761ea9a333
This change adds support for encryption of communication between OpenStack services and RabbitMQ. Server certificates are supported, but currently client certificates are not. The kolla-ansible certificates command has been updated to support generating certificates for RabbitMQ for development and testing. RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when The Zuul 'tls_enabled' variable is true. Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5 Implements: blueprint message-queue-ssl-support
194 lines
6.2 KiB
YAML
194 lines
6.2 KiB
YAML
---
|
|
- import_role:
|
|
name: service-precheck
|
|
vars:
|
|
service_precheck_services: "{{ rabbitmq_services }}"
|
|
service_name: "{{ project_name }}"
|
|
|
|
- name: Get container facts
|
|
become: true
|
|
kolla_container_facts:
|
|
name:
|
|
- rabbitmq
|
|
- outward_rabbitmq
|
|
register: container_facts
|
|
|
|
- name: Checking free port for RabbitMQ
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ rabbitmq_port }}"
|
|
connect_timeout: 1
|
|
timeout: 1
|
|
state: stopped
|
|
when:
|
|
- container_facts['rabbitmq'] is not defined
|
|
- inventory_hostname in groups['rabbitmq']
|
|
|
|
- name: Checking free port for RabbitMQ Management
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ rabbitmq_management_port }}"
|
|
connect_timeout: 1
|
|
timeout: 1
|
|
state: stopped
|
|
when:
|
|
- container_facts['rabbitmq'] is not defined
|
|
- inventory_hostname in groups['rabbitmq']
|
|
|
|
- name: Checking free port for RabbitMQ Cluster
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ rabbitmq_cluster_port }}"
|
|
connect_timeout: 1
|
|
timeout: 1
|
|
state: stopped
|
|
when:
|
|
- container_facts['rabbitmq'] is not defined
|
|
- inventory_hostname in groups['rabbitmq']
|
|
|
|
- name: Checking free port for RabbitMQ EPMD
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ rabbitmq_epmd_port }}"
|
|
connect_timeout: 1
|
|
timeout: 1
|
|
state: stopped
|
|
when:
|
|
- container_facts['rabbitmq'] is not defined
|
|
- inventory_hostname in groups['rabbitmq']
|
|
|
|
- name: Check if all rabbit hostnames are resolvable
|
|
vars:
|
|
nss_database: "{{ 'ahostsv4' if api_address_family == 'ipv4' else 'ahostsv6' }}"
|
|
command: "getent {{ nss_database }} {{ hostvars[item]['ansible_hostname'] }}"
|
|
changed_when: false
|
|
register: rabbitmq_hostnames
|
|
with_items: "{{ groups['rabbitmq'] }}"
|
|
|
|
- name: Check if each rabbit hostname resolves uniquely to the proper IP address
|
|
fail:
|
|
msg: Hostname has to resolve uniquely to the IP address of api_interface
|
|
with_subelements:
|
|
- "{{ rabbitmq_hostnames.results }}"
|
|
- stdout_lines
|
|
when:
|
|
- not item.1 is match('^'+('api' | kolla_address(item.0.item))+'\\b')
|
|
|
|
- name: Check if TLS certificate exists for RabbitMQ
|
|
vars:
|
|
cert: "{{ query('first_found', paths, errors='ignore') }}"
|
|
paths:
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/rabbitmq-cert.pem"
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
|
|
- "{{ kolla_certificates_dir }}/rabbitmq-cert.pem"
|
|
fail:
|
|
msg: No TLS certificate provided for RabbitMQ.
|
|
when:
|
|
- rabbitmq_enable_tls | bool
|
|
- cert | length == 0
|
|
|
|
- name: Check if TLS key exists for RabbitMQ
|
|
vars:
|
|
key: "{{ query('first_found', paths, errors='ignore') }}"
|
|
paths:
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/rabbitmq-key.pem"
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
|
|
- "{{ kolla_certificates_dir }}/rabbitmq-key.pem"
|
|
fail:
|
|
msg: No TLS key provided for RabbitMQ.
|
|
when:
|
|
- rabbitmq_enable_tls | bool
|
|
- key | length == 0
|
|
|
|
- name: Checking free port for outward RabbitMQ
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ outward_rabbitmq_port }}"
|
|
connect_timeout: 1
|
|
state: stopped
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
- inventory_hostname in groups['outward-rabbitmq']
|
|
- container_facts['outward_rabbitmq'] is not defined
|
|
|
|
- name: Checking free port for outward RabbitMQ Management
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ outward_rabbitmq_management_port }}"
|
|
connect_timeout: 1
|
|
state: stopped
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
- inventory_hostname in groups['outward-rabbitmq']
|
|
- container_facts['outward_rabbitmq'] is not defined
|
|
|
|
- name: Checking free port for outward RabbitMQ Cluster
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ outward_rabbitmq_cluster_port }}"
|
|
connect_timeout: 1
|
|
state: stopped
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
- inventory_hostname in groups['outward-rabbitmq']
|
|
- container_facts['outward_rabbitmq'] is not defined
|
|
|
|
- name: Checking free port for outward RabbitMQ EPMD
|
|
wait_for:
|
|
host: "{{ api_interface_address }}"
|
|
port: "{{ outward_rabbitmq_epmd_port }}"
|
|
connect_timeout: 1
|
|
state: stopped
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
- inventory_hostname in groups['outward-rabbitmq']
|
|
- container_facts['outward_rabbitmq'] is not defined
|
|
|
|
- name: Check if all outward rabbit hostnames are resolvable
|
|
vars:
|
|
nss_database: "{{ 'ahostsv4' if api_address_family == 'ipv4' else 'ahostsv6' }}"
|
|
command: "getent {{ nss_database }} {{ hostvars[item]['ansible_hostname'] }}"
|
|
changed_when: false
|
|
register: outward_rabbitmq_hostnames
|
|
with_items: "{{ groups['outward-rabbitmq'] }}"
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
|
|
- name: Check if each rabbit hostname resolves uniquely to the proper IP address
|
|
fail:
|
|
msg: Hostname has to resolve uniquely to the IP address of api_interface
|
|
with_subelements:
|
|
- "{{ outward_rabbitmq_hostnames.results }}"
|
|
- stdout_lines
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
- not item.1 is match('^'+('api' | kolla_address(item.0.item))+'\\b')
|
|
|
|
- name: Check if TLS certificate exists for outward RabbitMQ
|
|
vars:
|
|
cert: "{{ query('first_found', paths, errors='ignore') }}"
|
|
paths:
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/outward_rabbitmq-cert.pem"
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-cert.pem"
|
|
- "{{ kolla_certificates_dir }}/outward_rabbitmq-cert.pem"
|
|
fail:
|
|
msg: No TLS certificate provided for outward RabbitMQ.
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
- rabbitmq_enable_tls | bool
|
|
- cert | length == 0
|
|
|
|
- name: Check if TLS key exists for outward RabbitMQ
|
|
vars:
|
|
key: "{{ query('first_found', paths, errors='ignore') }}"
|
|
paths:
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}/outward_rabbitmq-key.pem"
|
|
- "{{ kolla_certificates_dir }}/{{ inventory_hostname }}-key.pem"
|
|
- "{{ kolla_certificates_dir }}/outward_rabbitmq-key.pem"
|
|
fail:
|
|
msg: No TLS key provided for outward RabbitMQ.
|
|
when:
|
|
- enable_outward_rabbitmq | bool
|
|
- rabbitmq_enable_tls | bool
|
|
- key | length == 0
|