SM-Rabbit-SSL: Add SSL for more cases to rabbitmq

Closes-Bug: #1636306
Closes-Bug: #1635461

1. support external rabbitmq with ssl enabled.
2. added 2 more input variable for openstack rabbitmq-ssl and
contrail-rabbitmq-ssl.
3. remove set_rabbit_tcp_params.py as this can be achieved by sysctl::value.

Change-Id: I7219abf511d6e08b3fbc6206165aa73ccb1ce188

contrail/environment/modules/contrail/manifests/compute/config.pp

@@ -48,7 +48,7 @@
   $glance_management_address = $::contrail::params::os_glance_mgmt_address,
   $host_roles = $::contrail::params::host_roles,
   $neutron_ip_to_use = $::contrail::params::neutron_ip_to_use,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::contrail_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,
@@ -217,18 +217,8 @@
   }
 
   if ($rabbit_use_ssl) {
-    file {['/etc/rabbitmq','/etc/rabbitmq/ssl']:
-      ensure  => directory,
-    } ->
-    file { '/etc/rabbitmq/ssl/server.pem' :
-      source => "puppet:///ssl_certs/$hostname.pem"
-    } ->
-    file { '/etc/rabbitmq/ssl/server-privkey.pem' :
-      source => "puppet:///ssl_certs/$hostname-privkey.pem"
-    } ->
-    file { '/etc/rabbitmq/ssl/ca-cert.pem' :
-      source => "puppet:///ssl_certs/ca-cert.pem"
-    }
+    contrail::lib::rabbitmq_ssl{'compute_rabbitmq':rabbit_use_ssl => $rabbit_use_ssl}
+
     $nova_params['oslo_messaging_rabbit/kombu_ssl_ca_certs'] = {value => $kombu_ssl_ca_certs }
     $nova_params['oslo_messaging_rabbit/rabbit_use_ssl']     = {value => $rabbit_use_ssl}
     $nova_params['oslo_messaging_rabbit/kombu_ssl_certfile'] = {value => $kombu_ssl_certfile}

contrail/environment/modules/contrail/manifests/config/config.pp

@@ -45,7 +45,7 @@
   $contrail_logoutput = $::contrail::params::contrail_logoutput,
   $host_roles = $::contrail::params::host_roles,
   $config_manage_db = $::contrail::params::config_manage_db,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::contrail_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,

contrail/environment/modules/contrail/manifests/init.pp

@@ -745,7 +745,9 @@
     $config_manage_db = true,
     $global_controller_ip_list = undef,
     $global_controller_name_list = undef,
-    $rabbit_ssl_support = false
+    $rabbit_ssl_support = false,
+    $config_amqp_use_ssl = undef,
+    $os_amqp_use_ssl = undef,
 ) {
     class { '::contrail::params':
         # Common Parameters
@@ -838,7 +840,9 @@
 	amqp_server_ip =>			hiera(openstack::amqp::server_ip, hiera(contrail::params::amqp_server_ip, $amqp_server_ip)),
         openstack_amqp_ip_list =>               hiera(openstack::amqp::ip_list, hiera(contrail::params::openstack_amqp_ip_list, $openstack_amqp_ip_list)),
         openstack_amqp_port =>                  hiera(openstack::amqp::port, hiera(contrail::params::openstack_amqp_port, $openstack_amqp_port)),
-        rabbit_ssl_support  =>     hiera(openstack::amqp::ssl_enable, $rabbit_ssl_support),
+        rabbit_ssl_support  =>     hiera(contrail::amqp_ssl, $rabbit_ssl_support),
+        config_amqp_ssl     =>     hiera(contrail::config::amqp_use_ssl, $config_amqp_use_ssl),
+        openstack_amqp_ssl  =>     hiera(openstack::amqp::use_ssl, $os_amqp_use_ssl),
 
     os_verbose                => hiera(openstack::verbose, $openstack_verbose),
     os_debug                  => hiera(openstack::debug, $openstack_debug),

