[ssl] allow to manage content of certs/keys files
Allow two ways of managing cert/key files:
1) by specifying the path of a file:
ssl:
key_file: /etc/rabbitmq/ssl/key.pem
2) by specifying both the path and the content of a file:
ssl:
key: text
key_file: /etc/rabbitmq/ssl/key.pem
The file management via authority is removed as unused.
Change-Id: Icdc8783449cf8ac1283f107861564b6ad36230ec
diff --git a/README.rst b/README.rst
index 6a33d56..6a8a131 100644
--- a/README.rst
+++ b/README.rst
@@ -102,7 +102,21 @@
Enable TLS support
------------------
-The certs and private key passing:
+To enable support of TLS for rabbitmq-server you need to provide a path to cacert, server cert and private key :
+
+.. code-block:: yaml
+
+ rabbitmq:
+ server:
+ enabled: true
+ ...
+ ssl:
+ enabled: True
+ key_file: /etc/rabbitmq/ssl/key.pem
+ cert_file: /etc/rabbitmq/ssl/cert.pem
+ ca_file: /etc/rabbitmq/ssl/ca.pem
+
+To manage content of these files you can either use the following options:
.. code-block:: yaml
@@ -113,23 +127,27 @@
ssl:
enabled: True
- cacert_chain: |
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-------
-
+ key_file: /etc/rabbitmq/ssl/key.pem
key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-------
+ ca_file: /etc/rabbitmq/ssl/ca.pem
+ cacert_chain: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-------
+
+ cert_file: /etc/rabbitmq/ssl/cert.pem
cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-------
-Also you can pass them via specifing a name of ca authority at salt master:
+Or you can use the `salt.minion.cert` salt state which
+creates all required files according to defined reclass model [1]. In this case you need just to enable ssl and nothing more:
.. code-block:: yaml
@@ -139,11 +157,6 @@
...
ssl:
enabled: True
- authority: CA_Authority_Name
-
-In this case keys and certs will be pulled from:
-
-`salt://pki/{{ authority }}/certs/{ rabbitmq.{cert|key} | ca.cert }`
--
@@ -157,6 +170,11 @@
ssl:
port: 5671
+
+1. https://github.com/Mirantis/reclass-system-salt-model/tree/master/salt/minion/cert/rabbitmq
+
+
+
Usage
=====
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index c669993..e8c28a9 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -2,6 +2,7 @@
- rabbitmq
classes:
- service.rabbitmq.support
+
parameters:
rabbitmq:
server:
diff --git a/metadata/service/server/local.yml b/metadata/service/server/local.yml
index eac1368..1aed5e7 100644
--- a/metadata/service/server/local.yml
+++ b/metadata/service/server/local.yml
@@ -2,6 +2,7 @@
- rabbitmq
classes:
- service.rabbitmq.support
+
parameters:
_param:
rabbitmq_admin_user: admin
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 8312696..aa664fb 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -2,6 +2,7 @@
- rabbitmq
classes:
- service.rabbitmq.support
+
parameters:
_param:
rabbitmq_admin_user: admin
diff --git a/metadata/service/server/ssl.yml b/metadata/service/server/ssl.yml
new file mode 100644
index 0000000..16ffcf7
--- /dev/null
+++ b/metadata/service/server/ssl.yml
@@ -0,0 +1,10 @@
+# defaults paths to certificates and keys of rabbitmq server
+
+parameters:
+ rabbitmq:
+ server:
+ ssl:
+ key_file: /etc/rabbitmq/ssl/key.pem
+ cert_file: /etc/rabbitmq/ssl/cert.pem
+ all_file: /etc/rabbitmq/ssl/all_file.pem
+ ca_file: /etc/rabbitmq/ssl/ca.pem
\ No newline at end of file
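Review bot: The new file ends without a trailing newline (`\ No newline at end of file` at the end of the hunk); add one so the next edit does not produce a spurious diff on the last line. The header comment `# defaults paths to certificates and keys of rabbitmq server` would read better as `# default paths to the certificates and keys of the rabbitmq server`. `all_file` is given a default here, but the README hunks in this commit document only `key_file`, `cert_file` and `ca_file`; a line explaining what `all_file` is (the concatenated key and cert used by `rabbitmq_ssl_all_file` in ssl.sls, if I read that state correctly) would help operators who see it appear in the pillar.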
diff --git a/rabbitmq/files/rabbitmq.config b/rabbitmq/files/rabbitmq.config
index dd8ed66..5f1352a 100644
--- a/rabbitmq/files/rabbitmq.config
+++ b/rabbitmq/files/rabbitmq.config
@@ -28,7 +28,7 @@
{verify,verify_{{ server.ssl.get('verify', 'peer') }}},
{versions, ['{{ server.ssl.versions | join("', '") }}']},
{%- if server.ssl.ciphers is defined %}
- {ciphers,[ {{ server.ssl.ciphers | join(',') }} ]},
+ {ciphers,[ {{ server.ssl.ciphers | join("', '") }} ]},
{%- endif %}
{fail_if_no_peer_cert,false}]}
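Review bot: The new `{ciphers,[ {{ server.ssl.ciphers | join("', '") }} ]},` line emits quote characters only between list elements; unlike the `{versions, ['…']}` line just above it, the expression itself is not wrapped in quotes, so two ciphers render as `[ A', 'B ]` and a single cipher as `[ A ]`, neither of which is a valid Erlang term. As far as I recall, Erlang ssl takes OpenSSL-style cipher names as strings, so the double-quoted form already used on the management listener's `versions` line in the third hunk of this file fits: `{ciphers,[ "{{ server.ssl.ciphers | join('", "') }}" ]},`. The same line is changed the same way in the third hunk (`rabbitmq_management` `ssl_opts`) and needs the same fix.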
@@ -40,7 +40,6 @@
{rabbitmq_management,
[{listener, [{port, {{ server.management.bind.port }} },
{ip, "{{ server.management.bind.address }}" }
-
{%- if server.management.get('ssl', {}).get('enabled', False) %},
{ssl,true},
{ssl_opts, [{cacertfile,"{{ server.ssl.ca_file }}"},
@@ -49,7 +48,7 @@
{verify,verify_{{ server.ssl.get('verify', 'peer') }}},
{versions,[ "{{ server.ssl.versions | join('", "') }}" ]},
{%- if server.ssl.ciphers is defined %}
- {ciphers,[ {{ server.ssl.ciphers | join(',') }} ]},
+ {ciphers,[ {{ server.ssl.ciphers | join("', '") }} ]},
{%- endif %}]}
{%- endif %}
]}]}
diff --git a/rabbitmq/server/service.sls b/rabbitmq/server/service.sls
index 9fff053..363c23b 100644
--- a/rabbitmq/server/service.sls
+++ b/rabbitmq/server/service.sls
@@ -17,17 +17,6 @@
- require:
- pkg: rabbitmq_packages
-{%- if server.ssl is defined %}
-rabbitmq_ssl:
- file.directory:
- - name: /etc/rabbitmq/ssl
- - user: root
- - group: rabbitmq
- - mode: 750
- - require:
- - pkg: rabbitmq_packages
-{%- endif %}
-
{%- if grains.os_family == 'Debian' %}
rabbitmq_default_config:
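Review bot: Removing `rabbitmq_ssl` drops the only state that created `/etc/rabbitmq/ssl` explicitly with `root:rabbitmq` and mode `750`; after this commit the directory is created only by `makedirs: true` in the pillar-content branches of ssl.sls, and without a `dir_mode` Salt derives the directory mode from the file mode rather than from a value you chose. In the `file.exists` branches of ssl.sls nothing creates the directory at all, which is presumably intended since the files are then produced elsewhere, but it is worth stating in the commit message. If the directory permissions matter, add `- dir_mode: 0750` to the `file.managed` states in ssl.sls or keep a directory state. The hunk ends inside the `{%- if grains.os_family == 'Debian' %}` block, which continues past it.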
diff --git a/rabbitmq/server/ssl.sls b/rabbitmq/server/ssl.sls
index b4f5567..84e9aac 100644
--- a/rabbitmq/server/ssl.sls
+++ b/rabbitmq/server/ssl.sls
@@ -2,46 +2,47 @@
{%- if server.ssl.enabled %}
+{%- if server.ssl.cacert_chain is defined %}
rabbitmq_cacertificate:
file.managed:
- name: {{ server.ssl.ca_file }}
- {%- if server.ssl.cacert_chain is defined %}
- contents_pillar: rabbitmq:server:ssl:cacert_chain
- {%- else %}
- - source: salt://pki/{{ server.ssl.authority }}/certs/ca.cert
- {%- endif %}
- - user: root
- - group: rabbitmq
- - mode: 640
+ - mode: 0444
- makedirs: true
+{%- else %}
+rabbitmq_cacertificate:
+ file.exists:
+ - name: {{ server.ssl.ca_file }}
+{%- endif %}
+{%- if server.ssl.cert is defined %}
rabbitmq_certificate:
file.managed:
- name: {{ server.ssl.cert_file }}
- {%- if server.ssl.cert is defined %}
- contents_pillar: rabbitmq:server:ssl:cert
- {%- else %}
- - source: salt://pki/{{ server.ssl.authority }}/certs/rabbitmq.cert
- {%- endif %}
- - user: root
- - group: rabbitmq
- - mode: 640
+ - mode: 0444
- makedirs: true
+{%- else %}
+rabbitmq_certificate:
+ file.exists:
+ - name: {{ server.ssl.cert_file }}
+{%- endif %}
+{%- if server.ssl.key is defined %}
rabbitmq_server_key:
file.managed:
- name: {{ server.ssl.key_file }}
- {%- if server.ssl.key is defined %}
- contents_pillar: rabbitmq:server:ssl:key
- {%- else %}
- - source: salt://pki/{{ server.ssl.authority }}/certs/rabbitmq.key
- {%- endif %}
- user: root
- group: rabbitmq
- - mode: 640
+ - mode: 0440
- makedirs: true
+{%- else %}
+rabbitmq_server_key:
+ file.exists:
+ - name: {{ server.ssl.key_file }}
+{%- endif %}
-# consist of private key and cert
rabbitmq_ssl_all_file:
file.managed:
- name: {{ server.ssl.all_file }}
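Review bot: In the new `{%- else %}` branches, a key or certificate delivered by an external state is only checked for presence with `file.exists`, so its ownership and mode are no longer enforced by this state, whereas the pillar-content branch of `rabbitmq_server_key` pins `root:rabbitmq` and `0440`. If the intent is only to stop managing the content, `file.managed` with `replace: false` and the same `user`/`group`/`mode` keeps the permission guarantee without overwriting a file produced elsewhere; the same applies to `rabbitmq_certificate` and `rabbitmq_cacertificate`. Note also that the content branches of `rabbitmq_cacertificate` and `rabbitmq_certificate` drop `user`/`group` while `rabbitmq_server_key` keeps them, which is fine for `0444` files but worth a comment. The enclosing `{%- if server.ssl.enabled %}` block and the `rabbitmq_ssl_all_file` state continue past the end of the hunk.
```yaml
{%- else %}
rabbitmq_server_key:
  file.managed:
    - name: {{ server.ssl.key_file }}
    - replace: false
    - user: root
    - group: rabbitmq
    - mode: 0440
{%- endif %}
# … unchanged: rabbitmq_ssl_all_file state …
```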
@@ -49,7 +50,7 @@
- template: jinja
- user: root
- group: rabbitmq
- - mode: 640
+ - mode: 0440
- makedirs: true
- context:
ssl_key_file: {{ server.ssl.key_file }}
@@ -65,7 +66,7 @@
- template: jinja
- user: root
- group: rabbitmq
- - mode: 640
+ - mode: 0440
- makedirs: true
- context:
all_file: {{ server.ssl.all_file }}