openstack
/
openstack-helm-infra
Code Issues Proposed changes

rabbitmq: Set separate for HTTPS 

Additionally, add TLS to prometheus exporter.

Change-Id: I6b46d2274a57d07c9967321abaa1077a1e8b4da2
This commit is contained in:
Gupta, Sangeet (sg774j) 2021-06-07 21:59:00 +00:00 committed by Nafiz Haider
parent c8dbd3d47d
commit e1990e399f
10 changed files with 70 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rabbitmq/Chart.yaml
View File

@ -15,6 +15,6 @@ apiVersion: v1
appVersion: v3.7.26
description: OpenStack-Helm RabbitMQ
name: rabbitmq
version: 0.1.9
version: 0.1.10
home: https://github.com/rabbitmq/rabbitmq-server
...

34
rabbitmq/templates/bin/_rabbitmq-test.sh.tpl
View File

@ -32,27 +32,19 @@ set -x
function rabbitmqadmin_authed () {
set +x
if [ -n "$RABBITMQ_X509" ]
then
rabbitmqadmin \
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
else
rabbitmqadmin \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
$@
fi
rabbitmqadmin \
{{- if .Values.manifests.certificates }}
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
{{- end }}
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
set -x
}

40
rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl
View File

@ -31,31 +31,21 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
set -ex
function rabbitmqadmin_authed () {
if [ -n "$RABBITMQ_X509" ]
then
set +x
rabbitmqadmin \
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
set -x
else
set +x
rabbitmqadmin \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
$@
set -x
fi
set +x
rabbitmqadmin \
{{- if .Values.manifests.certificates }}
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
{{- end }}
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
set -x
}
function active_rabbit_nodes () {

11
rabbitmq/templates/job-cluster-wait.yaml
View File

@ -17,6 +17,11 @@ limitations under the License.
{{- $serviceAccountName := print .Release.Name "-cluster-wait" }}
{{ tuple $envAll "cluster_wait" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: batch/v1
kind: Job
@ -68,13 +73,9 @@ spec:
{{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: RABBITMQ_ADMIN_CONNECTION
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
value: {{ tuple "oslo_messaging" "internal" "user" $protocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
- name: RABBIT_REPLICA_COUNT
value: {{ $envAll.Values.pod.replicas.server | quote }}
{{- if $envAll.Values.manifests.certificates }}
- name: RABBITMQ_X509
value: "REQUIRE X509"
{{- end }}
command:
- /tmp/rabbitmq-wait-for-cluster.sh
volumeMounts:

20
rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
View File

@ -24,6 +24,12 @@ httpGet:
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq-exporter" }}
{{ tuple $envAll "prometheus_rabbitmq_exporter" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
@ -67,7 +73,7 @@ spec:
- name: RABBIT_TIMEOUT
value: "{{ .Values.conf.rabbitmq_exporter.rabbit_timeout }}"
- name: RABBIT_URL
value: http://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:15672
value: {{ printf "%s" $protocol }}://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: RABBIT_USER
valueFrom:
secretKeyRef:
@ -92,4 +98,16 @@ spec:
value: {{ $envAll.Values.conf.prometheus_exporter.include_queues | default ".*" | quote }}
- name: RABBIT_EXPORTERS
value: {{ $envAll.Values.conf.prometheus_exporter.rabbit_exporters | default "overview,exchange,node,queue" | quote }}
{{- if $envAll.Values.manifests.certificates }}
- name: CAFILE
value: "/etc/rabbitmq/certs/ca.crt"
- name: CERTFILE
value: "/etc/rabbitmq/certs/tls.crt"
- name: KEYFILE
value: "/etc/rabbitmq/certs/tls.key"
volumeMounts:
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- end }}

4
rabbitmq/templates/pod-test.yaml
View File

@ -51,10 +51,6 @@ spec:
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
- name: RABBIT_REPLICA_COUNT
value: {{ $envAll.Values.pod.replicas.server | quote }}
{{- if $envAll.Values.manifests.certificates }}
- name: RABBITMQ_X509
value: "REQUIRE X509"
{{- end }}
command:
- /tmp/rabbitmq-test.sh
volumeMounts:

8
rabbitmq/templates/service.yaml
View File

@ -14,6 +14,10 @@ limitations under the License.
{{- if .Values.manifests.service }}
{{- $envAll := . }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: v1
kind: Service
@ -26,8 +30,8 @@ spec:
name: amqp
- port: {{ add (tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") 20000 }}
name: clustering
- port: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
name: http
- port: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
name: {{ printf "%s" $protocol }}
selector:
{{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{ end }}

11
rabbitmq/templates/statefulset.yaml
View File

@ -34,6 +34,11 @@ limitations under the License.
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq" }}
{{ tuple $envAll "rabbitmq" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@ -173,9 +178,9 @@ spec:
command:
- /tmp/rabbitmq-start.sh
ports:
- name: http
- name: {{ printf "%s" $protocol }}
protocol: TCP
containerPort: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
containerPort: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: amqp
protocol: TCP
containerPort: {{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -202,7 +207,7 @@ spec:
- name: RABBITMQ_ERLANG_COOKIE
value: "{{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie }}"
- name: PORT_HTTP
value: "{{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
value: "{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
- name: PORT_AMPQ
value: "{{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
- name: PORT_CLUSTERING

2
rabbitmq/values_overrides/tls.yaml
View File

@ -23,7 +23,7 @@ endpoints:
kind: ClusterIssuer
port:
https:
default: 15672
default: 15680
public: 443
manifests:
certificates: true

1
releasenotes/notes/rabbitmq.yaml
View File

@ -9,4 +9,5 @@ rabbitmq:
- 0.1.7 Adding TLS logic to rabbitmq
- 0.1.8 Make helm test work with TLS
- 0.1.9 Use full image ref for docker official images
- 0.1.10 Set separate for HTTPS
...