Enable ssl on rabbitmq/mysql
This patch enabled TLS on rabbitmq/mysql for the following modes:
* virtual-mcp-pike-ssl
* virtual-mcp-pike-ssl-barbican
Change-Id: Ib2346416173e2500586b16e2efa1cc5157b268fa
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/compute.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/compute.yml
index 65bcbeb..a82008f 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/compute.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/compute.yml
@@ -21,6 +21,12 @@
interface_mtu: 1500
linux_system_codename: xenial
loopback_device_size: 20
+ ceilometer:
+ agent:
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nova:
compute:
vncproxy_url: http://${_param:cluster_vip_address}:6080
@@ -34,15 +40,36 @@
protocol: https
image:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
neutron:
compute:
notification:
driver: messagingv2
topics: "notifications"
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
cinder:
volume:
barbican:
enabled: ${_param:barbican_integration_enabled}
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
linux:
network:
interface:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/control.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/control.yml
index 9385f96..9c8f440 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/control.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/control.yml
@@ -1,5 +1,7 @@
classes:
- system.salt.minion.cert.proxy
+- system.salt.minion.cert.mysql.server
+- system.salt.minion.cert.rabbitmq_server
- system.linux.system.lowmem
- system.linux.system.repo.mcp.apt_mirantis.glusterfs
- system.linux.system.repo.mcp.apt_mirantis.openstack
@@ -7,6 +9,7 @@
- system.linux.system.repo.mcp.apt_mirantis.saltstack_2016_3
- system.memcached.server.single
- system.rabbitmq.server.cluster
+- service.rabbitmq.server.ssl
- system.rabbitmq.server.vhost.openstack
- system.apache.server.site.manila
- system.apache.server.site.barbican
@@ -30,6 +33,7 @@
- system.heat.server.cluster
- system.designate.server.cluster
- system.galera.server.cluster
+- service.galera.ssl
- system.galera.server.database.cinder
- system.galera.server.database.glance
- system.galera.server.database.heat
@@ -97,6 +101,10 @@
dogtag_pki_token_password: workshop
dogtag_pki_security_domain_password: workshop
dogtag_pki_clone_pkcs12_password: workshop
+ rabbitmq:
+ server:
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nginx:
server:
site:
@@ -160,9 +168,23 @@
plugin:
dogtag:
port: ${_param:haproxy_dogtag_bind_port}
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
keystone:
server:
admin_email: ${_param:admin_email}
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
designate:
pool_manager:
enabled: ${_param:designate_pool_manager_enabled}
@@ -173,6 +195,13 @@
bind:
api:
address: 127.0.0.1
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
backend:
pdns4:
api_token: ${_param:designate_pdns_api_key}
@@ -211,6 +240,13 @@
protocol: https
registry:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
heat:
server:
bind:
@@ -222,12 +258,26 @@
address: 127.0.0.1
identity:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
neutron:
server:
bind:
address: 127.0.0.1
identity:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nova:
controller:
networking: dvr
@@ -250,6 +300,13 @@
protocol: https
vncproxy_url: http://${_param:cluster_vip_address}:6080
workers: 1
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
cinder:
controller:
controller:
@@ -261,11 +318,25 @@
host: 127.0.0.1
glance:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
manila:
common:
identity:
protocol: https
default_share_type: default
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
salt:
minion:
cert:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/gateway.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/gateway.yml
index 81e8754..303ff44 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/gateway.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/gateway.yml
@@ -19,6 +19,13 @@
notification:
driver: messagingv2
topics: "notifications"
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
linux:
network:
interface:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/init.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/init.yml
index 77c4add..c68096f 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/init.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/init.yml
@@ -216,6 +216,9 @@
ceilometer_agent_default_polling_meters:
- "*"
barbican_integration_enabled: true
+ galera_ssl_enabled: true
+ rabbitmq_ssl_enabled: true
+ rabbitmq_port: 5671 # for non-ssl use 5672 / for ssl 5671
linux:
network:
purge_hosts: true
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/share.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/share.yml
index 4443276..13b4194 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/share.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/share.yml
@@ -15,3 +15,10 @@
identity:
protocol: https
default_share_type: default
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/telemetry.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/telemetry.yml
index c8fb232..b9ad851 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/telemetry.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl-barbican/openstack/telemetry.yml
@@ -115,6 +115,8 @@
common:
database:
host: ${_param:openstack_database_address}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
server:
identity:
protocol: https
@@ -127,6 +129,9 @@
server:
identity:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
aodh:
server:
bind:
@@ -136,6 +141,13 @@
identity:
protocol: https
