Merge "feat(tls): Enable TLS for OpenStack RabbitMQ"
This commit is contained in:
commit
5b2e007d7a
@ -15,7 +15,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Helm-Toolkit
|
||||
name: helm-toolkit
|
||||
version: 0.2.14
|
||||
version: 0.2.15
|
||||
home: https://docs.openstack.org/openstack-helm
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
|
||||
sources:
|
||||
|
@ -24,6 +24,9 @@ limitations under the License.
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
|
||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
|
||||
{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
@ -73,6 +76,9 @@ spec:
|
||||
mountPath: /tmp/rabbit-init.sh
|
||||
subPath: rabbit-init.sh
|
||||
readOnly: true
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: RABBITMQ_ADMIN_CONNECTION
|
||||
valueFrom:
|
||||
@ -87,6 +93,12 @@ spec:
|
||||
{{- if $envAll.Values.conf.rabbitmq }}
|
||||
- name: RABBITMQ_AUXILIARY_CONFIGURATION
|
||||
value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: RABBITMQ_X509
|
||||
value: "REQUIRE X509"
|
||||
- name: USER_CERT_PATH
|
||||
value: {{ $tlsPath | quote }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -101,4 +113,7 @@ spec:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
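Review bot: `$tlsSecret` falls back to an empty string (`{{- $tlsSecret := index . "tlsSecret" | default "" -}}`), so a caller that enables `manifests.certificates` without passing `tlsSecret` renders the tls_volume include with an empty secret name, which presumably yields a Pod referencing a nameless Secret instead of a render-time error. Failing early is clearer: `{{- if and $envAll.Values.manifests.certificates (not $tlsSecret) }}{{- fail "rabbit-init: tlsSecret is required when manifests.certificates is enabled" }}{{- end }}`. The `{{- if $envAll.Values.manifests.certificates }}` guards around the tls_volume_mount and tls_volume includes are also redundant with the `"enabled"` argument already passed to those snippets; the rabbitmq chart's job-cluster-wait.yaml in this same commit calls them unguarded, so one style should be picked. The enclosing job definition starts before the first hunk and appears to close at the final `{{- end -}}`.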
@ -47,12 +47,27 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
|
||||
RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
|
||||
|
||||
function rabbitmqadmin_cli () {
|
||||
if [ -n "$RABBITMQ_X509" ]
|
||||
then
|
||||
rabbitmqadmin \
|
||||
--ssl \
|
||||
--ssl-disable-hostname-verification \
|
||||
--ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
|
||||
--ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
|
||||
--ssl-key-file="${USER_CERT_PATH}/tls.key" \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
${@}
|
||||
else
|
||||
rabbitmqadmin \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
${@}
|
||||
fi
|
||||
}
|
||||
|
||||
echo "Managing: User: ${RABBITMQ_USERNAME}"
|
||||
|
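Review bot: The new TLS branch of rabbitmqadmin_cli passes `--ssl-disable-hostname-verification` alongside `--ssl-ca-cert-file`, so the CA check only proves the server holds some certificate from that CA, not that it is `${RABBIT_HOSTNAME}`; since the rabbitmq chart appears to issue the server certificate through cert-manager for the endpoint FQDN, it is worth trying the connection with the flag removed and documenting why if it must stay (for example when `RABBIT_HOSTNAME` is a short service name absent from the certificate SANs). The same flag is added to rabbitmqadmin_authed in the rabbitmq wait-for-cluster script. The pass-through `${@}` is unquoted in the new branch (as in the pre-existing one), so an argument containing whitespace is split before it reaches rabbitmqadmin; `"$@"` preserves the caller's arguments.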
@ -15,6 +15,6 @@ apiVersion: v1
|
||||
appVersion: v3.7.26
|
||||
description: OpenStack-Helm RabbitMQ
|
||||
name: rabbitmq
|
||||
version: 0.1.6
|
||||
version: 0.1.7
|
||||
home: https://github.com/rabbitmq/rabbitmq-server
|
||||
...
|
||||
|
@ -31,6 +31,22 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
|
||||
set -ex
|
||||
|
||||
function rabbitmqadmin_authed () {
|
||||
if [ -n "$RABBITMQ_X509" ]
|
||||
then
|
||||
set +x
|
||||
rabbitmqadmin \
|
||||
--ssl \
|
||||
--ssl-disable-hostname-verification \
|
||||
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
${@}
|
||||
set -x
|
||||
else
|
||||
set +x
|
||||
rabbitmqadmin \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
@ -39,6 +55,7 @@ function rabbitmqadmin_authed () {
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
$@
|
||||
set -x
|
||||
fi
|
||||
}
|
||||
|
||||
function active_rabbit_nodes () {
|
||||
|
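Review bot: rabbitmqadmin_authed hard-codes `/etc/rabbitmq/certs/` for the three certificate files while the helm-toolkit rabbit-init script in this same commit reads the directory from `USER_CERT_PATH`, and the job-cluster-wait template spells the mount path out a third time. Reading `${USER_CERT_PATH:-/etc/rabbitmq/certs}` here and exporting that variable from the job template keeps the path defined once. The `set +x`/`set -x` pair keeps `--password` out of the trace enabled by `set -ex`; a one-line comment `# trace off so the admin password is not echoed` would make that intent obvious to the next editor, and note that with `set -e` a failing rabbitmqadmin exits before `set -x` is restored, which is acceptable for a job script. The function's `${@}` is unquoted like the pre-existing `$@` in the else branch; `"$@"` is the safe form for both.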
17
rabbitmq/templates/certificates.yaml
Normal file
17
rabbitmq/templates/certificates.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{ dict "envAll" . "service" "oslo_messaging" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||
{{- end -}}
|
@ -36,9 +36,14 @@ limitations under the License.
|
||||
{{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if .Values.manifests.certificates }}
|
||||
{{- $_ := print "none" | set $envAll.Values.conf.rabbitmq.listeners "tcp" -}}
|
||||
{{- $_ := tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq.listeners "ssl.1" -}}
|
||||
{{- $_ := tuple "oslo_messaging" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.ssl.port" -}}
|
||||
{{- else }}
|
||||
{{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}}
|
||||
|
||||
{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.listener.port" -}}
|
||||
{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbit_additonal_conf "management.listener.port" -}}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
@ -50,6 +55,9 @@ data:
|
||||
{{ tuple "etc/_enabled_plugins.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
rabbitmq.conf: |
|
||||
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }}
|
||||
{{- if not .Values.manifests.certificates }}
|
||||
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbit_additonal_conf | indent 4 }}
|
||||
{{- end }}
|
||||
|
||||
{{- $erlvm_scheduler_num := include "get_erlvm_scheduler_num" .Values.pod.resources.server.limits.cpu }}
|
||||
{{- $erlvm_scheduler_conf := printf "+S %s:%s" $erlvm_scheduler_num $erlvm_scheduler_num }}
|
||||
|
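Review bot: The new values key `rabbit_additonal_conf` (set on the else branch, appended in the `{{- if not .Values.manifests.certificates }}` block, and defined in values.yaml) is misspelled; since this commit introduces it as a public override key, renaming it to `rabbit_additional_conf` now avoids carrying the typo into every operator's values file. The certificate switch also mixes `.Values.manifests.certificates` with `$envAll.Values.conf...` in the same template, which reads as two authors; picking one accessor keeps the file consistent. Both `{{- if }}` blocks sit inside a template whose start is outside the hunk.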
@ -71,6 +71,10 @@ spec:
|
||||
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
||||
- name: RABBIT_REPLICA_COUNT
|
||||
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: RABBITMQ_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/rabbitmq-wait-for-cluster.sh
|
||||
volumeMounts:
|
||||
@ -82,6 +86,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: rabbitmq-data
|
||||
mountPath: /var/lib/rabbitmq
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -95,4 +100,5 @@ spec:
|
||||
secret:
|
||||
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||
defaultMode: 0444
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
|
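Review bot: The cluster-wait job mounts the broker's own server secret (`$envAll.Values.secrets.tls.oslo_messaging.server.internal`) at `/etc/rabbitmq/certs`, and rabbitmqadmin_authed then presents that tls.crt/tls.key as its client identity, so the server's private key is copied into a client pod. Nothing in this change requires a client certificate from the management client (values_overrides/tls.yaml sets `fail_if_no_peer_cert: false` for AMQP and no `verify` under `management.ssl`), so the job appears to need only `ca.crt` to validate the server; projecting just that key (if the tls_volume snippet can take an `items` list) or issuing a separate client certificate would keep the server key out of the job. The same mount appears in statefulset.yaml, where the server is the intended consumer.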
@ -254,6 +254,7 @@ spec:
|
||||
subPath: erl_inetrc
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -269,6 +270,7 @@ spec:
|
||||
secret:
|
||||
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||
defaultMode: 0444
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- if not $envAll.Values.volume.enabled }}
|
||||
- name: rabbitmq-data
|
||||
{{- if .Values.volume.use_local_path.enabled }}
|
||||
|
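Review bot: The mount path `"/etc/rabbitmq/certs"` in the tls_volume_mount include is a literal that must match `ssl_options.*file` and `management.ssl.*file` in values_overrides/tls.yaml and the paths in the wait-for-cluster script, and nothing ties them together. A values-level key referenced from the statefulset, the cluster-wait job and the override would let operators move the files without editing templates; failing that, a comment on this line, `# must match conf.rabbitmq.ssl_options paths in values_overrides/tls.yaml`, records the coupling. The same literal is used in job-cluster-wait.yaml.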
@ -189,11 +189,12 @@ conf:
|
||||
queue_master_locator: min-masters
|
||||
loopback_users.guest: "false"
|
||||
management.load_definitions: "/var/lib/rabbitmq/definitions.json"
|
||||
rabbit_additonal_conf:
|
||||
# This confinguration is used for non TLS deployments
|
||||
management.listener.ip: "::"
|
||||
management.listener.port: null
|
||||
rabbitmq_exporter:
|
||||
rabbit_timeout: 30
|
||||
|
||||
dependencies:
|
||||
dynamic:
|
||||
common:
|
||||
@ -249,6 +250,12 @@ network:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
secrets:
|
||||
tls:
|
||||
oslo_messaging:
|
||||
server:
|
||||
internal: rabbitmq-tls-direct
|
||||
|
||||
# typically overridden by environmental
|
||||
# values, but should include all endpoints
|
||||
# required by this chart
|
||||
@ -360,6 +367,7 @@ volume:
|
||||
size: 256Mi
|
||||
|
||||
manifests:
|
||||
certificates: false
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
config_ipv6: false
|
||||
|
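Review bot: The comment `# This confinguration is used for non TLS deployments` has a typo and should read `# This configuration is used for non-TLS deployments`; it sits under a key this commit introduces, so fixing it now is cheap. The new `secrets.tls.oslo_messaging.server.internal: rabbitmq-tls-direct` entry is undocumented; a comment such as `# Secret mounted at /etc/rabbitmq/certs by the server statefulset and the cluster-wait job` would tell operators what it names. `certificates: false` keeps the chart on plaintext AMQP and management unless the tls override is applied, which the release note could state explicitly.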
30
rabbitmq/values_overrides/tls.yaml
Normal file
30
rabbitmq/values_overrides/tls.yaml
Normal file
@ -0,0 +1,30 @@
|
||||
---
|
||||
conf:
|
||||
rabbitmq:
|
||||
ssl_options:
|
||||
cacertfile: "/etc/rabbitmq/certs/ca.crt"
|
||||
certfile: "/etc/rabbitmq/certs/tls.crt"
|
||||
keyfile: "/etc/rabbitmq/certs/tls.key"
|
||||
verify: verify_peer
|
||||
fail_if_no_peer_cert: false
|
||||
management:
|
||||
ssl:
|
||||
cacertfile: "/etc/rabbitmq/certs/ca.crt"
|
||||
certfile: "/etc/rabbitmq/certs/tls.crt"
|
||||
keyfile: "/etc/rabbitmq/certs/tls.key"
|
||||
endpoints:
|
||||
oslo_messaging:
|
||||
host_fqdn_override:
|
||||
default:
|
||||
tls:
|
||||
secretName: rabbitmq-tls-direct
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: ClusterIssuer
|
||||
port:
|
||||
https:
|
||||
default: 15672
|
||||
public: 443
|
||||
manifests:
|
||||
certificates: true
|
||||
...
|
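Review bot: `verify: verify_peer` together with `fail_if_no_peer_cert: false` means the AMQP listener asks for a client certificate but accepts connections without one, so this override yields server-authenticated TLS with the OpenStack services still authenticating by username and password; that is a reasonable default but should be stated, for example `# client certificates are requested but optional; clients keep authenticating by user/password`. The `management.ssl` block sets no `verify`, so the management listener's client-certificate behaviour is whatever RabbitMQ defaults to, which is worth making explicit. The `issuerRef` (`ca-issuer`, `ClusterIssuer`) is deployment-specific and presumably meant to be overridden; a comment saying so avoids the file being applied verbatim.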
@ -21,4 +21,5 @@ helm-toolkit:
|
||||
- 0.2.12 Remove hook-delete-policy
|
||||
- 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled
|
||||
- 0.2.14 Remove TLS_OPTION argument from s3 bucket creation job
|
||||
- 0.2.15 Adding TLS rabbitmq logic
|
||||
...
|
||||
|
@ -6,4 +6,5 @@ rabbitmq:
|
||||
- 0.1.4 Add configurable RABBIT_TIMEOUT parameter
|
||||
- 0.1.5 Update Rabbitmq exporter version
|
||||
- 0.1.6 Disallow privilege escalation in rabbitmq server container
|
||||
- 0.1.7 Adding TLS logic to rabbitmq
|
||||
...
|
||||
|