From 76423fd42a1136279ab2aa51f53adbee477062b0 Mon Sep 17 00:00:00 2001
From: John Eckersberg
Date: Mon, 5 May 2014 16:20:49 -0400
Subject: [PATCH] Add RabbitMQ SSL support
Change-Id: I6efe4819fb703ea815de259cb91b2ee50f51a0e3
---
 manifests/init.pp | 56 ++++++++++++++++++++++++++++
 spec/classes/ceilometer_init_spec.rb | 42 +++++++++++++++++++++
 2 files changed, 98 insertions(+)
diff --git a/manifests/init.pp b/manifests/init.pp
index 4f35bb3..09eae73 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -37,6 +37,23 @@
 # password to connect to the rabbit_server. Optional. Defaults to empty.
 # [*rabbit_virtual_host*]
 # virtualhost to use. Optional. Defaults to '/'
+# [*rabbit_use_ssl*]
+# (optional) Connect over SSL for RabbitMQ
+# Defaults to false
+# [*kombu_ssl_ca_certs*]
+# (optional) SSL certification authority file (valid only if SSL enabled).
+# Defaults to undef
+# [*kombu_ssl_certfile*]
+# (optional) SSL cert file (valid only if SSL enabled).
+# Defaults to undef
+# [*kombu_ssl_keyfile*]
+# (optional) SSL key file (valid only if SSL enabled).
+# Defaults to undef
+# [*kombu_ssl_version*]
+# (optional) SSL version to use (valid only if SSL enabled).
+# Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be
+# available on some distributions.
+# Defaults to 'SSLv3'
 #
 # [*qpid_hostname*]
 # [*qpid_port*]
@@ -70,6 +87,11 @@ class ceilometer(
 $rabbit_userid = 'guest',
 $rabbit_password = '',
 $rabbit_virtual_host = '/',
+ $rabbit_use_ssl = false,
+ $kombu_ssl_ca_certs = undef,
+ $kombu_ssl_certfile = undef,
+ $kombu_ssl_keyfile = undef,
+ $kombu_ssl_version = 'SSLv3',
 $qpid_hostname = 'localhost',
 $qpid_port = 5672,
 $qpid_username = 'guest',
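Review bot: The new `$kombu_ssl_version` parameter defaults to `'SSLv3'`, so a deployment that only sets `rabbit_use_ssl => true` gets an obsolete protocol version pinned in its configuration rather than TLS. Of the values the doc block itself lists, `TLSv1` is the safer default: `$kombu_ssl_version = 'TLSv1',`, with the doc line changed to `# Defaults to 'TLSv1'`. The doc sentence noting that SSLv2 may be available would be better replaced by a remark that SSLv2 and SSLv3 should only be chosen for compatibility with a legacy broker. The spec hunk at -208 asserts `with_value('SSLv3')` for the enabled case and would need the same change; the parameter list continues outside this hunk.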
@@ -151,6 +173,40 @@ class ceilometer(
 'DEFAULT/rabbit_userid' : value => $rabbit_userid;
 'DEFAULT/rabbit_password' : value => $rabbit_password;
 'DEFAULT/rabbit_virtual_host' : value => $rabbit_virtual_host;
+ 'DEFAULT/rabbit_use_ssl' : value => $rabbit_use_ssl;
+ }
+
+ if $rabbit_use_ssl {
+ if $kombu_ssl_ca_certs {
+ ceilometer_config { 'DEFAULT/kombu_ssl_ca_certs': value => $kombu_ssl_ca_certs }
+ } else {
+ ceilometer_config { 'DEFAULT/kombu_ssl_ca_certs': ensure => absent}
+ }
+
+ if $kombu_ssl_certfile {
+ ceilometer_config { 'DEFAULT/kombu_ssl_certfile': value => $kombu_ssl_certfile }
+ } else {
+ ceilometer_config { 'DEFAULT/kombu_ssl_certfile': ensure => absent}
+ }
+
+ if $kombu_ssl_keyfile {
+ ceilometer_config { 'DEFAULT/kombu_ssl_keyfile': value => $kombu_ssl_keyfile }
+ } else {
+ ceilometer_config { 'DEFAULT/kombu_ssl_keyfile': ensure => absent}
+ }
+
+ if $kombu_ssl_version {
+ ceilometer_config { 'DEFAULT/kombu_ssl_version': value => $kombu_ssl_version }
+ } else {
+ ceilometer_config { 'DEFAULT/kombu_ssl_version': ensure => absent}
+ }
+ } else {
+ ceilometer_config {
+ 'DEFAULT/kombu_ssl_ca_certs': ensure => absent;
+ 'DEFAULT/kombu_ssl_certfile': ensure => absent;
+ 'DEFAULT/kombu_ssl_keyfile': ensure => absent;
+ 'DEFAULT/kombu_ssl_version': ensure => absent;
+ }
 }
 }
diff --git a/spec/classes/ceilometer_init_spec.rb b/spec/classes/ceilometer_init_spec.rb
index 5572858..67423e6 100644
--- a/spec/classes/ceilometer_init_spec.rb
+++ b/spec/classes/ceilometer_init_spec.rb
@@ -37,6 +37,7 @@ describe 'ceilometer' do
 context 'with rabbit_host parameter' do
 before { params.merge!( rabbit_params ) }
 it_configures 'a ceilometer base installation'
+ it_configures 'rabbit with SSL support'
 it_configures 'rabbit without HA support (with backward compatibility)'
 end
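Review bot: Inside `if $rabbit_use_ssl`, an unset `$kombu_ssl_ca_certs` leads to `ensure => absent` for `DEFAULT/kombu_ssl_ca_certs` while `DEFAULT/rabbit_use_ssl` is still written as true, so the manifest silently produces an SSL configuration with no CA bundle. Whether the client then verifies the broker certificate at all depends on the messaging library's default, which is not visible here; a `warning('rabbit_use_ssl is enabled without kombu_ssl_ca_certs')` in that else branch would make the choice explicit. The same block accepts `$kombu_ssl_certfile` without `$kombu_ssl_keyfile` and the reverse; a guard such as `if ($kombu_ssl_certfile and !$kombu_ssl_keyfile) or ($kombu_ssl_keyfile and !$kombu_ssl_certfile) { fail('kombu_ssl_certfile and kombu_ssl_keyfile must be set together') }` would reject a half-configured client certificate at catalog compile time. The enclosing class body starts outside this hunk.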
@@ -44,12 +45,14 @@ describe 'ceilometer' do
 context 'with one server' do
 before { params.merge!( rabbit_params ).merge!( :rabbit_hosts => ['127.0.0.1:5672'] ) }
 it_configures 'a ceilometer base installation'
+ it_configures 'rabbit with SSL support'
 it_configures 'rabbit without HA support (without backward compatibility)'
 end
 context 'with multiple servers' do
 before { params.merge!( rabbit_params ).merge!( :rabbit_hosts => ['rabbit1:5672', 'rabbit2:5672'] ) }
 it_configures 'a ceilometer base installation'
+ it_configures 'rabbit with SSL support'
 it_configures 'rabbit with HA support'
 end
 end
@@ -208,6 +211,45 @@ describe 'ceilometer' do
 it { should contain_ceilometer_config('DEFAULT/rabbit_ha_queues').with_value('true') }
 end
+ shared_examples_for 'rabbit with SSL support' do
+ context "with default parameters" do
+ it { should contain_ceilometer_config('DEFAULT/rabbit_use_ssl').with_value('false') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_version').with_ensure('absent') }
+ end
+
+ context "with SSL enabled" do
+ before { params.merge!( :rabbit_use_ssl => 'true' ) }
+ it { should contain_ceilometer_config('DEFAULT/rabbit_use_ssl').with_value('true') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_certfile').with_ensure('absent') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_keyfile').with_ensure('absent') }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_version').with_value('SSLv3') }
+
+ context "with ca_certs" do
+ before { params.merge!( :kombu_ssl_ca_certs => '/path/to/ca.crt' ) }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_ca_certs').with_value('/path/to/ca.crt') }
+ end
+
+ context "with certfile" do
+ before { params.merge!( :kombu_ssl_certfile => '/path/to/cert.crt' ) }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_certfile').with_value('/path/to/cert.crt') }
+ end
+
+ context "with keyfile" do
+ before { params.merge!( :kombu_ssl_keyfile => '/path/to/cert.key' ) }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_keyfile').with_value('/path/to/cert.key') }
+ end
+
+ context "with version" do
+ before { params.merge!( :kombu_ssl_version => 'TLSv1' ) }
+ it { should contain_ceilometer_config('DEFAULT/kombu_ssl_version').with_value('TLSv1') }
+ end
+ end
+ end
+
 shared_examples_for 'qpid support' do
 context("with default parameters") do
 it { should contain_ceilometer_config('DEFAULT/qpid_reconnect').with_value(true) }
--
2.45.2
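Review bot: The shared examples never exercise the manifest's outer `else` branch with kombu parameters supplied: there is no context that leaves `rabbit_use_ssl` at its default and passes, for example, `:kombu_ssl_ca_certs => '/path/to/ca.crt'`, asserting that all four `kombu_ssl_*` settings stay `absent`. The "with SSL enabled" context also passes `:rabbit_use_ssl => 'true'` as a string although the class default is the boolean `false`; using `:rabbit_use_ssl => true` would test the documented type, and a string `'false'` is presumably truthy in the manifest's `if $rabbit_use_ssl`, which deserves its own check against the Puppet version in use. A context that sets CA, certificate and key together would additionally pin the fully configured case, which today is only covered one parameter at a time.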