scenario002: deploy RabbitMQ with SSL

* Manage Puppet OpenStack CI CA and create a common certificate,
  auto-signed.
* Configure RabbitMQ to activate SSL on scenario002
* Configure OpenStack services that run on scenario002 to connect to
  RabbitMQ using SSL protocol.

Change-Id: Ic435078472ba4e0e0eaf04a64e5bcb7aabba7b3d

README.md

@@ -33,6 +33,7 @@ scenario](#All-In-One).
 
 |     -      | scenario001 | scenario002 | scenario003 | scenario-aio |
 |:----------:|:-----------:|:-----------:|:-----------:|:-------------:
+| ssl        |     no      |      yes    |      no     |      no      |
 | keystone   |      X      |       X     |       X     |       X      |
 | glance     |     rbd     |     swift   |     file    |     file     |
 | nova       |     rbd     |       X     |       X     |       X      |

files/puppet_openstack.pem

@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIJAO2foCrPQj0dMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
+BAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIw
+EAYDVQQKDAlPcGVuU3RhY2sxDzANBgNVBAsMBlB1cHBldDAeFw0xNjAyMjcyMzQ2
+NTdaFw0xNzAyMjYyMzQ2NTdaMFkxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWVi
+ZWMxFDASBgNVBAcMC1F1ZWJlYy1DaXR5MRIwEAYDVQQKDAlPcGVuU3RhY2sxDzAN
+BgNVBAsMBlB1cHBldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8p
+3kUc+sKhB0/9G42EEcyAJeHbi6l96phKdu63k17xSCP6KetLVI3FXZ/NbHvXMrGZ
+45Z4UV47uChdI0T7rB4Thi5OgKRxKVMeCC38D7xnS4VX2HpLC+r/CMnDxPKMoZRF
+ua0r2aSY59268T2fXjNz9l5RUTTXJxdjMVDg0C4QQEnoRyeprmepRU8Nh7CINjl6
+IFmDDuyjVQFBDO4V2NN3T6tJwHmsn0ac2+3bvVKeov7T+tPv7dIFqgBVYKoPrzb6
+B/J3+h4gLV5cNJkkCX9X8Xo9T1WteHtQGPz4IKy7mpRyn3vICqK3ztknqeh6JjVm
+8vCfVgLw0M1nIFATKnECAwEAAaNQME4wHQYDVR0OBBYEFKc3gtxGBHMCwxwtE30a
+Ig5+A1w8MB8GA1UdIwQYMBaAFKc3gtxGBHMCwxwtE30aIg5+A1w8MAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABWJOH+ehGGjZrycXeFjs0ypnCpDtLNi
+PQhAOuoaejR/4MU801qRB+AGxjn+/pzm7t39hpdNRj+Vgx7BNOR6RmtMH68TCIzT
+xFKV8T55nH9DjwlSwKDtB5oqnODL7nIJ0Gi/kQBoopOfTUPBYLQZVR/m+7PF3m0I
+epdZr+NE5Qm10LEQ+v0vlmtyoDhQ2ettgJxFXURWKMq4600c6+dtGWAJlx0aN7Bb
+JSpU/bGgNxLunGR545G6y9iQsi1YwjVJyBSPBIjwnQZKshPELuhmrk18eHIRW0QD
+uMJ9kPyLU1r43CNNeWux0nsoyG72NAJKRIaOqIy9EPXTxjeTsYz/2Ts=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPKd5FHPrCoQdP
+/RuNhBHMgCXh24upfeqYSnbut5Ne8Ugj+inrS1SNxV2fzWx71zKxmeOWeFFeO7go
+XSNE+6weE4YuToCkcSlTHggt/A+8Z0uFV9h6Swvq/wjJw8TyjKGURbmtK9mkmOfd
+uvE9n14zc/ZeUVE01ycXYzFQ4NAuEEBJ6Ecnqa5nqUVPDYewiDY5eiBZgw7so1UB
+QQzuFdjTd0+rScB5rJ9GnNvt271SnqL+0/rT7+3SBaoAVWCqD682+gfyd/oeIC1e
+XDSZJAl/V/F6PU9VrXh7UBj8+CCsu5qUcp97yAqit87ZJ6noeiY1ZvLwn1YC8NDN
+ZyBQEypxAgMBAAECggEAF9jB9UK4ut6+cL66BThGtDusIKudEA2mi5FGz4PiOvOb
+UkjhumwZd5hYhqSm8Dp9Y2RLhm6jLy3ArSTLgo1V6sBkmb//nu5Hy4GRf3mcdhuN
+3fOWv70TyiFBabhXW3RExUShcwWxL/lJ94QlcOp/dXzLx1+k8Wgy38ZTTvQSArs3
+IWVR/MAAwD0CKPijn3qZX804BTAGpuQRvqAmZ5Ysg9NI6F9zKdnPvjA3q0rKE1x9
+i3SnWN93r0fspH8XtOdb7qX/5NjYWbSSdN+rjgLP7ATugjO/J94eFdPcpDVHCyb5
+UKdkQ6f8W4bDCYJfXcbamR7G8zAcJU+SLllH0dkUgQKBgQDstd3Gl2rpVG8x4/JU
+LxyhVhXU59lNZpdCGDcYKV5m37LvApkgYNSBptyq1x3F4dt/NbvZ4o15Jacmbasq
+l1qSP9c/1VRjZwhLjhgAtfJPxKvjqvL/hg3RBoK9hm3n5fkjtsVYse+1xYTcwTBh
+EIf5Evyyr8s4mrrvAf3Pz2tOlQKBgQDgC5wrQBfDKqZQBpDdcbwuMInDoBVmndgz
+ZU9IZDAcpDtk4N94au6YDw5y8Bv8Y8e5XpoR0wUMvcG9hLFl/QVw6yAdzZJx+st0
+50UAqFb80qsnW5DZU2GOWMY3FUmAKNQ64f8YQ1I5DfVerIzWRsSOUrDU9E4HgVTY
+6BH2RFuhbQKBgQC14AsWErOnsiN5zu4b9tLlt9IwczAJA6GGvDpgyzBolMrUUEe9
+lAjT0ZTNg1mx+JcBSBUdFbCj++VRZoRUxlRl+L13o38inUDHZNdWfHZBChkUZf4t
+jR/CkmEUJF0ACDiEU2OQga9wF+K9B4cXnW8MVqVo2h+oT2MAT6Rn7rRBfQKBgQCO
+ljT8vZyh5AnWkmct182Io/F5Y+9a0IghJY/QpZqND+SQ7iCq9XsFoUdz1OYquaIJ
+knCBeYgUNMwRflqcauxEkg9tiEB0c8V6kBk1Mu2xl62/raHA/jTvMAZuVgjiHJn9
+I4mC+o1grEaFy1ESqhU78tqBnT3vvtqt9PxBe/3I/QKBgQCxiTa8UVbCEsaeuZaU
+v2Q/Ca6xaBPXNFG5zQzElyDT7xGqo1LrQcOZijiY39bGg4O+9jVlkWpu3nfdOYc6
+LnM5U/5/2mNa4qmO/ntypQJBuAYHvEKwZnNp0jRB7XHiqenrkMCMfxABbPO1Yksj
+NvVFs8W/3TAiZXoZVqKttZuE9g==
+-----END PRIVATE KEY-----

