From af88d1ff570a171db9333cb8e5dde8ac7092c871 Mon Sep 17 00:00:00 2001 From: William Yardley Date: Thu, 14 Nov 2024 11:36:26 -0800 Subject: [PATCH] Update to EPP templates and other minor fixes after resolving conflicts - Switch to EPP templates - Alphasort --- REFERENCE.md | 18 +-- data/common.yaml | 1 - manifests/init.pp | 4 +- spec/classes/rabbitmq_spec.rb | 2 +- templates/rabbitmq.config.epp | 13 ++ templates/rabbitmq.config.erb | 223 ---------------------------------- 6 files changed, 25 insertions(+), 236 deletions(-) delete mode 100644 templates/rabbitmq.config.erb diff --git a/REFERENCE.md b/REFERENCE.md index a59c0cb5a..ccb0f54d9 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -264,6 +264,7 @@ The following parameters are available in the `rabbitmq` class: * [`ssl_cacert`](#-rabbitmq--ssl_cacert) * [`ssl_cert`](#-rabbitmq--ssl_cert) * [`ssl_cert_password`](#-rabbitmq--ssl_cert_password) +* [`ssl_client_renegotiation`](#-rabbitmq--ssl_client_renegotiation) * [`ssl_depth`](#-rabbitmq--ssl_depth) * [`ssl_dhfile`](#-rabbitmq--ssl_dhfile) * [`ssl_erl_dist`](#-rabbitmq--ssl_erl_dist) @@ -278,7 +279,6 @@ The following parameters are available in the `rabbitmq` class: * [`ssl_management_fail_if_no_peer_cert`](#-rabbitmq--ssl_management_fail_if_no_peer_cert) * [`ssl_port`](#-rabbitmq--ssl_port) * [`ssl_reuse_sessions`](#-rabbitmq--ssl_reuse_sessions) -* [`ssl_client_renegotiation`](#-rabbitmq--ssl_client_renegotiation) * [`ssl_secure_renegotiate`](#-rabbitmq--ssl_secure_renegotiate) * [`ssl_stomp_port`](#-rabbitmq--ssl_stomp_port) * [`ssl_verify`](#-rabbitmq--ssl_verify) @@ -883,6 +883,14 @@ Password used when generating CSR. Default value: `undef` +##### `ssl_client_renegotiation` + +Data type: `Optional[Boolean]` + +Allow ssl client renegotiation + +Default value: `undef` + ##### `ssl_depth` Data type: `Optional[Integer]` 
@@ -996,14 +1004,6 @@ Reuse ssl sessions Default value: `true` -##### `ssl_client_renegotiation` - -Data type: `Optional[Boolean]` - -Allow ssl client renegotiation - -Default value: `undef` - ##### `ssl_secure_renegotiate` Data type: `Boolean` diff --git a/data/common.yaml b/data/common.yaml index be65797d8..4803c767c 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -62,7 +62,6 @@ rabbitmq::ssl_fail_if_no_peer_cert: false rabbitmq::ssl_management_verify: 'verify_none' rabbitmq::ssl_management_fail_if_no_peer_cert: false rabbitmq::ssl_versions: ~ -rabbitmq::ssl_client_renegotiation: ~ rabbitmq::ssl_secure_renegotiate: true rabbitmq::ssl_reuse_sessions: true rabbitmq::ssl_honor_cipher_order: true diff --git a/manifests/init.pp b/manifests/init.pp index e6240b7e2..0e9790ed2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -263,6 +263,8 @@ # Cert to use for SSL. # @param ssl_cert_password # Password used when generating CSR. +# @param ssl_client_renegotiation +# Allow ssl client renegotiation # @param ssl_depth # SSL verification depth. # @param ssl_dhfile @@ -291,8 +293,6 @@ # SSL port for RabbitMQ # @param ssl_reuse_sessions # Reuse ssl sessions -# @param ssl_client_renegotiation -# Allow ssl client renegotiation # @param ssl_secure_renegotiate # Use ssl secure renegotiate # @param ssl_stomp_port diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb index 1b755afc4..2af8a0524 100644 --- a/spec/classes/rabbitmq_spec.rb +++ b/spec/classes/rabbitmq_spec.rb @@ -1195,7 +1195,7 @@ end # tlsv1.3 not supported on older RMQ/Erlang with this distro - describe 'ssl options with ssl version tlsv1.3', unless: facts[:osfamily] == 'RedHat' do + describe 'ssl options with ssl version tlsv1.3' do let(:params) do { ssl: true, ssl_port: 3141, diff --git a/templates/rabbitmq.config.epp b/templates/rabbitmq.config.epp index c70c6b865..be71d1187 100644 --- a/templates/rabbitmq.config.epp +++ b/templates/rabbitmq.config.epp 
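Review bot: The comment `# tlsv1.3 not supported on older RMQ/Erlang with this distro` directly above the `describe` is left in place while the `unless: facts[:osfamily] == 'RedHat'` guard it explained is removed, so the example now runs on every platform under a comment that says it cannot. Either drop that comment line or replace it with one that states the new assumption, e.g. `# tlsv1.3 is expected to be supported by every RMQ/Erlang combination this module targets`. If there are still supported RedHat/Erlang combinations without TLS 1.3, the guard removal will surface as a failure in the `ssl_options` expectations rather than a skip, which is worth a sentence in the commit message. The enclosing `describe` block and its `let(:params)` continue past the end of this hunk.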
@@ -77,7 +77,12 @@ <%- if $rabbitmq::config::ssl_dhfile {-%> {dhfile, "<%= $rabbitmq::config::ssl_dhfile %>"}, <%- } -%> + <%- if !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) {-%> + <%- if $rabbitmq::config::ssl_client_renegotiation != undef {-%> + {client_renegotiation,<%= $rabbitmq::config::ssl_client_renegotiation %>}, + <%- } -%> {secure_renegotiate,<%= $rabbitmq::config::ssl_secure_renegotiate %>}, + <%- } -%> {reuse_sessions,<%= $rabbitmq::config::ssl_reuse_sessions %>}, {honor_cipher_order,<%= $rabbitmq::config::ssl_honor_cipher_order %>}, {verify,<%= $rabbitmq::config::ssl_verify %>}, @@ -150,6 +155,14 @@ <%- } -%> {certfile, "<%= $rabbitmq::config::ssl_management_cert %>"}, {keyfile, "<%= $rabbitmq::config::ssl_management_key %>"}, + <%- if !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) {-%> + <%- if $rabbitmq::config::ssl_client_renegotiation != undef {-%> + {client_renegotiation,<%= $rabbitmq::config::ssl_client_renegotiation %>}, + <%- } -%> + {secure_renegotiate,<%= $rabbitmq::config::ssl_secure_renegotiate %>}, + <%- } -%> + {reuse_sessions,<%= $rabbitmq::config::ssl_reuse_sessions %>}, + {honor_cipher_order,<%= $rabbitmq::config::ssl_honor_cipher_order %>}, {verify,<%= $rabbitmq::config::ssl_management_verify %>}, {fail_if_no_peer_cert,<%= $rabbitmq::config::ssl_management_fail_if_no_peer_cert %>} <%- if $rabbitmq::config::ssl_versions {-%> diff --git a/templates/rabbitmq.config.erb b/templates/rabbitmq.config.erb deleted file mode 100644 index d3c280e1c..000000000 --- a/templates/rabbitmq.config.erb +++ /dev/null 
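Review bot: The new guard `<%- if !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) {-%>` skips both `client_renegotiation` and `secure_renegotiate` whenever `tlsv1.3` appears anywhere in `ssl_versions`, so with a mixed list such as `['tlsv1.2', 'tlsv1.3']` an operator's explicit `ssl_client_renegotiation: false` is silently dropped even though TLS 1.2 clients can still connect and renegotiate. If the intent is only to avoid handing TLS-1.2-and-below options to a listener configured exclusively for TLS 1.3, the narrower test `$rabbitmq::config::ssl_versions != ['tlsv1.3']` would keep the hardening for mixed lists — but confirm against the OTP versions this module supports before changing it, since I cannot tell from the hunk whether OTP rejects these options when TLS 1.3 is merely present. Whichever condition is kept, the `@param ssl_client_renegotiation` text ("Allow ssl client renegotiation") should state that the option is only written when TLS 1.3 is absent from `ssl_versions` and that leaving it `undef` emits nothing, leaving Erlang's built-in default in force. The enclosing `{ssl_options, [` list opens before this hunk.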
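Review bot: The TLS 1.3 condition `!$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions)` is now duplicated verbatim in the management `ssl_opts` and the AMQP `ssl_options`, which is exactly the kind of pair that drifts apart on the next edit; compute it once near the top of the template, `<%- $tls13_only_opts = !$rabbitmq::config::ssl_versions or !('tlsv1.3' in $rabbitmq::config::ssl_versions) -%>`, and test `$tls13_only_opts` in both places. This hunk also starts emitting `reuse_sessions` and `honor_cipher_order` for the management listener, so the `@param ssl_reuse_sessions` / `@param ssl_honor_cipher_order` descriptions ("Reuse ssl sessions" etc.) should say they now apply to both the AMQP and management TLS listeners, since an operator tuning one will otherwise not expect the other to change. The `{ssl_opts, [` list and the surrounding `listener` block begin before this hunk and end after it.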
@@ -1,223 +0,0 @@ -% This file managed by Puppet -% Template Path: <%= @module_name %>/templates/rabbitmq.config -[ -<%- -if @ssl_ciphers && @ssl_ciphers.size > 0 - ssl_ciphers = @ssl_ciphers.map do |cipher| - if cipher.split(',').size > 1 - "{#{cipher}}" - else - "\"#{cipher}\"" - end - end.join(",\n ") -else - ssl_ciphers = nil -end --%> -<%- if @ssl and @ssl_versions -%> - {ssl, [{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]}]}, -<%- end -%> - {rabbit, [ -<%- if @heartbeat -%> - {heartbeat, <%=@heartbeat%>}, -<% end -%> - {loopback_users, [<%= @loopback_users.map { |u| "<<\"#{u}\">>" }.join(', ') %>]}, -<% if @auth_backends -%> - {auth_backends, [<%= @auth_backends.map { |v| "#{v}" }.join(', ') %>]}, -<% elsif @ldap_auth -%> - {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]}, -<% end -%> -<% if @config_cluster -%> - {cluster_nodes, {[<%= @cluster_nodes.map { |n| "\'rabbit@#{n}\'" }.join(', ') %>], <%= @cluster_node_type %>}}, - {cluster_partition_handling, <%= @cluster_partition_handling %>}, -<% end -%> - {tcp_listen_options, [ - <%- unless @config_ranch -%> - binary, - {packet, raw}, - {reuseaddr, true}, - <%- end -%> - <%- if @tcp_keepalive -%> - {keepalive, true}, - <%- end -%> - <%- if @tcp_backlog -%> - {backlog, <%= @tcp_backlog %>}, - <%- end -%> - <%- if @tcp_sndbuf -%> - {sndbuf, <%= @tcp_sndbuf %>}, - <%- end -%> - <%- if @tcp_recbuf -%> - {recbuf, <%= @tcp_recbuf %>}, - <%- end -%> - {nodelay, true}, - {linger, {true, 0}}, - {exit_on_close, false} - ]}, -<%- if @collect_statistics_interval -%> - {collect_statistics_interval, <%= @collect_statistics_interval %>}, -<%- end -%> -<%- if @ssl_only -%> - {tcp_listeners, []}, -<%- elsif @interface -%> - {tcp_listeners, [{"<%= @interface%>", <%= @port %>}]}, -<%- end -%> -<%- if @ssl -%> - <%- if @ssl_interface -%> - {ssl_listeners, [{"<%= @ssl_interface%>", <%= @ssl_port %>}]}, - <%- else -%> - {ssl_listeners, [<%= @ssl_port %>]}, - <%- end -%> - 
{ssl_options, [ - <%- if @ssl_cacert -%> - {cacertfile,"<%= @ssl_cacert %>"}, - <%- end -%> - {certfile,"<%= @ssl_cert %>"}, - {keyfile,"<%= @ssl_key %>"}, - <%- if @ssl_cert_password -%> - {password, "<%= @ssl_cert_password %>"}, - <%- end -%> - <%- if @ssl_depth -%> - {depth,<%= @ssl_depth %>}, - <%- end -%> - <%- if @ssl_dhfile -%> - {dhfile, "<%= @ssl_dhfile %>"}, - <%- end -%> - <%- if !@ssl_versions || !@ssl_versions.include?('tlsv1.3') -%> - <%- if defined?(@ssl_client_renegotiation) -%> - {client_renegotiation,<%= @ssl_client_renegotiation %>}, - <%- end -%> - {secure_renegotiate,<%= @ssl_secure_renegotiate %>}, - <%- end -%> - {reuse_sessions,<%= @ssl_reuse_sessions %>}, - {honor_cipher_order,<%= @ssl_honor_cipher_order %>}, - {verify,<%= @ssl_verify %>}, - {fail_if_no_peer_cert,<%= @ssl_fail_if_no_peer_cert %>} - <%- if @ssl_versions -%> - ,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]} - <%- end -%> - <%- if @ssl_ciphers and @ssl_ciphers.size > 0 -%> - ,{ciphers,[ - <%= ssl_ciphers %> - ]} - <%- end -%> - <%- if @ssl_crl_check != 'false' -%> - ,{crl_check,<%= @ssl_crl_check %>} - <%- end -%> - <%- if @ssl_crl_cache_hash_dir -%> - ,{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, "<%= @ssl_crl_cache_hash_dir %>"}]}}} - <%- end -%> - <%- if @ssl_crl_cache_http_timeout -%> - ,{crl_cache, {ssl_crl_cache, {internal, [{http, <%= @ssl_crl_cache_http_timeout %>}]}}} - <%- end -%> - ]}, -<%- end -%> -<% if scope['rabbitmq::config_variables'] -%> -<%- scope['rabbitmq::config_variables'].keys.sort.each do |key| -%> - {<%= key %>, <%= scope['rabbitmq::config_variables'][key] %>}, -<%- end -%> -<%- end -%> - {default_user, <<"<%= @default_user %>">>}, - {default_pass, <<"<%= @default_pass %>">>} - ]}<% if @config_kernel_variables -%>, - {kernel, [ - <%= @config_kernel_variables.sort.map{|k,v| "{#{k}, #{v}}"}.join(",\n ") %> - ]} -<%- end -%> -<%- if @admin_enable or @management_enable or !@config_management_variables.empty? 
-%>, - {rabbitmq_management, [ - <%- if !@config_management_variables.empty? -%> - <%= @config_management_variables.sort.map{|k,v| "{#{k}, #{v}}"}.join(",\n ") %> - <%- end -%> -<%- if @admin_enable or @management_enable -%> -<%- if !@config_management_variables.empty? -%>,<%-end-%> - {listener, [ -<%- if @ssl && @management_ssl -%> - <%- if @management_ip_address -%> - {ip, "<%= @management_ip_address %>"}, - <%- end -%> - {port, <%= @ssl_management_port %>}, - {ssl, true}, - {ssl_opts, [<%- if @ssl_management_cacert %> - {cacertfile, "<%= @ssl_management_cacert %>"}, - <%- end -%> - {certfile, "<%= @ssl_management_cert %>"}, - {keyfile, "<%= @ssl_management_key %>"}, - <%- if !@ssl_versions || !@ssl_versions.include?('tlsv1.3') -%> - <%- if defined?(@ssl_client_renegotiation) -%> - {client_renegotiation,<%= @ssl_client_renegotiation %>}, - <%- end -%> - {secure_renegotiate,<%= @ssl_secure_renegotiate %>}, - <%- end -%> - {reuse_sessions,<%= @ssl_reuse_sessions %>}, - {honor_cipher_order,<%= @ssl_honor_cipher_order %>}, - {verify,<%= @ssl_management_verify %>}, - {fail_if_no_peer_cert,<%= @ssl_management_fail_if_no_peer_cert %>} - <%- if @ssl_versions -%> - ,{versions, [<%= @ssl_versions.sort.map { |v| "'#{v}'" }.join(', ') %>]} - <%- end -%> - <%- if @ssl_ciphers and @ssl_ciphers.size > 0 -%> - ,{ciphers,[ - <%= ssl_ciphers %> - ]} - <%- end -%> - ]} -<%- else -%> - <%- if @management_ip_address -%> - {ip, "<%= @management_ip_address %>"}, - <%- end -%> - {port, <%= @management_port %>} -<%- end -%> - ]} -<%- end -%> - ]} -<%- end -%> -<% if @config_stomp -%>, -% Configure the Stomp Plugin listening port - {rabbitmq_stomp, [ - <%- if @stomp_ssl_only -%> - {tcp_listeners, []} - <%- else -%> - {tcp_listeners, [<%= @stomp_port %>]} - <%- end -%> - <%- if @ssl && @ssl_stomp_port -%> - , - {ssl_listeners, [<%= @ssl_stomp_port %>]} - <%- end -%> - ]} -<% end -%> -<%- if @ldap_auth -%>, -% Configure the LDAP authentication plugin - {rabbitmq_auth_backend_ldap, [ - 
{other_bind, <%= @ldap_other_bind %>}, -<% if @ldap_server.class == Array -%> - {servers, <%= @ldap_server %>}, -<% else -%> - {servers, ["<%= @ldap_server %>"]}, -<% end -%> -<% if @ldap_user_dn_pattern -%> - {user_dn_pattern, "<%= @ldap_user_dn_pattern %>"}, -<%- end -%> - {use_ssl, <%= @ldap_use_ssl %>}, - {port, <%= @ldap_port %>}, -<% if @ldap_config_variables -%> -<%- @ldap_config_variables.keys.sort.each do |key| -%> - {<%= key %>, <%= @ldap_config_variables[key] %>}, -<%- end -%> -<%- end -%> - {log, <%= @ldap_log %>} - ]} -<%- end -%> -<%- if @config_shovel and not @config_shovel_statics.empty? -%>, - {rabbitmq_shovel, - [{shovels,[ - <%= @config_shovel_statics.sort.map{|k,v| "{#{k},[#{v}]}"}.join(",\n ") %> - ]}]} -<%- end -%> -<%- if @config_additional_variables and not @config_additional_variables.empty? -%>, -% Additional config -<%- @config_additional_variables.keys.sort.each do |key| -%> - {<%= key %>, <%= @config_additional_variables[key] %>}<%- if key != @config_additional_variables.keys.sort.last %>,<% end %> -<%- end -%> -<%- end -%> -]. -% EOF