RabbitMQ: Add ability to change admin password.
This PS adds the ability to change the admin user credentials and erlang session cookie. To do so requires `--recreate-pods` to be passed to helm on a release upgrade. Change-Id: Ib04ad43a7c303a8ddc31fd0de288a2f7f3294a12 Signed-off-by: Pete Birley <pete@port.direct>
This commit is contained in:
parent
87263a6e3c
commit
0903238e91
23
rabbitmq/templates/bin/_rabbitmq-cookie.sh.tpl
Normal file
23
rabbitmq/templates/bin/_rabbitmq-cookie.sh.tpl
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
set -ex
|
||||||
|
|
||||||
|
cp -vf /run/lib/rabbitmq/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie
|
||||||
|
chown "rabbitmq" /var/lib/rabbitmq/.erlang.cookie
|
||||||
|
chmod 0600 /var/lib/rabbitmq/.erlang.cookie
|
52
rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl
Normal file
52
rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
# Copyright 2019 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# See here for explanation:
|
||||||
|
# http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2011-May/012765.html
|
||||||
|
|
||||||
|
from __future__ import print_function
|
||||||
|
import base64
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
import hashlib
|
||||||
|
import struct
|
||||||
|
import sys
|
||||||
|
|
||||||
|
user = os.environ['RABBITMQ_ADMIN_USERNAME']
|
||||||
|
password = os.environ['RABBITMQ_ADMIN_PASSWORD']
|
||||||
|
output_file = os.environ['RABBITMQ_DEFINITION_FILE']
|
||||||
|
|
||||||
|
salt = os.urandom(4)
|
||||||
|
|
||||||
|
tmp0 = salt + password.encode('utf-8')
|
||||||
|
|
||||||
|
tmp1 = hashlib.sha512(tmp0).digest()
|
||||||
|
|
||||||
|
salted_hash = salt + tmp1
|
||||||
|
|
||||||
|
pass_hash = base64.b64encode(salted_hash)
|
||||||
|
|
||||||
|
output = {
|
||||||
|
"users": [{
|
||||||
|
"name": user,
|
||||||
|
"password_hash": pass_hash.decode("utf-8"),
|
||||||
|
"hashing_algorithm": "rabbit_password_hashing_sha512",
|
||||||
|
"tags": "administrator"
|
||||||
|
}]
|
||||||
|
}
|
||||||
|
with open(output_file, 'w') as f:
|
||||||
|
f.write(json.dumps(output))
|
||||||
|
f.close()
|
@ -18,4 +18,4 @@ limitations under the License.
|
|||||||
|
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
exec /docker-entrypoint.sh rabbitmq-server
|
exec rabbitmq-server
|
||||||
|
@ -32,6 +32,10 @@ data:
|
|||||||
{{ tuple "bin/_rabbitmq-liveness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_rabbitmq-liveness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
rabbitmq-start.sh: |
|
rabbitmq-start.sh: |
|
||||||
{{ tuple "bin/_rabbitmq-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_rabbitmq-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
rabbitmq-cookie.sh: |
|
||||||
|
{{ tuple "bin/_rabbitmq-cookie.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
rabbitmq-password-hash.py: |
|
||||||
|
{{ tuple "bin/_rabbitmq-password-hash.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
rabbitmq-wait-for-cluster.sh: |
|
rabbitmq-wait-for-cluster.sh: |
|
||||||
{{ tuple "bin/_rabbitmq-wait-for-cluster.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_rabbitmq-wait-for-cluster.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
27
rabbitmq/templates/secret-erlang-cookie.yaml
Normal file
27
rabbitmq/templates/secret-erlang-cookie.yaml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.secret_erlang_cookie }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
erlang_cookie: {{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie | b64enc -}}
|
||||||
|
{{- end }}
|
28
rabbitmq/templates/secret-rabbit-admin.yaml
Normal file
28
rabbitmq/templates/secret-rabbit-admin.yaml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.secret_admin_user }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
RABBITMQ_ADMIN_USERNAME: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.username | b64enc }}
|
||||||
|
RABBITMQ_ADMIN_PASSWORD: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.password | b64enc }}
|
||||||
|
{{- end }}
|
@ -77,6 +77,8 @@ spec:
|
|||||||
annotations:
|
annotations:
|
||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
secret-rabbit-admin-hash: {{ tuple "secret-rabbit-admin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
|
secret-erlang-cookie-hash: {{ tuple "secret-erlang-cookie.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
@ -87,6 +89,51 @@ spec:
|
|||||||
{{ $envAll.Values.labels.server.node_selector_key }}: {{ $envAll.Values.labels.server.node_selector_value | quote }}
|
{{ $envAll.Values.labels.server.node_selector_key }}: {{ $envAll.Values.labels.server.node_selector_value | quote }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
|
- name: rabbitmq-password
|
||||||
|
{{ tuple $envAll "rabbitmq_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
command:
|
||||||
|
