From 5d086878a22d7f0c8de88274c2413670a125492a Mon Sep 17 00:00:00 2001 From: Vasyl Saienko Date: Fri, 13 Sep 2024 13:06:38 +0000 Subject: [PATCH] [rabbitmq] Set password for guest user rabbitmq Guest account is enabled by default and has access to all vhosts. Allow to change guest password during rabbitmq configuration. Change-Id: If23ab8d5587b13e628bce5bcb135a367324dca80 --- rabbitmq/Chart.yaml | 2 +- rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl | 10 +++++++++- rabbitmq/templates/secret-rabbit-admin.yaml | 1 + rabbitmq/templates/statefulset.yaml | 5 +++++ rabbitmq/values.yaml | 2 ++ releasenotes/notes/rabbitmq.yaml | 1 + 6 files changed, 19 insertions(+), 2 deletions(-) diff --git a/rabbitmq/Chart.yaml b/rabbitmq/Chart.yaml index 53d20cc0c..73fce9313 100644 --- a/rabbitmq/Chart.yaml +++ b/rabbitmq/Chart.yaml @@ -15,6 +15,6 @@ apiVersion: v1 appVersion: v3.12.0 description: OpenStack-Helm RabbitMQ name: rabbitmq -version: 0.1.39 +version: 0.1.40 home: https://github.com/rabbitmq/rabbitmq-server ... diff --git a/rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl b/rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl index ae7e1099f..79f9b76fb 100644 --- a/rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl +++ b/rabbitmq/templates/bin/_rabbitmq-password-hash.py.tpl @@ -26,6 +26,7 @@ import re user = os.environ['RABBITMQ_ADMIN_USERNAME'] password = os.environ['RABBITMQ_ADMIN_PASSWORD'] +guest_password = os.environ['RABBITMQ_GUEST_PASSWORD'] output_file = os.environ['RABBITMQ_DEFINITION_FILE'] def hash_rabbit_password(password): @@ -42,7 +43,14 @@ output = { "password_hash": hash_rabbit_password(password), "hashing_algorithm": "rabbit_password_hashing_sha512", "tags": "administrator" - }] + }, + { + "name": "guest", + "password_hash": hash_rabbit_password(guest_password), + "hashing_algorithm": "rabbit_password_hashing_sha512", + "tags": "administrator" + } + ] } if 'RABBITMQ_USERS' in os.environ: 
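Review bot: The new `guest` entry in the `users` list is written with `"tags": "administrator"`, so the well-known account name remains a full administrator and only its password changes. The chart already defines its own administrator from `RABBITMQ_ADMIN_USERNAME`, so consider giving guest no tags (`"tags": ""`) or making the tags configurable, unless something outside this diff depends on guest being an administrator. The entry is also added unconditionally, so if `RABBITMQ_ADMIN_USERNAME` were ever set to `guest` the definitions file would presumably list two users with the same name; building the guest entry only when `user != "guest"` would avoid that. The `output` dict starts above the hunk and the `RABBITMQ_USERS` handling continues below it.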
diff --git a/rabbitmq/templates/secret-rabbit-admin.yaml b/rabbitmq/templates/secret-rabbit-admin.yaml index 57cc959cd..c80f1bc78 100644 --- a/rabbitmq/templates/secret-rabbit-admin.yaml +++ b/rabbitmq/templates/secret-rabbit-admin.yaml @@ -29,4 +29,5 @@ type: Opaque data: RABBITMQ_ADMIN_USERNAME: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.username | b64enc }} RABBITMQ_ADMIN_PASSWORD: {{ $envAll.Values.endpoints.oslo_messaging.auth.user.password | b64enc }} + RABBITMQ_GUEST_PASSWORD: {{ $envAll.Values.endpoints.oslo_messaging.auth.guest.password | b64enc }} {{- end }} diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulset.yaml index d347d4634..17400d370 100644 --- a/rabbitmq/templates/statefulset.yaml +++ b/rabbitmq/templates/statefulset.yaml @@ -144,6 +144,11 @@ spec: secretKeyRef: name: {{ printf "%s-%s" $envAll.deployment_name "admin-user" | quote }} key: RABBITMQ_ADMIN_PASSWORD + - name: RABBITMQ_GUEST_PASSWORD + valueFrom: + secretKeyRef: + name: {{ printf "%s-%s" $envAll.deployment_name "admin-user" | quote }} + key: RABBITMQ_GUEST_PASSWORD - name: RABBITMQ_DEFINITION_FILE value: "{{ index $envAll.Values.conf.rabbitmq "management.load_definitions" }}" {{- if .Values.conf.users }} diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml index 8c8a9fa1e..bc2342fda 100644 --- a/rabbitmq/values.yaml +++ b/rabbitmq/values.yaml @@ -390,6 +390,8 @@ endpoints: user: username: rabbitmq password: password + guest: + password: password hosts: default: rabbitmq # NOTE(portdirect): the public host is only used to the management WUI diff --git a/releasenotes/notes/rabbitmq.yaml b/releasenotes/notes/rabbitmq.yaml index 0b8fb0ac7..10d2523ac 100644 --- a/releasenotes/notes/rabbitmq.yaml +++ b/releasenotes/notes/rabbitmq.yaml 
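Review bot: The default added in values.yaml, `guest:` / `password: password`, replaces one publicly known guest credential with another, so a deployment that does not override it still has a known password on an account that the definitions file tags as administrator. Consider shipping no default and failing the render in secret-rabbit-admin.yaml instead, e.g. `RABBITMQ_GUEST_PASSWORD: {{ required "endpoints.oslo_messaging.auth.guest.password must be set" $envAll.Values.endpoints.oslo_messaging.auth.guest.password | b64enc }}`, or at least add a comment next to the value saying it must be overridden. The neighbouring `user.password` default has the same shape, so this may be a chart-wide convention to revisit separately. The statefulset hunk also makes the `RABBITMQ_GUEST_PASSWORD` key mandatory in the admin-user secret; where that secret is managed outside the chart (the template appears to be conditional, given its visible `{{- end }}`), pods would not start after an upgrade until the key exists, which deserves a line in the release note.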
@@ -39,4 +39,5 @@ rabbitmq: - 0.1.37 Update rabbitmq readiness/liveness command - 0.1.38 Do not use hardcoded username in rabbitmq chown container - 0.1.39 Allow to bootstrap rabbitmq with initial config + - 0.1.40 Set password for guest user rabbitmq ...