
Support for SSL client cert authentication and server certificate validation when connecting to RabbitMQ #4541

Merged: 23 commits from rabbitmq_connection_ssl_options into master, Feb 12, 2019

Conversation

@Kami (Member) commented Feb 8, 2019

This pull request adds two of the features we were missing for fully secure and verified connections to the RabbitMQ message bus:

  • Support for client based certificate authentication
  • Support for verifying the server certificate on the client side with the provided CA cert (bundle)

Both of those features were already supported for the database (MongoDB) connection, but not for RabbitMQ.

Keep in mind that secure SSL / TLS connections to RabbitMQ were already possible (without verifying the server certificate), but that wasn't documented anywhere. StackStorm/st2docs#848 fixed that.

The nice thing is that we can use the same naming for those options in the database and messaging sections (ssl_keyfile, ssl_certfile, ssl_cert_reqs, ssl_ca_certs).

Example config entries:

[messaging]
url = amqp://guest:guest@127.0.0.1:5671/
ssl = True
ssl_keyfile = /home/vagrant/client/private_key.pem
ssl_certfile = /home/vagrant/client/client_certificate.pem
ssl_ca_certs = /home/vagrant/testca/ca_certificate_bundle.pem
ssl_cert_reqs = required

Implementation-wise, I needed to refactor some code so we now retrieve a properly configured Connection object in a single centralized place.

TODO
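As an added example (my own code, not the st2 project's implementation), here is how the four `[messaging]` options above could be translated into the `ssl=` argument that kombu's `Connection` accepts, together with the consistency checks a practitioner would want at config-load time rather than at handshake time. The functions `build_ssl_options` and `load_messaging_ssl_options` and the embedded INI text are constructed for this illustration; the assumption that kombu passes a dict straight through as `ssl.wrap_socket` keyword arguments comes from kombu's documentation.

```python
import configparser
import ssl

# Constructed sample config, mirroring the [messaging] entries shown in the PR description.
SAMPLE_CONFIG = """\
[messaging]
url = amqp://guest:guest@127.0.0.1:5671/
ssl = True
ssl_keyfile = /home/vagrant/client/private_key.pem
ssl_certfile = /home/vagrant/client/client_certificate.pem
ssl_ca_certs = /home/vagrant/testca/ca_certificate_bundle.pem
ssl_cert_reqs = required
"""

# ssl_cert_reqs strings -> ssl module constants (the same three values the
# MongoDB ssl_cert_reqs option takes, so the two sections stay consistent).
CERT_REQS = {
    "none": ssl.CERT_NONE,
    "optional": ssl.CERT_OPTIONAL,
    "required": ssl.CERT_REQUIRED,
}


def build_ssl_options(section):
    """Translate a [messaging] section into the ``ssl=`` argument for kombu.Connection.

    Returns False (no TLS), True (TLS without any verification, the pre-PR behaviour)
    or a dict of ssl.wrap_socket keyword arguments (client cert and/or CA verification).
    This is illustrative code, not the st2 implementation.
    """
    if not section.getboolean("ssl", fallback=False):
        return False

    keyfile = section.get("ssl_keyfile", fallback="") or None
    certfile = section.get("ssl_certfile", fallback="") or None
    ca_certs = section.get("ssl_ca_certs", fallback="") or None
    reqs_name = (section.get("ssl_cert_reqs", fallback="") or "none").strip().lower()

    if reqs_name not in CERT_REQS:
        raise ValueError(
            "ssl_cert_reqs must be one of none, optional, required; got %r" % reqs_name
        )
    # A client certificate is unusable without its private key, and vice versa.
    if (keyfile is None) != (certfile is None):
        raise ValueError("ssl_keyfile and ssl_certfile must be set together")
    # Asking for verification without a trust anchor would only fail at handshake
    # time (or silently trust the system store); reject it when the config is loaded.
    if reqs_name != "none" and ca_certs is None:
        raise ValueError("ssl_cert_reqs=%s requires ssl_ca_certs" % reqs_name)

    if keyfile is None and ca_certs is None and reqs_name == "none":
        return True  # plain TLS: no client cert, no server certificate verification

    options = {"cert_reqs": CERT_REQS[reqs_name]}
    if keyfile is not None:
        options["keyfile"] = keyfile
        options["certfile"] = certfile
    if ca_certs is not None:
        options["ca_certs"] = ca_certs
    return options


def load_messaging_ssl_options(config_text):
    """Parse INI text and return the ssl argument derived from its [messaging] section."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return build_ssl_options(parser["messaging"])


if __name__ == "__main__":
    # With the sample config this yields cert_reqs=CERT_REQUIRED plus the three paths;
    # the result is what you would pass as kombu.Connection(url, ssl=...).
    print(load_messaging_ssl_options(SAMPLE_CONFIG))
```

The three `ValueError` paths are the point of the example: a half-configured client certificate or a `required` setting with no CA bundle is exactly the kind of misconfiguration that otherwise surfaces only as a confusing handshake failure (or, worse, as a connection that quietly does not verify the broker).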

Kami added 2 commits February 7, 2019 19:01
server certificate using provided CA bundle for message bus (RabbitMQ)
connections.

Option names are consistent with the same option names for MongoDB.

Update affected code so connection and URLs are only retrieved in a
single place.
@Kami Kami added the rabbitmq label Feb 8, 2019
@Kami Kami added this to the 2.10.2 milestone Feb 8, 2019
self._publisher = SharedPoolPublishers().get_publisher(urls=urls)
self._exchange = exchange

def publish_create(self, payload):
with Timer(key='amqp.publish.create'):
self._publisher.publish(payload, self._exchange, CREATE_RK)
self._publisher.publgish(payload, self._exchange, CREATE_RK)
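Review bot: `publgish` in `self._publisher.publgish(payload, self._exchange, CREATE_RK)` is a typo for `publish`; whichever side of the diff it survives on, `publish_create` would raise `AttributeError` on its first call, so the line should read `self._publisher.publish(payload, self._exchange, CREATE_RK)`.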
@arm4b (Member) commented Feb 8, 2019:

Funny typo

@Kami Kami changed the title [WIP] Support for SSL client cert authentication and server certificate validation when connecting to RabbitMQ Support for SSL client cert authentication and server certificate validation when connecting to RabbitMQ Feb 11, 2019
@Kami (Member, Author) commented Feb 11, 2019

@armab @warrenvw Do we already handle CA authority and SSL certificate generation and management somewhere in our kubernetes-ha work?

If we do, it would also be good to eventually utilize it for MongoDB and RabbitMQ connections.


class AnnouncementPublisher(object):
def __init__(self, urls):
def __init__(self, urls=None):
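Review bot: `def __init__(self, urls=None)` keeps a `urls` parameter that the centralised connection retrieval no longer reads, so a caller passing a URL list would silently have it ignored; either drop `urls` from `AnnouncementPublisher.__init__` and its callers in this change, or add a docstring noting that it is deprecated and unused.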
@Kami (Member, Author) commented:

Connection retrieval and URL handling are now centralized in a single place, so there is really no need for this url argument here anymore.

To make the code nicer, I could simply remove it from all those classes.

@arm4b (Member) commented Feb 12, 2019

@Kami No, we don't auto-generate SSL/CA in K8s/HA work, leaving that part for user consideration/configuration.

@@ -41,7 +41,7 @@

SKIP_GROUPS = ['api_pecan', 'rbac', 'results_tracker']

# We group auth options together to nake it a bit more clear what applies where
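Review bot: typo in the added comment: `nake` should be `make` (`# We group auth options together to make it a bit more clear what applies where`).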
@arm4b (Member) commented:

ROFL 😃

@arm4b (Member) left a review comment:

👍

Nake it!

@Kami Kami force-pushed the rabbitmq_connection_ssl_options branch from f091833 to 3b77449 Compare February 12, 2019 16:14
@Kami (Member, Author) commented Feb 12, 2019

I pushed changes so we now also expose an SSL listener when running RabbitMQ on Travis (67fc03f, 3b77449, 922cb23) and added some basic tests which verify that those parameters work as expected (88a6d57).

In the future, we should do the same for MongoDB (we don't have any integration tests for SSL related parameters, just unit ones which are lacking).

NOTE: At the moment we only run those tests on Travis, because the RabbitMQ SSL listener is not set up on local vagrant dev VMs.

@Kami Kami force-pushed the rabbitmq_connection_ssl_options branch from 1eaa005 to 0c69ebd Compare February 12, 2019 18:56
@Kami Kami force-pushed the rabbitmq_connection_ssl_options branch from 0c69ebd to 5387ece Compare February 12, 2019 18:59
@Kami Kami force-pushed the rabbitmq_connection_ssl_options branch from 36cbe7a to 44e513e Compare February 12, 2019 19:07
@Kami Kami merged commit 09fc032 into master Feb 12, 2019
@arm4b arm4b deleted the rabbitmq_connection_ssl_options branch February 12, 2019 20:23
Kami added a commit to StackStorm/st2docs that referenced this pull request Mar 6, 2019
cognifloyd added a commit to cognifloyd/st2 that referenced this pull request Feb 21, 2020
These tests were added in StackStorm#4541.
Now that we're on xenial, we can reenable them.

This skips upgrading rabbitmq.

reverts 44e513e
originally added in 5387ece

reverts 922cb23