SSL for communication between neutron and rabbitmq
Currently, Neutron cannot be configured via Puppet to communicate with
rabbitmq using SSL. Most other puppet components already have this feature.
This commit enables this feature for Neutron.

Change-Id: Ie7a6218733562c4e89302ced169db6c53efadcf0
Spredzy committed May 16, 2014
1 parent 66c436b commit f1ae25a
Showing 2 changed files with 130 additions and 0 deletions.
57 changes: 57 additions & 0 deletions manifests/init.pp
@@ -104,6 +104,28 @@
# multiple RabbitMQ Brokers.
# Defaults to false
#
# [*rabbit_use_ssl*]
# (optional) Connect over SSL for RabbitMQ
# Defaults to false
#
# [*kombu_ssl_ca_certs*]
# (optional) SSL certification authority file (valid only if SSL enabled).
# Defaults to undef
#
# [*kombu_ssl_certfile*]
# (optional) SSL cert file (valid only if SSL enabled).
# Defaults to undef
#
# [*kombu_ssl_keyfile*]
# (optional) SSL key file (valid only if SSL enabled).
# Defaults to undef
#
# [*kombu_ssl_version*]
# (optional) SSL version to use (valid only if SSL enabled).
# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
# available on some distributions.
# Defaults to 'SSLv3'
#
# [*qpid_hostname*]
# [*qpid_port*]
# [*qpid_username*]
@@ -164,6 +186,11 @@
$rabbit_port = '5672',
$rabbit_user = 'guest',
$rabbit_virtual_host = '/',
$rabbit_use_ssl = false,
$kombu_ssl_ca_certs = undef,
$kombu_ssl_certfile = undef,
$kombu_ssl_keyfile = undef,
$kombu_ssl_version = 'SSLv3',
$qpid_hostname = 'localhost',
$qpid_port = '5672',
$qpid_username = 'guest',
@@ -187,6 +214,18 @@

Package['neutron'] -> Neutron_config<||>

if $rabbit_use_ssl {
if !$kombu_ssl_ca_certs {
fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
}
if !$kombu_ssl_certfile {
fail('The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true')
}
if !$kombu_ssl_keyfile {
fail('The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true')
}
}

File {
require => Package['neutron'],
owner => 'root',
@@ -272,7 +311,25 @@
'DEFAULT/rabbit_userid': value => $rabbit_user;
'DEFAULT/rabbit_password': value => $rabbit_password;
'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
'DEFAULT/rabbit_use_ssl': value => $rabbit_use_ssl;
}

if $rabbit_use_ssl {
neutron_config {
'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs;
'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile;
'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile;
'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version;
}
} else {
neutron_config {
'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
'DEFAULT/kombu_ssl_certfile': ensure => absent;
'DEFAULT/kombu_ssl_keyfile': ensure => absent;
'DEFAULT/kombu_ssl_version': ensure => absent;
}
}

}

if $rpc_backend == 'neutron.openstack.common.rpc.impl_qpid' {
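Review bot: The new parameter default `$kombu_ssl_version = 'SSLv3'` (and the matching `Defaults to 'SSLv3'` doc line) makes an obsolete protocol version the out-of-the-box choice for anyone who sets only rabbit_use_ssl and the three file paths. Of the values the doc block lists, TLSv1 is the stronger one, so I would change the default to `$kombu_ssl_version = 'TLSv1',`, update the doc line to match, and reword the SSLv2 remark to say it should not be used. The three `fail()` guards also make the client certificate and key mandatory; if the broker does not request client certificates, kombu_ssl_ca_certs alone is enough to verify the server, so consider requiring certfile and keyfile only as a pair. The class body continues outside the hunks shown.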
73 changes: 73 additions & 0 deletions spec/classes/neutron_init_spec.rb
@@ -49,6 +49,9 @@

end

it_configures 'with SSL enabled'
it_configures 'with SSL disabled'
it_configures 'with SSL wrongly configured'
it_configures 'with syslog disabled'
it_configures 'with syslog enabled'
it_configures 'with syslog enabled and custom settings'
@@ -136,6 +139,76 @@
it { should contain_neutron_config('DEFAULT/use_syslog').with_value(false) }
end

shared_examples_for 'with SSL enabled' do
before do
params.merge!(
:rabbit_use_ssl => true,
:kombu_ssl_ca_certs => '/path/to/ssl/ca/certs',
:kombu_ssl_certfile => '/path/to/ssl/cert/file',
:kombu_ssl_keyfile => '/path/to/ssl/keyfile',
:kombu_ssl_version => 'SSLv3'
)
end

it do
should contain_neutron_config('DEFAULT/rabbit_use_ssl').with_value('true')
should contain_neutron_config('DEFAULT/kombu_ssl_ca_certs').with_value('/path/to/ssl/ca/certs')
should contain_neutron_config('DEFAULT/kombu_ssl_certfile').with_value('/path/to/ssl/cert/file')
should contain_neutron_config('DEFAULT/kombu_ssl_keyfile').with_value('/path/to/ssl/keyfile')
should contain_neutron_config('DEFAULT/kombu_ssl_version').with_value('SSLv3')
end
end

shared_examples_for 'with SSL disabled' do
before do
params.merge!(
:rabbit_use_ssl => false,
:kombu_ssl_ca_certs => 'undef',
:kombu_ssl_certfile => 'undef',
:kombu_ssl_keyfile => 'undef',
:kombu_ssl_version => 'SSLv3'
)
end

it do
should contain_neutron_config('DEFAULT/rabbit_use_ssl').with_value('false')
should contain_neutron_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
should contain_neutron_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent')
should contain_neutron_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent')
should contain_neutron_config('DEFAULT/kombu_ssl_version').with_ensure('absent')
end
end

shared_examples_for 'with SSL wrongly configured' do
before do
params.merge!(
:rabbit_use_ssl => true,
:kombu_ssl_ca_certs => 'undef',
:kombu_ssl_certfile => 'undef',
:kombu_ssl_keyfile => 'undef'
)
end

context 'without required parameters' do

context 'without kombu_ssl_ca_certs parameter' do
before { params.delete(:kombu_ssl_ca_certs) }
it_raises 'a Puppet::Error', /The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true/
end

context 'without kombu_ssl_certfile parameter' do
before { params.delete(:kombu_ssl_certfile) }
it_raises 'a Puppet::Error', /The kombu_ssl_certfile parameter is required when rabbit_use_ssl is set to true/
end

context 'without kombu_ssl_keyfile parameter' do
before { params.delete(:kombu_ssl_keyfile) }
it_raises 'a Puppet::Error', /The kombu_ssl_keyfile parameter is required when rabbit_use_ssl is set to true/
end
end

end

shared_examples_for 'with syslog enabled' do
before do
params.merge!(
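Review bot: In 'with SSL disabled' and 'with SSL wrongly configured' the kombu_ssl_* params are set to the string `'undef'`, which Puppet sees as an ordinary non-empty value rather than undef. The failure contexts pass only because each `before { params.delete(...) }` removes one key, while the other two still hold the literal 'undef' as if it were a path. Leave those keys out of `params.merge!` (or pass `:undef`) so the examples exercise the real defaults, and add an example with rabbit_use_ssl true and kombu_ssl_version omitted so the default protocol version is pinned by a test.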