fixtures/scenario002.pp

@@ -15,17 +15,29 @@
 #
 
 include ::openstack_integration
-include ::openstack_integration::rabbitmq
+include ::openstack_integration::cacert
+class { '::openstack_integration::rabbitmq':
+  ssl => true,
+}
 include ::openstack_integration::mysql
 include ::openstack_integration::keystone
 class { '::openstack_integration::glance':
   backend => 'swift',
+  ssl     => true,
+}
+class { '::openstack_integration::neutron':
+  ssl => true,
+}
+class { '::openstack_integration::nova':
+  ssl => true,
+}
+class { '::openstack_integration::cinder':
+  ssl => true,
 }
-include ::openstack_integration::neutron
-include ::openstack_integration::nova
-include ::openstack_integration::cinder
 include ::openstack_integration::swift
-include ::openstack_integration::ironic
+class { '::openstack_integration::ironic':
+  ssl => true,
+}
 include ::openstack_integration::mongodb
 include ::openstack_integration::provision
 

manifests/cacert.pp

@@ -0,0 +1,20 @@
+class openstack_integration::cacert {
+
+  include ::openstack_integration::params
+
+  file { $::openstack_integration::params::cert_path:
+    ensure                  => present,
+    owner                   => 'root',
+    group                   => 'root',
+    mode                    => '0444',
+    source                  => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
+    selinux_ignore_defaults => true,
+    replace                 => true,
+  }
+  exec { 'update-ca-certificates':
+    command     => $::openstack_integration::params::update_ca_certs_cmd,
+    subscribe   => File[$::openstack_integration::params::cert_path],
+    refreshonly => true,
+  }
+
+}

manifests/cinder.pp

@@ -5,10 +5,21 @@
 #   Can be 'iscsi' or 'rbd'.
 #   Defaults to 'iscsi'.
 #
+# [*ssl*]
+#   (optional) Boolean to enable or not SSL.
+#   Defaults to false.
+#
 class openstack_integration::cinder (
   $backend = 'iscsi',
+  $ssl     = false,
 ) {
 
