Adding TLS encryption to Mcollective

[andrewklau]

Do not merge, currently untested, will try to test next week.

[andrewklau]

Works well so far with a single host deployment, following the same puppet ca certs that get provisioned from a foreman install.

[andrewklau]

@detiber @sdodson Is there anything you guys think I need to change/add?

[sdodson]

I'll do some functional testing of this after lunch, we'd like to get this and a few other things merged to wrap up another release to puppet forge.

[andrewklau]

@sdodson I tested this again today and looks like the earlier issues you mentioned should be fixed. Let me know if you want anything else changed.

nvm, the file check doesn't seem to work.

[andrewklau]

After further tests, none of my attempts seem to work as the certs exist on the client, making it hard to do an actual check the file exists. Only way I could think of is doing something like this:

exec { 'check msgserver_tls_key': command => '/bin/false', unless => "/usr/bin/test -e ${::openshift_origin::msgserver_tls_key}", }

I'm not too sure how that can be chained either. Moreover, someone could pass msgserver_tls_key = 'puppet://....' which again would break. As you want to get this merged for the next version, I'll revert it back to my original test of checking the variable is defined. Also if the file doesn't exist, activemq_keystores.pp will also complain.

Let me know if you perhaps would have a better way, I perhaps may be overlooking something.

[andrewklau]

I have tested this with aio in all three (enabled, disabled and strict) and they appear to work as expected.

I don't have the resources right now to test an enabled mode of tls_enabled msgserver and standard mcollective client/server

[detiber]

:+1:

[sdodson]

Confirmed in a two host config with both enabled and strict options. Minimal config, assuming puppet certificates exist, is simply msgserver_tls_enabled => 'strict' or 'enabled'. Thanks for the excellet PR and patience while I tested.

:+1: