rabbitmq: Set separate for HTTPS

Additionally, add TLS to prometheus exporter.

Change-Id: I6b46d2274a57d07c9967321abaa1077a1e8b4da2
Gupta, Sangeet (sg774j) 2021-06-07 21:59:00 +00:00 committed by Nafiz Haider
parent c8dbd3d47d
commit e1990e399f
10 changed files with 70 additions and 63 deletions


@ -15,6 +15,6 @@ apiVersion: v1
appVersion: v3.7.26
description: OpenStack-Helm RabbitMQ
name: rabbitmq
version: 0.1.9
version: 0.1.10
home: https://github.com/rabbitmq/rabbitmq-server
...


@ -32,27 +32,19 @@ set -x
function rabbitmqadmin_authed () {
set +x
if [ -n "$RABBITMQ_X509" ]
then
rabbitmqadmin \
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
else
rabbitmqadmin \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
$@
fi
rabbitmqadmin \
{{- if .Values.manifests.certificates }}
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
{{- end }}
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
set -x
}
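Review bot: The templated TLS branch still passes `--ssl-disable-hostname-verification`, so rabbitmqadmin validates the server chain against `ca.crt` but never checks that the certificate belongs to `${RABBIT_HOSTNAME}`. Any certificate issued by the same CA would be accepted for the endpoint that receives the admin password. If the server certificate's SANs cover the service name (not visible here), drop the flag; otherwise record the exception with a comment such as `# hostname check disabled: server cert SANs do not include RABBIT_HOSTNAME`. The second script's copy of `rabbitmqadmin_authed` later in this commit keeps the same flag.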


@ -31,31 +31,21 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
set -ex
function rabbitmqadmin_authed () {
if [ -n "$RABBITMQ_X509" ]
then
set +x
rabbitmqadmin \
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
set -x
else
set +x
rabbitmqadmin \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
$@
set -x
fi
set +x
rabbitmqadmin \
{{- if .Values.manifests.certificates }}
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
{{- end }}
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
set -x
}
function active_rabbit_nodes () {
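Review bot: `${@}` at the end of the rabbitmqadmin call is unquoted, so an argument containing spaces or glob characters is re-split and expanded by the shell before rabbitmqadmin sees it; `"$@"` forwards the caller's arguments unchanged. The callers are outside this hunk, so whether any of them passes such an argument is not visible. The first script's copy of `rabbitmqadmin_authed` ends with the same line.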


@ -17,6 +17,11 @@ limitations under the License.
{{- $serviceAccountName := print .Release.Name "-cluster-wait" }}
{{ tuple $envAll "cluster_wait" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: batch/v1
kind: Job
@ -68,13 +73,9 @@ spec:
{{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: RABBITMQ_ADMIN_CONNECTION
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
value: {{ tuple "oslo_messaging" "internal" "user" $protocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
- name: RABBIT_REPLICA_COUNT
value: {{ $envAll.Values.pod.replicas.server | quote }}
{{- if $envAll.Values.manifests.certificates }}
- name: RABBITMQ_X509
value: "REQUIRE X509"
{{- end }}
command:
- /tmp/rabbitmq-wait-for-cluster.sh
volumeMounts:
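Review bot: `RABBITMQ_ADMIN_CONNECTION` is rendered by `authenticated_endpoint_uri_lookup` into a literal env `value`, and the wait script in this commit parses `RABBITMQ_ADMIN_PASSWORD` out of that variable. The admin password therefore sits in the Job spec, readable by anyone allowed to get Jobs or Pods in the namespace. The exporter Deployment in this commit takes `RABBIT_USER` through `valueFrom: secretKeyRef:`; sourcing the URI from a Secret the same way would keep the credential out of the object. Separately, the three-line `$protocol` block is repeated verbatim in four templates and could live in one shared helper.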


@ -24,6 +24,12 @@ httpGet:
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq-exporter" }}
{{ tuple $envAll "prometheus_rabbitmq_exporter" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
@ -67,7 +73,7 @@ spec:
- name: RABBIT_TIMEOUT
value: "{{ .Values.conf.rabbitmq_exporter.rabbit_timeout }}"
- name: RABBIT_URL
value: http://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:15672
value: {{ printf "%s" $protocol }}://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: RABBIT_USER
valueFrom:
secretKeyRef:
@ -92,4 +98,16 @@ spec:
value: {{ $envAll.Values.conf.prometheus_exporter.include_queues | default ".*" | quote }}
- name: RABBIT_EXPORTERS
value: {{ $envAll.Values.conf.prometheus_exporter.rabbit_exporters | default "overview,exchange,node,queue" | quote }}
{{- if $envAll.Values.manifests.certificates }}
- name: CAFILE
value: "/etc/rabbitmq/certs/ca.crt"
- name: CERTFILE
value: "/etc/rabbitmq/certs/tls.crt"
- name: KEYFILE
value: "/etc/rabbitmq/certs/tls.key"
volumeMounts:
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- end }}
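Review bot: The exporter's `KEYFILE` points at `tls.key` from `.Values.secrets.tls.oslo_messaging.server.internal`, which by its name is the RabbitMQ server's own certificate secret. A compromise of the metrics exporter would then also expose the broker's private key. If the management listener does not require client certificates (not visible here), `CAFILE` alone is enough to verify the server; if it does, a dedicated client certificate secret for the exporter would keep the server key inside the server pod. As a smaller style point, `{{ printf "%s" $protocol }}` in `RABBIT_URL` is equivalent to `{{ $protocol }}`.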


@ -51,10 +51,6 @@ spec:
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
- name: RABBIT_REPLICA_COUNT
value: {{ $envAll.Values.pod.replicas.server | quote }}
{{- if $envAll.Values.manifests.certificates }}
- name: RABBITMQ_X509
value: "REQUIRE X509"
{{- end }}
command:
- /tmp/rabbitmq-test.sh
volumeMounts:


@ -14,6 +14,10 @@ limitations under the License.
{{- if .Values.manifests.service }}
{{- $envAll := . }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: v1
kind: Service
@ -26,8 +30,8 @@ spec:
name: amqp
- port: {{ add (tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") 20000 }}
name: clustering
- port: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
name: http
- port: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
name: {{ printf "%s" $protocol }}
selector:
{{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
{{ end }}
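Review bot: With certificates enabled, the Service now publishes only the port resolved for `https`, under the name `https`, and the `http` entry is gone. The test pod template in this commit still builds `RABBITMQ_ADMIN_CONNECTION` from the literal `"http"` while its script adds `--ssl`. It would therefore appear to target a port this Service no longer exposes, and likely needs the same `$protocol` substitution the cluster-wait Job received. Anything else that selects the port by the name `http` (monitors, network policies, ingress backends, none visible here) deserves the same check.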


@ -34,6 +34,11 @@ limitations under the License.
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq" }}
{{ tuple $envAll "rabbitmq" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $protocol := "http" }}
{{- if $envAll.Values.manifests.certificates }}
{{- $protocol = "https" }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@ -173,9 +178,9 @@ spec:
command:
- /tmp/rabbitmq-start.sh
ports:
- name: http
- name: {{ printf "%s" $protocol }}
protocol: TCP
containerPort: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
containerPort: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: amqp
protocol: TCP
containerPort: {{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -202,7 +207,7 @@ spec:
- name: RABBITMQ_ERLANG_COOKIE
value: "{{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie }}"
- name: PORT_HTTP
value: "{{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
value: "{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
- name: PORT_AMPQ
value: "{{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
- name: PORT_CLUSTERING
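Review bot: `RABBITMQ_ERLANG_COOKIE` is rendered straight from `.Values.endpoints.oslo_messaging.auth.erlang_cookie` into a literal env `value`, which this commit leaves in place while hardening the management port. The cookie is the shared secret for inter-node authentication, so anyone who can read the StatefulSet or Pod spec can obtain it; `valueFrom: secretKeyRef:` would keep it out of the object. `PORT_HTTP` now carries the HTTPS port when certificates are enabled, which a comment such as `# management port for $protocol (HTTPS when certificates are enabled)` would make clear. The hunk shows only a fragment of the container spec, so whether a Secret already holds the cookie is not visible.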


@ -23,7 +23,7 @@ endpoints:
kind: ClusterIssuer
port:
https:
default: 15672
default: 15680
public: 443
manifests:
certificates: true


@ -9,4 +9,5 @@ rabbitmq:
- 0.1.7 Adding TLS logic to rabbitmq
- 0.1.8 Make helm test work with TLS
- 0.1.9 Use full image ref for docker official images
- 0.1.10 Set separate for HTTPS
...