Adding TLS encryption to Mcollective

andrewklau · andrewklau · commit 3f25bf1e603a · 2014-12-03T02:53:20.000+11:00
Attempt to split tls_enabled into enabled,disabled,strict

Remove duplication

Add simple certificate file check
diff --git a/Modulefile b/Modulefile
@@ -6,6 +6,7 @@ project_page 'https://github.com/openshift/puppet-openshift_origin'
 source 'git://github.com/openshift/puppet-openshift_origin.git'
 summary 'Module for installing Red Hat Openshift'
 description 'Configures OpenShift broker, nodes and support servers'
+dependency 'puppetlabs/java_ks', '>=1.2.5'
 dependency 'rharrison/lokkit', '>=0.2.0'
 dependency 'puppetlabs/ntp', '>=0.1.0'
 dependency 'puppetlabs/stdlib', '>=2.6.0'
diff --git a/README.asciidoc b/README.asciidoc
@@ -463,6 +463,33 @@ not needed by OpenShift but might be useful in troubleshooting.
 
 Default: scrambled
 
+=== msgserver_tls_enabled
+This configures mcollective and activemq to use end-to-end encryption over TLS.
+Use enabled to support both TLS and non-TLS, or strict to only support TLS.
+
+Default: 'disabled'
+ 
+=== msgserver_tls_keystore_password
+The password used to protect the keystore. It must be greater than 6 characters. This is required.
+
+Default: password
+
+=== msgserver_tls_ca
+Location for certificate ca
+
+Default: /var/lib/puppet/ssl/certs/ca.pem
+
+=== msgserver_tls_cert
+Location for certificate cert
+
+Default: /var/lib/puppet/ssl/certs/${lower_fqdn}.pem
+
+=== msgserver_tls_key
+Location for certificate key
+
+Default: /var/lib/puppet/ssl/private_keys/${lower_fqdn}.pem
+
+
 === mcollective_user
 === mcollective_password
 This is the user and password shared between broker and node for
diff --git a/manifests/activemq_keystores.pp b/manifests/activemq_keystores.pp
@@ -0,0 +1,92 @@
+class openshift_origin::activemq_keystores (
+
+  $ca = $::openshift_origin::msgserver_tls_ca,
+  $cert = $::openshift_origin::msgserver_tls_cert,
+  $private_key = $::openshift_origin::msgserver_tls_key,
+  $keystore_password = $::openshift_origin::msgserver_tls_keystore_password,
+
+
+  $activemq_confdir = '/etc/activemq',
+  $activemq_user = 'activemq',
+) {
+
+  # ----- Restart ActiveMQ if the SSL credentials ever change       -----
+  # ----- Uncomment if you are fully managing ActiveMQ with Puppet. -----
+
+  Package['activemq'] -> Class[$title]
+  Java_ks['activemq_cert:keystore'] ~> Service['activemq']
+  Java_ks['activemq_ca:truststore'] ~> Service['activemq']
+
+
+  # ----- Manage PEM files -----
+
+  File {
+    owner => root,
+    group => root,
+    mode  => 0600,
+  }
+  file {"${activemq_confdir}/ssl_credentials":
+    ensure => directory,
+    mode   => 0700,
+  }
+  file {"${activemq_confdir}/ssl_credentials/activemq_certificate.pem":
+    ensure => file,
+    source => $cert,
+  }
+  file {"${activemq_confdir}/ssl_credentials/activemq_private.pem":
+    ensure => file,
+    source => $private_key,
+  }
+  file {"${activemq_confdir}/ssl_credentials/ca.pem":
+    ensure => file,
+    source => $ca,
+  }
+
+
+  # ----- Manage Keystore Contents -----
+
+  # Each keystore should have a dependency on the PEM files it relies on.
+
+  # Truststore with copy of CA cert
+  java_ks { 'activemq_ca:truststore':
+    ensure       => latest,
+    certificate  => "${activemq_confdir}/ssl_credentials/ca.pem",
+    target       => "${activemq_confdir}/truststore.jks",
+    password     => $keystore_password,
+    trustcacerts => true,
+    require      => File["${activemq_confdir}/ssl_credentials/ca.pem"],
+  }
+
+  # Keystore with ActiveMQ cert and private key
+  java_ks { 'activemq_cert:keystore':
+    ensure       => latest,
+    certificate  => "${activemq_confdir}/ssl_credentials/activemq_certificate.pem",
+    private_key  => "${activemq_confdir}/ssl_credentials/activemq_private.pem",
+    target       => "${activemq_confdir}/keystore.jks",
+    password     => $keystore_password,
+    require      => [
+      File["${activemq_confdir}/ssl_credentials/activemq_private.pem"],
+      File["${activemq_confdir}/ssl_credentials/activemq_certificate.pem"]
+    ],
+  }
+
+
+  # ----- Manage Keystore Files -----
+
+  # Permissions only.
+  # No ensure, source, or content.
+
+  file {"${activemq_confdir}/keystore.jks":
+    owner   => $activemq_user,
+    group   => $activemq_user,
+    mode    => 0600,
+    require => Java_ks['activemq_cert:keystore'],
+  }
+  file {"${activemq_confdir}/truststore.jks":
+    owner   => $activemq_user,
+    group   => $activemq_user,
+    mode    => 0600,
+    require => Java_ks['activemq_ca:truststore'],
+  }
+
+}
diff --git a/manifests/firewall/activemq.pp b/manifests/firewall/activemq.pp
@@ -17,13 +17,24 @@
   if $::openshift_origin::manage_firewall {
     require openshift_origin::firewall
 
