Allow access to RabbitMQ management plugin over network

This change introduces the new RabbitmqEnableManagementAccess parameter so that operators can expose management plugin to specific network to monitor status over network. Change-Id: I09c62af87481e131c26c9d5f9faa16be349347b0
2021-04-17 00:02:53 +09:00 · 2021-04-17 00:02:53 +09:00 · 31674339d8
parent ba6700467a
commit 31674339d8
2 changed files with 23 additions and 5 deletions
--- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
@ -101,6 +101,10 @@ parameters:
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service
+  RabbitmqEnableManagementAccess:
+    type: boolean
+    default: false
+    description: Allow access to RabbitMQ management plugin over network

 parameter_groups:
 - label: deprecated
@ -134,10 +138,14 @@ outputs:
      firewall_rules:
        '109 rabbitmq':
          dport:
-            - 4369
-            - 5672
-            - 25672
-            - 25673-25683
+            list_concat:
+              - - 4369
+                - 5672
+                - 25672
+                - 25673-25683
+              - if:
+                - {get_param: RabbitmqEnableManagementAccess}
+                - - 15672
      monitoring_subscription: {get_param: MonitoringSubscriptionRabbitmq}
      # RabbitMQ plugins initialization occurs on every node
      config_settings:
@ -213,7 +221,16 @@ outputs:
          - rabbitmq::admin_enable: false
            rabbitmq::management_enable: true
            rabbitmq::use_config_file_for_plugins: true
-            rabbitmq::management_ip_address: 127.0.0.1
+            rabbitmq::management_ip_address:
+              if:
+                - {get_param: RabbitmqEnableManagementAccess}
+                - str_replace:
+                    template:
+                      "%{hiera('$NETWORK')}"
+                    params:
+                      $NETWORK: {get_param: [ServiceNetMap, RabbitmqManagementNetwork]}
+                - 127.0.0.1
+            rabbitmq::management_port: 15672
            rabbitmq::config_management_variables:
              rates_mode: none
          - if:
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@ -65,6 +65,7 @@ parameters:
      OsloMessagingRpcNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
      OsloMessagingNotifyNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
      RabbitmqNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
+      RabbitmqManagementNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
      QdrNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
      RedisNetwork: {{ _service_nets.get('internal_api', 'ctlplane') }}
      GaneshaNetwork: {{ _service_nets.get('storage_nfs', 'ctlplane') }}