- /tmp/rabbitmq-password-hash.py
|
||||||
|
env:
|
||||||
|
- name: RABBITMQ_ADMIN_USERNAME
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||||
|
key: RABBITMQ_ADMIN_USERNAME
|
||||||
|
- name: RABBITMQ_ADMIN_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
|
||||||
|
key: RABBITMQ_ADMIN_PASSWORD
|
||||||
|
- name: RABBITMQ_DEFINITION_FILE
|
||||||
|
value: "{{ index $envAll.Values.conf.rabbitmq "management.load_definitions" }}"
|
||||||
|
volumeMounts:
|
||||||
|
- name: rabbitmq-data
|
||||||
|
mountPath: /var/lib/rabbitmq
|
||||||
|
- name: rabbitmq-bin
|
||||||
|
mountPath: /tmp/rabbitmq-password-hash.py
|
||||||
|
subPath: rabbitmq-password-hash.py
|
||||||
|
readOnly: true
|
||||||
|
- name: rabbitmq-cookie
|
||||||
|
{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
command:
|
||||||
|
- /tmp/rabbitmq-cookie.sh
|
||||||
|
volumeMounts:
|
||||||
|
- name: rabbitmq-bin
|
||||||
|
mountPath: /tmp/rabbitmq-cookie.sh
|
||||||
|
subPath: rabbitmq-cookie.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: rabbitmq-data
|
||||||
|
mountPath: /var/lib/rabbitmq
|
||||||
|
- name: rabbitmq-erlang-cookie
|
||||||
|
mountPath: /var/run/lib/rabbitmq/.erlang.cookie
|
||||||
|
subPath: erlang_cookie
|
||||||
|
readOnly: true
|
||||||
{{- if $envAll.Values.volume.chown_on_start }}
|
{{- if $envAll.Values.volume.chown_on_start }}
|
||||||
- name: rabbitmq-perms
|
- name: rabbitmq-perms
|
||||||
{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
@ -151,7 +198,13 @@ spec:
|
|||||||
- name: rabbitmq-data
|
- name: rabbitmq-data
|
||||||
mountPath: /var/lib/rabbitmq
|
mountPath: /var/lib/rabbitmq
|
||||||
- name: rabbitmq-bin
|
- name: rabbitmq-bin
|
||||||
mountPath: /tmp
|
mountPath: /tmp/rabbitmq-start.sh
|
||||||
|
subPath: rabbitmq-start.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: rabbitmq-bin
|
||||||
|
mountPath: /tmp/rabbitmq-liveness.sh
|
||||||
|
subPath: rabbitmq-liveness.sh
|
||||||
|
readOnly: true
|
||||||
- name: rabbitmq-etc
|
- name: rabbitmq-etc
|
||||||
mountPath: /etc/rabbitmq/enabled_plugins
|
mountPath: /etc/rabbitmq/enabled_plugins
|
||||||
subPath: enabled_plugins
|
subPath: enabled_plugins
|
||||||
@ -169,6 +222,10 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: {{ printf "%s-%s" $envAll.Release.Name "rabbitmq-etc" | quote }}
|
name: {{ printf "%s-%s" $envAll.Release.Name "rabbitmq-etc" | quote }}
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
- name: rabbitmq-erlang-cookie
|
||||||
|
secret:
|
||||||
|
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||||
|
defaultMode: 0444
|
||||||
{{- if not $envAll.Values.volume.enabled }}
|
{{- if not $envAll.Values.volume.enabled }}
|
||||||
- name: rabbitmq-data
|
- name: rabbitmq-data
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
@ -34,7 +34,8 @@ labels:
|
|||||||
images:
|
images:
|
||||||
tags:
|
tags:
|
||||||
prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0
|
prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0
|
||||||
prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:newton
|
prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:ocata
|
||||||
|
rabbitmq_init: docker.io/openstackhelm/heat:ocata
|
||||||
rabbitmq: docker.io/rabbitmq:3.7.4
|
rabbitmq: docker.io/rabbitmq:3.7.4
|
||||||
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
||||||
scripted_test: docker.io/rabbitmq:3.7.4-management
|
scripted_test: docker.io/rabbitmq:3.7.4-management
|
||||||
@ -126,6 +127,7 @@ conf:
|
|||||||
cluster_partition_handling: autoheal
|
cluster_partition_handling: autoheal
|
||||||
queue_master_locator: min-masters
|
queue_master_locator: min-masters
|
||||||
loopback_users.guest: "false"
|
loopback_users.guest: "false"
|
||||||
|
management.load_definitions: "/var/lib/rabbitmq/definitions.json"
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
dynamic:
|
dynamic:
|
||||||
@ -297,6 +299,8 @@ manifests:
|
|||||||
deployment_exporter: true
|
deployment_exporter: true
|
||||||
service_exporter: true
|
service_exporter: true
|
||||||
network_policy: false
|
network_policy: false
|
||||||
|
secret_erlang_cookie: true
|
||||||
|
secret_admin_user: true
|
||||||
service_discovery: true
|
service_discovery: true
|
||||||
service_ingress_management: true
|
service_ingress_management: true
|
||||||
service: true
|
service: true
|
||||||
|
@ -24,6 +24,8 @@ make rabbitmq
|
|||||||
helm upgrade --install rabbitmq ./rabbitmq \
|
helm upgrade --install rabbitmq ./rabbitmq \
|
||||||
--namespace=openstack \
|
--namespace=openstack \
|
||||||
--set pod.replicas.server=3 \
|
--set pod.replicas.server=3 \
|
||||||
|
--recreate-pods \
|
||||||
|
--force \
|
||||||
${OSH_EXTRA_HELM_ARGS} \
|
${OSH_EXTRA_HELM_ARGS} \
|
||||||
${OSH_EXTRA_HELM_ARGS_RABBITMQ}
|
${OSH_EXTRA_HELM_ARGS_RABBITMQ}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user