SSL for communication between cinder and rabbitmq

Spredzy · xbezdick · commit 308d098bbe90 · 2014-06-12T18:01:38.000+02:00
Currently, Cinder can not be configured via Puppet to communicate with rabbitmq using SSL. Most other puppet component already have this feature. This commit enable this feature for Cinder. Conflicts: manifests/init.pp Change-Id: I1525bb1d36d1d49c76e4b42b37ff17f0c5c98f57 (cherry picked from commit 9d081c1)
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -9,6 +9,28 @@
 #   Timeout when db connections should be reaped.
 #   (Optional) Defaults to 3600.
 #
+# [*rabbit_use_ssl*]
+#   (optional) Connect over SSL for RabbitMQ
+#   Defaults to false
+#
+# [*kombu_ssl_ca_certs*]
+#   (optional) SSL certification authority file (valid only if SSL enabled).
+#   Defaults to undef
+#
+# [*kombu_ssl_certfile*]
+#   (optional) SSL cert file (valid only if SSL enabled).
+#   Defaults to undef
+#
+# [*kombu_ssl_keyfile*]
+#   (optional) SSL key file (valid only if SSL enabled).
+#   Defaults to undef
+#
+# [*kombu_ssl_version*]
+#   (optional) SSL version to use (valid only if SSL enabled).
+#   Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
+#   available on some distributions.
+#   Defaults to 'SSLv3'
+#
 # [amqp_durable_queues]
 #   Use durable queues in amqp.
 #   (Optional) Defaults to false.
@@ -63,6 +85,11 @@
   $rabbit_virtual_host         = '/',
   $rabbit_userid               = 'guest',
   $rabbit_password             = false,
+  $rabbit_use_ssl              = false,
+  $kombu_ssl_ca_certs          = undef,
+  $kombu_ssl_certfile          = undef,
+  $kombu_ssl_keyfile           = undef,
+  $kombu_ssl_version           = 'SSLv3',
   $amqp_durable_queues         = false,
   $qpid_hostname               = 'localhost',
   $qpid_port                   = '5672',
@@ -123,6 +150,18 @@
     }
   }
 
+  if $rabbit_use_ssl {
+    if !$kombu_ssl_ca_certs {
+      fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
+    }
+    if !$kombu_ssl_certfile {
+      fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true')
+    }
+    if !$kombu_ssl_keyfile {
+      fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true')
+    }
+  }
+
   # this anchor is used to simplify the graph between cinder components by
   # allowing a resource to serve as a point where the configuration of cinder begins
   anchor { 'cinder-start': }
@@ -159,6 +198,7 @@
       'DEFAULT/rabbit_password':     value => $rabbit_password, secret => true;
       'DEFAULT/rabbit_userid':       value => $rabbit_userid;
       'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
+      'DEFAULT/rabbit_use_ssl':      value => $rabbit_use_ssl;
       'DEFAULT/control_exchange':    value => $control_exchange;
       'DEFAULT/amqp_durable_queues': value => $amqp_durable_queues;
     }
@@ -172,6 +212,23 @@
       cinder_config { 'DEFAULT/rabbit_hosts':     value => "${rabbit_host}:${rabbit_port}" }
       cinder_config { 'DEFAULT/rabbit_ha_queues': value => false }
     }
+
+    if $rabbit_use_ssl {
+      cinder_config {
+        'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs;
+        'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile;
+        'DEFAULT/kombu_ssl_keyfile':  value => $kombu_ssl_keyfile;
+        'DEFAULT/kombu_ssl_version':  value => $kombu_ssl_version;
+      }
+    } else {
+      cinder_config {
+        'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
+        'DEFAULT/kombu_ssl_certfile': ensure => absent;
+        'DEFAULT/kombu_ssl_keyfile':  ensure => absent;
+        'DEFAULT/kombu_ssl_version':  ensure => absent;
+      }
+    }
+
   }
 
   if $rpc_backend == 'cinder.openstack.common.rpc.impl_qpid' {
diff --git a/spec/classes/cinder_spec.rb b/spec/classes/cinder_spec.rb
@@ -178,6 +178,46 @@
     it { should contain_cinder_config('DEFAULT/qpid_sasl_mechanisms').with_value('DIGEST-MD5 GSSAPI PLAIN') }
   end
 
+  describe 'with SSL enabled' do
+    let :params do
+      req_params.merge!({
+        :rabbit_use_ssl     => true,
+        :kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
+        :kombu_ssl_certfile => '/path/to/ssl/cert/file',
+        :kombu_ssl_keyfile  => '/path/to/ssl/keyfile',
+        :kombu_ssl_version  => 'SSLv3'
+      })
+    end
+
+    it do
+      should contain_cinder_config('DEFAULT/rabbit_use_ssl').with_value('true')
+      should contain_cinder_config('DEFAULT/kombu_ssl_ca_certs').with_value('/path/to/ssl/ca/certs')
+      should contain_cinder_config('DEFAULT/kombu_ssl_certfile').with_value('/path/to/ssl/cert/file')
+      should contain_cinder_config('DEFAULT/kombu_ssl_keyfile').with_value('/path/to/ssl/keyfile')
+      should contain_cinder_config('DEFAULT/kombu_ssl_version').with_value('SSLv3')
+    end
+  end
+
+  describe 'with SSL disabled' do
+    let :params do
+      req_params.merge!({
+        :rabbit_use_ssl     => false,
+        :kombu_ssl_ca_certs => 'undef',
+        :kombu_ssl_certfile => 'undef',
+        :kombu_ssl_keyfile  => 'undef',
+        :kombu_ssl_version  => 'SSLv3'
+      })
+    end
+
+    it do
+      should contain_cinder_config('DEFAULT/rabbit_use_ssl').with_value('false')
+      should contain_cinder_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
+      should contain_cinder_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent')
+      should contain_cinder_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent')
+      should contain_cinder_config('DEFAULT/kombu_ssl_version').with_ensure('absent')
+    end
+  end
+
   describe 'with syslog disabled' do
     let :params do
       req_params
