Mark Goddard 761ea9a333 Support TLS encryption of RabbitMQ client-server traffic
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.

The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.

RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
the Zuul 'tls_enabled' variable is true.

Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
2020-09-17 12:05:44 +01:00


{#
  RabbitMQ container configuration template (JSON rendered through Jinja).
  "command" is the server binary to run. Each "config_files" entry maps a
  source under container_config_directory to a dest under /etc/rabbitmq,
  with owner "rabbitmq" and perm "0600". "permissions" lists paths whose
  owner is set to rabbitmq:rabbitmq recursively.
  NOTE(review): presumably read by the container's start-up config step,
  which is not shown here; confirm against the consumer.
  The trailing "-" on this comment strips the newline after it, so the
  rendered output still begins with "{".
-#}
{
"command": "/usr/sbin/rabbitmq-server",
"config_files": [
{
"source": "{{ container_config_directory }}/rabbitmq-env.conf",
"dest": "/etc/rabbitmq/rabbitmq-env.conf",
"owner": "rabbitmq",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/rabbitmq.conf",
"dest": "/etc/rabbitmq/rabbitmq.conf",
"owner": "rabbitmq",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/erl_inetrc",
"dest": "/etc/rabbitmq/erl_inetrc",
"owner": "rabbitmq",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/definitions.json",
"dest": "/etc/rabbitmq/definitions.json",
"owner": "rabbitmq",
"perm": "0600"
}{% if rabbitmq_enable_tls | bool %},
{#- TLS only: when rabbitmq_enable_tls is true, the certificate and its
    private key are added under /etc/rabbitmq/certs. The separating comma
    sits inside the conditional so the array stays valid JSON when TLS is
    off. The key entry is owner "rabbitmq", perm "0600", so only that user
    can read it at the destination.
    NOTE(review): the permissions of the source file under
    container_config_directory are not set here; confirm they are equally
    restrictive on the host. #}
{
"source": "{{ container_config_directory }}/{{ project_name }}-cert.pem",
"dest": "/etc/rabbitmq/certs/{{ project_name }}-cert.pem",
"owner": "rabbitmq",
"perm": "0600"
},
{
"source": "{{ container_config_directory }}/{{ project_name }}-key.pem",
"dest": "/etc/rabbitmq/certs/{{ project_name }}-key.pem",
"owner": "rabbitmq",
"perm": "0600"
}{% endif %}
],
"permissions": [
{
"path": "/var/lib/rabbitmq",
"owner": "rabbitmq:rabbitmq",
"recurse": true
},
{
"path": "/var/log/kolla/{{ project_name }}",
"owner": "rabbitmq:rabbitmq",
"recurse": true
}
]
}