+  if $ssl {
+    $rabbit_port = '5671'
+  } else {
+    $rabbit_port = '5672'
+  }
+
   rabbitmq_user { 'cinder':
     admin    => true,
     password => 'an_even_bigger_secret',
@@ -32,8 +43,10 @@ class openstack_integration::cinder (
   class { '::cinder':
     database_connection => 'mysql+pymysql://cinder:cinder@127.0.0.1/cinder?charset=utf8',
     rabbit_host         => '127.0.0.1',
+    rabbit_port         => $rabbit_port,
     rabbit_userid       => 'cinder',
     rabbit_password     => 'an_even_bigger_secret',
+    rabbit_use_ssl      => $ssl,
     verbose             => true,
     debug               => true,
   }

manifests/glance.pp

@@ -5,10 +5,21 @@
 #   Can be 'file', 'swift' or 'rbd'.
 #   Defaults to 'file'.
 #
+# [*ssl*]
+#   (optional) Boolean to enable or not SSL.
+#   Defaults to false.
+#
 class openstack_integration::glance (
   $backend = 'file',
+  $ssl     = false,
 ) {
 
+  if $ssl {
+    $rabbit_port = '5671'
+  } else {
+    $rabbit_port = '5672'
+  }
+
   rabbitmq_user { 'glance':
     admin    => true,
     password => 'an_even_bigger_secret',
@@ -79,7 +90,9 @@ class openstack_integration::glance (
     rabbit_userid       => 'glance',
     rabbit_password     => 'an_even_bigger_secret',
     rabbit_host         => '127.0.0.1',
+    rabbit_port         => $rabbit_port,
     notification_driver => 'messagingv2',
+    rabbit_use_ssl      => $ssl,
   }
 
 }

manifests/ironic.pp

@@ -1,4 +1,18 @@
-class openstack_integration::ironic {
+# Configure the Ironic service
+#
+# [*ssl*]
+#   (optional) Boolean to enable or not SSL.
+#   Defaults to false.
+#
+class openstack_integration::ironic (
+  $ssl = false,
+) {
+
+  if $ssl {
+    $rabbit_port = '5671'
+  } else {
+    $rabbit_port = '5672'
+  }
 
   rabbitmq_user { 'ironic':
     admin    => true,
@@ -18,6 +32,8 @@ class openstack_integration::ironic {
     rabbit_userid       => 'ironic',
     rabbit_password     => 'an_even_bigger_secret',
     rabbit_host         => '127.0.0.1',
+    rabbit_port         => $rabbit_port,
+    rabbit_use_ssl      => $ssl,
     database_connection => 'mysql+pymysql://ironic:ironic@127.0.0.1/ironic?charset=utf8',
     debug               => true,
     verbose             => true,

manifests/neutron.pp

@@ -1,4 +1,18 @@
-class openstack_integration::neutron {
+# Configure the Neutron services
+#
+# [*ssl*]
+#   (optional) Boolean to enable or not SSL.
+#   Defaults to false.
+#
+class openstack_integration::neutron (
+  $ssl = false,
+) {
+
+  if $ssl {
+    $rabbit_port = '5671'
+  } else {
+    $rabbit_port = '5672'
+  }
 
   rabbitmq_user { 'neutron':
     admin    => true,
@@ -24,6 +38,8 @@ class openstack_integration::neutron {
     rabbit_user           => 'neutron',
     rabbit_password       => 'an_even_bigger_secret',
     rabbit_host           => '127.0.0.1',
+    rabbit_port           => $rabbit_port,
+    rabbit_use_ssl        => $ssl,
     allow_overlapping_ips => true,
     core_plugin           => 'ml2',
     service_plugins       => ['router', 'metering', 'firewall'],

manifests/nova.pp

@@ -5,10 +5,21 @@
 #   to use Libvirt RBD backend.
 #   Defaults to false.
 #
+# [*ssl*]
+#   (optional) Boolean to enable or not SSL.
+#   Defaults to false.
+#
 class openstack_integration::nova (
   $libvirt_rbd = false,
+  $ssl         = false,
 ) {
 
