabled', False) %}
+ {%- set server = manager %}
+{%- endif %}
+
+octavia_ssl_rabbitmq:
+ test.show_notification:
+ - text: "Running octavia._ssl.rabbitmq"
+
+{%- if server.message_queue.get('x509',{}).get('enabled',False) %}
+
+ {%- set ca_file=server.message_queue.x509.ca_file %}
+ {%- set key_file=server.message_queue.x509.key_file %}
+ {%- set cert_file=server.message_queue.x509.cert_file %}
+
+rabbitmq_octavia_ssl_x509_ca:
+ {%- if server.message_queue.x509.cacert is defined %}
+ file.managed:
+ - name: {{ ca_file }}
+ - contents_pillar: octavia:server:message_queue:x509:cacert
+ - mode: 444
+ - user: octavia
+ - group: octavia
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ ca_file }}
+ {%- endif %}
+
+rabbitmq_octavia_client_ssl_cert:
+ {%- if server.message_queue.x509.cert is defined %}
+ file.managed:
+ - name: {{ cert_file }}
+ - contents_pillar: octavia:server:message_queue:x509:cert
+ - mode: 440
+ - user: octavia
+ - group: octavia
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+ {%- endif %}
+
+rabbitmq_octavia_client_ssl_private_key:
+ {%- if server.message_queue.x509.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: octavia:server:message_queue:x509:key
+ - mode: 400
+ - user: octavia
+ - group: octavia
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ key_file }}
+ {%- endif %}
+
+rabbitmq_octavia_ssl_x509_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: octavia
+ - group: octavia
+
+{% elif server.message_queue.get('ssl',{}).get('enabled',False) %}
+rabbitmq_ca_octavia_client:
+ {%- if server.message_queue.ssl.cacert is defined %}
+ file.managed:
+ - name: {{ server.message_queue.ssl.cacert_file }}
+ - contents_pillar: octavia:server:message_queue:ssl:cacert
+ - mode: 0444
+ - makedirs: true
+ {%- else %}
+ file.exists:
+ - name: {{ server.message_queue.ssl.get('cacert_file', server.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
diff --git a/octavia/api.sls b/octavia/api.sls
index c429cd0..45c460f 100644
--- a/octavia/api.sls
+++ b/octavia/api.sls
@@ -4,12 +4,16 @@
include:
- octavia.db.offline_sync
+ - octavia._ssl.mysql
+ - octavia._ssl.rabbitmq
octavia_api_packages:
pkg.installed:
- names: {{ api.pkgs }}
- require_in:
- sls: octavia.db.offline_sync
+ - sls: octavia._ssl.mysql
+ - sls: octavia._ssl.rabbitmq
/etc/octavia/octavia_api.conf:
@@ -18,6 +22,8 @@
- template: jinja
- require:
- pkg: octavia_api_packages
+ - sls: octavia._ssl.mysql
+ - sls: octavia._ssl.rabbitmq
- require_in:
- sls: octavia.db.offline_sync
@@ -45,6 +51,8 @@
- file: /etc/octavia/octavia_api.conf
- require:
- sls: octavia.db.offline_sync
+ - sls: octavia._ssl.mysql
+ - sls: octavia._ssl.rabbitmq
{%- endif %}
{%- endif %}
diff --git a/octavia/files/pike/octavia_api.conf b/octavia/files/pike/octavia_api.conf
index 9a70770..0c13df6 100644
--- a/octavia/files/pike/octavia_api.conf
+++ b/octavia/files/pike/octavia_api.conf
@@ -1,4 +1,12 @@
{%- from "octavia/map.jinja" import api with context %}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if api.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ api.database.x509.ca_file ~ '&ssl_cert=' ~ api.database.x509.cert_file ~ '&ssl_key=' ~ api.database.x509.key_file %}
+{%- elif api.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ api.database.ssl.get('cacert_file', api.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
#
@@ -643,7 +651,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ api.database.engine }}+pymysql://{{ api.database.user }}:{{ api.database.password }}@{{ api.database.host }}/{{ api.database.name }}?charset=utf8
+connection = {{ api.database.engine }}+pymysql://{{ api.database.user }}:{{ api.database.password }}@{{ api.database.host }}/{{ api.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
@@ -1538,6 +1546,24 @@
#
# From oslo.messaging
#
+{%- if api.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+ {%- if api.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ api.message_queue.ssl.version }}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+ {%- endif %}
+
+ {%- if api.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ api.message_queue.x509.ca_file }}
+kombu_ssl_keyfile = {{ api.message_queue.x509.key_file}}
+kombu_ssl_certfile = {{ api.message_queue.x509.cert_file}}
+ {%- else %}
+kombu_ssl_ca_certs = {{ api.message_queue.ssl.get('cacert_file', api.cacert_file) }}
+ {%- endif %}
+
+{%- endif %}
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
