Code Review / apex-puppet-tripleo.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 193d275)
Enable TLS for rabbitmq's replication traffic
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Mon, 28 Aug 2017 06:07:16 +0000 (09:07 +0300)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Tue, 5 Sep 2017 09:38:27 +0000 (09:38 +0000)
This follows the RabbitMQ docs [1] for enabling TLS for the replication
traffic. It reuses the certificate that rabbitmq already has.

Unfortunately, pacemaker uses the shortname for the rabbitmq nodes, so
we are not able to do proper verification of the certificates, since we
can't allocate a certificate for shortnames. So, until pacemaker can
track the rabbit nodes through their FQDNs, we don't set any verification
options.

[1] https://www.rabbitmq.com/clustering-ssl.html

Depends on: https://github.com/voxpupuli/puppet-rabbitmq/pull/574

bp tls-via-certmonger
Co-Authored-By: Alex Schultz <aschultz@redhat.com>
Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847
(cherry picked from commit 52404b85dc140d9ddc4605365454df0e052ee2cb)

manifests/profile/base/rabbitmq.pp patch | blob | history

diff --git a/manifests/profile/base/rabbitmq.pp b/manifests/profile/base/rabbitmq.pp
index fbe5113..9f5819a 100644 (file)
--- a/manifests/profile/base/rabbitmq.pp
+++ b/manifests/profile/base/rabbitmq.pp
@@ -93,9 +93,19 @@ class tripleo::profile::base::rabbitmq (
   if $enable_internal_tls {
     $tls_certfile = $certificate_specs['service_certificate']
     $tls_keyfile = $certificate_specs['service_key']
+    $cert_option = "-ssl_dist_opt server_certfile ${tls_certfile}"
+    $key_option = "-ssl_dist_opt server_keyfile ${tls_keyfile}"
+    $secure_renegotiate = '-ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true'
+
+    $rabbitmq_additional_erl_args = "\"${cert_option} ${key_option} ${secure_renegotiate}\""
+    $environment_real = merge($environment, {
+      'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => $rabbitmq_additional_erl_args,
+      'RABBITMQ_CTL_ERL_ARGS' => $rabbitmq_additional_erl_args
+    })
   } else {
     $tls_certfile = undef
     $tls_keyfile = undef
+    $environment_real = $environment
   }
 
   if $inet_dist_interface {
@@ -116,7 +126,7 @@ class tripleo::profile::base::rabbitmq (
         cluster_nodes           => $nodes,
         config_kernel_variables => $real_kernel_variables,
         config_variables        => $config_variables,
-        environment_variables   => $environment,
+        environment_variables   => $environment_real,
         # TLS options
         ssl_cert                => $tls_certfile,
         ssl_key                 => $tls_keyfile,