+    if $::openshift_origin::msgserver_tls_enabled == 'strict' {
+      $activemq_port = '61614'
+      $activemq_openwire_port = '61617'
+    } elsif $::openshift_origin::msgserver_tls_enabled == 'enabled' {
+      $activemq_port = '61613-61614'
+      $activemq_openwire_port = '61616-61617'
+    } else {
+      $activemq_port = '61613'
+      $activemq_openwire_port = '61616'
+    }
+    
     lokkit::ports { 'ActiveMQ':
-      tcpPorts => [ '61613' ],
+      tcpPorts => [ $activemq_port ],
     }
 
     if $::openshift_origin::msgserver_cluster {
       lokkit::ports { 'ActiveMQ-Openwire':
-        tcpPorts => [ '61616' ],
+        tcpPorts => [ $activemq_openwire_port ],
       }
     }
   }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -307,6 +307,27 @@
 #   This is the admin password for the ActiveMQ admin console, which is
 #   not needed by OpenShift but might be useful in troubleshooting.
 #
+# [*msgserver_tls_enabled*]
+#   Default: 'disabled'
+#   This configures mcollective and activemq to use end-to-end encryption over TLS.
+#   Use enabled to support both TLS and non-TLS, or strict to only support TLS.
+#
+# [*msgserver_tls_keystore_password*]
+#   Default: password
+#   The password used to protect the keystore. It must be greater than 6 characters. This is required.
+#
+# [*msgserver_tls_ca*]
+#   Default: /var/lib/puppet/ssl/certs/ca.pem
+#   Location for certificate ca
+#
+# [*msgserver_tls_cert*]
+#   Default: /var/lib/puppet/ssl/certs/${lower_fqdn}.pem
+#   Location for certificate cert
+#
+# [*msgserver_tls_key*]
+#   Default: /var/lib/puppet/ssl/private_keys/${lower_fqdn}.pem
+#   Location for certificate key
+#
 # [*mcollective_user*]
 # [*mcollective_password*]
 #   Default: mcollective/marionette
@@ -741,6 +762,7 @@
 class openshift_origin (
   $ose_version                          = undef,
   $ose_unsupported                      = false,
+  $lower_fqdn                           = $openshift_origin::params::lower_fqdn,
   $roles                                = ['broker','node','msgserver','datastore','nameserver'],
   $install_method                       = 'yum',
   $parallel_deployment                  = false,
@@ -808,6 +830,11 @@
   $mcollective_cluster_members          = undef,
   $msgserver_password                   = 'changeme',
   $msgserver_admin_password             = inline_template('<%= require "securerandom"; SecureRandom.base64 %>'),
+  $msgserver_tls_enabled                = 'disabled',
+  $msgserver_tls_keystore_password      = 'password',
+  $msgserver_tls_ca                     = "/var/lib/puppet/ssl/certs/ca.pem",
+  $msgserver_tls_cert                   = inline_template('<%= "/var/lib/puppet/ssl/certs/#{fqdn.downcase}.pem" %>'),
+  $msgserver_tls_key                    = inline_template('<%= "/var/lib/puppet/ssl/private_keys/#{fqdn.downcase}.pem" %>'),
   $mcollective_user                     = 'mcollective',
   $mcollective_password                 = 'marionette',
   $mongodb_admin_user                   = 'admin',
diff --git a/manifests/mcollective_client.pp b/manifests/mcollective_client.pp
@@ -31,6 +31,16 @@
     $pool_size = '1'
   }
 
