Add ability to configure rsyslog tls encription

Change-Id: Ie2d325830f2c8ff03a4b8f31058e53feb7b62a7d
diff --git a/README.rst b/README.rst
index bd98749..bddc125 100644
--- a/README.rst
+++ b/README.rst
@@ -102,7 +102,7 @@
             rabbitmq:
               File: "/var/log/rabbitmq/*.log"
               Tag: "rabbitmq__"
-              Severitet: "notice"
+              Severity: "notice"
               Facility: "local0"
               PersistStateInterval: "0"
               Ruleset: "myapp_logs"
@@ -117,6 +117,72 @@
           myapp_logs:
             description: 'set $.suffix=re_extract($!metadata!filename, "(.*)/([^/]*[^/.log])", 0, 2, "all.log"); call remote_logs'
 
+Rsyslog service with GNU TLS encryption for forwarding the messages (omfwd module with gtls network stream driver).
+
+.. code-block:: yaml
+
+  rsyslog:
+    client:
+      pkgs:
+        - rsyslog-gnutls
+        - rsyslog
+      run_user: syslog
+      run_group: adm
+      enabled: true
+      certs:
+        /etc/rsyslog.d/key.pem: |
+          -----BEGIN RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
+        /etc/rsyslog.d/cert.pem: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+        /etc/rsyslog.d/ca.pem: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+      rainerscript:
+        global:
+          defaultNetstreamDriverCAFile: "/etc/rsyslog.d/ca.pem"
+          defaultNetstreamDriverKeyFile: "/etc/rsyslog.d/key.pem"
+          defaultNetstreamDriverCertFile: "/etc/rsyslog.d/cert.pem"
+      output:
+        remote:
+          somehost.domain:
+            action: 'action(type="omfwd" Target="172.16.10.92" Port="20514" Protocol="tcp" streamDriver="gtls" streamDriverauthMode="anon" streamDriverMode="1")'
+            filter: "*.*"
+            enabled: true
+
+Rsyslog service with RELP TLS encryption for forwarding the messages (omrelp module).
+
+.. code-block:: yaml
+
+  rsyslog:
+    client:
+      pkgs:
+        - rsyslog-relp
+        - rsyslog
+      run_user: syslog
+      run_group: adm
+      enabled: true
+      certs:
+        /etc/rsyslog.d/key.pem: |
+          -----BEGIN RSA PRIVATE KEY-----
+          -----END RSA PRIVATE KEY-----
+        /etc/rsyslog.d/cert.pem: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+        /etc/rsyslog.d/ca.pem: |
+          -----BEGIN CERTIFICATE-----
+          -----END CERTIFICATE-----
+      rainerscript:
+        module:
+          omrelp: {}
+      output:
+        remote:
+          somehost.domain:
+            action: 'action(type="omrelp" target="172.16.10.92" port="20514" tls="on" tls.caCert="/etc/rsyslog.d/ca.pem" tls.myCert="/etc/rsyslog.d/cert.pem" tls.myPrivKey="/etc/rsyslog.d/key.pem" tls.authmode="name" tls.permittedpeer=["remote.example.com"])'
+            filter: "*.*"
+            enabled: true
+
 Custom templates
 ================
 
diff --git a/rsyslog/client.sls b/rsyslog/client.sls
index d84c826..0eb1f42 100644
--- a/rsyslog/client.sls
+++ b/rsyslog/client.sls
@@ -23,6 +23,22 @@
   - watch_in:
     - service: rsyslog_service
 
+{%- for name, content in global.get('certs', {}).iteritems() %}
+
+rsyslog_cert_{{ name | replace('/', '_') }}_client:
+  file.managed:
+  - name: {{ name }}
+  - contents: {{ content | yaml_encode }}
+  - owner: {{ global.run_user }}
+  - group: {{ global.run_group }}
+  - mode: 0400
+  - require:
+    - pkg: rsyslog_packages
+  - watch_in:
+    - service: rsyslog_service
+
+{% endfor %}
+
 {% if global.manage_file_perms is defined and global.manage_file_perms == true %}
 {% for output,type in global.output.file.iteritems() %}
 {{ output }}:
diff --git a/rsyslog/files/rsyslog.default.conf b/rsyslog/files/rsyslog.default.conf
index 5199ccc..36de0e6 100644
--- a/rsyslog/files/rsyslog.default.conf
+++ b/rsyslog/files/rsyslog.default.conf
@@ -43,6 +43,10 @@
 
 {%- set rainerscript = global.get('rainerscript', {}) -%}
 
+{% if rainerscript.global is defined -%}
+global({%- for parameter,value in rainerscript.get('global', {}).iteritems() %} {{parameter}}="{{ value }}"{%- endfor -%})
+{% endif -%}
+
 {%- for mod,parameter in rainerscript.get('module', {}).iteritems() %}
 module(load="{{ mod }}"{%- for name,value in parameter.iteritems() %} {{name}}="{{value}}"{%- endfor -%})
 {%- endfor %}