contrail/environment/modules/contrail/manifests/lib/rabbitmq_ssl.pp

@@ -0,0 +1,21 @@
+define contrail::lib::rabbitmq_ssl(
+  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
+  $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
+  $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,
+){
+  if ($rabbit_use_ssl) {
+    file {['/etc/rabbitmq','/etc/rabbitmq/ssl']:
+      ensure  => directory,
+    } ->
+    file { $kombu_ssl_certfile:
+      source => "puppet:///ssl_certs/$hostname.pem"
+    } ->
+    file { $kombu_ssl_keyfile :
+      source => "puppet:///ssl_certs/$hostname-privkey.pem"
+    } ->
+    file { $kombu_ssl_ca_certs:
+      source => "puppet:///ssl_certs/ca-cert.pem"
+    }
+  }
+}

contrail/environment/modules/contrail/manifests/params.pp

@@ -763,7 +763,9 @@
     $user_ceph_config,
     $global_controller_ip_list,
     $global_controller_name_list,
-    $rabbit_ssl_support
+    $rabbit_ssl_support,
+    $config_amqp_ssl,
+    $openstack_amqp_ssl,
 ) {
     if (($contrail_internal_vip != '') or
         ($internal_vip != '') or
@@ -866,20 +868,37 @@
     #rabbit host has same logic as config_ip
     $contrail_rabbit_host = $config_ip_to_use
 
-    $contrail_rabbit_ip_list = pick($contrail_amqp_ip_list, $config_ip_list)
-    $contrail_rabbit_port =    pick($contrail_amqp_port, "5672")
+    if (size($contrail_amqp_ip_list) > 0) {
+      $contrail_rabbit_ip_list = $contrail_amqp_ip_list
+    } else {
+      $contrail_rabbit_ip_list = $config_ip_list
+    }
+
+    $contrail_amqp_ssl = pick($config_amqp_ssl, $rabbit_ssl_support)
+    if $contrail_amqp_ssl {
+      $contrail_amqp_ssl_port = "5671"
+    }
+    $contrail_rabbit_port = pick($contrail_amqp_port,
+                                 $contrail_amqp_ssl_port,
+                                 "5672")
 
     if ($openstack_manage_amqp) {
-        $openstack_rabbit_ip_list = $openstack_ip_list
-    } elsif ($openstack_amqp_ip_list != '') {
-        $openstack_rabbit_ip_list = $openstack_amqp_ip_list
-    } elsif ($contrail_amqp_ip_list != '') {
-        $openstack_rabbit_ip_list = $contrail_amqp_ip_list
+      $openstack_rabbit_ip_list = $openstack_ip_list
+    } elsif (size($openstack_amqp_ip_list) > 0 ) {
+      $openstack_rabbit_ip_list = $openstack_amqp_ip_list
+    } elsif (size($contrail_amqp_ip_list) > 0) {
+      $openstack_rabbit_ip_list = $contrail_amqp_ip_list
     } else {
-        $openstack_rabbit_ip_list = $config_ip_list
+      $openstack_rabbit_ip_list = $config_ip_list
     }
 
-    $openstack_rabbit_port = pick($openstack_amqp_port, "5672")
+    $os_amqp_ssl = pick($openstack_amqp_ssl, $rabbit_ssl_support)
+    if $os_amqp_ssl {
+      $os_amqp_ssl_port = "5671"
+    }
+    $openstack_rabbit_port = pick($openstack_amqp_port,
+                                  $os_amqp_ssl_port,
+                                  "5672")
 
     if ($rabbit_ssl_support) {
       $rabbit_port_real = "5671"

contrail/environment/modules/contrail/manifests/profile/openstack/ceilometer.pp

@@ -18,7 +18,7 @@
   $openstack_rabbit_servers   = $::contrail::params::openstack_rabbit_hosts,
   $controller_mgmt_address    = $::contrail::params::os_controller_mgmt_address,
   $keystone_ip_to_use = $::contrail::params::keystone_ip_to_use,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::os_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,