+  if $ssl {
+    $rabbit_port = '5671'
+  } else {
+    $rabbit_port = '5672'
+  }
+
   rabbitmq_user { 'nova':
     admin    => true,
     password => 'an_even_bigger_secret',
@@ -36,8 +47,10 @@ class openstack_integration::nova (
     database_connection     => 'mysql+pymysql://nova:nova@127.0.0.1/nova?charset=utf8',
     api_database_connection => 'mysql+pymysql://nova_api:nova@127.0.0.1/nova_api?charset=utf8',
     rabbit_host             => '127.0.0.1',
+    rabbit_port             => $rabbit_port,
     rabbit_userid           => 'nova',
     rabbit_password         => 'an_even_bigger_secret',
+    rabbit_use_ssl          => $ssl,
     glance_api_servers      => 'http://127.0.0.1:9292',
     verbose                 => true,
     debug                   => true,

manifests/params.pp

@@ -0,0 +1,19 @@
+class openstack_integration::params {
+
+  case $::osfamily {
+    'RedHat': {
+      $cacert_path         = '/etc/ssl/certs/ca-bundle.crt'
+      $cert_path           = '/etc/pki/ca-trust/source/anchors/puppet_openstack.crt'
+      $update_ca_certs_cmd = '/usr/bin/update-ca-trust force-enable && /usr/bin/update-ca-trust extract'
+    }
+    'Debian': {
+      $cacert_path         = '/etc/ssl/certs/puppet_openstack.pem'
+      $cert_path           = '/usr/local/share/ca-certificates/puppet_openstack.crt'
+      $update_ca_certs_cmd = '/usr/sbin/update-ca-certificates'
+    }
+    default: {
+      fail("Unsupported osfamily: ${::osfamily} operatingsystem")
+    }
+  }
+
+}

manifests/rabbitmq.pp

@@ -1,4 +1,14 @@
-class openstack_integration::rabbitmq {
+# Configure the RabbitMQ service
+#
+# [*ssl*]
+#   (optional) Boolean to enable or not SSL.
+#   Defaults to false.
+#
+class openstack_integration::rabbitmq (
+  $ssl = false,
+) {
+
+  include ::openstack_integration::params
 
   case $::osfamily {
     'Debian': {
@@ -12,9 +22,33 @@ class openstack_integration::rabbitmq {
     }
   }
 
+  if $ssl {
+    file { '/etc/rabbitmq/ssl/private':
+      ensure                  => directory,
+      owner                   => 'root',
+      mode                    => '0755',
+      selinux_ignore_defaults => true,
+      before                  => File["/etc/rabbitmq/ssl/private/${::fqdn}.pem"],
+    }
+    openstack_integration::ssl_key { 'rabbitmq':
+      key_path => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
+      require  => File['/etc/rabbitmq/ssl'],
+      notify   => Service['rabbitmq-server'],
+    }
     class { '::rabbitmq':
       delete_guest_user => true,
       package_provider  => $package_provider,
+      ssl               => true,
+      ssl_only          => true,
+      ssl_cacert        => $::openstack_integration::params::cacert_path,
+      ssl_cert          => $::openstack_integration::params::cert_path,
+      ssl_key           => "/etc/rabbitmq/ssl/private/${::fqdn}.pem",
+    }
+  } else {
+    class { '::rabbitmq':
+      delete_guest_user => true,
+      package_provider  => $package_provider,
+    }
   }
   rabbitmq_vhost { '/':
     provider => 'rabbitmqctl',

manifests/ssl_key.pp

@@ -0,0 +1,42 @@
+# Deploy SSL private keys
+#
+# [*key_path*]
+#   (optional) Path of SSL private key
+#   Defaults to undef.
+#
+define openstack_integration::ssl_key(
+  $key_path = undef,
+) {
+  if $key_path == undef {
+    $_key_path  = "/etc/${name}/ssl/private/${::fqdn}.pem"
+  } else {
+    $_key_path = $key_path
+  }
+
+  # If the user isn't providing an unexpected path, create the directory
+  # structure.
+  if $key_path == undef {
+    file { "/etc/${name}/ssl":
+      ensure                  => directory,
+      owner                   => $name,
+      mode                    => '0775',
+      selinux_ignore_defaults => true,
+    }
+    file { "/etc/${name}/ssl/private":
+      ensure                  => directory,
+      owner                   => $name,
+      mode                    => '0755',
+      require                 => File["/etc/${name}/ssl"],
+      selinux_ignore_defaults => true,
+      before                  => File[$_key_path]
+    }
+  }
+
+  file { $_key_path:
+    ensure                  => present,
+    owner                   => $name,
+    source                  => 'puppet:///modules/openstack_integration/puppet_openstack.pem',
+    selinux_ignore_defaults => true,
+    mode                    => '0600',
+  }
+}