diff --git a/manifests/config.pp b/manifests/config.pp
index af79444..88a7520 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,257 +1,261 @@ # Sets all the configuration values for RabbitMQ and creates the directories for # config and ssl. # # @api private class rabbitmq::config { $admin_enable = $rabbitmq::admin_enable $management_enable = $rabbitmq::management_enable $use_config_file_for_plugins = $rabbitmq::use_config_file_for_plugins $cluster_node_type = $rabbitmq::cluster_node_type $cluster_nodes = $rabbitmq::cluster_nodes $config = $rabbitmq::config $config_cluster = $rabbitmq::config_cluster $config_path = $rabbitmq::config_path $config_ranch = $rabbitmq::config_ranch $config_stomp = $rabbitmq::config_stomp $stomp_ensure = $rabbitmq::stomp_ensure $config_shovel = $rabbitmq::config_shovel $config_shovel_statics = $rabbitmq::config_shovel_statics $default_user = $rabbitmq::default_user $default_pass = $rabbitmq::default_pass $env_config = $rabbitmq::env_config $env_config_path = $rabbitmq::env_config_path $erlang_cookie = $rabbitmq::erlang_cookie $interface = $rabbitmq::interface $management_port = $rabbitmq::management_port $management_ssl = $rabbitmq::management_ssl $management_hostname = $rabbitmq::management_hostname $node_ip_address = $rabbitmq::node_ip_address $rabbitmq_user = $rabbitmq::rabbitmq_user $rabbitmq_group = $rabbitmq::rabbitmq_group $rabbitmq_home = $rabbitmq::rabbitmq_home $port = $rabbitmq::port $tcp_keepalive = $rabbitmq::tcp_keepalive $tcp_backlog = $rabbitmq::tcp_backlog $tcp_sndbuf = $rabbitmq::tcp_sndbuf $tcp_recbuf = $rabbitmq::tcp_recbuf $heartbeat = $rabbitmq::heartbeat $service_name = $rabbitmq::service_name $ssl = $rabbitmq::ssl $ssl_only = $rabbitmq::ssl_only $ssl_cacert = $rabbitmq::ssl_cacert $ssl_cert = $rabbitmq::ssl_cert $ssl_key = $rabbitmq::ssl_key $ssl_depth = $rabbitmq::ssl_depth $ssl_cert_password = $rabbitmq::ssl_cert_password $ssl_port = $rabbitmq::ssl_port $ssl_interface = $rabbitmq::ssl_interface $ssl_management_port = $rabbitmq::ssl_management_port $ssl_management_cacert = $rabbitmq::ssl_management_cacert $ssl_management_cert = 
$rabbitmq::ssl_management_cert $ssl_management_key = $rabbitmq::ssl_management_key $ssl_management_verify = $rabbitmq::ssl_management_verify $ssl_management_fail_if_no_peer_cert = $rabbitmq::ssl_management_fail_if_no_peer_cert $ssl_stomp_port = $rabbitmq::ssl_stomp_port $ssl_verify = $rabbitmq::ssl_verify $ssl_fail_if_no_peer_cert = $rabbitmq::ssl_fail_if_no_peer_cert $ssl_secure_renegotiate = $rabbitmq::ssl_secure_renegotiate $ssl_reuse_sessions = $rabbitmq::ssl_reuse_sessions $ssl_honor_cipher_order = $rabbitmq::ssl_honor_cipher_order $ssl_dhfile = $rabbitmq::ssl_dhfile $ssl_versions = $rabbitmq::ssl_versions $ssl_ciphers = $rabbitmq::ssl_ciphers $ssl_crl_check = $rabbitmq::ssl_crl_check $ssl_crl_cache_hash_dir = $rabbitmq::ssl_crl_cache_hash_dir $ssl_crl_cache_http_timeout = $rabbitmq::ssl_crl_cache_http_timeout $stomp_port = $rabbitmq::stomp_port $stomp_ssl_only = $rabbitmq::stomp_ssl_only $ldap_auth = $rabbitmq::ldap_auth $ldap_server = $rabbitmq::ldap_server $ldap_user_dn_pattern = $rabbitmq::ldap_user_dn_pattern $ldap_other_bind = $rabbitmq::ldap_other_bind $ldap_use_ssl = $rabbitmq::ldap_use_ssl $ldap_port = $rabbitmq::ldap_port $ldap_log = $rabbitmq::ldap_log $ldap_config_variables = $rabbitmq::ldap_config_variables $wipe_db_on_cookie_change = $rabbitmq::wipe_db_on_cookie_change $config_variables = $rabbitmq::config_variables $config_kernel_variables = $rabbitmq::config_kernel_variables $config_management_variables = $rabbitmq::config_management_variables $config_additional_variables = $rabbitmq::config_additional_variables $auth_backends = $rabbitmq::auth_backends $cluster_partition_handling = $rabbitmq::cluster_partition_handling $file_limit = $rabbitmq::file_limit
+ $oom_score_adj = $rabbitmq::oom_score_adj
 $collect_statistics_interval = $rabbitmq::collect_statistics_interval $ipv6 = $rabbitmq::ipv6 $inetrc_config = $rabbitmq::inetrc_config $inetrc_config_path = $rabbitmq::inetrc_config_path $ssl_erl_dist = $rabbitmq::ssl_erl_dist $loopback_users = 
$rabbitmq::loopback_users if $ssl_only { $default_ssl_env_variables = {} } else { $default_ssl_env_variables = { 'NODE_PORT' => $port, 'NODE_IP_ADDRESS' => $node_ip_address, } } # This seems like a sensible default, and I think we have to assign it here # to be safe. Use $node_ip_address (which can also be undef) if # $management_ip_address is not set. if $rabbitmq::management_ip_address { $management_ip_address = $rabbitmq::management_ip_address } else { $management_ip_address = $rabbitmq::node_ip_address } $inetrc_env = { 'export ERL_INETRC' => $inetrc_config_path } # Handle env variables. $_environment_variables = $default_ssl_env_variables + $inetrc_env + $rabbitmq::environment_variables if $ipv6 or $ssl_erl_dist { # must append "-proto_dist inet6_tcp" to any provided ERL_ARGS for # both the server and rabbitmqctl, being careful not to mess up # quoting. If both IPv6 and TLS are enabled, we must use "inet6_tls". # Finally, if only TLS is enabled (no IPv6), the -proto_dist value to use # is "inet_tls". if $ipv6 and $ssl_erl_dist { $proto_dist = 'inet6_tls' $ssl_path = " -pa ${::erl_ssl_path} " } elsif $ssl_erl_dist { $proto_dist = 'inet_tls' $ssl_path = " -pa ${::erl_ssl_path} " } else { $proto_dist = 'inet6_tcp' $ssl_path = '' } $ipv6_or_tls_env = ['SERVER_ADDITIONAL', 'CTL'].reduce( {}) |$memo, $item| { $orig = $_environment_variables["RABBITMQ_${item}_ERL_ARGS"] $munged = $orig ? 
{ # already quoted, keep quoting /^([\'\"])(.*)\1/ => "${1}${2}${ssl_path} -proto_dist ${proto_dist}${1}", # unset, add our own quoted value undef => "\"${ssl_path}-proto_dist ${proto_dist}\"", # previously unquoted value, add quoting default => "\"${orig}${ssl_path} -proto_dist ${proto_dist}\"", } merge($memo, { "RABBITMQ_${item}_ERL_ARGS" => $munged }) } $environment_variables = $_environment_variables + $ipv6_or_tls_env } else { $environment_variables = $_environment_variables } file { '/etc/rabbitmq': ensure => directory, owner => $rabbitmq_user, group => $rabbitmq_group, mode => '2755', } file { '/etc/rabbitmq/ssl': ensure => directory, owner => $rabbitmq_user, group => $rabbitmq_group, mode => '2750', } file { 'rabbitmq.config': ensure => file, path => $config_path, content => template($config), owner => $rabbitmq_user, group => $rabbitmq_group, mode => '0640', } file { 'rabbitmq-env.config': ensure => file, path => $env_config_path, content => template($env_config), owner => $rabbitmq_user, group => $rabbitmq_group, mode => '0640', } file { 'rabbitmq-inetrc': ensure => file, path => $inetrc_config_path, content => template($inetrc_config), owner => $rabbitmq_user, group => $rabbitmq_group, mode => '0640', } if $use_config_file_for_plugins { file { 'enabled_plugins': ensure => file, path => '/etc/rabbitmq/enabled_plugins', content => template('rabbitmq/enabled_plugins.erb'), owner => $rabbitmq_user, group => $rabbitmq_group, mode => '0640', require => File['/etc/rabbitmq'], } } if $admin_enable { file { 'rabbitmqadmin.conf': ensure => file, path => '/etc/rabbitmq/rabbitmqadmin.conf', content => template('rabbitmq/rabbitmqadmin.conf.erb'), owner => $rabbitmq_user, group => $rabbitmq_group, mode => '0640', require => File['/etc/rabbitmq'], } } case $facts['os']['family'] { 'Debian': { file { '/etc/default/rabbitmq-server': ensure => file, content => template('rabbitmq/default.erb'), mode => '0644', owner => '0', group => '0', } } 'RedHat': { file { 
'/etc/security/limits.d/rabbitmq-server.conf': content => template('rabbitmq/limits.conf'), owner => '0', group => '0', mode => '0644', } } default: {} } if $facts['systemd'] { # systemd fact provided by systemd module systemd::service_limits { "${service_name}.service": selinux_ignore_defaults => ($facts['os']['family'] == 'RedHat'),
- limits => { 'LimitNOFILE' => $file_limit },
+ limits => {
+ 'LimitNOFILE' => $file_limit,
+ 'OOMScoreAdjust' => $oom_score_adj,
+ },
 # The service will be notified when config changes restart_service => false, } } if $erlang_cookie == undef and $config_cluster { fail('You must set the $erlang_cookie value in order to configure clustering.') } elsif $erlang_cookie != undef { rabbitmq_erlang_cookie { "${rabbitmq_home}/.erlang.cookie": content => $erlang_cookie, force => $wipe_db_on_cookie_change, rabbitmq_user => $rabbitmq_user, rabbitmq_group => $rabbitmq_group, rabbitmq_home => $rabbitmq_home, service_name => $service_name, before => File['rabbitmq.config'], } } }
diff --git a/manifests/init.pp b/manifests/init.pp
index ec7689a..71097b9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
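Review bot: In manifests/config.pp the `systemd::service_limits` resource now writes `OOMScoreAdjust` on every systemd host, including at the default of 0, so a value already set by the packaged unit or by another drop-in is replaced as soon as the module is upgraded. I would make the parameter `Optional[Integer[-1000, 1000]]` with default `undef` in init.pp and add the key only when it is set: `$_oom = $oom_score_adj ? { undef => {}, default => { 'OOMScoreAdjust' => $oom_score_adj } }` and `limits => { 'LimitNOFILE' => $file_limit } + $_oom,`. Whether the `limits` hash of the systemd module accepts `OOMScoreAdjust` depends on the module version in use, which is not visible in this diff, so the dependency's lower bound may need raising. The value is applied only inside `if $facts['systemd']`; on other hosts it is accepted and ignored.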
@@ -1,536 +1,539 @@ # # @summary A module to manage RabbitMQ # # @example Basic usage # include rabbitmq # # @example rabbitmq class # class { 'rabbitmq': # service_manage => false, # port => '5672', # delete_guest_user => true, # } # # @example Offline installation from local mirror: # class { 'rabbitmq': # key_content => template('openstack/rabbit.pub.key'), # package_gpg_key => '/tmp/rabbit.pub.key', # } # # @example Use external package key source for any (apt/rpm) package provider: # class { 'rabbitmq': # package_gpg_key => 'http://www.some_site.some_domain/some_key.pub.key', # } # # @example To use RabbitMQ Environment Variables, use the parameters `environment_variables` e.g.: # class { 'rabbitmq': # port => '5672', # environment_variables => { # 'NODENAME' => 'node01', # 'SERVICENAME' => 'RabbitMQ' # } # } # # @example Change RabbitMQ Config Variables in rabbitmq.config: # class { 'rabbitmq': # port => '5672', # config_variables => { # 'hipe_compile' => true, # 'frame_max' => 131072, # 'log_levels' => "[{connection, info}]" # } # } # # @example Change Erlang Kernel Config Variables in rabbitmq.config # class { 'rabbitmq': # port => '5672', # config_kernel_variables => { # 'inet_dist_listen_min' => 9100, # 'inet_dist_listen_max' => 9105, # } # } # # @example Change Management Plugin Config Variables in rabbitmq.config # class { 'rabbitmq': # config_management_variables => { # 'rates_mode' => 'basic', # } # } # # @example Change Additional Config Variables in rabbitmq.config # class { 'rabbitmq': # config_additional_variables => { # 'autocluster' => '[{consul_service, "rabbit"},{cluster_name, "rabbit"}]', # 'foo' => '[{bar, "baz"}]' # } # } # # This will result in the following config appended to the config file: # {autocluster, [{consul_service, "rabbit"},{cluster_name, "rabbit"}]}, # {foo, [{bar, "baz"}]} # (This is required for the [autocluster plugin](https://github.com/rabbitmq/rabbitmq-autocluster) # # @example Use RabbitMQ clustering facilities # class 
{ 'rabbitmq': # config_cluster => true, # cluster_nodes => ['rabbit1', 'rabbit2'], # cluster_node_type => 'ram', # erlang_cookie => 'A_SECRET_COOKIE_STRING', # wipe_db_on_cookie_change => true, # } # # @param admin_enable # If enabled sets up the management interface/plugin for RabbitMQ. # This also install the rabbitmqadmin command line tool. # @param management_enable # If enabled sets up the management interface/plugin for RabbitMQ. # NOTE: This does not install the rabbitmqadmin command line tool. # @param use_config_file_for_plugins # If enabled the /etc/rabbitmq/enabled_plugins config file is created, # replacing the use of the rabbitmqplugins provider to enable plugins. # @param auth_backends # An array specifying authorization/authentication backend to use. Single quotes should be placed around array entries, # ex. `['{foo, baz}', 'baz']` Defaults to [rabbit_auth_backend_internal], and if using LDAP defaults to [rabbit_auth_backend_internal, # rabbit_auth_backend_ldap]. # @param cluster_node_type # Choose between disc and ram nodes. # @param cluster_nodes # An array of nodes for clustering. # @param cluster_partition_handling # Value to set for `cluster_partition_handling` RabbitMQ configuration variable. # @param collect_statistics_interval # Set the collect_statistics_interval in rabbitmq.config # @param config # The file to use as the rabbitmq.config template. # @param config_additional_variables # Additional config variables in rabbitmq.config # @param config_cluster # Enable or disable clustering support. # @param config_kernel_variables # Hash of Erlang kernel configuration variables to set (see [Variables Configurable in rabbitmq.config](#variables-configurable-in-rabbitmq.config)). # @param config_path # The path to write the RabbitMQ configuration file to. # @param config_ranch # When true, suppress config directives needed for older (<3.6) RabbitMQ versions. 
# @param config_management_variables # Hash of configuration variables for the [Management Plugin](https://www.rabbitmq.com/management.html). # @param config_stomp # Enable or disable stomp. # @param config_shovel # Enable or disable shovel. # @param config_shovel_statics # Hash of static shovel configurations # @param config_variables # To set config variables in rabbitmq.config # @param default_user # Username to set for the `default_user` in rabbitmq.config. # @param default_pass # Password to set for the `default_user` in rabbitmq.config. # @param delete_guest_user # Controls whether default guest user is deleted. # @param env_config # The template file to use for rabbitmq_env.config. # @param env_config_path # The path to write the rabbitmq_env.config file to. # @param environment_variables # RabbitMQ Environment Variables in rabbitmq_env.config # @param erlang_cookie # The erlang cookie to use for clustering - must be the same between all nodes. This value has no default and must be # set explicitly if using clustering. If you run Pacemaker and you don't want to use RabbitMQ buildin cluster, you can set config_cluster # to 'False' and set 'erlang_cookie'. # @param file_limit # Set rabbitmq file ulimit. Defaults to 16384. Only available on systems with `$::osfamily == 'Debian'` or `$::osfamily == 'RedHat'`.
+# @param oom_score_adj
+# Set rabbitmq-server process OOM score. Defaults to 0.
 # @param heartbeat # Set the heartbeat timeout interval, default is unset which uses the builtin server defaults of 60 seconds. Setting this # @param inetrc_config # Template to use for the inetrc config # @param inetrc_config_path # Path of the file to push the inetrc config to. # @param ipv6 # Whether to listen on ipv6 # @param interface # Interface to bind to (sets tcp_listeners parameter). By default, bind to all interfaces # to `0` will disable heartbeats. # @param key_content # Uses content method for Debian OS family. Should be a template for apt::source class. 
Overrides `package_gpg_key` # behavior, if enabled. Undefined by default. # @param ldap_auth # Set to true to enable LDAP auth. # @param ldap_server # LDAP server or servers to use for auth. # @param ldap_user_dn_pattern # User DN pattern for LDAP auth. # @param ldap_other_bind # How to bind to the LDAP server. Defaults to 'anon'. # @param ldap_config_variables # Hash of other LDAP config variables. # @param ldap_use_ssl # Set to true to use SSL for the LDAP server. # @param ldap_port # Numeric port for LDAP server. # @param ldap_log # Set to true to log LDAP auth. # @param manage_python # If enabled, on platforms that don't provide a Python 2 package by default, ensure that the python package is # installed (for rabbitmqadmin). This will only apply if `admin_enable` and `service_manage` are set. # @param management_hostname # The hostname for the RabbitMQ management interface. # @param management_port # The port for the RabbitMQ management interface. # @param management_ip_address # Allows you to set the IP for management interface to bind to separately. Set to 127.0.0.1 to bind to # localhost only, or 0.0.0.0 to bind to all interfaces. # @param management_ssl # Enable/Disable SSL for the management port. Has an effect only if ssl => true. # @param node_ip_address # Allows you to set the IP for RabbitMQ service to bind to. Set to 127.0.0.1 to bind to localhost only, or 0.0.0.0 # to bind to all interfaces. # @param package_apt_pin # Whether to pin the package to a particular source # @param package_ensure # Determines the ensure state of the package. Set to installed by default, but could be changed to latest. # @param package_gpg_key # RPM package GPG key to import. Uses source method. Should be a URL for Debian/RedHat OS family, or a file name for # RedHat OS family. Set to https://www.rabbitmq.com/rabbitmq-release-signing-key.asc for RedHat OS Family and # https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey for Debian OS Family by default. 
Note, that `key_content`, if specified, would # override this parameter for Debian OS family. # @param package_name # Name(s) of the package(s) to install # @param port # The RabbitMQ port. # @param python_package # Name of the package required by rabbitmqadmin. # @param repos_ensure # Ensure that a repo with the official (and newer) RabbitMQ package is configured, along with its signing key. # Defaults to false (use system packages). This does not ensure that soft dependencies (like EPEL on RHEL systems) are present. # It also does not solve the erlang dependency. See https://www.rabbitmq.com/which-erlang.html for a good breakdown of the # different ways of handling the erlang deps. See also https://github.com/voxpupuli/puppet-rabbitmq/issues/788 # @param service_ensure # The state of the service. # @param service_manage # Determines if the service is managed. # @param service_name # The name of the service to manage. # @param service_restart # Default defined in param.pp. Whether to restart the service on config change. # @param ssl # Configures the service for using SSL. # @param ssl_cacert # CA cert path to use for SSL. # @param ssl_cert # Cert to use for SSL. # @param ssl_cert_password # Password used when generating CSR. # @param ssl_depth # SSL verification depth. # @param ssl_dhfile # Use this dhparam file [example: generate with `openssl dhparam -out /etc/rabbitmq/ssl/dhparam.pem 2048` # @param ssl_erl_dist # Whether to use the erlang package's SSL (relies on the ssl_erl_path fact) # @param ssl_honor_cipher_order # Force use of server cipher order # @param ssl_interface # Interface for SSL listener to bind to # @param ssl_key # Key to use for SSL. # @param ssl_only # Configures the service to only use SSL. No cleartext TCP listeners will be created. Requires that ssl => true and # port => undef # @param ssl_management_port # SSL management port. # @param ssl_management_cacert # SSL management cacert. If unset set to ssl_cacert for backwards compatibility. 
# @param ssl_management_cert # SSL management cert. If unset set to ssl_cert for backwards compatibility. # @param ssl_management_key # SSL management key. If unset set to ssl_key for backwards compatibility. # @param ssl_port # SSL port for RabbitMQ # @param ssl_reuse_sessions # Reuse ssl sessions # @param ssl_secure_renegotiate # Use ssl secure renegotiate # @param ssl_stomp_port # SSL stomp port. # @param ssl_verify # rabbitmq.config SSL verify setting. # @param ssl_fail_if_no_peer_cert # rabbitmq.config `fail_if_no_peer_cert` setting. # @param ssl_management_verify # rabbitmq.config SSL verify setting for rabbitmq_management. # @param ssl_versions # Choose which SSL versions to enable. Example: `['tlsv1.2', 'tlsv1.1']` Note # that it is recommended to disable `sslv3 and `tlsv1` to prevent against # POODLE and BEAST attacks. Please see the # [RabbitMQ SSL](https://www.rabbitmq.com/ssl.html) documentation for more information. # @param ssl_ciphers # Support only a given list of SSL ciphers, using either the Erlang or OpenSSL styles. # Supported ciphers in your install can be listed with: `rabbitmqctl eval 'ssl:cipher_suites().'` # Functionality can be tested with cipherscan or similar tool: https://github.com/mozilla/cipherscan # * Erlang style: `['ecdhe_rsa,aes_256_cbc,sha', 'dhe_rsa,aes_256_cbc,sha']` # * OpenSSL style: `['ECDHE-RSA-AES256-SHA', 'DHE-RSA-AES256-SHA']` # @param ssl_crl_check # Perform CRL (Certificate Revocation List) verification # Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_check) module documentation for more information. # @param ssl_crl_cache_hash_dir # This setting makes use of a directory where CRLs are stored in files named by the hash of the issuer name. # Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information. 
# @param ssl_crl_cache_http_timeout # This setting enables use of internal CRLs cache and sets HTTP timeout interval on fetching CRLs from distributino URLs defined inside certificate. # Please see the [Erlang SSL](https://erlang.org/doc/man/ssl.html#type-crl_cache_opts) module documentation for more information. # @param stomp_port # The port to use for Stomp. # @param stomp_ssl_only # Configures STOMP to only use SSL. No cleartext STOMP TCP listeners will be created. Requires setting ssl_stomp_port also. # @param stomp_ensure # Enable to install the stomp plugin. # @param tcp_backlog # The size of the backlog on TCP connections. # @param tcp_keepalive # Enable TCP connection keepalive for RabbitMQ service. # @param tcp_recbuf # Corresponds to recbuf in RabbitMQ `tcp_listen_options` # @param tcp_sndbuf # Integer, corresponds to sndbuf in RabbitMQ `tcp_listen_options` # @param wipe_db_on_cookie_change # Boolean to determine if we should DESTROY AND DELETE the RabbitMQ database. # @param rabbitmq_user # OS dependent The system user the rabbitmq daemon runs as. # @param rabbitmq_group # OS dependent The system group the rabbitmq daemon runs as. # @param rabbitmq_home # OS dependent The home directory of the rabbitmq deamon. 
# @param rabbitmqadmin_package # OS dependent If undef: install rabbitmqadmin via archive, otherwise via package # @param archive_options # Extra options to Archive resource to download rabbitmqadmin file # @param loopback_users # This option configures a list of users to allow access via the loopback interfaces # class rabbitmq ( Boolean $admin_enable = true, Boolean $management_enable = false, Boolean $use_config_file_for_plugins = false, Enum['ram', 'disc'] $cluster_node_type = 'disc', Array $cluster_nodes = [], String $config = 'rabbitmq/rabbitmq.config.erb', Boolean $config_cluster = false, Stdlib::Absolutepath $config_path = '/etc/rabbitmq/rabbitmq.config', Boolean $config_ranch = true, Boolean $config_stomp = false, Boolean $config_shovel = false, Hash $config_shovel_statics = {}, String $default_user = 'guest', String $default_pass = 'guest', Boolean $delete_guest_user = false, String $env_config = 'rabbitmq/rabbitmq-env.conf.erb', Stdlib::Absolutepath $env_config_path = '/etc/rabbitmq/rabbitmq-env.conf', Optional[String] $erlang_cookie = undef, Optional[String] $interface = undef, Optional[String] $management_ip_address = undef, Integer[1, 65535] $management_port = 15672, Boolean $management_ssl = true, Optional[String] $management_hostname = undef, Optional[String] $node_ip_address = undef, Optional[Variant[Numeric, String]] $package_apt_pin = undef, String $package_ensure = 'installed', Optional[String] $package_gpg_key = undef, Variant[String, Array] $package_name = 'rabbitmq', Optional[String] $package_source = undef, Optional[String] $package_provider = undef, Boolean $repos_ensure = false, Boolean $manage_python = true, String $python_package = 'python', String $rabbitmq_user = 'rabbitmq', String $rabbitmq_group = 'rabbitmq', Stdlib::Absolutepath $rabbitmq_home = '/var/lib/rabbitmq', Integer $port = 5672, Boolean $tcp_keepalive = false, Integer $tcp_backlog = 128, Optional[Integer] $tcp_sndbuf = undef, Optional[Integer] $tcp_recbuf = undef, 
Optional[Integer] $heartbeat = undef, Enum['running', 'stopped'] $service_ensure = 'running', Boolean $service_manage = true, String $service_name = 'rabbitmq', Boolean $ssl = false, Boolean $ssl_only = false, Optional[Stdlib::Absolutepath] $ssl_cacert = undef, Optional[Stdlib::Absolutepath] $ssl_cert = undef, Optional[Stdlib::Absolutepath] $ssl_key = undef, Optional[Integer] $ssl_depth = undef, Optional[String] $ssl_cert_password = undef, Integer[1, 65535] $ssl_port = 5671, Optional[String] $ssl_interface = undef, Integer[1, 65535] $ssl_management_port = 15671, Optional[Stdlib::Absolutepath] $ssl_management_cacert = $ssl_cacert, Optional[Stdlib::Absolutepath] $ssl_management_cert = $ssl_cert, Optional[Stdlib::Absolutepath] $ssl_management_key = $ssl_key, Integer[1, 65535] $ssl_stomp_port = 6164, Enum['verify_none','verify_peer'] $ssl_verify = 'verify_none', Boolean $ssl_fail_if_no_peer_cert = false, Enum['verify_none','verify_peer'] $ssl_management_verify = 'verify_none', Boolean $ssl_management_fail_if_no_peer_cert = false, Optional[Array] $ssl_versions = undef, Boolean $ssl_secure_renegotiate = true, Boolean $ssl_reuse_sessions = true, Boolean $ssl_honor_cipher_order = true, Optional[Stdlib::Absolutepath] $ssl_dhfile = undef, Array $ssl_ciphers = [], Enum['true','false','peer','best_effort'] $ssl_crl_check = 'false', Optional[Stdlib::Absolutepath] $ssl_crl_cache_hash_dir = undef, Optional[Integer] $ssl_crl_cache_http_timeout = undef, Boolean $stomp_ensure = false, Boolean $ldap_auth = false, Variant[String[1],Array[String[1]]] $ldap_server = 'ldap', Optional[String] $ldap_user_dn_pattern = undef, String $ldap_other_bind = 'anon', Boolean $ldap_use_ssl = false, Integer[1, 65535] $ldap_port = 389, Boolean $ldap_log = false, Hash $ldap_config_variables = {}, Integer[1, 65535] $stomp_port = 6163, Boolean $stomp_ssl_only = false, Boolean $wipe_db_on_cookie_change = false, String $cluster_partition_handling = 'ignore', 
Variant[Integer[-1],Enum['unlimited'],Pattern[/^(infinity|\d+(:(infinity|\d+))?)$/]] $file_limit = 16384,
+ Integer[-1000, 1000] $oom_score_adj = 0,
 Hash $environment_variables = { 'LC_ALL' => 'en_US.UTF-8' }, Hash $config_variables = {}, Hash $config_kernel_variables = {}, Hash $config_management_variables = {}, Hash $config_additional_variables = {}, Optional[Array] $auth_backends = undef, Optional[String] $key_content = undef, Optional[Integer] $collect_statistics_interval = undef, Boolean $ipv6 = false, String $inetrc_config = 'rabbitmq/inetrc.erb', Stdlib::Absolutepath $inetrc_config_path = '/etc/rabbitmq/inetrc', Boolean $ssl_erl_dist = false, Optional[String] $rabbitmqadmin_package = undef, Array $archive_options = [], Array $loopback_users = ['guest'], Boolean $service_restart = true, ) { if $ssl_only and ! $ssl { fail('$ssl_only => true requires that $ssl => true') } if $config_stomp and $stomp_ssl_only and ! $ssl_stomp_port { fail('$stomp_ssl_only requires that $ssl_stomp_port be set') } if $ssl_versions { unless $ssl { fail('$ssl_versions requires that $ssl => true') } } if $ssl_crl_check != 'false' { unless $ssl { fail('$ssl_crl_check requires that $ssl => true') } } if $ssl_crl_cache_hash_dir { unless $ssl { fail('$ssl_crl_cache_hash_dir requires that $ssl => true') } if $ssl_crl_check == 'false' { fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort') } } if $ssl_crl_cache_http_timeout { unless $ssl { fail('$ssl_crl_cache_http_timeout requires that $ssl => true') } if $ssl_crl_check == 'false' { fail('$ssl_crl_cache_http_timeout requires that $ssl_crl_check => true|peer|best_effort') } } if $repos_ensure { case $facts['os']['family'] { 'RedHat': { contain rabbitmq::repo::rhel Class['rabbitmq::repo::rhel'] -> Class['rabbitmq::install'] } 'Debian': { contain rabbitmq::repo::apt Class['rabbitmq::repo::apt'] -> Class['rabbitmq::install'] } default: { } } } contain rabbitmq::install contain rabbitmq::config contain 
rabbitmq::service contain rabbitmq::management unless $use_config_file_for_plugins { # NOTE(hjensas): condition on $service_manage to keep current behaviour. # The condition is likely not required because installiton of rabbitmqadmin # is no longer handled here. # TODO: Remove the condition on $service_manage if ($management_enable or $admin_enable) and $service_manage { rabbitmq_plugin { 'rabbitmq_management': ensure => present, notify => Class['rabbitmq::service'], provider => 'rabbitmqplugins', } } if ($stomp_ensure) { rabbitmq_plugin { 'rabbitmq_stomp': ensure => present, notify => Class['rabbitmq::service'], provider => 'rabbitmqplugins', } } if ($ldap_auth) { rabbitmq_plugin { 'rabbitmq_auth_backend_ldap': ensure => present, notify => Class['rabbitmq::service'], provider => 'rabbitmqplugins', } } if ($config_shovel) { rabbitmq_plugin { 'rabbitmq_shovel': ensure => present, notify => Class['rabbitmq::service'], provider => 'rabbitmqplugins', } if ($management_enable or $admin_enable) { rabbitmq_plugin { 'rabbitmq_shovel_management': ensure => present, notify => Class['rabbitmq::service'], provider => 'rabbitmqplugins', } } } } if $admin_enable and $service_manage { include 'rabbitmq::install::rabbitmqadmin' Class['rabbitmq::service'] -> Class['rabbitmq::install::rabbitmqadmin'] Class['rabbitmq::install::rabbitmqadmin'] -> Rabbitmq_exchange<| |> } if ($service_restart) { Class['rabbitmq::config'] ~> Class['rabbitmq::service'] } Class['rabbitmq::install'] -> Class['rabbitmq::config'] -> Class['rabbitmq::service'] -> Class['rabbitmq::management'] # Make sure the various providers have their requirements in place. Class['rabbitmq::install'] -> Rabbitmq_plugin<| |> }
diff --git a/spec/classes/rabbitmq_spec.rb b/spec/classes/rabbitmq_spec.rb
index e4c4386..2896117 100644
--- a/spec/classes/rabbitmq_spec.rb
+++ b/spec/classes/rabbitmq_spec.rb
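Review bot: The new `@param oom_score_adj` text in manifests/init.pp calls the value an "OOM score", but the parameter is passed to systemd as `OOMScoreAdjust`, an adjustment between -1000 and 1000, and config.pp applies it only inside `if $facts['systemd']`. I would say so in the doc and state the operational trade-off, for example `# OOM score adjustment (-1000 to 1000) set as systemd OOMScoreAdjust for the rabbitmq-server service; only applied on systemd hosts. Defaults to 0.` followed by `# Negative values make the kernel less likely to kill the broker and more likely to kill other processes on the host when memory runs out.` The second sentence matters for operators who run monitoring or remote-access daemons on the same node and may otherwise lose them first under memory pressure.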
@@ -1,1743 +1,1777 @@
 require 'spec_helper' describe 'rabbitmq' do on_supported_os.each do |os, facts| context "on #{os}" do let :facts do facts end name = case facts[:osfamily] when 'Archlinux', 'OpenBSD', 'FreeBSD' 'rabbitmq' else 'rabbitmq-server' end it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('rabbitmq::install') } it { is_expected.to contain_class('rabbitmq::config').that_notifies('Class[rabbitmq::service]') } it { is_expected.to contain_class('rabbitmq::service') } it { is_expected.to contain_package(name).with_ensure('installed').with_name(name) } if facts[:os]['family'] == 'Suse' it { is_expected.to contain_package('rabbitmq-server-plugins') } end context 'with default params' do it { is_expected.not_to contain_class('rabbitmq::repo::apt') } it { is_expected.not_to contain_apt__source('rabbitmq') } it { is_expected.not_to contain_class('rabbitmq::repo::rhel') } it { is_expected.not_to contain_yumrepo('rabbitmq') } end context 'with service_restart => false' do let(:params) { { service_restart: false } } it { is_expected.not_to contain_class('rabbitmq::config').that_notifies('Class[rabbitmq::service]') } end context 'with repos_ensure => true' do let(:params) { { repos_ensure: true } } if facts[:os]['family'] == 'Debian' it 'includes rabbitmq::repo::apt' do is_expected.to contain_class('rabbitmq::repo::apt'). with_key_source('https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey'). with_key_content(nil) end it 'adds a repo with default values' do is_expected.to contain_apt__source('rabbitmq'). with_ensure('present'). with_location("https://packagecloud.io/rabbitmq/rabbitmq-server/#{facts[:os]['name'].downcase}"). with_release(nil).
with_repos('main') end else it { is_expected.not_to contain_class('rabbitmq::repo::apt') } it { is_expected.not_to contain_apt__souce('rabbitmq') } end if facts[:os]['family'] == 'RedHat' it { is_expected.to contain_class('rabbitmq::repo::rhel') } it 'the repo should be present, and contain the expected values' do is_expected.to contain_yumrepo('rabbitmq'). with_ensure('present'). with_baseurl(%r{https://packagecloud.io/rabbitmq/rabbitmq-server/el/\d+/\$basearch$}). with_gpgkey('https://www.rabbitmq.com/rabbitmq-release-signing-key.asc') end else it { is_expected.not_to contain_class('rabbitmq::repo::rhel') } it { is_expected.not_to contain_yumrepo('rabbitmq') } end end context 'with no pin', if: facts[:os]['family'] == 'Debian' do let(:params) { { repos_ensure: true, package_apt_pin: '' } } if Puppet.version =~ %r{^6} # https://tickets.puppetlabs.com/browse/PUP-9112 and https://tickets.puppetlabs.com/browse/PUP-9180 let(:expected_key_apt_source_key_content) { 'nil' } else let(:expected_key_apt_source_key_content) { ':undef' } end describe 'it sets up an apt::source' do it { is_expected.to contain_apt__source('rabbitmq').with( 'location' => "https://packagecloud.io/rabbitmq/rabbitmq-server/#{facts[:os]['name'].downcase}", 'repos' => 'main', 'key' => "{\"id\"=>\"8C695B0219AFDEB04A058ED8F4E789204D206F89\", \"source\"=>\"https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey\", \"content\"=>#{expected_key_apt_source_key_content}}" ) } end end context 'with pin', if: facts[:os]['family'] == 'Debian' do let(:params) { { repos_ensure: true, package_apt_pin: '700' } } if Puppet.version =~ %r{^6} # https://tickets.puppetlabs.com/browse/PUP-9112 and https://tickets.puppetlabs.com/browse/PUP-9180 let(:expected_key_apt_source_key_content) { 'nil' } else let(:expected_key_apt_source_key_content) { ':undef' } end describe 'it sets up an apt::source and pin' do it { is_expected.to contain_apt__source('rabbitmq').with( 'location' => 
"https://packagecloud.io/rabbitmq/rabbitmq-server/#{facts[:os]['name'].downcase}", 'repos' => 'main', 'key' => "{\"id\"=>\"8C695B0219AFDEB04A058ED8F4E789204D206F89\", \"source\"=>\"https://packagecloud.io/rabbitmq/rabbitmq-server/gpgkey\", \"content\"=>#{expected_key_apt_source_key_content}}" ) } it { is_expected.to contain_apt__pin('rabbitmq').with( 'packages' => '*', 'priority' => '700', 'origin' => 'packagecloud.io' ) } end end ['infinity', -1, 1234].each do |value| context "with file_limit => '#{value}'" do let(:params) { { file_limit: value } } if facts[:os]['family'] == 'RedHat' it do is_expected.to contain_file('/etc/security/limits.d/rabbitmq-server.conf'). with_owner('0'). with_group('0'). with_mode('0644'). that_notifies('Class[Rabbitmq::Service]'). with_content("rabbitmq soft nofile #{value}\nrabbitmq hard nofile #{value}\n") end else it { is_expected.not_to contain_file('/etc/security/limits.d/rabbitmq-server.conf') } end if facts[:os]['family'] == 'Debian' it { is_expected.to contain_file('/etc/default/rabbitmq-server').with_content(%r{ulimit -n #{value}}) } else it { is_expected.not_to contain_file('/etc/default/rabbitmq-server') } end if facts[:systemd] selinux_ignore_defaults = facts[:os]['family'] == 'RedHat' it do is_expected.to contain_systemd__service_limits("#{name}.service"). with_selinux_ignore_defaults(selinux_ignore_defaults). with_limits('LimitNOFILE' => value). 
with_restart_service(false) end else it { is_expected.not_to contain_systemd__service_limits("#{name}.service") } end end end [-42, '-42', 'foo'].each do |value| context "with file_limit => '#{value}'" do let(:params) { { file_limit: value } } it 'does not compile' do expect { catalogue }.to raise_error(Puppet::PreformattedError, %r{Error while evaluating a Resource Statement}) end end end
+ [-1000, 0, 1000].each do |value|
+ context "with oom_score_adj => '#{value}'" do
+ let(:params) { { oom_score_adj: value } }
+
+ if facts[:os]['family'] == 'Debian'
+ it { is_expected.to contain_file('/etc/default/rabbitmq-server').with_content(/^echo #{value} > \/proc\/\$\$\/oom_score_adj$/) }
+ else
+ it { is_expected.not_to contain_file('/etc/default/rabbitmq-server') }
+ end
+
+ if facts[:systemd]
+ selinux_ignore_defaults = facts[:os]['family'] == 'RedHat'
+
+ it do
+ is_expected.to contain_systemd__service_limits("#{name}.service").
+ with_limits('OOMScoreAdjust' => value).
+ with_restart_service(false)
+ end
+ else
+ it { is_expected.not_to contain_systemd__service_limits("#{name}.service") }
+ end
+ end
+ end
+
+ [-2000, 2000, '500', 'foo'].each do |value|
+ context "with oom_score_adj => '#{value}'" do
+ let(:params) { { oom_score_adj: value } }
+
+ it 'does not compile' do
+ expect { catalogue }.to raise_error(Puppet::PreformattedError, %r{Error while evaluating a Resource Statement})
+ end
+ end
+ end
+
 context 'on systems with systemd', if: facts[:systemd] do it do is_expected.to contain_systemd__service_limits("#{name}.service").
with_restart_service(false) end end context 'on systems without systemd', unless: facts[:systemd] do it { is_expected.not_to contain_systemd__service_limits("#{name}.service") } end context 'with admin_enable set to true' do let(:params) { { admin_enable: true, management_ip_address: '1.1.1.1' } } context 'with service_manage set to true' do let(:params) { { admin_enable: true, management_ip_address: '1.1.1.1', service_manage: true } } context 'with rabbitmqadmin_package set to blub' do let(:params) { { rabbitmqadmin_package: 'blub' } } it 'installs a package called blub' do is_expected.to contain_package('rabbitmqadmin').with_name('blub') end end if facts[:os]['family'] == 'Archlinux' it 'installs a package called rabbitmqadmin' do is_expected.to contain_package('rabbitmqadmin').with_name('rabbitmqadmin') end else it 'we enable the admin interface by default' do is_expected.to contain_class('rabbitmq::install::rabbitmqadmin') is_expected.to contain_rabbitmq_plugin('rabbitmq_management').with( notify: 'Class[Rabbitmq::Service]' ) is_expected.to contain_archive('rabbitmqadmin').with_source('http://1.1.1.1:15672/cli/rabbitmqadmin') end end if %w[RedHat Debian SUSE].include?(facts[:os]['family']) it { is_expected.to contain_package('python') } end if %w[FreeBSD OpenBSD].include?(facts[:os]['family']) it { is_expected.to contain_package('python2') } end end context 'with manage_python false' do let(:params) { { manage_python: false } } it do is_expected.to contain_class('rabbitmq::install::rabbitmqadmin') is_expected.not_to contain_package('python') is_expected.not_to contain_package('python2') end end context 'with $management_ip_address undef and service_manage set to true', unless: facts[:osfamily] == 'Archlinux' do let(:params) { { admin_enable: true, management_ip_address: :undef } } it 'we enable the admin interface by default' do is_expected.to contain_class('rabbitmq::install::rabbitmqadmin') is_expected.to contain_rabbitmq_plugin('rabbitmq_management').with( 
notify: 'Class[Rabbitmq::Service]' ) is_expected.to contain_archive('rabbitmqadmin').with_source('http://127.0.0.1:15672/cli/rabbitmqadmin') end end context 'with service_manage set to true, node_ip_address = undef, and default user/pass specified', unless: facts[:osfamily] == 'Archlinux' do let(:params) { { admin_enable: true, default_user: 'foobar', default_pass: 'hunter2', node_ip_address: :undef } } it 'we use the correct URL to rabbitmqadmin' do is_expected.to contain_archive('rabbitmqadmin').with( source: 'http://127.0.0.1:15672/cli/rabbitmqadmin', username: 'foobar', password: 'hunter2' ) end end context 'with service_manage set to true and default user/pass specified', unless: facts[:osfamily] == 'Archlinux' do let(:params) { { admin_enable: true, default_user: 'foobar', default_pass: 'hunter2', management_ip_address: '1.1.1.1' } } it 'we use the correct URL to rabbitmqadmin' do is_expected.to contain_archive('rabbitmqadmin').with( source: 'http://1.1.1.1:15672/cli/rabbitmqadmin', username: 'foobar', password: 'hunter2' ) end end context 'with service_manage set to true and archive_options set', unless: facts[:osfamily] == 'Archlinux' do let(:params) do { admin_enable: true, management_ip_address: '1.1.1.1', archive_options: %w[fizz pop] } end it 'we use the correct archive_options to rabbitmqadmin' do is_expected.to contain_archive('rabbitmqadmin').with( source: 'http://1.1.1.1:15672/cli/rabbitmqadmin', download_options: %w[fizz pop] ) end end context 'with service_manage set to true and management port specified', unless: facts[:osfamily] == 'Archlinux' do # note that the 2.x management port is 55672 not 15672 let(:params) { { admin_enable: true, management_port: 55_672, management_ip_address: '1.1.1.1' } } it 'we use the correct URL to rabbitmqadmin' do is_expected.to contain_archive('rabbitmqadmin').with( source: 'http://1.1.1.1:55672/cli/rabbitmqadmin', username: 'guest', password: 'guest' ) end end context 'with ipv6, service_manage set to true and 
management port specified', unless: facts[:osfamily] == 'Archlinux' do # note that the 2.x management port is 55672 not 15672 let(:params) { { admin_enable: true, management_port: 55_672, management_ip_address: '::1' } } it 'we use the correct URL to rabbitmqadmin' do is_expected.to contain_archive('rabbitmqadmin').with( source: 'http://[::1]:55672/cli/rabbitmqadmin', username: 'guest', password: 'guest' ) end end context 'with service_manage set to false' do let(:params) { { admin_enable: true, service_manage: false } } it 'does nothing' do is_expected.not_to contain_class('rabbitmq::install::rabbitmqadmin') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_management') end end end describe 'manages configuration directory correctly' do it { is_expected.to contain_file('/etc/rabbitmq').with( 'ensure' => 'directory', 'owner' => 'rabbitmq', 'group' => 'rabbitmq', 'mode' => '2755' ) } end describe 'manages configuration file correctly' do it { is_expected.to contain_file('rabbitmq.config').with( 'owner' => 'rabbitmq', 'group' => 'rabbitmq', 'mode' => '0640' ) } end describe 'manages SSL directory correctly' do it { is_expected.to contain_file('/etc/rabbitmq/ssl').with( 'ensure' => 'directory', 'owner' => 'rabbitmq', 'group' => 'rabbitmq', 'mode' => '2750' ) } end describe 'does not contain pre-ranch settings with default config' do it do is_expected.to contain_file('rabbitmq.config'). \ without_content(%r{binary,}). \ without_content(%r{\{packet, raw\},}). \ without_content(%r{\{reuseaddr, true\},}) end end describe 'contains pre-ranch settings with config_ranch set to false' do let(:params) { { config_ranch: false } } it do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{binary,}). \ with_content(%r{\{packet, raw\},}). 
\ with_content(%r{\{reuseaddr, true\},}) end end context 'configures config_cluster' do let(:params) do { config_cluster: true, cluster_nodes: ['hare-1', 'hare-2'], cluster_node_type: 'ram', wipe_db_on_cookie_change: false } end describe 'with erlang_cookie set' do let(:params) do { config_cluster: true, cluster_nodes: ['hare-1', 'hare-2'], cluster_node_type: 'ram', erlang_cookie: 'TESTCOOKIE', wipe_db_on_cookie_change: true } end it 'contains the rabbitmq_erlang_cookie' do is_expected.to contain_rabbitmq_erlang_cookie('/var/lib/rabbitmq/.erlang.cookie') end end describe 'with erlang_cookie set but without config_cluster' do let(:params) do { config_cluster: false, erlang_cookie: 'TESTCOOKIE' } end it 'contains the rabbitmq_erlang_cookie' do is_expected.to contain_rabbitmq_erlang_cookie('/var/lib/rabbitmq/.erlang.cookie') end end describe 'without erlang_cookie and without config_cluster' do let(:params) do { config_cluster: false } end it 'contains the rabbitmq_erlang_cookie' do is_expected.not_to contain_rabbitmq_erlang_cookie('/var/lib/rabbitmq/.erlang.cookie') end end describe 'and sets appropriate configuration' do let(:params) do { config_cluster: true, cluster_nodes: ['hare-1', 'hare-2'], cluster_node_type: 'ram', erlang_cookie: 'ORIGINAL', wipe_db_on_cookie_change: true } end it 'for cluster_nodes' do is_expected.to contain_file('rabbitmq.config').with('content' => %r{cluster_nodes.*\['rabbit@hare-1', 'rabbit@hare-2'\], ram}) end end end describe 'rabbitmq-env configuration' do context 'with default params' do it 'sets environment variables' do is_expected.to contain_file('rabbitmq-env.config'). 
\ with_content(%r{ERL_INETRC=/etc/rabbitmq/inetrc}) end end context 'with environment_variables set' do let(:params) do { environment_variables: { 'NODE_IP_ADDRESS' => '1.1.1.1', 'NODE_PORT' => '5656', 'NODENAME' => 'HOSTNAME', 'SERVICENAME' => 'RabbitMQ', 'CONSOLE_LOG' => 'RabbitMQ.debug', 'CTL_ERL_ARGS' => 'verbose', 'SERVER_ERL_ARGS' => 'v', 'SERVER_START_ARGS' => 'debug' } } end it 'sets environment variables' do is_expected.to contain_file('rabbitmq-env.config'). \ with_content(%r{NODE_IP_ADDRESS=1.1.1.1}). \ with_content(%r{NODE_PORT=5656}). \ with_content(%r{NODENAME=HOSTNAME}). \ with_content(%r{SERVICENAME=RabbitMQ}). \ with_content(%r{CONSOLE_LOG=RabbitMQ.debug}). \ with_content(%r{CTL_ERL_ARGS=verbose}). \ with_content(%r{SERVER_ERL_ARGS=v}). \ with_content(%r{SERVER_START_ARGS=debug}) end end end context 'delete_guest_user' do describe 'should do nothing by default' do it { is_expected.not_to contain_rabbitmq_user('guest') } end describe 'delete user when delete_guest_user set' do let(:params) { { delete_guest_user: true } } it 'removes the user' do is_expected.to contain_rabbitmq_user('guest').with( 'ensure' => 'absent', 'provider' => 'rabbitmqctl' ) end end end context 'configuration setting' do describe 'node_ip_address when set' do let(:params) { { node_ip_address: '172.0.0.1' } } it 'sets NODE_IP_ADDRESS to specified value' do is_expected.to contain_file('rabbitmq-env.config'). 
with_content(%r{NODE_IP_ADDRESS=172\.0\.0\.1}) end end describe 'stomp by default' do it 'does not specify stomp parameters in rabbitmq.config' do is_expected.to contain_file('rabbitmq.config').without('content' => %r{stomp}) end end describe 'stomp when set' do let(:params) { { config_stomp: true, stomp_port: 5679 } } it 'specifies stomp port in rabbitmq.config' do is_expected.to contain_file('rabbitmq.config').with('content' => %r{rabbitmq_stomp.*tcp_listeners, \[5679\]}m) end end describe 'stomp when set ssl port w/o ssl enabled' do let(:params) { { config_stomp: true, stomp_port: 5679, ssl: false, ssl_stomp_port: 5680 } } it 'does not configure ssl_listeners in rabbitmq.config' do is_expected.to contain_file('rabbitmq.config').without('content' => %r{rabbitmq_stomp.*ssl_listeners, \[5680\]}m) end end describe 'stomp when set with ssl' do let(:params) { { config_stomp: true, stomp_port: 5679, ssl: true, ssl_stomp_port: 5680 } } it 'specifies stomp port and ssl stomp port in rabbitmq.config' do is_expected.to contain_file('rabbitmq.config').with('content' => %r{rabbitmq_stomp.*tcp_listeners, \[5679\].*ssl_listeners, \[5680\]}m) end end end describe 'configuring ldap authentication' do let :params do { config_stomp: true, ldap_auth: true, ldap_server: 'ldap.example.com', ldap_user_dn_pattern: 'ou=users,dc=example,dc=com', ldap_other_bind: 'as_user', ldap_use_ssl: false, ldap_port: 389, ldap_log: true, ldap_config_variables: { 'foo' => 'bar' } } end it { is_expected.to contain_rabbitmq_plugin('rabbitmq_auth_backend_ldap') } it 'contains ldap parameters' do verify_contents(catalogue, 'rabbitmq.config', ['[', ' {rabbit, [', ' {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},', ' ]}', ' {rabbitmq_auth_backend_ldap, [', ' {other_bind, as_user},', ' {servers, ["ldap.example.com"]},', ' {user_dn_pattern, "ou=users,dc=example,dc=com"},', ' {use_ssl, false},', ' {port, 389},', ' {foo, bar},', ' {log, true}']) end end describe 'configuring ldap 
authentication' do let :params do { config_stomp: false, ldap_auth: true, ldap_server: 'ldap.example.com', ldap_user_dn_pattern: 'ou=users,dc=example,dc=com', ldap_other_bind: 'as_user', ldap_use_ssl: false, ldap_port: 389, ldap_log: true, ldap_config_variables: { 'foo' => 'bar' } } end it { is_expected.to contain_rabbitmq_plugin('rabbitmq_auth_backend_ldap') } it 'contains ldap parameters' do verify_contents(catalogue, 'rabbitmq.config', ['[', ' {rabbit, [', ' {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},', ' ]}', ' {rabbitmq_auth_backend_ldap, [', ' {other_bind, as_user},', ' {servers, ["ldap.example.com"]},', ' {user_dn_pattern, "ou=users,dc=example,dc=com"},', ' {use_ssl, false},', ' {port, 389},', ' {foo, bar},', ' {log, true}']) end end describe 'configuring ldap authentication' do let :params do { config_stomp: false, ldap_auth: true, ldap_server: 'ldap.example.com', ldap_other_bind: 'as_user', ldap_use_ssl: false, ldap_port: 389, ldap_log: true, ldap_config_variables: { 'foo' => 'bar' } } end it { is_expected.to contain_rabbitmq_plugin('rabbitmq_auth_backend_ldap') } it 'does not set user_dn_pattern when none is specified' do verify_contents(catalogue, 'rabbitmq.config', ['[', ' {rabbit, [', ' {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},', ' ]}', ' {rabbitmq_auth_backend_ldap, [', ' {other_bind, as_user},', ' {servers, ["ldap.example.com"]},', ' {use_ssl, false},', ' {port, 389},', ' {foo, bar},', ' {log, true}']) content = catalogue.resource('file', 'rabbitmq.config').send(:parameters)[:content] expect(content).not_to include 'user_dn_pattern' end end describe 'configuring ldap authentication' do let :params do { config_stomp: false, ldap_auth: true, ldap_server: ['ldap1.example.com', 'ldap2.example.com'], ldap_other_bind: 'as_user', ldap_use_ssl: false, ldap_port: 389, ldap_log: true, ldap_config_variables: { 'foo' => 'bar' } } end it { is_expected.to 
contain_rabbitmq_plugin('rabbitmq_auth_backend_ldap') } it 'does not set user_dn_pattern when none is specified' do verify_contents(catalogue, 'rabbitmq.config', ['[', ' {rabbit, [', ' {auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_ldap]},', ' ]}', ' {rabbitmq_auth_backend_ldap, [', ' {other_bind, as_user},', ' {servers, ["ldap1.example.com", "ldap2.example.com"]},', ' {use_ssl, false},', ' {port, 389},', ' {foo, bar},', ' {log, true}']) content = catalogue.resource('file', 'rabbitmq.config').send(:parameters)[:content] expect(content).not_to include 'user_dn_pattern' end end describe 'configuring auth_backends' do let :params do { auth_backends: ['{baz, foo}', 'bar'] } end it 'contains auth_backends' do verify_contents(catalogue, 'rabbitmq.config', [' {auth_backends, [{baz, foo}, bar]},']) end end describe 'auth_backends overrides ldap_auth' do let :params do { auth_backends: ['{baz, foo}', 'bar'], ldap_auth: true } end it 'contains auth_backends' do verify_contents(catalogue, 'rabbitmq.config', [' {auth_backends, [{baz, foo}, bar]},']) end end context 'use config file for plugins' do describe 'config_plugins_file: true' do let :params do { use_config_file_for_plugins: true } end it 'does not use rabbitmqplugin provider' do is_expected.not_to contain_rabbitmq_plugin('rabbitmq_management') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_shovel_management') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_stomp') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_auth_backend_ldap') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_shovel') end it 'configures enabled_plugins' do is_expected.to contain_file('enabled_plugins').with_content(%r{\[rabbitmq_management\]\.}) end end describe 'with all plugins enabled admin_enable: false, manamgent_enable: true' do let :params do { use_config_file_for_plugins: true, admin_enable: false, management_enable: true, stomp_ensure: true, ldap_auth: true, config_shovel: true } end it 'does not use 
rabbitmqplugin provider' do is_expected.not_to contain_rabbitmq_plugin('rabbitmq_management') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_shovel_management') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_stomp') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_auth_backend_ldap') is_expected.not_to contain_rabbitmq_plugin('rabbitmq_shovel') end it 'configures enabled_plugins' do is_expected.to contain_file('enabled_plugins').with_content(%r{rabbitmq_management}) is_expected.to contain_file('enabled_plugins').with_content(%r{rabbitmq_stomp}) is_expected.to contain_file('enabled_plugins').with_content(%r{rabbitmq_auth_backend_ldap}) is_expected.to contain_file('enabled_plugins').with_content(%r{rabbitmq_shovel}) is_expected.to contain_file('enabled_plugins').with_content(%r{rabbitmq_shovel_management}) is_expected.to contain_file('enabled_plugins').with_content(%r{\[rabbitmq_management,rabbitmq_stomp,rabbitmq_auth_backend_ldap,rabbitmq_shovel,rabbitmq_shovel_management\]\.}) end end end describe 'configure management plugin' do let :params do { admin_enable: true, management_enable: false } end it { is_expected.to contain_rabbitmq_plugin('rabbitmq_management') } it 'sets rabbitmq_managment opts to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{listener, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 15672\}}) end describe 'with admin_enable false' do let :params do { admin_enable: false, management_enable: false } end it { is_expected.not_to contain_rabbitmq_plugin('rabbitmq_management') } end describe 'with admin_enable false and management_enable true' do let :params do { admin_enable: false, management_enable: true } end it { is_expected.to contain_rabbitmq_plugin('rabbitmq_management') } it 'sets rabbitmq_managment opts to specified values' do is_expected.to 
contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{listener, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 15672\}}) end end end describe 'configuring shovel plugin' do let :params do { config_shovel: true } end it { is_expected.to contain_rabbitmq_plugin('rabbitmq_shovel') } it { is_expected.to contain_rabbitmq_plugin('rabbitmq_shovel_management') } describe 'with admin_enable false' do let :params do { config_shovel: true, admin_enable: false } end it { is_expected.not_to contain_rabbitmq_plugin('rabbitmq_shovel_management') } end describe 'with static shovels' do let :params do { config_shovel: true, config_shovel_statics: { 'shovel_first' => '{sources,[{broker,"amqp://"}]}, {destinations,[{broker,"amqp://site1.example.com"}]}, {queue,<<"source_one">>}', 'shovel_second' => '{sources,[{broker,"amqp://"}]}, {destinations,[{broker,"amqp://site2.example.com"}]}, {queue,<<"source_two">>}' } } end it 'generates correct configuration' do verify_contents(catalogue, 'rabbitmq.config', [ ' {rabbitmq_shovel,', ' [{shovels,[', ' {shovel_first,[{sources,[{broker,"amqp://"}]},', ' {destinations,[{broker,"amqp://site1.example.com"}]},', ' {queue,<<"source_one">>}]},', ' {shovel_second,[{sources,[{broker,"amqp://"}]},', ' {destinations,[{broker,"amqp://site2.example.com"}]},', ' {queue,<<"source_two">>}]}', ' ]}]}' ]) end end end describe 'configuring shovel plugin' do let :params do { config_shovel: true } end it { is_expected.to contain_rabbitmq_plugin('rabbitmq_shovel') } it { is_expected.to contain_rabbitmq_plugin('rabbitmq_shovel_management') } describe 'with admin_enable false' do let :params do { config_shovel: true, admin_enable: false } end it { is_expected.not_to contain_rabbitmq_plugin('rabbitmq_shovel_management') } end describe 'with static shovels' do let :params do { config_shovel: true, config_shovel_statics: { 'shovel_first' => 
'{sources,[{broker,"amqp://"}]}, {destinations,[{broker,"amqp://site1.example.com"}]}, {queue,<<"source_one">>}', 'shovel_second' => '{sources,[{broker,"amqp://"}]}, {destinations,[{broker,"amqp://site2.example.com"}]}, {queue,<<"source_two">>}' } } end it 'generates correct configuration' do verify_contents(catalogue, 'rabbitmq.config', [ ' {rabbitmq_shovel,', ' [{shovels,[', ' {shovel_first,[{sources,[{broker,"amqp://"}]},', ' {destinations,[{broker,"amqp://site1.example.com"}]},', ' {queue,<<"source_one">>}]},', ' {shovel_second,[{sources,[{broker,"amqp://"}]},', ' {destinations,[{broker,"amqp://site2.example.com"}]},', ' {queue,<<"source_two">>}]}', ' ]}]}' ]) end end end describe 'default_user and default_pass set' do let(:params) { { default_user: 'foo', default_pass: 'bar' } } it 'sets default_user and default_pass to specified values' do is_expected.to contain_file('rabbitmq.config').with('content' => %r{default_user, <<"foo">>.*default_pass, <<"bar">>}m) end end describe 'interfaces option with no ssl' do let(:params) do { interface: '0.0.0.0' } end it 'sets ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{tcp_listeners, \[\{"0.0.0.0", 5672\}\]}) end end describe 'ssl options and mangament_ssl false' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_secure_renegotiate: true, ssl_reuse_sessions: true, ssl_honor_cipher_order: true, ssl_dhfile: :undef, management_ssl: false, management_port: 13_142 } end it 'sets ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content( %r{ssl_listeners, \[3141\]} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{ssl_options, \[} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{cacertfile,"/path/to/cacert"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{certfile,"/path/to/cert"} ) is_expected.to 
contain_file('rabbitmq.config').with_content( %r{keyfile,"/path/to/key"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{secure_renegotiate,true} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{reuse_sessions,true} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{honor_cipher_order,true} ) is_expected.to contain_file('rabbitmq.config').without_content( %r{dhfile,} ) end it 'sets non ssl port for management port' do is_expected.to contain_file('rabbitmq.config').with_content( %r{port, 13142} ) is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{port\s=\s13142} ) end end describe 'ssl options and mangament_ssl true' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_secure_renegotiate: true, ssl_reuse_sessions: true, ssl_honor_cipher_order: true, ssl_dhfile: :undef, management_ssl: true, ssl_management_port: 13_141 } end it 'sets ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content( %r{ssl_listeners, \[3141\]} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{ssl_opts, } ) is_expected.to contain_file('rabbitmq.config').with_content( %r{ssl_options, \[} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{cacertfile,"/path/to/cacert"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{certfile,"/path/to/cert"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{keyfile,"/path/to/key"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{secure_renegotiate,true} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{reuse_sessions,true} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{honor_cipher_order,true} ) is_expected.to contain_file('rabbitmq.config').without_content( %r{dhfile,} ) end it 'sets ssl managment port to specified values' do is_expected.to 
contain_file('rabbitmq.config').with_content( %r{port, 13141} ) end it 'sets ssl options in the rabbitmqadmin.conf' do is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{ssl_ca_cert_file\s=\s/path/to/cacert} ) is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{ssl_cert_file\s=\s/path/to/cert} ) is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{ssl_key_file\s=\s/path/to/key} ) is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{hostname\s=\s} ) is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{port\s=\s13141} ) end end describe 'ssl options' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_secure_renegotiate: true, ssl_reuse_sessions: true, ssl_honor_cipher_order: true, ssl_dhfile: :undef } end it 'sets ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content( %r{ssl_listeners, \[3141\]} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{ssl_options, \[} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{cacertfile,"/path/to/cacert"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{certfile,"/path/to/cert"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{keyfile,"/path/to/key"} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{secure_renegotiate,true} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{reuse_sessions,true} ) is_expected.to contain_file('rabbitmq.config').with_content( %r{honor_cipher_order,true} ) is_expected.to contain_file('rabbitmq.config').without_content( %r{dhfile,} ) end end describe 'ssl options with ssl_interfaces' do let(:params) do { ssl: true, ssl_port: 3141, ssl_interface: '0.0.0.0', ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key' } end it 'sets ssl options to specified values' do is_expected.to 
contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[\{"0.0.0.0", 3141\}\]}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key}) end end describe 'ssl options with ssl_only' do let(:params) do { ssl: true, ssl_only: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key' } end it 'sets ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{tcp_listeners, \[\]}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_options, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key}) end it 'does not set TCP listener environment defaults' do is_expected.to contain_file('rabbitmq-env.config'). \ without_content(%r{NODE_PORT=}). 
\ without_content(%r{NODE_IP_ADDRESS=}) end end describe 'ssl options with ssl_only and ssl_interfaces' do let(:params) do { ssl: true, ssl_only: true, ssl_port: 3141, ssl_interface: '0.0.0.0', ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key' } end it 'sets ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{tcp_listeners, \[\]}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[\{"0.0.0.0", 3141\}\]}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key}) end end describe 'ssl options with specific ssl versions' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_versions: ['tlsv1.2', 'tlsv1.1'] } end it 'sets ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_listeners, \[3141\]}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_options, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile,"/path/to/cacert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile,"/path/to/cert"}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile,"/path/to/key}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, \[\{versions, \['tlsv1.1', 'tlsv1.2'\]\}\]}) is_expected.to contain_file('rabbitmq.config').with_content(%r{versions, \['tlsv1.1', 'tlsv1.2'\]}) end end describe 'ssl options with ssl_versions and not ssl' do let(:params) do { ssl: false, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_versions: ['tlsv1.2', 'tlsv1.1'] } end it 'fails' do expect { catalogue }.to 
raise_error(Puppet::Error, %r{\$ssl_versions requires that \$ssl => true}) end end describe 'ssl options with ssl ciphers (in Erlang [pre-3.7.9] format)' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_ciphers: ['ecdhe_rsa,aes_256_cbc,sha', 'dhe_rsa,aes_256_cbc,sha'] } end it 'sets ssl ciphers to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{ciphers,\[[[:space:]]+{ecdhe_rsa,aes_256_cbc,sha},[[:space:]]+{dhe_rsa,aes_256_cbc,sha}[[:space:]]+\]}) end end describe 'ssl options with ssl ciphers (in OpenSSL style)' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_ciphers: ['ECDHE-RSA-AES256-SHA', 'DHE-RSA-AES256-SHA'] } end it 'sets ssl ciphers to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{ciphers,\[[[:space:]]+"ECDHE-RSA-AES256-SHA",[[:space:]]+"DHE-RSA-AES256-SHA"[[:space:]]+\]}) end end describe 'ssl options with ssl_crl_check enabled' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_crl_check: 'true' } end it 'sets ssl crl check setting to specified value' do is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true}) end end describe 'ssl options with ssl_crl_check and ssl_crl_hash_cache enabled' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_crl_check: 'true', ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' } end it 'sets ssl crl check setting to specified value' do is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true}) is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_hash_dir,\s+{internal,\s+\[{dir, "/path/to/crl_cache/dir"}\]}}}) end end describe 'ssl options with 
ssl_crl_check and http cache enabled' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_crl_check: 'true', ssl_crl_cache_http_timeout: 5000 } end it 'sets ssl crl check setting to specified value' do is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_check,true}) is_expected.to contain_file('rabbitmq.config').with_content(%r{crl_cache,\s+{ssl_crl_cache,\s+{internal,\s+\[{http, 5000}\]}}}) end end describe 'ssl options with ssl_crl_check enabled and not ssl' do let(:params) do { ssl: false, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_crl_check: 'true' } end it 'fails' do expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_check requires that \$ssl => true}) end end describe 'ssl options with ssl_crl_cache_hash_dir set and not ssl_crl_check' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_crl_check: 'false', ssl_crl_cache_hash_dir: '/path/to/crl_cache/dir' } end it 'fails' do expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_hash_dir requires that \$ssl_crl_check => true|peer|best_effort}) end end describe 'ssl options with ssl_crl_cache_http_timeout set and not ssl_crl_check' do let(:params) do { ssl: true, ssl_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_crl_check: 'false', ssl_crl_cache_http_timeout: 5000 } end it 'fails' do expect { catalogue }.to raise_error(Puppet::Error, %r{\$ssl_crl_cache_http_timeout requires that \$ssl_crl_check => true|peer|best_effort}) end end describe 'ssl admin options with specific ssl versions' do let(:params) do { ssl: true, ssl_management_port: 5926, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_versions: ['tlsv1.2', 'tlsv1.1'], admin_enable: true } end it 'sets 
admin ssl opts to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{listener, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 5926\}}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, true\}}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile, "/path/to/cacert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}}) is_expected.to contain_file('rabbitmq.config').with_content(%r{,\{versions, \['tlsv1.1', 'tlsv1.2'\]\}}) end end describe 'ssl with ssl_dhfile' do let(:params) do { ssl: true, ssl_interface: '0.0.0.0', ssl_dhfile: '/etc/pki/tls/dh-params.pem' } end it { is_expected.to contain_file('rabbitmq.config').with_content(%r{dhfile, "/etc/pki/tls/dh-params\.pem}) } end describe 'ssl with ssl_dhfile unset' do let(:params) do { ssl: true, ssl_interface: '0.0.0.0', ssl_dhfile: :undef } end it { is_expected.to contain_file('rabbitmq.config').without_content(%r{dhfile,}) } end describe 'ssl with ssl_secure_renegotiate false' do let(:params) do { ssl: true, ssl_interface: '0.0.0.0', ssl_secure_renegotiate: false } end it { is_expected.to contain_file('rabbitmq.config').with_content(%r{secure_renegotiate,false}) } end describe 'ssl with ssl_reuse_sessions false' do let(:params) do { ssl: true, ssl_interface: '0.0.0.0', ssl_reuse_sessions: false } end it { is_expected.to contain_file('rabbitmq.config').with_content(%r{reuse_sessions,false}) } end describe 'ssl with ssl_honor_cipher_order false' do let(:params) do { ssl: true, ssl_interface: '0.0.0.0', ssl_honor_cipher_order: false } end it { is_expected.to 
contain_file('rabbitmq.config').with_content(%r{honor_cipher_order,false}) } end describe 'ssl admin options' do let(:params) do { ssl: true, ssl_management_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', ssl_management_verify: 'verify_peer', ssl_management_fail_if_no_peer_cert: true, admin_enable: true } end it 'sets rabbitmq_management ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{listener, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 3141\}}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, true\}}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{verify,verify_peer\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{fail_if_no_peer_cert,true\}}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile, "/path/to/cacert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}}) end end describe 'admin without ssl' do let(:params) do { ssl: false, management_port: 3141, admin_enable: true } end it 'sets rabbitmq_management options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{listener, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 3141\}}) end end describe 'ssl admin options' do let(:params) do { ssl: true, ssl_management_port: 3141, ssl_cacert: '/path/to/cacert', ssl_cert: '/path/to/cert', ssl_key: '/path/to/key', admin_enable: true } end it 'sets rabbitmq_management ssl options to specified values' do is_expected.to 
contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{listener, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 3141\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, true\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile, "/path/to/cacert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/cert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/key"\}}) end end describe 'ssl admin options with dedicated admin-key and -certs' do let(:params) do { ssl: true, ssl_management_port: 3141, ssl_management_cacert: '/path/to/management_cacert', ssl_management_cert: '/path/to/management_cert', ssl_management_key: '/path/to/management_key', admin_enable: true } end it 'sets rabbitmq_management ssl options to specified values' do is_expected.to contain_file('rabbitmq.config').with_content(%r{rabbitmq_management, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{listener, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{port, 3141\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl, true\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{ssl_opts, \[}) is_expected.to contain_file('rabbitmq.config').with_content(%r{cacertfile, "/path/to/management_cacert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{certfile, "/path/to/management_cert"\},}) is_expected.to contain_file('rabbitmq.config').with_content(%r{keyfile, "/path/to/management_key"\}}) end it 'sets ssl options in the rabbitmqadmin.conf' do is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{ssl_ca_cert_file\s=\s/path/to/management_cacert} ) is_expected.to contain_file('rabbitmqadmin.conf').with_content( 
%r{ssl_cert_file\s=\s/path/to/management_cert} ) is_expected.to contain_file('rabbitmqadmin.conf').with_content( %r{ssl_key_file\s=\s/path/to/management_key} ) end end describe 'admin without ssl' do let(:params) do { ssl: false, management_port: 3141, admin_enable: true } end it 'sets rabbitmq_management options to specified values' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{rabbitmq_management, \[}). \ with_content(%r{\{listener, \[}). \ with_content(%r{\{port, 3141\}}) end end describe 'ipv6 enabled' do let(:params) { { ipv6: true } } it 'enables resolver inet6 in inetrc' do is_expected.to contain_file('rabbitmq-inetrc').with_content(%r{{inet6, true}.}) end context 'without other erl args' do it 'enables inet6 distribution' do is_expected.to contain_file('rabbitmq-env.config'). \ with_content(%r{^RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-proto_dist inet6_tcp"$}). \ with_content(%r{^RABBITMQ_CTL_ERL_ARGS="-proto_dist inet6_tcp"$}) end end context 'with other quoted erl args' do let(:params) do { ipv6: true, environment_variables: { 'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => '"some quoted args"', 'RABBITMQ_CTL_ERL_ARGS' => '"other quoted args"' } } end it 'enables inet6 distribution and quote properly' do is_expected.to contain_file('rabbitmq-env.config'). \ with_content(%r{^RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="some quoted args -proto_dist inet6_tcp"$}). \ with_content(%r{^RABBITMQ_CTL_ERL_ARGS="other quoted args -proto_dist inet6_tcp"$}) end end context 'with other unquoted erl args' do let(:params) do { ipv6: true, environment_variables: { 'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => 'foo', 'RABBITMQ_CTL_ERL_ARGS' => 'bar' } } end it 'enables inet6 distribution and quote properly' do is_expected.to contain_file('rabbitmq-env.config'). \ with_content(%r{^RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="foo -proto_dist inet6_tcp"$}). 
\ with_content(%r{^RABBITMQ_CTL_ERL_ARGS="bar -proto_dist inet6_tcp"$}) end end context 'with SSL and without other erl args' do let(:params) do { ipv6: true, ssl_erl_dist: true } end it 'enables inet6 distribution' do is_expected.to contain_file('rabbitmq-env.config'). \ with_content(%r{^RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS=" -pa /usr/lib64/erlang/lib/ssl-7.3.3.1/ebin -proto_dist inet6_tls"$}). \ with_content(%r{^RABBITMQ_CTL_ERL_ARGS=" -pa /usr/lib64/erlang/lib/ssl-7.3.3.1/ebin -proto_dist inet6_tls"$}) end end context 'with SSL and other quoted erl args' do let(:params) do { ipv6: true, ssl_erl_dist: true, environment_variables: { 'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => '"some quoted args"', 'RABBITMQ_CTL_ERL_ARGS' => '"other quoted args"' } } end it 'enables inet6 distribution and quote properly' do is_expected.to contain_file('rabbitmq-env.config'). \ with_content(%r{^RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="some quoted args -pa /usr/lib64/erlang/lib/ssl-7.3.3.1/ebin -proto_dist inet6_tls"$}). \ with_content(%r{^RABBITMQ_CTL_ERL_ARGS="other quoted args -pa /usr/lib64/erlang/lib/ssl-7.3.3.1/ebin -proto_dist inet6_tls"$}) end end context 'with SSL and with other unquoted erl args' do let(:params) do { ipv6: true, ssl_erl_dist: true, environment_variables: { 'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => 'foo', 'RABBITMQ_CTL_ERL_ARGS' => 'bar' } } end it 'enables inet6 distribution and quote properly' do is_expected.to contain_file('rabbitmq-env.config'). \ with_content(%r{^RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="foo -pa /usr/lib64/erlang/lib/ssl-7.3.3.1/ebin -proto_dist inet6_tls"$}). 
\ with_content(%r{^RABBITMQ_CTL_ERL_ARGS="bar -pa /usr/lib64/erlang/lib/ssl-7.3.3.1/ebin -proto_dist inet6_tls"$}) end end end describe 'config_variables options' do let(:params) do { config_variables: { 'hipe_compile' => true, 'vm_memory_high_watermark' => 0.4, 'frame_max' => 131_072, 'collect_statistics' => 'none', 'auth_mechanisms' => "['PLAIN', 'AMQPLAIN']" } } end it 'sets environment variables' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{hipe_compile, true\}}). \ with_content(%r{\{vm_memory_high_watermark, 0.4\}}). \ with_content(%r{\{frame_max, 131072\}}). \ with_content(%r{\{collect_statistics, none\}}). \ with_content(%r{\{auth_mechanisms, \['PLAIN', 'AMQPLAIN'\]\}}) end end describe 'config_kernel_variables options' do let(:params) do { config_kernel_variables: { 'inet_dist_listen_min' => 9100, 'inet_dist_listen_max' => 9105 } } end it 'sets config variables' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{inet_dist_listen_min, 9100\}}). \ with_content(%r{\{inet_dist_listen_max, 9105\}}) end end describe 'config_management_variables' do let(:params) do { config_management_variables: { 'rates_mode' => 'none' } } end it 'sets config variables' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{rates_mode, none\}}) end end describe 'tcp_keepalive enabled' do let(:params) { { tcp_keepalive: true } } it 'sets tcp_listen_options keepalive true' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{keepalive, true\}}) end end describe 'tcp_keepalive disabled (default)' do it 'does not set tcp_listen_options' do is_expected.to contain_file('rabbitmq.config'). \ without_content(%r{\{keepalive, true\}}) end end describe 'tcp_backlog with default value' do it 'sets tcp_listen_options backlog to 128' do is_expected.to contain_file('rabbitmq.config'). 
\ with_content(%r{\{backlog, 128\}}) end end describe 'tcp_backlog with non-default value' do let(:params) do { tcp_backlog: 256 } end it 'sets tcp_listen_options backlog to 256' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{backlog, 256\}}) end end describe 'tcp_sndbuf with default value' do it 'does not set tcp_listen_options sndbuf' do is_expected.to contain_file('rabbitmq.config'). \ without_content(%r{sndbuf}) end end describe 'tcp_sndbuf with non-default value' do let(:params) do { tcp_sndbuf: 128 } end it 'sets tcp_listen_options sndbuf to 128' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{sndbuf, 128\}}) end end describe 'tcp_recbuf with default value' do it 'does not set tcp_listen_options recbuf' do is_expected.to contain_file('rabbitmq.config'). \ without_content(%r{recbuf}) end end describe 'tcp_recbuf with non-default value' do let(:params) do { tcp_recbuf: 128 } end it 'sets tcp_listen_options recbuf to 128' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{recbuf, 128\}}) end end describe 'rabbitmq-heartbeat options' do let(:params) { { heartbeat: 60 } } it 'sets heartbeat paramter in config file' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{heartbeat, 60\}}) end end context 'delete_guest_user' do describe 'should do nothing by default' do it { is_expected.not_to contain_rabbitmq_user('guest') } end describe 'delete user when delete_guest_user set' do let(:params) { { delete_guest_user: true } } it 'removes the user' do is_expected.to contain_rabbitmq_user('guest').with( 'ensure' => 'absent', 'provider' => 'rabbitmqctl' ) end end end describe 'rabbitmq-loopback_users by default' do it 'sets the loopback_users parameter in the config file' do is_expected.to contain_file('rabbitmq.config'). 
\ with_content(%r{\{loopback_users, \[<<"guest">>\]\}}) end end describe 'rabbitmq-loopback_users allow connections via loopback interfaces' do let(:params) { { loopback_users: [] } } it 'sets the loopback_users parameter in the config file' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{loopback_users, \[\]\}}) end end describe 'rabbitmq-loopback_users allow connections via loopback interfaces to a group of users' do let(:params) { { loopback_users: %w[user1 user2] } } it 'sets the loopback_users parameter in the config file' do is_expected.to contain_file('rabbitmq.config'). \ with_content(%r{\{loopback_users, \[<<\"user1\">>, <<\"user2\">>\]\}}) end end ## ## rabbitmq::service ## describe 'service with default params' do it { is_expected.to contain_service('rabbitmq-server').with( 'ensure' => 'running', 'enable' => 'true', 'hasstatus' => 'true', 'hasrestart' => 'true', 'name' => name ) } end context 'on systems with systemd', if: facts[:systemd] do it do is_expected.to contain_service('rabbitmq-server'). that_requires('Class[systemd::systemctl::daemon_reload]') end end describe 'service with ensure stopped' do let :params do { service_ensure: 'stopped' } end it { is_expected.to contain_service('rabbitmq-server').with( 'ensure' => 'stopped', 'enable' => false ) } end describe 'service with service_manage equal to false' do let :params do { service_manage: false } end it { is_expected.not_to contain_service('rabbitmq-server') } end end end end diff --git a/templates/default.erb b/templates/default.erb index a2bea95..461f083 100644 --- a/templates/default.erb +++ b/templates/default.erb 
@@ -1,10 +1,14 @@
 # File managed by Puppet.
 # This file is sourced by /etc/init.d/rabbitmq-server. Its primary
 # reason for existing is to allow adjustment of system limits for the
 # rabbitmq-server process.
 #
 # Maximum number of open file handles. This will need to be increased
 # to handle many simultaneous connections. Refer to the system
 # documentation for ulimit (in man bash) for more information.
 ulimit -n <%= @file_limit %>
+
+# OOM score. It sets the score of the init script, but as this value is
+# inherited, it also applies to the rabbitmq-server.
+echo <%= @oom_score_adj %> > /proc/$$/oom_score_adj
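Review bot: The added `echo <%= @oom_score_adj %> > /proc/$$/oom_score_adj` line renders the parameter unquoted into a file that the init script sources, so whatever the value holds becomes shell text in that script's context. The hunk does not show how `oom_score_adj` is declared; if it is not already typed, I would constrain it at its declaration to the kernel's accepted range, e.g. `Integer[-1000, 1000] $oom_score_adj`. An undef or empty value would render `echo > /proc/$$/oom_score_adj`, which would most likely fail with a write error each time the file is sourced. The new comment could also note that lowering the score needs CAP_SYS_RESOURCE, so the write can fail in restricted containers or where that /proc entry is absent.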