+  if ($::openshift_origin::msgserver_tls_enabled == 'enabled' or $::openshift_origin::msgserver_tls_enabled == 'strict') {
+    if ($::openshift_origin::msgserver_tls_ca != '') and ($::openshift_origin::msgserver_tls_key != '') and ($::openshift_origin::msgserver_tls_cert != '') {
+      $tls_certs_provided = true
+    } else { $tls_certs_provided = false }
+  }
+
+  if ($::openshift_origin::msgserver_tls_enabled == 'strict' and $tls_certs_provided == false) {
+    fail 'Valid certificate file locations are required when msgserver_tls_enabled is in strict mode.'
+  }
+  
   file { 'mcollective client config':
     ensure  => present,
     path    => "${::openshift_origin::params::ruby_scl_path_prefix}/etc/mcollective/client.cfg",
diff --git a/manifests/mcollective_server.pp b/manifests/mcollective_server.pp
@@ -37,7 +37,17 @@
     ensure  => 'directory',
     require => Package['mcollective'],
   }
+  
+  if ($::openshift_origin::msgserver_tls_enabled == 'enabled' or $::openshift_origin::msgserver_tls_enabled == 'strict') {
+    if ($::openshift_origin::msgserver_tls_ca != '') and ($::openshift_origin::msgserver_tls_key != '') and ($::openshift_origin::msgserver_tls_cert != '') {
+      $tls_certs_provided = true
+    } else { $tls_certs_provided = false }
+  }
 
+  if ($::openshift_origin::msgserver_tls_enabled == 'strict' and $tls_certs_provided == false) {
+    fail 'Valid certificate file locations are required when msgserver_tls_enabled is in strict mode.'
+  }
+  
   file { 'mcollective server config':
     ensure  => present,
     path    => "${::openshift_origin::params::ruby_scl_path_prefix}/etc/mcollective/server.cfg",
diff --git a/manifests/msgserver.pp b/manifests/msgserver.pp
@@ -52,6 +52,18 @@
     require => Package['activemq'],
   }
 
+  if ($::openshift_origin::msgserver_tls_enabled == 'enabled') or ($::openshift_origin::msgserver_tls_enabled == 'strict') { 
+    if ($::openshift_origin::msgserver_tls_ca != '') and ($::openshift_origin::msgserver_tls_key != '') and ($::openshift_origin::msgserver_tls_cert != '') {
+      anchor { 'openshift_origin::msgserver_keystores_begin': } -> 
+      class { 'openshift_origin::activemq_keystores' : } ->
+      anchor { 'openshift_origin::msgserver_keystores_end': }
+    
+      $activemq_openwire_port = '61617'
+    } else { fail 'Valid certificate file locations are required when msgserver_tls_enabled is in strict or enabled mode.' }
+  } else { 
+    $activemq_openwire_port = '61616'
+  }
+
   if $::openshift_origin::msgserver_cluster {
     $activemq_config_template_real = 'openshift_origin/activemq/activemq-network.xml.erb'
   } else {
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -35,4 +35,5 @@
   $repos_base = $::operatingsystem ? {
     default  => 'https://mirror.openshift.com/pub/origin-server/nightly/rhel-6',
   }
+
 }
diff --git a/templates/activemq/activemq-network.xml.erb b/templates/activemq/activemq-network.xml.erb
@@ -69,10 +69,10 @@
 
