Add RabbitMQ mgmt UI through HAProxy

Backgroud: Bug Requests ability to access RabbitMQ management UI through HAproxy Approach: --Add rabbitmq ui port 15672 to HAProxy --DO NOT Add monitoring user by default, instead key on existence of rabbitmw_monitoring_userid in user_variables.yml --ADD user_variables.yml update per above with explanation --Add "monitoring" user to rabbitmq for monitoring with "monitoring" user tag --Add monitoring user passwd var to user_secrets --Add features: release note Closes-Bug: 1446434 Change-Id: Idaf02cad6bb292d02f1cf6a733dbbc6ff4b4435e
2016-05-17 18:46:38 +00:00 · 2016-05-17 18:46:38 +00:00 · b5b2bb9af4
commit b5b2bb9af4
parent 50983b0381
5 changed files with 50 additions and 0 deletions
--- a/etc/openstack_deploy/user_secrets.yml
+++ b/etc/openstack_deploy/user_secrets.yml
@ -22,6 +22,7 @@

 ## Rabbitmq Options
 rabbitmq_cookie_token:
+rabbitmq_monitoring_password:

 ## Tokens
 memcached_encryption_key:
--- a/etc/openstack_deploy/user_variables.yml
+++ b/etc/openstack_deploy/user_variables.yml
@ -108,6 +108,12 @@ debug: false
 # is highly recommended for securing the contents of RabbitMQ messages.
 # rabbitmq_use_ssl: false

+# RabbitMQ management plugin is enabled by default, the guest user has been
+# removed for security reasons and a new userid 'monitoring' has been created
+# with the 'monitoring' user tag. In order to modify the userid, uncomment the
+# following and change 'monitoring' to your userid of choice.
+# rabbitmq_monitoring_userid: monitoring
+

 ## Additional pinning generator that will allow for more packages to be pinned as you see fit.
 ## All pins allow for package and versions to be defined. Be careful using this as versions
--- a/playbooks/rabbitmq-install.yml
+++ b/playbooks/rabbitmq-install.yml
@ -69,3 +69,17 @@
      tags:
        - "rabbitmq-rsyslog-client"
        - "rsyslog-client"
+
+- name: Ensure rabbitmq user for monitoring GUI
+  hosts: rabbitmq_all[0]
+  user: root
+  tasks:
+    - name: Create rabbitmq user for monitoring GUI
+      rabbitmq_user:
+         user: "{{ rabbitmq_monitoring_userid|default('monitoring') }}"
+         password: "{{ rabbitmq_monitoring_password }}"
+         state: "present"
+         tags: "monitoring"
+      when: rabbitmq_monitoring_password is defined
+      tags:
+        - "rabbitmq_monitoring_user"
--- a/playbooks/vars/configs/haproxy_config.yml
+++ b/playbooks/vars/configs/haproxy_config.yml
@ -201,3 +201,15 @@ haproxy_service_configs:
      haproxy_balance_type: http
      haproxy_backend_options:
        - "httpchk HEAD /"
+  - service:
+      haproxy_service_name: rabbitmq_mgmt
+      haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
+      haproxy_ssl: "{{ haproxy_ssl }}"
+      haproxy_port: 15672
+      haproxy_balance_type: http
+      haproxy_backend_options:
+        - "httpchk HEAD /"
+      haproxy_whitelist_networks:
+        - 192.168.0.0/16
+        - 172.16.0.0/12
+        - 10.0.0.0/8
--- a/releasenotes/notes/rabbitmw-management-ui-haproxy-e9f9ec0343484f2d.yaml
+++ b/releasenotes/notes/rabbitmw-management-ui-haproxy-e9f9ec0343484f2d.yaml
@ -0,0 +1,17 @@
+---
+features:
+  - The RabbitMQ Management UI is now available
+    through HAProxy on port 15672. The default
+    userid is ``monitoring``. This user can be
+    modified by changing the parameter
+    ``rabbitmq_monitoring_userid`` in the file
+    ``user_variables.yml``. Please note that ACLs
+    have been added to this HAProxy service by
+    default, such that it may only be accessed by
+    common internal clients.  Reference
+    ``playbooks/vars/configs/haproxy_config.yml``
+upgrade:
+  - The variable ``rabbitmq_monitoring_password``
+    has been added to ``user_secrets.yml``. If
+    this variable does not exist, the RabbitMQ
+    monitoring user will not be created.