contrail/environment/modules/contrail/manifests/profile/openstack/cinder.pp

@@ -17,7 +17,7 @@
   $openstack_rabbit_servers   = $::contrail::params::openstack_rabbit_hosts,
   $keystone_auth_host         = $::contrail::params::os_controller_mgmt_address,
   $glance_management_address  = $::contrail::params::os_glance_mgmt_address,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::os_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,

contrail/environment/modules/contrail/manifests/profile/openstack/glance.pp

@@ -18,7 +18,7 @@
   $storage_management_address = $::contrail::params::os_glance_mgmt_address,
   $keystone_ip_to_use   = $::contrail::params::keystone_ip_to_use,
   $keystone_region_name = $::contrail::params::keystone_region_name,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::os_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,

contrail/environment/modules/contrail/manifests/profile/openstack/heat.pp

@@ -20,7 +20,7 @@
   $controller_mgmt_address    = $::contrail::params::os_controller_mgmt_address,
   $openstack_rabbit_servers   = $::contrail::params::openstack_rabbit_hosts,
   $keystone_ip_to_use = $::contrail::params::keystone_ip_to_use,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::os_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,

contrail/environment/modules/contrail/manifests/profile/openstack/keystone.pp

@@ -9,7 +9,7 @@
   $allowed_hosts      = $::contrail::params::os_mysql_allowed_hosts,
   $admin_token        = $::contrail::params::os_keystone_admin_token,
   $keystone_ip_to_use = $::contrail::params::keystone_ip_to_use,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::os_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,

contrail/environment/modules/contrail/manifests/profile/openstack/nova.pp

@@ -23,7 +23,7 @@
   $keystone_ip_to_use         = $::contrail::params::keystone_ip_to_use,
   $keystone_admin_password    = $::contrail::params::keystone_admin_password,
   $config_ip_to_use           = $::contrail::params::config_ip_to_use,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::os_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,

contrail/environment/modules/contrail/manifests/profile/openstack_controller.pp

@@ -20,7 +20,7 @@
   $openstack_manage_amqp = $::contrail::params::openstack_manage_amqp,
   $openstack_ip_list = $::contrail::params::openstack_ip_list,
   $host_control_ip = $::contrail::params::host_ip,
-  $rabbit_use_ssl     = $::contrail::params::rabbit_ssl_support,
+  $rabbit_use_ssl     = $::contrail::params::os_amqp_ssl,
   $kombu_ssl_ca_certs = $::contrail::params::kombu_ssl_ca_certs,
   $kombu_ssl_certfile = $::contrail::params::kombu_ssl_certfile,
   $kombu_ssl_keyfile  = $::contrail::params::kombu_ssl_keyfile,
@@ -114,22 +114,10 @@
     contain ::contrail::profile::openstack::neutron
     contain ::contrail::profile::openstack::heat
 
-    if ($rabbit_use_ssl) {
-      Package ['contrail-openstack']
-      -> file {['/etc/rabbitmq','/etc/rabbitmq/ssl']:
-        ensure  => directory,
-      } ->
-      file { '/etc/rabbitmq/ssl/server.pem' :
-        source => "puppet:///ssl_certs/$hostname.pem"
-      } ->
-      file { '/etc/rabbitmq/ssl/server-privkey.pem' :
-        source => "puppet:///ssl_certs/$hostname-privkey.pem"
-      } ->
-      file { '/etc/rabbitmq/ssl/ca-cert.pem' :
-        source => "puppet:///ssl_certs/ca-cert.pem"
-      } ->
-      Contrail::Lib::Report_status['openstack_completed']
-    }
+    Package ['contrail-openstack']
+    -> contrail::lib::rabbitmq_ssl{'openstack_rabbitmq':
+         rabbit_use_ssl => $rabbit_use_ssl }
+    -> Contrail::Lib::Report_status['openstack_completed']
 
     if ($::operatingsystem == 'Ubuntu') {
       service { 'supervisor-openstack': enable => true, ensure => running }