 	<networkConnectors>
 <% @cluster_remote_members.each do |cluster_remote_member| -%>
-		<networkConnector name="<%= scope.lookupvar('::openshift_origin::msgserver_fqdn') %>-<%= cluster_remote_member %>-topic" uri="static:(tcp://<%= cluster_remote_member %>:61616)" userName="amquser" password="<%= scope.lookupvar('::openshift_origin::msgserver_password') %>">
+		<networkConnector name="<%= scope.lookupvar('::openshift_origin::msgserver_fqdn') %>-<%= cluster_remote_member %>-topic" uri="static:(tcp://<%= cluster_remote_member %>:<%= @activemq_openwire_port %>)" userName="amquser" password="<%= scope.lookupvar('::openshift_origin::msgserver_password') %>">
 			<excludedDestinations><queue physicalName=">" /></excludedDestinations>
 		</networkConnector>
-		<networkConnector name="<%= scope.lookupvar('::openshift_origin::msgserver_fqdn') %>-<%= cluster_remote_member %>-queue" uri="static:(tcp://<%= cluster_remote_member %>:61616)" userName="amquser" password="<%= scope.lookupvar('::openshift_origin::msgserver_password') %>"
+		<networkConnector name="<%= scope.lookupvar('::openshift_origin::msgserver_fqdn') %>-<%= cluster_remote_member %>-queue" uri="static:(tcp://<%= cluster_remote_member %>:<%= @activemq_openwire_port %>)" userName="amquser" password="<%= scope.lookupvar('::openshift_origin::msgserver_password') %>"
 			conduitSubscriptions="false">
 			<excludedDestinations><topic physicalName=">" /></excludedDestinations>
 		</networkConnector>
@@ -137,15 +137,30 @@
             </systemUsage>
         </systemUsage>
 
+        <% if scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'enabled' or scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'strict' %>
+        <sslContext>
+          <sslContext
+             keyStore="keystore.jks" keyStorePassword="<%= scope.lookupvar('::openshift_origin::msgserver_tls_keystore_password') %>"
+             trustStore="truststore.jks" trustStorePassword="<%= scope.lookupvar('::openshift_origin::msgserver_tls_keystore_password') %>"
+          />
+        </sslContext>
+        <% end %>
+        
         <!--
             The transport connectors expose ActiveMQ over a given protocol to
             clients and other brokers. For more information, see:
 
             http://activemq.apache.org/configuring-transports.html
         -->
         <transportConnectors>
-            <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
-            <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
+          <% if scope.lookupvar('::openshift_origin::msgserver_tls_enabled') != 'disabled' %>
+          <transportConnector name="openwire+ssl" uri="tcp://0.0.0.0:61617?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
+          <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
+          <% end %>
+          <% if scope.lookupvar('::openshift_origin::msgserver_tls_enabled') != 'strict' %>
+          <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
+          <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
+          <% end %>
         </transportConnectors>
 
     </broker>
diff --git a/templates/activemq/activemq.xml.erb b/templates/activemq/activemq.xml.erb
@@ -153,15 +153,30 @@
             </systemUsage>
         </systemUsage>
 
+        <% if scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'enabled' or scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'strict' %>
+        <sslContext>
+          <sslContext
+             keyStore="keystore.jks" keyStorePassword="<%= scope.lookupvar('::openshift_origin::msgserver_tls_keystore_password') %>"
+             trustStore="truststore.jks" trustStorePassword="<%= scope.lookupvar('::openshift_origin::msgserver_tls_keystore_password') %>"
+          />
+        </sslContext>
+        <% end %>
+
         <!--
             The transport connectors expose ActiveMQ over a given protocol to
             clients and other brokers. For more information, see:
 
             http://activemq.apache.org/configuring-transports.html
         -->
         <transportConnectors>
-            <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
-            <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
+          <% if scope.lookupvar('::openshift_origin::msgserver_tls_enabled') != 'disabled' %>
+          <transportConnector name="openwire+ssl" uri="tcp://0.0.0.0:61617?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
+          <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
+          <% end %>
+          <% if scope.lookupvar('::openshift_origin::msgserver_tls_enabled') != 'strict' %>
+          <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
+          <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
+          <% end %>
         </transportConnectors>
 
