Enable TLS for rabbitmq's replication traffic

This follows the RabbitMQ docs [1] for enabling TLS for the replication
traffic. It reuses the certificate that rabbitmq already has.

Unfortunately, pacemaker uses the shortname for the rabbitmq nodes, so
we are not able to do proper verification of the certificates, since we
can't allocate a certificate for shortnames. So, until pacemaker can
track the rabbit nodes through their FQDNs, we don't set any verification
options.

[1] https://www.rabbitmq.com/clustering-ssl.html

Depends on: voxpupuli/puppet-rabbitmq#574

bp tls-via-certmonger
Co-Authored-By: Alex Schultz <[email protected]>
Change-Id: I265c89cb8898a6da78a606664a22c50f5e57a847
(cherry picked from commit 52404b8)

manifests/profile/base/rabbitmq.pp

@@ -93,9 +93,19 @@
   if $enable_internal_tls {
     $tls_certfile = $certificate_specs['service_certificate']
     $tls_keyfile = $certificate_specs['service_key']
+    $cert_option = "-ssl_dist_opt server_certfile ${tls_certfile}"
+    $key_option = "-ssl_dist_opt server_keyfile ${tls_keyfile}"
+    $secure_renegotiate = '-ssl_dist_opt server_secure_renegotiate true -ssl_dist_opt client_secure_renegotiate true'
+
+    $rabbitmq_additional_erl_args = "\"${cert_option} ${key_option} ${secure_renegotiate}\""
+    $environment_real = merge($environment, {
+      'RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS' => $rabbitmq_additional_erl_args,
+      'RABBITMQ_CTL_ERL_ARGS' => $rabbitmq_additional_erl_args
+    })
   } else {
     $tls_certfile = undef
     $tls_keyfile = undef
+    $environment_real = $environment
   }
 
   if $inet_dist_interface {
@@ -116,7 +126,7 @@
         cluster_nodes           => $nodes,
         config_kernel_variables => $real_kernel_variables,
         config_variables        => $config_variables,
-        environment_variables   => $environment,
+        environment_variables   => $environment_real,
         # TLS options
         ssl_cert                => $tls_certfile,
         ssl_key                 => $tls_keyfile,