diff --git a/rabbitmq/templates/bin/_rabbitmq-cookie.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-cookie.sh.tpl
new file mode 100644
index 000000000..bb9383d2f
--- /dev/null
+++ b/rabbitmq/templates/bin/_rabbitmq-cookie.sh.tpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+cp -vf /run/lib/rabbitmq/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie
+chown "rabbitmq" /var/lib/rabbitmq/.erlang.cookie
+chmod 0600 /var/lib/rabbitmq/.erlang.cookie
diff --git a/rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl b/rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl
new file mode 100644
index 000000000..34d13990f
--- /dev/null
+++ b/rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl
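Review bot: The source path in `cp -vf /run/lib/rabbitmq/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie` is not where the statefulset mounts the secret; the init-container hunk of statefulset.yaml later in this diff mounts it at `/var/run/lib/rabbitmq/.erlang.cookie`, so the copy only succeeds on images where `/var/run` resolves to `/run`, which the chart should not silently depend on. Using the mount path literally, `cp -vf /var/run/lib/rabbitmq/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie`, keeps the script and the manifest in agreement. The `chown`/`chmod 0600` pair is the right shape, since Erlang rejects a cookie file that is readable by other users, and `set -x` traces only file names here, never the cookie value, so the tracing is safe to keep.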
@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# See here for explanation:
+# http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2011-May/012765.html
+
+from __future__ import print_function
+import base64
+import json
+import os
+import hashlib
+import struct
+import sys
+
+user = os.environ['RABBITMQ_ADMIN_USERNAME']
+password = os.environ['RABBITMQ_ADMIN_PASSWORD']
+output_file = os.environ['RABBITMQ_DEFINITION_FILE']
+
+salt = os.urandom(4)
+
+tmp0 = salt + password.encode('utf-8')
+
+tmp1 = hashlib.sha512(tmp0).digest()
+
+salted_hash = salt + tmp1
+
+pass_hash = base64.b64encode(salted_hash)
+
+output = {
+ "users": [{
+ "name": user,
+ "password_hash": pass_hash.decode("utf-8"),
+ "hashing_algorithm": "rabbit_password_hashing_sha512",
+ "tags": "administrator"
+ }]
+}
+with open(output_file, 'w') as f:
+ f.write(json.dumps(output))
+ f.close()
diff --git a/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
index 98394ddfd..56be4682e 100644
--- a/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-start.sh.tpl
@@ -18,4 +18,4 @@ limitations under the License.
 
 set -ex
 
-exec /docker-entrypoint.sh rabbitmq-server
+exec rabbitmq-server
diff --git a/rabbitmq/templates/configmap-bin.yaml b/rabbitmq/templates/configmap-bin.yaml
index 371bdd06b..26cbef384 100644
--- a/rabbitmq/templates/configmap-bin.yaml
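Review bot: `tmp0 = salt + password.encode('utf-8')` fails for any non-ASCII password when the `rabbitmq_init` image's `python` is Python 2: `os.environ` values are byte strings there, and `.encode()` on a byte string first decodes it as ASCII, raising UnicodeDecodeError. A one-line guard keeps both interpreters working, `pw_bytes = password if isinstance(password, bytes) else password.encode('utf-8')`, used in place of the encode call. The 4-byte salt prepended to the SHA-512 digest and then base64-encoded is the layout `rabbit_password_hashing_sha512` expects, so only the encoding step needs attention; `struct`, `sys` and `print_function` are unused, and the `f.close()` inside the `with` block is redundant. The file written to `RABBITMQ_DEFINITION_FILE` holds only the salted hash, but it is created as root with whatever the umask allows; if the server only needs it readable by the rabbitmq user, tightening the mode after writing (and leaving ownership to whatever re-owns the data volume) limits how widely the hash is exposed.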
+++ b/rabbitmq/templates/configmap-bin.yaml
@@ -32,6 +32,10 @@ data:
 {{ tuple "bin/_rabbitmq-liveness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 rabbitmq-start.sh: |
 {{ tuple "bin/_rabbitmq-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbitmq-cookie.sh: |
+{{ tuple "bin/_rabbitmq-cookie.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ rabbitmq-password-hash.py: |
+{{ tuple "bin/_rabbitmq-password-hash.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 rabbitmq-wait-for-cluster.sh: |
 {{ tuple "bin/_rabbitmq-wait-for-cluster.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 {{ end }}
diff --git a/rabbitmq/templates/secret-erlang-cookie.yaml b/rabbitmq/templates/secret-erlang-cookie.yaml
new file mode 100644
index 000000000..fd114e7b7
--- /dev/null
+++ b/rabbitmq/templates/secret-erlang-cookie.yaml
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_erlang_cookie }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
+type: Opaque
+data:
+ erlang_cookie: {{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie | b64enc -}}
+{{- end }}
diff --git a/rabbitmq/templates/secret-rabbit-admin.yaml b/rabbitmq/templates/secret-rabbit-admin.yaml
new file mode 100644
index 000000000..1721a4728
--- /dev/null
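Review bot: `erlang_cookie: {{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie | b64enc -}}` accepts an empty value silently, and the values.yaml hunks in this commit add no default for it, so a release deployed without a cookie configured would get a Secret holding an empty cookie that every node then authenticates with. Wrapping the lookup in `required`, `erlang_cookie: {{ required "endpoints.oslo_messaging.auth.erlang_cookie must be set" $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie | b64enc }}`, makes the render fail instead of producing a cluster with a blank shared secret. The same applies to the username and password lines of secret-rabbit-admin.yaml in the next file section. The `-}}` trim on the cookie line is also inconsistent with the admin secret's plain `}}`; both render, but pick one.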
+++ b/rabbitmq/templates/secret-rabbit-admin.yaml
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_admin_user }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+type: Opaque
+data:
+ RABBITMQ_ADMIN_USERNAME: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.username | b64enc }}
+ RABBITMQ_ADMIN_PASSWORD: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.password | b64enc }}
+{{- end }}
diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulset.yaml
index 17acbc380..b995bc302 100644
--- a/rabbitmq/templates/statefulset.yaml
+++ b/rabbitmq/templates/statefulset.yaml
@@ -77,6 +77,8 @@ spec:
 annotations:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ secret-rabbit-admin-hash: {{ tuple "secret-rabbit-admin.yaml" . | include "helm-toolkit.utils.hash" }}
+ secret-erlang-cookie-hash: {{ tuple "secret-erlang-cookie.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 securityContext:
 readOnlyRootFilesystem: true
@@ -87,6 +89,51 @@ spec:
 {{ $envAll.Values.labels.server.node_selector_key }}: {{ $envAll.Values.labels.server.node_selector_value | quote }}
 initContainers:
 {{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: rabbitmq-password
+{{ tuple $envAll "rabbitmq_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ runAsUser: 0
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/rabbitmq-password-hash.py
+ env:
+ - name: RABBITMQ_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+ key: RABBITMQ_ADMIN_USERNAME
+ - name: RABBITMQ_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
+ key: RABBITMQ_ADMIN_PASSWORD
+ - name: RABBITMQ_DEFINITION_FILE
+ value: "{{ index $envAll.Values.conf.rabbitmq "management.load_definitions" }}"
+ volumeMounts:
+ - name: rabbitmq-data
+ mountPath: /var/lib/rabbitmq
+ - name: rabbitmq-bin
+ mountPath: /tmp/rabbitmq-password-hash.py
+ subPath: rabbitmq-password-hash.py
+ readOnly: true
+ - name: rabbitmq-cookie
+{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
+ securityContext:
+ runAsUser: 0
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /tmp/rabbitmq-cookie.sh
+ volumeMounts:
+ - name: rabbitmq-bin
+ mountPath: /tmp/rabbitmq-cookie.sh
+ subPath: rabbitmq-cookie.sh
+ readOnly: true
+ - name: rabbitmq-data
+ mountPath: /var/lib/rabbitmq
+ - name: rabbitmq-erlang-cookie
+ mountPath: /var/run/lib/rabbitmq/.erlang.cookie
+ subPath: erlang_cookie
+ readOnly: true
 {{- if $envAll.Values.volume.chown_on_start }}
 - name: rabbitmq-perms
 {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -151,7 +198,13 @@ spec:
 - name: rabbitmq-data
 mountPath: /var/lib/rabbitmq
 - name: rabbitmq-bin
- mountPath: /tmp
+ mountPath: /tmp/rabbitmq-start.sh
+ subPath: rabbitmq-start.sh
+ readOnly: true
+ - name: rabbitmq-bin
+ mountPath: /tmp/rabbitmq-liveness.sh
+ subPath: rabbitmq-liveness.sh
+ readOnly: true
 - name: rabbitmq-etc
 mountPath: /etc/rabbitmq/enabled_plugins
 subPath: enabled_plugins
@@ -169,6 +222,10 @@ spec:
 configMap:
 name: {{ printf "%s-%s" $envAll.Release.Name "rabbitmq-etc" | quote }}
 defaultMode: 0444
+ - name: rabbitmq-erlang-cookie
+ secret:
+ secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
+ defaultMode: 0444
 {{- if not $envAll.Values.volume.enabled }}
 - name: rabbitmq-data
 emptyDir: {}
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index 21a0653e0..730b368ec 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -34,7 +34,8 @@ labels:
 images:
 tags:
 prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0
- prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:newton
+ prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:ocata
+ rabbitmq_init: docker.io/openstackhelm/heat:ocata
 rabbitmq: docker.io/rabbitmq:3.7.4
 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
 scripted_test: docker.io/rabbitmq:3.7.4-management
@@ -126,6 +127,7 @@ conf:
 cluster_partition_handling: autoheal
 queue_master_locator: min-masters
 loopback_users.guest: "false"
+ management.load_definitions: "/var/lib/rabbitmq/definitions.json"
 
 dependencies:
 dynamic:
@@ -297,6 +299,8 @@ manifests:
 deployment_exporter: true
 service_exporter: true
 network_policy: false
+ secret_erlang_cookie: true
+ secret_admin_user: true
 service_discovery: true
 service_ingress_management: true
 service: true
diff --git a/tools/deployment/openstack-support/030-rabbitmq.sh b/tools/deployment/openstack-support/030-rabbitmq.sh
index f6fe6c9ab..8de6e71f8 100755
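Review bot: Both new init containers run with `runAsUser: 0` and nothing in the hunk says why; for `rabbitmq-password` this means the admin password sits in the environment of a root process whose only privileged need, as far as the hunk shows, is writing the definitions file into the `rabbitmq-data` volume. A comment on each `securityContext`, e.g. `# root only so the data volume can be written before rabbitmq-perms re-owns it`, would record that, and adding `allowPrivilegeEscalation: false` next to `runAsUser: 0` costs nothing. Whether the `rabbitmq-perms` container that follows (its body is outside the hunk) actually re-owns these files for the rabbitmq user is something I cannot confirm from here, but the server container has to read both the cookie and the definitions file, so that ordering deserves a test. The `readOnly: true` subPath mounts for the scripts and the secret are the right call.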
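Review bot: Replacing the whole-ConfigMap mount at `/tmp` with two `subPath` mounts means any other script the server container expected under `/tmp` is no longer there: the configmap-bin hunk shows the map also carries `rabbitmq-wait-for-cluster.sh` and entries above its line 32 that this diff does not show, so if a readiness probe or another step in this container references one of those, it will now fail with a missing file; the probe definitions lie outside this hunk and should be checked. Per-script read-only mounts are otherwise an improvement over exposing the entire map. One caveat is worth recording next to the mounts, e.g. `# subPath mounts do not pick up ConfigMap updates; the configmap-bin-hash annotation rolls the pods instead`, since the annotation hunk above is what now carries that responsibility.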
--- a/tools/deployment/openstack-support/030-rabbitmq.sh
+++ b/tools/deployment/openstack-support/030-rabbitmq.sh
@@ -24,6 +24,8 @@ make rabbitmq
 helm upgrade --install rabbitmq ./rabbitmq \
 --namespace=openstack \
 --set pod.replicas.server=3 \
+ --recreate-pods \
+ --force \
 ${OSH_EXTRA_HELM_ARGS} \
 ${OSH_EXTRA_HELM_ARGS_RABBITMQ}
 
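Review bot: `--force` on this `helm upgrade --install` tells Helm to delete and recreate any resource it cannot update in place, which for a StatefulSet backed by persistent volumes takes the whole broker down on every run of the script and, depending on the volume settings, can be destructive; the hunk gives no reason for it. If it is only needed once to move existing releases onto the new init containers, a comment saying so, e.g. `# --force/--recreate-pods: needed to migrate releases created before the init-container change`, would stop the flags being carried forward indefinitely. The `--recreate-pods` flag on its own is the gentler option if the goal is merely to pick up the new secrets.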