     </broker>
diff --git a/templates/mcollective/mcollective-client.cfg.erb b/templates/mcollective/mcollective-client.cfg.erb
@@ -16,13 +16,34 @@ plugin.activemq.pool.size = <%= @pool_size %>
 <% if scope.lookupvar('::openshift_origin::msgserver_cluster') then
 @cluster_members.each_with_index do |cluster_member, index| -%>
 plugin.activemq.pool.<%= index + 1%>.host = <%= cluster_member %>
-plugin.activemq.pool.<%= index + 1%>.port = 61613
 plugin.activemq.pool.<%= index + 1%>.user = <%= scope.lookupvar('::openshift_origin::mcollective_user') %>
 plugin.activemq.pool.<%= index + 1%>.password = <%= scope.lookupvar('::openshift_origin::mcollective_password') %>
+
+  <% if (scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'enabled' and @tls_certs_provided == true) or scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'strict' -%>
+  plugin.activemq.pool.<%= index + 1%>.port = 61614
+  plugin.activemq.pool.<%= index + 1%>.ssl = true
+  plugin.activemq.pool.<%= index + 1%>.ssl.ca = <%= scope.lookupvar('::openshift_origin::msgserver_tls_ca') %>
+  plugin.activemq.pool.<%= index + 1%>.ssl.key = <%= scope.lookupvar('::openshift_origin::msgserver_tls_key') %>
+  plugin.activemq.pool.<%= index + 1%>.ssl.cert = <%= scope.lookupvar('::openshift_origin::msgserver_tls_cert') %>
+  <% else %>
+  plugin.activemq.pool.<%= index + 1%>.port = 61613
+  <% end %>
+
 <% end -%>
+
 <% else -%>
-plugin.activemq.pool.1.host = <%= scope.lookupvar('::openshift_origin::msgserver_fqdn') %>
-plugin.activemq.pool.1.port = 61613
+plugin.activemq.pool.1.host = <%= scope.lookupvar('::openshift_origin::msgserver_hostname') %>
 plugin.activemq.pool.1.user = <%= scope.lookupvar('::openshift_origin::mcollective_user') %>
 plugin.activemq.pool.1.password = <%= scope.lookupvar('::openshift_origin::mcollective_password') %>
+
+  <% if (scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'enabled' and @tls_certs_provided == true) or scope.lookupvar('::openshift_origin::msgserver_tls_enabled') == 'strict' -%>
+  plugin.activemq.pool.1.port = 61614
+  plugin.activemq.pool.1.ssl = true
+  plugin.activemq.pool.1.ssl.ca = <%= scope.lookupvar('::openshift_origin::msgserver_tls_ca') %>
+  plugin.activemq.pool.1.ssl.key = <%= scope.lookupvar('::openshift_origin::msgserver_tls_key') %>
+  plugin.activemq.pool.1.ssl.cert = <%= scope.lookupvar('::openshift_origin::msgserver_tls_cert') %>
+  <% else -%>  
+  plugin.activemq.pool.1.port = 61613
+  <% end -%>
+
 <% end -%>
diff --git a/templates/mcollective/mcollective-server.cfg.erb b/templates/mcollective/mcollective-server.cfg.erb

Original file line number	Diff line number	Diff line change
`@@ -35,4 +35,5 @@`
`35`	`35`	`$repos_base = $::operatingsystem ? {`
`36`	`36`	`default => 'https://mirror.openshift.com/pub/origin-server/nightly/rhel-6',`
`37`	`37`	`}`
	`38`	`+`
`38`	`39`	`}`