Merge "feat(tls): Enable TLS for OpenStack RabbitMQ"
commit
5b2e007d7a
@ -15,7 +15,7 @@ apiVersion: v1
|
|||||||
appVersion: v1.0.0
|
appVersion: v1.0.0
|
||||||
description: OpenStack-Helm Helm-Toolkit
|
description: OpenStack-Helm Helm-Toolkit
|
||||||
name: helm-toolkit
|
name: helm-toolkit
|
||||||
version: 0.2.14
|
version: 0.2.15
|
||||||
home: https://docs.openstack.org/openstack-helm
|
home: https://docs.openstack.org/openstack-helm
|
||||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
|
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
|
||||||
sources:
|
sources:
|
||||||
|
@ -24,6 +24,9 @@ limitations under the License.
|
|||||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||||
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
|
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
|
||||||
|
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||||
|
{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
|
||||||
|
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||||
|
|
||||||
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
|
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
|
||||||
{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
@ -73,6 +76,9 @@ spec:
|
|||||||
mountPath: /tmp/rabbit-init.sh
|
mountPath: /tmp/rabbit-init.sh
|
||||||
subPath: rabbit-init.sh
|
subPath: rabbit-init.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
env:
|
env:
|
||||||
- name: RABBITMQ_ADMIN_CONNECTION
|
- name: RABBITMQ_ADMIN_CONNECTION
|
||||||
valueFrom:
|
valueFrom:
|
||||||
@ -87,6 +93,12 @@ spec:
|
|||||||
{{- if $envAll.Values.conf.rabbitmq }}
|
{{- if $envAll.Values.conf.rabbitmq }}
|
||||||
- name: RABBITMQ_AUXILIARY_CONFIGURATION
|
- name: RABBITMQ_AUXILIARY_CONFIGURATION
|
||||||
value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
|
value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
- name: RABBITMQ_X509
|
||||||
|
value: "REQUIRE X509"
|
||||||
|
- name: USER_CERT_PATH
|
||||||
|
value: {{ $tlsPath | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -101,4 +113,7 @@ spec:
|
|||||||
name: {{ $configMapBin | quote }}
|
name: {{ $configMapBin | quote }}
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
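Review bot: `{{- $tlsSecret := index . "tlsSecret" | default "" -}}` falls back to an empty name, so a service chart that enables `manifests.certificates` but never passes `tlsSecret` renders a TLS volume referencing a secret with no name and the failure only shows up when the job pod cannot start. Failing at template time is clearer, e.g. after the default add `{{- if and $envAll.Values.manifests.certificates (not $tlsSecret) }}{{- fail "tlsSecret is required when manifests.certificates is enabled" }}{{- end }}` (assuming `$envAll` is bound above the hunk, as its use in the serviceaccount line suggests). The later hunks already guard the `tls_volume_mount` / `tls_volume` includes with the same condition, so this check would sit naturally next to the variable. The enclosing named template starts before the first hunk and ends at the `{{- end -}}` in the last one.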
@ -47,12 +47,27 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
|
|||||||
RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
|
RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
|
||||||
|
|
||||||
function rabbitmqadmin_cli () {
|
function rabbitmqadmin_cli () {
|
||||||
rabbitmqadmin \
|
if [ -n "$RABBITMQ_X509" ]
|
||||||
--host="${RABBIT_HOSTNAME}" \
|
then
|
||||||
--port="${RABBIT_PORT}" \
|
rabbitmqadmin \
|
||||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
--ssl \
|
||||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
--ssl-disable-hostname-verification \
|
||||||
${@}
|
--ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
|
||||||
|
--ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
|
||||||
|
--ssl-key-file="${USER_CERT_PATH}/tls.key" \
|
||||||
|
--host="${RABBIT_HOSTNAME}" \
|
||||||
|
--port="${RABBIT_PORT}" \
|
||||||
|
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||||
|
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||||
|
${@}
|
||||||
|
else
|
||||||
|
rabbitmqadmin \
|
||||||
|
--host="${RABBIT_HOSTNAME}" \
|
||||||
|
--port="${RABBIT_PORT}" \
|
||||||
|
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||||
|
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||||
|
${@}
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
echo "Managing: User: ${RABBITMQ_USERNAME}"
|
echo "Managing: User: ${RABBITMQ_USERNAME}"
|
||||||
|
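Review bot: `--ssl-disable-hostname-verification` in the new TLS branch of `rabbitmqadmin_cli` makes the client accept any certificate that chains to the mounted CA regardless of which host it was issued for, so the CA check alone stands between the init job and a mis-routed endpoint. If the server certificate's SANs do not cover `${RABBIT_HOSTNAME}`, adding that name to the certificate is the better fix; if the flag must stay, a comment stating why is needed. The same flag is added to `rabbitmqadmin_authed` in the rabbitmq cluster-wait script section below. The two branches also duplicate the full command; collecting the TLS options into an array keeps one invocation, for example:
```shell
function rabbitmqadmin_cli () {
  local ssl_args=()
  if [ -n "$RABBITMQ_X509" ]
  then
    ssl_args=(--ssl \
      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
      --ssl-key-file="${USER_CERT_PATH}/tls.key")
  fi
  rabbitmqadmin \
    "${ssl_args[@]}" \
    --host="${RABBIT_HOSTNAME}" \
    --port="${RABBIT_PORT}" \
    --username="${RABBITMQ_ADMIN_USERNAME}" \
    --password="${RABBITMQ_ADMIN_PASSWORD}" \
    ${@}
}
```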
@ -15,6 +15,6 @@ apiVersion: v1
|
|||||||
appVersion: v3.7.26
|
appVersion: v3.7.26
|
||||||
description: OpenStack-Helm RabbitMQ
|
description: OpenStack-Helm RabbitMQ
|
||||||
name: rabbitmq
|
name: rabbitmq
|
||||||
version: 0.1.6
|
version: 0.1.7
|
||||||
home: https://github.com/rabbitmq/rabbitmq-server
|
home: https://github.com/rabbitmq/rabbitmq-server
|
||||||
...
|
...
|
||||||
|
@ -31,14 +31,31 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
|
|||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
function rabbitmqadmin_authed () {
|
function rabbitmqadmin_authed () {
|
||||||
set +x
|
if [ -n "$RABBITMQ_X509" ]
|
||||||
rabbitmqadmin \
|
then
|
||||||
--host="${RABBIT_HOSTNAME}" \
|
set +x
|
||||||
--port="${RABBIT_PORT}" \
|
rabbitmqadmin \
|
||||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
--ssl \
|
||||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
--ssl-disable-hostname-verification \
|
||||||
$@
|
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||||
set -x
|
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||||
|
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||||
|
--host="${RABBIT_HOSTNAME}" \
|
||||||
|
--port="${RABBIT_PORT}" \
|
||||||
|
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||||
|
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||||
|
${@}
|
||||||
|
set -x
|
||||||
|
else
|
||||||
|
set +x
|
||||||
|
rabbitmqadmin \
|
||||||
|
--host="${RABBIT_HOSTNAME}" \
|
||||||
|
--port="${RABBIT_PORT}" \
|
||||||
|
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||||
|
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||||
|
$@
|
||||||
|
set -x
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function active_rabbit_nodes () {
|
function active_rabbit_nodes () {
|
||||||
|
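Review bot: The TLS branch of `rabbitmqadmin_authed` hard-codes `/etc/rabbitmq/certs/...` in the three `--ssl-*-file` options, while the helm-toolkit `rabbitmqadmin_cli` added in the same commit reads the directory from `USER_CERT_PATH`; the cluster-wait job mounts the secret at exactly that path so it works today, but the two scripts now drift if the mount path changes. Either export `USER_CERT_PATH` from the cluster-wait job as the rabbit-init job does, or add `# cert directory must match the tls_volume_mount path in job-cluster-wait.yaml` above the first `--ssl-ca-cert-file` line. Keeping `set +x` before the password-bearing command and `set -x` after it in both branches is right, since the file runs under `set -ex`. Hostname verification is discussed in the helm-toolkit script note above.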
17
rabbitmq/templates/certificates.yaml
Normal file
17
rabbitmq/templates/certificates.yaml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
{{/*
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{ dict "envAll" . "service" "oslo_messaging" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- end -}}
|
@ -36,9 +36,14 @@ limitations under the License.
|
|||||||
{{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}}
|
{{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
{{- $_ := print "none" | set $envAll.Values.conf.rabbitmq.listeners "tcp" -}}
|
||||||
|
{{- $_ := tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq.listeners "ssl.1" -}}
|
||||||
|
{{- $_ := tuple "oslo_messaging" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.ssl.port" -}}
|
||||||
|
{{- else }}
|
||||||
{{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}}
|
{{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}}
|
||||||
|
{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbit_additonal_conf "management.listener.port" -}}
|
||||||
{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.listener.port" -}}
|
{{- end }}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
@ -50,6 +55,9 @@ data:
|
|||||||
{{ tuple "etc/_enabled_plugins.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "etc/_enabled_plugins.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
rabbitmq.conf: |
|
rabbitmq.conf: |
|
||||||
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }}
|
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }}
|
||||||
|
{{- if not .Values.manifests.certificates }}
|
||||||
|
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbit_additonal_conf | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- $erlvm_scheduler_num := include "get_erlvm_scheduler_num" .Values.pod.resources.server.limits.cpu }}
|
{{- $erlvm_scheduler_num := include "get_erlvm_scheduler_num" .Values.pod.resources.server.limits.cpu }}
|
||||||
{{- $erlvm_scheduler_conf := printf "+S %s:%s" $erlvm_scheduler_num $erlvm_scheduler_num }}
|
{{- $erlvm_scheduler_conf := printf "+S %s:%s" $erlvm_scheduler_num $erlvm_scheduler_num }}
|
||||||
|
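Review bot: The new values key `rabbit_additonal_conf` (used at `set $envAll.Values.conf.rabbit_additonal_conf "management.listener.port"`, again inside the `{{- if not .Values.manifests.certificates }}` block of the second hunk, and defined in values.yaml) misspells "additional"; once released it is part of the chart's values interface and renaming it later breaks operators' overrides, so fix the spelling now while the key is new. Separately, when certificates are enabled the hunk disables the plain AMQP listener with `listeners.tcp = none` and sets `management.ssl.port`, but nothing visible here disables a plain management listener, so the rendered `rabbitmq.conf` should be checked to confirm only the TLS management port is exposed. The enclosing template logic starts before the first hunk.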
@ -71,6 +71,10 @@ spec:
|
|||||||
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
||||||
- name: RABBIT_REPLICA_COUNT
|
- name: RABBIT_REPLICA_COUNT
|
||||||
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
- name: RABBITMQ_X509
|
||||||
|
value: "REQUIRE X509"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/rabbitmq-wait-for-cluster.sh
|
- /tmp/rabbitmq-wait-for-cluster.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
@ -82,6 +86,7 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: rabbitmq-data
|
- name: rabbitmq-data
|
||||||
mountPath: /var/lib/rabbitmq
|
mountPath: /var/lib/rabbitmq
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -95,4 +100,5 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
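Review bot: The cluster-wait job mounts `secrets.tls.oslo_messaging.server.internal`, which values.yaml defines as the broker's own server certificate secret (`rabbitmq-tls-direct`), and the script then presents its `tls.key` as a client key; that places the server's private key in every job pod that mounts the secret. Because the TLS override sets `fail_if_no_peer_cert: false`, a client certificate is not required, so mounting only `ca.crt` for these clients, or issuing a separate client certificate, would keep the server key confined to the statefulset. `RABBITMQ_X509` is only tested for non-emptiness by the scripts, so a comment such as `# any non-empty value selects the TLS branch in rabbitmqadmin_authed` above `- name: RABBITMQ_X509` would save the next reader guessing at the meaning of "REQUIRE X509". The same value is set in the helm-toolkit rabbit-init job.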
@ -254,6 +254,7 @@ spec:
|
|||||||
subPath: erl_inetrc
|
subPath: erl_inetrc
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -269,6 +270,7 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- if not $envAll.Values.volume.enabled }}
|
{{- if not $envAll.Values.volume.enabled }}
|
||||||
- name: rabbitmq-data
|
- name: rabbitmq-data
|
||||||
{{- if .Values.volume.use_local_path.enabled }}
|
{{- if .Values.volume.use_local_path.enabled }}
|
||||||
|
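Review bot: The `tls_volume_mount` and `tls_volume` includes are added unconditionally here (and in the cluster-wait job) with `enabled` passed in, whereas the helm-toolkit rabbit-init template wraps the same includes in `{{- if $envAll.Values.manifests.certificates }}`; both work if the snippets render nothing when disabled, but the chart should settle on one convention. Since the mounted secret holds the broker's private key, it is worth confirming that the snippet output marks the mount `readOnly: true` and sets a restrictive `defaultMode` on the volume; neither is visible in this section. The pod spec continues outside both hunks.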
@ -189,11 +189,12 @@ conf:
|
|||||||
queue_master_locator: min-masters
|
queue_master_locator: min-masters
|
||||||
loopback_users.guest: "false"
|
loopback_users.guest: "false"
|
||||||
management.load_definitions: "/var/lib/rabbitmq/definitions.json"
|
management.load_definitions: "/var/lib/rabbitmq/definitions.json"
|
||||||
|
rabbit_additonal_conf:
|
||||||
|
# This confinguration is used for non TLS deployments
|
||||||
management.listener.ip: "::"
|
management.listener.ip: "::"
|
||||||
management.listener.port: null
|
management.listener.port: null
|
||||||
rabbitmq_exporter:
|
rabbitmq_exporter:
|
||||||
rabbit_timeout: 30
|
rabbit_timeout: 30
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
dynamic:
|
dynamic:
|
||||||
common:
|
common:
|
||||||
@ -249,6 +250,12 @@ network:
|
|||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
tls:
|
||||||
|
oslo_messaging:
|
||||||
|
server:
|
||||||
|
internal: rabbitmq-tls-direct
|
||||||
|
|
||||||
# typically overridden by environmental
|
# typically overridden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
# required by this chart
|
# required by this chart
|
||||||
@ -360,6 +367,7 @@ volume:
|
|||||||
size: 256Mi
|
size: 256Mi
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
config_ipv6: false
|
config_ipv6: false
|
||||||
|
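Review bot: The comment on the new `rabbit_additonal_conf` stanza reads `# This confinguration is used for non TLS deployments`; besides the typo it should say what fills the `null` port, e.g. `# Management listener settings for non-TLS deployments; management.listener.port is populated from endpoints.oslo_messaging.port.http by configmap-etc.yaml`. `management.listener.port: null` is otherwise a placeholder with no signal to the reader that a template overwrites it. The spelling of the key itself is raised on the configmap-etc section. The `secrets.tls` stanza added in the second hunk is the only place the `rabbitmq-tls-direct` name is defined in values.yaml, and the tls.yaml override repeats it as a literal; a comment noting that the two must agree would help.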
30
rabbitmq/values_overrides/tls.yaml
Normal file
30
rabbitmq/values_overrides/tls.yaml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
---
|
||||||
|
conf:
|
||||||
|
rabbitmq:
|
||||||
|
ssl_options:
|
||||||
|
cacertfile: "/etc/rabbitmq/certs/ca.crt"
|
||||||
|
certfile: "/etc/rabbitmq/certs/tls.crt"
|
||||||
|
keyfile: "/etc/rabbitmq/certs/tls.key"
|
||||||
|
verify: verify_peer
|
||||||
|
fail_if_no_peer_cert: false
|
||||||
|
management:
|
||||||
|
ssl:
|
||||||
|
cacertfile: "/etc/rabbitmq/certs/ca.crt"
|
||||||
|
certfile: "/etc/rabbitmq/certs/tls.crt"
|
||||||
|
keyfile: "/etc/rabbitmq/certs/tls.key"
|
||||||
|
endpoints:
|
||||||
|
oslo_messaging:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: rabbitmq-tls-direct
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
kind: ClusterIssuer
|
||||||
|
port:
|
||||||
|
https:
|
||||||
|
default: 15672
|
||||||
|
public: 443
|
||||||
|
manifests:
|
||||||
|
certificates: true
|
||||||
|
...
|
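Review bot: `verify: verify_peer` combined with `fail_if_no_peer_cert: false` configures TLS with an optional client certificate, so authentication still rests on the username/password sent over the encrypted channel; a comment above `ssl_options` such as `# client certs are verified when presented but not required; auth remains user/password` would stop operators reading this override as mutual TLS. The `ca-issuer` ClusterIssuer and the `rabbitmq-tls-direct` secret name are fixed literals here and the secret name must match `secrets.tls.oslo_messaging.server.internal` in values.yaml; a comment pointing at that key would make the coupling visible. The management `https` port reuses 15672, which is conventionally the plain-HTTP management port, so document that it now serves TLS only.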
@ -21,4 +21,5 @@ helm-toolkit:
|
|||||||
- 0.2.12 Remove hook-delete-policy
|
- 0.2.12 Remove hook-delete-policy
|
||||||
- 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled
|
- 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled
|
||||||
- 0.2.14 Remove TLS_OPTION argument from s3 bucket creation job
|
- 0.2.14 Remove TLS_OPTION argument from s3 bucket creation job
|
||||||
|
- 0.2.15 Adding TLS rabbitmq logic
|
||||||
...
|
...
|
||||||
|
@ -6,4 +6,5 @@ rabbitmq:
|
|||||||
- 0.1.4 Add configurable RABBIT_TIMEOUT parameter
|
- 0.1.4 Add configurable RABBIT_TIMEOUT parameter
|
||||||
- 0.1.5 Update Rabbitmq exporter version
|
- 0.1.5 Update Rabbitmq exporter version
|
||||||
- 0.1.6 Disallow privilege escalation in rabbitmq server container
|
- 0.1.6 Disallow privilege escalation in rabbitmq server container
|
||||||
|
- 0.1.7 Adding TLS logic to rabbitmq
|
||||||
...
|
...
|
||||||
|