Merge lp:~vds/charms/trusty/contrail-configuration/TLS_support_for_RabbitMQ_connection into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk

Proposed by Vincenzo Di Somma
Status: Merged
Merged at revision: 71
Proposed branch: lp:~vds/charms/trusty/contrail-configuration/TLS_support_for_RabbitMQ_connection
Merge into: lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
Diff against target: 79 lines (+14/-2)
5 files modified
hooks/contrail_configuration_utils.py (+10/-2)
templates/contrail-api.conf (+1/-0)
templates/contrail-device-manager.conf (+1/-0)
templates/contrail-schema.conf (+1/-0)
templates/contrail-svc-monitor.conf (+1/-0)
To merge this branch: bzr merge lp:~vds/charms/trusty/contrail-configuration/TLS_support_for_RabbitMQ_connection
Reviewer | Review Type | Date Requested | Status
Robert Ayres (community) | | | Approve
Review via email: mp+330838@code.launchpad.net

Commit message

Adding support for SSL/TLS connection to the RabbitMQ connection.

Description of the change

Adding support for SSL/TLS connection to the RabbitMQ connection.

Robert Ayres (robert-ayres) wrote :

Thanks for the patch!

I'm struggling to make this work in testing atm. This is using trusty + Contrail 3.2.3.

I've generated certs, keys, ca-certs for rabbitmq-server unit and am using the appropriate 'ssl_*' options. I can see RabbitMQ is listening on SSL socket (5671) and the config is pointed at the right certs + keys.

However contrail-api (on contrail-configuration unit) using option 'rabbit_use_ssl = True' won't connect to it.

RabbitMQ logs show:

=ERROR REPORT==== 22-Sep-2017::20:27:43 ===
error on AMQP connection <0.19312.0>: {ssl_upgrade_error,
                                       {certfile,{badmatch,[]}}} (unknown POSIX error)

I've tried combinations of ports (5672, 5671) and 'kombu_ssl_*' options, but nothing gets contrail-api to connect atm.

Are you able to make it work?

The other thing to note in this patch is these contrail-configuration configs should probably also be updated with 'rabbit_use_ssl' option:

contrail-device-manager.conf
contrail-svc-monitor.conf
contrail-schema.conf

review: Needs Fixing
Vincenzo Di Somma (vds) wrote :

I've fixed the missing parameter in all the templates. I can't see any error in the log.

Robert Ayres (robert-ayres) wrote :

Apologies for the delay.

review: Approve

Preview Diff

1=== modified file 'hooks/contrail_configuration_utils.py'
2--- hooks/contrail_configuration_utils.py 2017-08-24 03:36:31 +0000
3+++ hooks/contrail_configuration_utils.py 2017-09-25 10:09:39 +0000
4@@ -96,17 +96,25 @@
5 def amqp_ctx():
6 ctxs = []
7 servers = OrderedDict()
8+ ssl = False
9+ port = "5672"
10 for rid in relation_ids("amqp"):
11 for unit in related_units(rid):
12 password = relation_get("password", unit, rid)
13 if not password:
14 continue
15+ ssl_port = relation_get("ssl_port")
16+ if ssl_port:
17+ port = ssl_port
18+ ssl= True
19 ctxs.append({"rabbit_user": "contrail",
20 "rabbit_password": password,
21- "rabbit_vhost": "contrail"})
22+ "rabbit_vhost": "contrail",
23+ "rabbit_use_ssl": ssl,})
24 vip = relation_get("vip", unit, rid)
25+
26 server = (vip if vip \
27- else gethostbyname(relation_get("hostname", unit, rid))) + ":5672"
28+ else gethostbyname(relation_get("hostname", unit, rid))) + ":" + port
29 servers[server] = None
30 ctx = ctxs[0] if ctxs else {}
31 ctx["rabbit_servers"] = servers.keys()
32
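Review bot: 'ssl_port = relation_get("ssl_port")' in the inner loop is called without 'unit, rid', unlike the 'password', 'vip' and 'hostname' lookups around it, so it does not name the amqp unit and relation being iterated; pass them here as well: 'relation_get("ssl_port", unit, rid)'. 'ssl' and 'port' are also set once above both loops and never reset, so after one unit advertises an 'ssl_port' every later unit is given that port, while 'ctx = ctxs[0]' takes 'rabbit_use_ssl' from the first unit only. A mixed set of units can therefore end up with a TLS port in 'rabbit_servers' and 'rabbit_use_ssl' False, or the reverse; compute both values per unit, or decide them once for the whole relation. Minor: the local name 'ssl' shadows the standard-library module name, and 'ssl= True' is missing a space before '='.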
33=== modified file 'templates/contrail-api.conf'
34--- templates/contrail-api.conf 2017-06-29 01:54:34 +0000
35+++ templates/contrail-api.conf 2017-09-25 10:09:39 +0000
36@@ -26,6 +26,7 @@
37 rabbit_user = {{ rabbit_user }}
38 rabbit_password = {{ rabbit_password }}
39 rabbit_vhost = {{ rabbit_vhost }}
40+rabbit_use_ssl = {{ rabbit_use_ssl }}
41
42 [KEYSTONE]
43 auth_host = {{ auth_host }}
44
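Review bot: the added 'rabbit_use_ssl = {{ rabbit_use_ssl }}' line switches the client to TLS, but neither this hunk nor the context built in amqp_ctx() carries a CA certificate path or any of the 'kombu_ssl_*' options mentioned in the review, so this change gives the client no trust anchor to verify the broker certificate against. If the broker certificate is meant to be verified, pass the CA path through the context and render it next to this line; otherwise document that the connection is encrypted but the server is not authenticated.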
45=== modified file 'templates/contrail-device-manager.conf'
46--- templates/contrail-device-manager.conf 2017-03-29 20:04:12 +0000
47+++ templates/contrail-device-manager.conf 2017-09-25 10:09:39 +0000
48@@ -17,6 +17,7 @@
49 rabbit_user = {{ rabbit_user }}
50 rabbit_password = {{ rabbit_password }}
51 rabbit_vhost = {{ rabbit_vhost }}
52+rabbit_use_ssl = {{ rabbit_use_ssl }}
53
54 [KEYSTONE]
55 admin_user = {{ admin_user }}
56
57=== modified file 'templates/contrail-schema.conf'
58--- templates/contrail-schema.conf 2017-03-29 20:04:12 +0000
59+++ templates/contrail-schema.conf 2017-09-25 10:09:39 +0000
60@@ -15,6 +15,7 @@
61 rabbit_user = {{ rabbit_user }}
62 rabbit_password = {{ rabbit_password }}
63 rabbit_vhost = {{ rabbit_vhost }}
64+rabbit_use_ssl = {{ rabbit_use_ssl }}
65 {%- endif %}
66
67 [KEYSTONE]
68
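Review bot: in this template the new 'rabbit_use_ssl' line sits directly above '{%- endif %}', so it is only rendered when the enclosing condition holds, while the same line in the other three templates has no guard in the visible context. When there is no amqp unit, amqp_ctx() falls back to 'ctx = {}' and 'rabbit_use_ssl' is not set, so check how those templates render in that case and consider an explicit default such as '{{ rabbit_use_ssl | default(False) }}'.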
69=== modified file 'templates/contrail-svc-monitor.conf'
70--- templates/contrail-svc-monitor.conf 2017-03-29 20:04:12 +0000
71+++ templates/contrail-svc-monitor.conf 2017-09-25 10:09:39 +0000
72@@ -21,6 +21,7 @@
73 rabbit_user = {{ rabbit_user }}
74 rabbit_password = {{ rabbit_password }}
75 rabbit_vhost = {{ rabbit_vhost }}
76+rabbit_use_ssl = {{ rabbit_use_ssl }}
77
78 [KEYSTONE]
79 auth_host = {{ auth_host }}