host: ${_param:openstack_control_address}
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
ceilometer:
server:
bind:
@@ -145,6 +157,10 @@
identity:
protocol: https
host: ${_param:openstack_control_address}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
haproxy:
proxy:
listen:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/compute.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/compute.yml
index 1c34ae7..0ad9af0 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/compute.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/compute.yml
@@ -26,6 +26,12 @@
ipflush_onchange: true
external_interface:
ipflush_onchange: true
+ ceilometer:
+ agent:
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nova:
compute:
vncproxy_url: http://${_param:cluster_vip_address}:6080
@@ -37,6 +43,13 @@
protocol: https
image:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
neutron:
compute:
notification:
@@ -53,4 +66,11 @@
backend:
extension:
bagpipe_bgpvpn:
- enabled: True
\ No newline at end of file
+ enabled: True
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml
index 2b1b0b8..780ead5 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/control.yml
@@ -1,5 +1,7 @@
classes:
- system.salt.minion.cert.proxy
+- system.salt.minion.cert.mysql.server
+- system.salt.minion.cert.rabbitmq_server
- system.linux.system.lowmem
- system.linux.system.repo.mcp.apt_mirantis.glusterfs
- system.linux.system.repo.mcp.apt_mirantis.openstack
@@ -7,6 +9,7 @@
- system.linux.system.repo.mcp.apt_mirantis.saltstack_2016_3
- system.memcached.server.single
- system.rabbitmq.server.cluster
+- service.rabbitmq.server.ssl
- system.rabbitmq.server.vhost.openstack
- system.apache.server.site.manila
- system.apache.server.site.nova-placement
@@ -29,6 +32,7 @@
- system.heat.server.cluster
- system.designate.server.cluster
- system.galera.server.cluster
+- service.galera.ssl
- system.galera.server.database.cinder
- system.galera.server.database.glance
- system.galera.server.database.heat
@@ -75,6 +79,10 @@
apache_nova_placement_ssl: ${_param:nginx_proxy_ssl}
apache_cinder_api_address: ${_param:cluster_local_address}
apache_cinder_ssl: ${_param:nginx_proxy_ssl}
+ rabbitmq:
+ server:
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nginx:
server:
site:
@@ -105,6 +113,13 @@
keystone:
server:
admin_email: ${_param:admin_email}
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
designate:
pool_manager:
enabled: ${_param:designate_pool_manager_enabled}
@@ -115,6 +130,13 @@
bind:
api:
address: 127.0.0.1
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
backend:
pdns4:
api_token: ${_param:designate_pdns_api_key}
@@ -151,6 +173,13 @@
protocol: https
registry:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
heat:
server:
bind:
@@ -162,6 +191,13 @@
address: 127.0.0.1
identity:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
neutron:
server:
bind:
@@ -170,6 +206,13 @@
protocol: https
l2gw:
enabled: true
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
nova:
controller:
networking: dvr
@@ -190,6 +233,13 @@
protocol: https
vncproxy_url: http://${_param:cluster_vip_address}:6080
workers: 1
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
cinder:
controller:
identity:
@@ -198,11 +248,25 @@
host: 127.0.0.1
glance:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
manila:
common:
identity:
protocol: https
default_share_type: default
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
salt:
minion:
cert:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/gateway.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/gateway.yml
index a61319c..373433c 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/gateway.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/gateway.yml
@@ -23,6 +23,13 @@
enabled: false
ovsdb_hosts:
ovsdbx: 127.0.0.1:6632
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
linux:
network:
interface:
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml
index e866362..e243ec5 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/init.yml
@@ -212,6 +212,9 @@
ceilometer_agent_default_polling_interval: 15
ceilometer_agent_default_polling_meters:
- "*"
+ galera_ssl_enabled: true
+ rabbitmq_ssl_enabled: true
+ rabbitmq_port: 5671 # for non-ssl use 5672 / for ssl 5671
linux:
network:
purge_hosts: true
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/share.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/share.yml
index e144677..26a0a51 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/share.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/share.yml
@@ -24,3 +24,10 @@
identity:
protocol: https
default_share_type: default
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
diff --git a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml
index 79cfaf0..0b6277f 100644
--- a/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml
+++ b/classes/cluster/virtual-mcp-pike-dvr-ssl/openstack/telemetry.yml
@@ -115,6 +115,8 @@
common:
database:
host: ${_param:openstack_database_address}
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
server:
identity:
protocol: https
@@ -127,6 +129,9 @@
server:
identity:
protocol: https
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
aodh:
server:
bind:
@@ -136,6 +141,13 @@
identity:
protocol: https
host: ${_param:openstack_control_address}
+ database:
+ ssl:
+ enabled: ${_param:galera_ssl_enabled}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
ceilometer:
server:
bind:
@@ -145,6 +157,10 @@
identity:
protocol: https
host: ${_param:openstack_control_address}
+ message_queue:
+ port: ${_param:rabbitmq_port}
+ ssl:
+ enabled: ${_param:rabbitmq_ssl_enabled}
haproxy:
proxy:
listen: