Add RabbitMQ mgmt UI through HAProxy

Backgroud: Bug Requests ability to access
RabbitMQ management UI through HAproxy

Approach:
--Add rabbitmq ui port 15672 to HAProxy
--DO NOT Add monitoring user by default,
instead key on existence of rabbitmw_monitoring_userid
in user_variables.yml
--ADD user_variables.yml update per above with
explanation
--Add "monitoring" user to rabbitmq for monitoring with
"monitoring" user tag
--Add monitoring user passwd var to user_secrets
--Add features: release note

Closes-Bug: 1446434

Change-Id: Idaf02cad6bb292d02f1cf6a733dbbc6ff4b4435e

etc/openstack_deploy/user_secrets.yml

@@ -22,6 +22,7 @@
 
 ## Rabbitmq Options
 rabbitmq_cookie_token:
+rabbitmq_monitoring_password:
 
 ## Tokens
 memcached_encryption_key:

etc/openstack_deploy/user_variables.yml

@@ -108,6 +108,12 @@ debug: false
 # is highly recommended for securing the contents of RabbitMQ messages.
 # rabbitmq_use_ssl: false
 
+# RabbitMQ management plugin is enabled by default, the guest user has been
+# removed for security reasons and a new userid 'monitoring' has been created
+# with the 'monitoring' user tag. In order to modify the userid, uncomment the
+# following and change 'monitoring' to your userid of choice.
+# rabbitmq_monitoring_userid: monitoring
+
 
 ## Additional pinning generator that will allow for more packages to be pinned as you see fit.
 ## All pins allow for package and versions to be defined. Be careful using this as versions

playbooks/rabbitmq-install.yml

@@ -69,3 +69,17 @@
       tags:
         - "rabbitmq-rsyslog-client"
         - "rsyslog-client"
+
+- name: Ensure rabbitmq user for monitoring GUI
+  hosts: rabbitmq_all[0]
+  user: root
+  tasks:
+    - name: Create rabbitmq user for monitoring GUI
+      rabbitmq_user:
+         user: "{{ rabbitmq_monitoring_userid|default('monitoring') }}"
+         password: "{{ rabbitmq_monitoring_password }}"
+         state: "present"
+         tags: "monitoring"
+      when: rabbitmq_monitoring_password is defined
+      tags:
+        - "rabbitmq_monitoring_user"

playbooks/vars/configs/haproxy_config.yml

@@ -201,3 +201,15 @@ haproxy_service_configs:
       haproxy_balance_type: http
       haproxy_backend_options:
         - "httpchk HEAD /"
+  - service:
+      haproxy_service_name: rabbitmq_mgmt
+      haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
+      haproxy_ssl: "{{ haproxy_ssl }}"
+      haproxy_port: 15672
+      haproxy_balance_type: http
+      haproxy_backend_options:
+        - "httpchk HEAD /"
+      haproxy_whitelist_networks:
+        - 192.168.0.0/16
+        - 172.16.0.0/12
+        - 10.0.0.0/8

releasenotes/notes/rabbitmw-management-ui-haproxy-e9f9ec0343484f2d.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - The RabbitMQ Management UI is now available
+    through HAProxy on port 15672. The default
+    userid is ``monitoring``. This user can be
+    modified by changing the parameter
+    ``rabbitmq_monitoring_userid`` in the file
+    ``user_variables.yml``. Please note that ACLs
+    have been added to this HAProxy service by
+    default, such that it may only be accessed by
+    common internal clients.  Reference
+    ``playbooks/vars/configs/haproxy_config.yml``
+upgrade:
+  - The variable ``rabbitmq_monitoring_password``
+    has been added to ``user_secrets.yml``. If
+    this variable does not exist, the RabbitMQ
+    monitoring user will not be created.