RabbitMQ: Add ability to change admin password.
This PS adds the ability to change the admin user credentials and erlang session cookie. To do so requires `--recreate-pods` to be passed to helm on a release upgrade. Change-Id: Ib04ad43a7c303a8ddc31fd0de288a2f7f3294a12 Signed-off-by: Pete Birley <pete@port.direct>
This commit is contained in:
parent
87263a6e3c
commit
0903238e91
23
rabbitmq/templates/bin/_rabbitmq-cookie.sh.tpl
Normal file
23
rabbitmq/templates/bin/_rabbitmq-cookie.sh.tpl
Normal file
@ -0,0 +1,23 @@
|
||||
#!/bin/bash
|
||||
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
set -ex
|
||||
|
||||
cp -vf /run/lib/rabbitmq/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie
|
||||
chown "rabbitmq" /var/lib/rabbitmq/.erlang.cookie
|
||||
chmod 0600 /var/lib/rabbitmq/.erlang.cookie
|
52
rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl
Normal file
52
rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl
Normal file
@ -0,0 +1,52 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
# Copyright 2019 The Openstack-Helm Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# See here for explanation:
|
||||
# http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2011-May/012765.html
|
||||
|
||||
from __future__ import print_function
|
||||
import base64
|
||||
import json
|
||||
import os
|
||||
import hashlib
|
||||
import struct
|
||||
import sys
|
||||
|
||||
user = os.environ['RABBITMQ_ADMIN_USERNAME']
|
||||
password = os.environ['RABBITMQ_ADMIN_PASSWORD']
|
||||
output_file = os.environ['RABBITMQ_DEFINITION_FILE']
|
||||
|
||||
salt = os.urandom(4)
|
||||
|
||||
tmp0 = salt + password.encode('utf-8')
|
||||
|
||||
tmp1 = hashlib.sha512(tmp0).digest()
|
||||
|
||||
salted_hash = salt + tmp1
|
||||
|
||||
pass_hash = base64.b64encode(salted_hash)
|
||||
|
||||
output = {
|
||||
"users": [{
|
||||
"name": user,
|
||||
"password_hash": pass_hash.decode("utf-8"),
|
||||
"hashing_algorithm": "rabbit_password_hashing_sha512",
|
||||
"tags": "administrator"
|
||||
}]
|
||||
}
|
||||
with open(output_file, 'w') as f:
|
||||
f.write(json.dumps(output))
|
||||
f.close()
|
@ -18,4 +18,4 @@ limitations under the License.
|
||||
|
||||
set -ex
|
||||
|
||||
exec /docker-entrypoint.sh rabbitmq-server
|
||||
exec rabbitmq-server
|
||||
|
@ -32,6 +32,10 @@ data:
|
||||
{{ tuple "bin/_rabbitmq-liveness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
rabbitmq-start.sh: |
|
||||
{{ tuple "bin/_rabbitmq-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
rabbitmq-cookie.sh: |
|
||||
{{ tuple "bin/_rabbitmq-cookie.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
rabbitmq-password-hash.py: |
|
||||
{{ tuple "bin/_rabbitmq-password-hash.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
rabbitmq-wait-for-cluster.sh: |
|
||||
{{ tuple "bin/_rabbitmq-wait-for-cluster.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
{{ end }}
|
||||
|
27
rabbitmq/templates/secret-erlang-cookie.yaml
Normal file
27
rabbitmq/templates/secret-erlang-cookie.yaml
Normal file
@ -0,0 +1,27 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.secret_erlang_cookie }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||
type: Opaque
|
||||
data:
|
||||
erlang_cookie: {{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie | b64enc -}}
|
||||
{{- end }}
|
28
rabbitmq/templates/secret-rabbit-admin.yaml
Normal file
28
rabbitmq/templates/secret-rabbit-admin.yaml
Normal file
@ -0,0 +1,28 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.secret_admin_user }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||
type: Opaque
|
||||
data:
|
||||
RABBITMQ_ADMIN_USERNAME: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.username | b64enc }}
|
||||
RABBITMQ_ADMIN_PASSWORD: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.password | b64enc }}
|
||||
{{- end }}
|
@ -77,6 +77,8 @@ spec:
|
||||
annotations:
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
