RabbitMQ: Add ability to change admin password.

This PS adds the ability to change the admin user credentials
and erlang session cookie. To do so requires `--recreate-pods` to
be passed to helm on a release upgrade.

Change-Id: Ib04ad43a7c303a8ddc31fd0de288a2f7f3294a12
Signed-off-by: Pete Birley <pete@port.direct>
This commit is contained in:
Pete Birley 2019-03-18 15:41:24 -05:00 committed by Pete Birley
parent 87263a6e3c
commit 0903238e91
9 changed files with 200 additions and 3 deletions

View File

@ -0,0 +1,23 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
cp -vf /run/lib/rabbitmq/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie
chown "rabbitmq" /var/lib/rabbitmq/.erlang.cookie
chmod 0600 /var/lib/rabbitmq/.erlang.cookie

View File

@ -0,0 +1,52 @@
#!/usr/bin/env python
# Copyright 2019 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# See here for explanation:
# http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2011-May/012765.html
from __future__ import print_function
import base64
import json
import os
import hashlib
import struct
import sys
user = os.environ['RABBITMQ_ADMIN_USERNAME']
password = os.environ['RABBITMQ_ADMIN_PASSWORD']
output_file = os.environ['RABBITMQ_DEFINITION_FILE']
salt = os.urandom(4)
tmp0 = salt + password.encode('utf-8')
tmp1 = hashlib.sha512(tmp0).digest()
salted_hash = salt + tmp1
pass_hash = base64.b64encode(salted_hash)
output = {
"users": [{
"name": user,
"password_hash": pass_hash.decode("utf-8"),
"hashing_algorithm": "rabbit_password_hashing_sha512",
"tags": "administrator"
}]
}
with open(output_file, 'w') as f:
f.write(json.dumps(output))
f.close()

View File

@ -18,4 +18,4 @@ limitations under the License.
set -ex set -ex
exec /docker-entrypoint.sh rabbitmq-server exec rabbitmq-server

View File

@ -32,6 +32,10 @@ data:
{{ tuple "bin/_rabbitmq-liveness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_rabbitmq-liveness.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbitmq-start.sh: | rabbitmq-start.sh: |
{{ tuple "bin/_rabbitmq-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_rabbitmq-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbitmq-cookie.sh: |
{{ tuple "bin/_rabbitmq-cookie.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbitmq-password-hash.py: |
{{ tuple "bin/_rabbitmq-password-hash.py.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbitmq-wait-for-cluster.sh: | rabbitmq-wait-for-cluster.sh: |
{{ tuple "bin/_rabbitmq-wait-for-cluster.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_rabbitmq-wait-for-cluster.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{ end }} {{ end }}

View File

@ -0,0 +1,27 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_erlang_cookie }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
type: Opaque
data:
erlang_cookie: {{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie | b64enc -}}
{{- end }}

View File

@ -0,0 +1,28 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_admin_user }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
type: Opaque
data:
RABBITMQ_ADMIN_USERNAME: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.username | b64enc }}
RABBITMQ_ADMIN_PASSWORD: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.password | b64enc }}
{{- end }}