diff --git a/octavia/files/pike/octavia_manager.conf b/octavia/files/pike/octavia_manager.conf
index 60e181c..03c57b3 100644
--- a/octavia/files/pike/octavia_manager.conf
+++ b/octavia/files/pike/octavia_manager.conf
@@ -1,5 +1,13 @@
{%- from "octavia/map.jinja" import api with context %}
{%- from "octavia/map.jinja" import manager with context %}
+
+{%- set connection_x509_ssl_option = '' %}
+{%- if manager.database.get('x509',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ manager.database.x509.ca_file ~ '&ssl_cert=' ~ manager.database.x509.cert_file ~ '&ssl_key=' ~ manager.database.x509.key_file %}
+{%- elif manager.database.get('ssl',{}).get('enabled',False) %}
+ {%- set connection_x509_ssl_option = '&ssl_ca=' ~ manager.database.ssl.get('cacert_file', manager.cacert_file) %}
+{%- endif %}
+
[DEFAULT]
#
@@ -691,7 +699,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
-connection = {{ manager.database.engine }}+pymysql://{{ manager.database.user }}:{{ manager.database.password }}@{{ manager.database.host }}/{{ manager.database.name }}?charset=utf8
+connection = {{ manager.database.engine }}+pymysql://{{ manager.database.user }}:{{ manager.database.password }}@{{ manager.database.host }}/{{ manager.database.name }}?charset=utf8{{ connection_x509_ssl_option|string }}
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
@@ -1585,6 +1593,23 @@
#
# From oslo.messaging
#
+{%- if manager.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+ {%- if manager.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ manager.message_queue.ssl.version }}
+ {%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+ {%- endif %}
+
+ {%- if manager.message_queue.get('x509',{}).get('enabled', False) %}
+kombu_ssl_ca_certs = {{ manager.message_queue.x509.ca_file }}
+kombu_ssl_keyfile = {{ manager.message_queue.x509.key_file}}
+kombu_ssl_certfile = {{ manager.message_queue.x509.cert_file}}
+ {%- else %}
+kombu_ssl_ca_certs = {{ manager.message_queue.ssl.get('cacert_file', manager.cacert_file) }}
+ {%- endif %}
+{%- endif %}
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
diff --git a/octavia/files/queens/octavia_api.conf b/octavia/files/queens/octavia_api.conf
index d6ba089..9cfac99 100644
--- a/octavia/files/queens/octavia_api.conf
+++ b/octavia/files/queens/octavia_api.conf
@@ -555,6 +555,7 @@
[database]
{%- set _data = api.database %}
+{%- if _data.ssl is defined and 'cacert_file' not in _data.ssl.keys() %}{% do _data['ssl'].update({'cacert_file': api.cacert_file}) %}{% endif %}
{%- include "oslo_templates/files/queens/oslo/_database.conf" %}
[glance]
@@ -961,7 +962,7 @@
# event_stream_transport_url = rabbit://<user>:<pass>@127.0.0.1:5672/<vhost>
# For HA, specify queue nodes in cluster, comma delimited:
# event_stream_transport_url = rabbit://<user>:<pass>@server01,<user>:<pass>@server02/<vhost>
-# event_stream_transport_url =
+# event_stream_transport_url =
[oslo_messaging_amqp]
diff --git a/octavia/files/queens/octavia_manager.conf b/octavia/files/queens/octavia_manager.conf
index 21b446e..99de601 100644
--- a/octavia/files/queens/octavia_manager.conf
+++ b/octavia/files/queens/octavia_manager.conf
@@ -593,6 +593,7 @@
[database]
{%- set _data = manager.database %}
+{%- if _data.ssl is defined and 'cacert_file' not in _data.ssl.keys() %}{% do _data['ssl'].update({'cacert_file': manager.cacert_file}) %}{% endif %}
{%- include "oslo_templates/files/queens/oslo/_database.conf" %}
[glance]
diff --git a/octavia/manager.sls b/octavia/manager.sls
index ed02bfc..567aa5d 100644
--- a/octavia/manager.sls
+++ b/octavia/manager.sls
@@ -1,6 +1,10 @@
{%- from "octavia/map.jinja" import manager with context %}
{%- if manager.enabled %}
+
+include:
+ - octavia._ssl.mysql
+ - octavia._ssl.rabbitmq
{%- set ssh_dir = salt['file.dirname'](manager.ssh.private_key_file) %}
{%- set image_mine_data = salt['mine.get']('glance:client', 'glanceng.get_image_owner_id', 'pillar').values() %}
{%- set network_mine_data = salt['mine.get']('neutron:client', 'list_octavia_networks', 'pillar').values() %}
@@ -19,6 +23,8 @@
- mode: 644
- require:
- pkg: octavia_manager_packages
+ - sls: octavia._ssl.mysql
+ - sls: octavia._ssl.rabbitmq
- context:
amp_image_owner_id: {{ image_mine_data|first }}
amp_boot_network_list: {{ (network_mine_data|first)['networks'][0]['id'] }}
@@ -130,6 +136,9 @@
service.running:
- names: {{ manager.services }}
- enable: true
+ - require:
+ - sls: octavia._ssl.mysql
+ - sls: octavia._ssl.rabbitmq
- watch:
- file: /etc/octavia/octavia_manager.conf
{%- endif %}