secret-rabbit-admin-hash: {{ tuple "secret-rabbit-admin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
secret-erlang-cookie-hash: {{ tuple "secret-erlang-cookie.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
@ -87,6 +89,51 @@ spec:
|
||||
{{ $envAll.Values.labels.server.node_selector_key }}: {{ $envAll.Values.labels.server.node_selector_value | quote }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
- name: rabbitmq-password
|
||||
{{ tuple $envAll "rabbitmq_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- /tmp/rabbitmq-password-hash.py
|
||||
env:
|
||||
- name: RABBITMQ_ADMIN_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||
key: RABBITMQ_ADMIN_USERNAME
|
||||
- name: RABBITMQ_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||
key: RABBITMQ_ADMIN_PASSWORD
|
||||
- name: RABBITMQ_DEFINITION_FILE
|
||||
value: "{{ index $envAll.Values.conf.rabbitmq "management.load_definitions" }}"
|
||||
volumeMounts:
|
||||
- name: rabbitmq-data
|
||||
mountPath: /var/lib/rabbitmq
|
||||
- name: rabbitmq-bin
|
||||
mountPath: /tmp/rabbitmq-password-hash.py
|
||||
subPath: rabbitmq-password-hash.py
|
||||
readOnly: true
|
||||
- name: rabbitmq-cookie
|
||||
{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- /tmp/rabbitmq-cookie.sh
|
||||
volumeMounts:
|
||||
- name: rabbitmq-bin
|
||||
mountPath: /tmp/rabbitmq-cookie.sh
|
||||
subPath: rabbitmq-cookie.sh
|
||||
readOnly: true
|
||||
- name: rabbitmq-data
|
||||
mountPath: /var/lib/rabbitmq
|
||||
- name: rabbitmq-erlang-cookie
|
||||
mountPath: /var/run/lib/rabbitmq/.erlang.cookie
|
||||
subPath: erlang_cookie
|
||||
readOnly: true
|
||||
{{- if $envAll.Values.volume.chown_on_start }}
|
||||
- name: rabbitmq-perms
|
||||
{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
@ -151,7 +198,13 @@ spec:
|
||||
- name: rabbitmq-data
|
||||
mountPath: /var/lib/rabbitmq
|
||||
- name: rabbitmq-bin
|
||||
mountPath: /tmp
|
||||
mountPath: /tmp/rabbitmq-start.sh
|
||||
subPath: rabbitmq-start.sh
|
||||
readOnly: true
|
||||
- name: rabbitmq-bin
|
||||
mountPath: /tmp/rabbitmq-liveness.sh
|
||||
subPath: rabbitmq-liveness.sh
|
||||
readOnly: true
|
||||
- name: rabbitmq-etc
|
||||
mountPath: /etc/rabbitmq/enabled_plugins
|
||||
subPath: enabled_plugins
|
||||
@ -169,6 +222,10 @@ spec:
|
||||
configMap:
|
||||
name: {{ printf "%s-%s" $envAll.Release.Name "rabbitmq-etc" | quote }}
|
||||
defaultMode: 0444
|
||||
- name: rabbitmq-erlang-cookie
|
||||
secret:
|
||||
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||
defaultMode: 0444
|
||||
{{- if not $envAll.Values.volume.enabled }}
|
||||
- name: rabbitmq-data
|
||||
emptyDir: {}
|
||||
|
@ -34,7 +34,8 @@ labels:
|
||||
images:
|
||||
tags:
|
||||
prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0
|
||||
prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:newton
|
||||
prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:ocata
|
||||
rabbitmq_init: docker.io/openstackhelm/heat:ocata
|
||||
rabbitmq: docker.io/rabbitmq:3.7.4
|
||||
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
||||
scripted_test: docker.io/rabbitmq:3.7.4-management
|
||||
@ -126,6 +127,7 @@ conf:
|
||||
cluster_partition_handling: autoheal
|
||||
queue_master_locator: min-masters
|
||||
loopback_users.guest: "false"
|
||||
management.load_definitions: "/var/lib/rabbitmq/definitions.json"
|
||||
|
||||
dependencies:
|
||||
dynamic:
|
||||
@ -297,6 +299,8 @@ manifests:
|
||||
deployment_exporter: true
|
||||
service_exporter: true
|
||||
network_policy: false
|
||||
secret_erlang_cookie: true
|
||||
secret_admin_user: true
|
||||
service_discovery: true
|
||||
service_ingress_management: true
|
||||
service: true
|
||||
|
@ -24,6 +24,8 @@ make rabbitmq
|
||||
helm upgrade --install rabbitmq ./rabbitmq \
|
||||
--namespace=openstack \
|
||||
--set pod.replicas.server=3 \
|
||||
--recreate-pods \
|
||||
--force \
|
||||
${OSH_EXTRA_HELM_ARGS} \
|
||||
${OSH_EXTRA_HELM_ARGS_RABBITMQ}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user