View File

@ -77,6 +77,8 @@ spec:
annotations: annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
secret-rabbit-admin-hash: {{ tuple "secret-rabbit-admin.yaml" . | include "helm-toolkit.utils.hash" }}
secret-erlang-cookie-hash: {{ tuple "secret-erlang-cookie.yaml" . | include "helm-toolkit.utils.hash" }}
spec: spec:
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
@ -87,6 +89,51 @@ spec:
{{ $envAll.Values.labels.server.node_selector_key }}: {{ $envAll.Values.labels.server.node_selector_value | quote }} {{ $envAll.Values.labels.server.node_selector_key }}: {{ $envAll.Values.labels.server.node_selector_value | quote }}
initContainers: initContainers:
{{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll "rabbitmq" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: rabbitmq-password
{{ tuple $envAll "rabbitmq_init" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/rabbitmq-password-hash.py
env:
- name: RABBITMQ_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
key: RABBITMQ_ADMIN_USERNAME
- name: RABBITMQ_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ printf "%s-%s" $envAll.Release.Name "admin-user" | quote }}
key: RABBITMQ_ADMIN_PASSWORD
- name: RABBITMQ_DEFINITION_FILE
value: "{{ index $envAll.Values.conf.rabbitmq "management.load_definitions" }}"
volumeMounts:
- name: rabbitmq-data
mountPath: /var/lib/rabbitmq
- name: rabbitmq-bin
mountPath: /tmp/rabbitmq-password-hash.py
subPath: rabbitmq-password-hash.py
readOnly: true
- name: rabbitmq-cookie
{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
securityContext:
runAsUser: 0
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/rabbitmq-cookie.sh
volumeMounts:
- name: rabbitmq-bin
mountPath: /tmp/rabbitmq-cookie.sh
subPath: rabbitmq-cookie.sh
readOnly: true
- name: rabbitmq-data
mountPath: /var/lib/rabbitmq
- name: rabbitmq-erlang-cookie
mountPath: /var/run/lib/rabbitmq/.erlang.cookie
subPath: erlang_cookie
readOnly: true
{{- if $envAll.Values.volume.chown_on_start }} {{- if $envAll.Values.volume.chown_on_start }}
- name: rabbitmq-perms - name: rabbitmq-perms
{{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "rabbitmq" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -151,7 +198,13 @@ spec:
- name: rabbitmq-data - name: rabbitmq-data
mountPath: /var/lib/rabbitmq mountPath: /var/lib/rabbitmq
- name: rabbitmq-bin - name: rabbitmq-bin
mountPath: /tmp mountPath: /tmp/rabbitmq-start.sh
subPath: rabbitmq-start.sh
readOnly: true
- name: rabbitmq-bin
mountPath: /tmp/rabbitmq-liveness.sh
subPath: rabbitmq-liveness.sh
readOnly: true
- name: rabbitmq-etc - name: rabbitmq-etc
mountPath: /etc/rabbitmq/enabled_plugins mountPath: /etc/rabbitmq/enabled_plugins
subPath: enabled_plugins subPath: enabled_plugins
@ -169,6 +222,10 @@ spec:
configMap: configMap:
name: {{ printf "%s-%s" $envAll.Release.Name "rabbitmq-etc" | quote }} name: {{ printf "%s-%s" $envAll.Release.Name "rabbitmq-etc" | quote }}
defaultMode: 0444 defaultMode: 0444
- name: rabbitmq-erlang-cookie
secret:
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
defaultMode: 0444
{{- if not $envAll.Values.volume.enabled }} {{- if not $envAll.Values.volume.enabled }}
- name: rabbitmq-data - name: rabbitmq-data
emptyDir: {} emptyDir: {}

View File

@ -34,7 +34,8 @@ labels:
images: images:
tags: tags:
prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0 prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0
prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:newton prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:ocata
rabbitmq_init: docker.io/openstackhelm/heat:ocata
rabbitmq: docker.io/rabbitmq:3.7.4 rabbitmq: docker.io/rabbitmq:3.7.4
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
scripted_test: docker.io/rabbitmq:3.7.4-management scripted_test: docker.io/rabbitmq:3.7.4-management
@ -126,6 +127,7 @@ conf:
cluster_partition_handling: autoheal cluster_partition_handling: autoheal
queue_master_locator: min-masters queue_master_locator: min-masters
loopback_users.guest: "false" loopback_users.guest: "false"
management.load_definitions: "/var/lib/rabbitmq/definitions.json"
dependencies: dependencies:
dynamic: dynamic:
@ -297,6 +299,8 @@ manifests:
deployment_exporter: true deployment_exporter: true
service_exporter: true service_exporter: true
network_policy: false network_policy: false
secret_erlang_cookie: true
secret_admin_user: true
service_discovery: true service_discovery: true
service_ingress_management: true service_ingress_management: true
service: true service: true

View File

@ -24,6 +24,8 @@ make rabbitmq
helm upgrade --install rabbitmq ./rabbitmq \ helm upgrade --install rabbitmq ./rabbitmq \
--namespace=openstack \ --namespace=openstack \
--set pod.replicas.server=3 \ --set pod.replicas.server=3 \
--recreate-pods \
--force \
${OSH_EXTRA_HELM_ARGS} \ ${OSH_EXTRA_HELM_ARGS} \
${OSH_EXTRA_HELM_ARGS_RABBITMQ} ${OSH_EXTRA_HELM_ARGS_RABBITMQ}