From 2dc83fdde7d9a7efe378730e480efbdbdde997db Mon Sep 17 00:00:00 2001 From: "Haider, Nafiz (nh532m)" Date: Wed, 13 Jan 2021 17:21:56 -0600 Subject: [PATCH] feat(tls): Enable TLS for OpenStack RabbitMQ Enable TLS for Openstack RabbitMQ upstream Co-authored-by: Sangeet Gupta Change-Id: I7c08d41b212bc5095facf5f5823521fbfa4d3c47 --- helm-toolkit/Chart.yaml | 2 +- .../manifests/_job-rabbit-init.yaml.tpl | 15 +++++++++ .../templates/scripts/_rabbit-init.sh.tpl | 27 +++++++++++---- rabbitmq/Chart.yaml | 2 +- .../bin/_rabbitmq-wait-for-cluster.sh.tpl | 33 ++++++++++++++----- rabbitmq/templates/certificates.yaml | 17 ++++++++++ rabbitmq/templates/configmap-etc.yaml | 12 +++++-- rabbitmq/templates/job-cluster-wait.yaml | 6 ++++ rabbitmq/templates/statefulset.yaml | 2 ++ rabbitmq/values.yaml | 10 +++++- rabbitmq/values_overrides/tls.yaml | 30 +++++++++++++++++ releasenotes/notes/helm-toolkit.yaml | 1 + releasenotes/notes/rabbitmq.yaml | 1 + 13 files changed, 139 insertions(+), 19 deletions(-) create mode 100644 rabbitmq/templates/certificates.yaml create mode 100644 rabbitmq/values_overrides/tls.yaml diff --git a/helm-toolkit/Chart.yaml b/helm-toolkit/Chart.yaml index c5808b856..8ff554dfa 100644 --- a/helm-toolkit/Chart.yaml +++ b/helm-toolkit/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Helm-Toolkit name: helm-toolkit -version: 0.2.14 +version: 0.2.15 home: https://docs.openstack.org/openstack-helm icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png sources: diff --git a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl index 558f9e4a3..55740322a 100644 --- a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl +++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl 
@@ -24,6 +24,9 @@ limitations under the License. {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }} {{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -73,6 +76,9 @@ spec: mountPath: /tmp/rabbit-init.sh subPath: rabbit-init.sh readOnly: true +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} env: - name: RABBITMQ_ADMIN_CONNECTION valueFrom: @@ -87,6 +93,12 @@ spec: {{- if $envAll.Values.conf.rabbitmq }} - name: RABBITMQ_AUXILIARY_CONFIGURATION value: {{ toJson $envAll.Values.conf.rabbitmq | quote }} +{{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: RABBITMQ_X509 + value: "REQUIRE X509" + - name: USER_CERT_PATH + value: {{ $tlsPath | quote }} {{- end }} volumes: - name: pod-tmp @@ -101,4 +113,7 @@ spec: name: {{ $configMapBin | quote }} defaultMode: 0555 {{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} {{- end -}} diff --git a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl index 4e0b6aaa2..87872d6ff 100644 --- a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl +++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl 
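Review bot: `$tlsSecret` defaults to an empty string in the `@@ -24` hunk, so a chart that enables `manifests.certificates` but does not pass `tlsSecret` to this template renders the TLS volume in the `@@ -101` hunk with an empty secret name, which presumably surfaces only when the Job's pod is created rather than at template time. A guard right after the assignment catches the misconfiguration during rendering: `{{- if and $envAll.Values.manifests.certificates (not $tlsSecret) }}{{ fail "tlsSecret is required when manifests.certificates is enabled" }}{{- end }}`. `$serviceNamePretty` is assigned in the same hunk but is not read anywhere in the visible hunks; drop it unless something outside them uses it.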
@@ -47,12 +47,27 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \ RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}" function rabbitmqadmin_cli () { - rabbitmqadmin \ - --host="${RABBIT_HOSTNAME}" \ - --port="${RABBIT_PORT}" \ - --username="${RABBITMQ_ADMIN_USERNAME}" \ - --password="${RABBITMQ_ADMIN_PASSWORD}" \ - ${@} + if [ -n "$RABBITMQ_X509" ] + then + rabbitmqadmin \ + --ssl \ + --ssl-disable-hostname-verification \ + --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \ + --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \ + --ssl-key-file="${USER_CERT_PATH}/tls.key" \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} + else + rabbitmqadmin \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} + fi } echo "Managing: User: ${RABBITMQ_USERNAME}" diff --git a/rabbitmq/Chart.yaml b/rabbitmq/Chart.yaml index 06b977499..9033893a2 100644 --- a/rabbitmq/Chart.yaml +++ b/rabbitmq/Chart.yaml @@ -15,6 +15,6 @@ apiVersion: v1 appVersion: v3.7.26 description: OpenStack-Helm RabbitMQ name: rabbitmq -version: 0.1.6 +version: 0.1.7 home: https://github.com/rabbitmq/rabbitmq-server ... diff --git a/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl index fbf595e60..047c404d8 100644 --- a/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl +++ b/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl 
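Review bot: `--ssl-disable-hostname-verification` is hard-coded into the TLS branch of `rabbitmqadmin_cli`, so the client checks only that the broker's certificate chains to `ca.crt`; any certificate issued by that CA is then accepted as the broker regardless of the name in it, which is a weaker check than the CA-issued certificate could support. The same flag is hard-coded in `rabbitmqadmin_authed` in rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl. If the flag is needed because `RABBIT_HOSTNAME` is not among the certificate's SANs, say so above it (`# hostname verification off: RABBIT_HOSTNAME is not in the server cert SANs — confirm`) and track removing it once the SAN list covers the name; otherwise drop the flag. Separately, the two branches repeat the whole command and differ only in the SSL options, which invites the copies to drift (the wait-for-cluster script already differs in `set +x` handling); building the optional flags once, assuming bash, keeps a single command line.
```shell
function rabbitmqadmin_cli () {
  local ssl_args=()
  if [ -n "$RABBITMQ_X509" ]
  then
    # hostname verification off: RABBIT_HOSTNAME is not in the server cert SANs — confirm
    ssl_args=( --ssl \
      --ssl-disable-hostname-verification \
      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
      --ssl-key-file="${USER_CERT_PATH}/tls.key" )
  fi
  rabbitmqadmin \
    "${ssl_args[@]}" \
    --host="${RABBIT_HOSTNAME}" \
    --port="${RABBIT_PORT}" \
    --username="${RABBITMQ_ADMIN_USERNAME}" \
    --password="${RABBITMQ_ADMIN_PASSWORD}" \
    ${@}
}
```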
@@ -31,14 +31,31 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $ set -ex function rabbitmqadmin_authed () { - set +x - rabbitmqadmin \ - --host="${RABBIT_HOSTNAME}" \ - --port="${RABBIT_PORT}" \ - --username="${RABBITMQ_ADMIN_USERNAME}" \ - --password="${RABBITMQ_ADMIN_PASSWORD}" \ - $@ - set -x + if [ -n "$RABBITMQ_X509" ] + then + set +x + rabbitmqadmin \ + --ssl \ + --ssl-disable-hostname-verification \ + --ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \ + --ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \ + --ssl-key-file="/etc/rabbitmq/certs/tls.key" \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} + set -x + else + set +x + rabbitmqadmin \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + $@ + set -x + fi } function active_rabbit_nodes () { diff --git a/rabbitmq/templates/certificates.yaml b/rabbitmq/templates/certificates.yaml new file mode 100644 index 000000000..d7f88e588 --- /dev/null +++ b/rabbitmq/templates/certificates.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.certificates -}} +{{ dict "envAll" . "service" "oslo_messaging" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +{{- end -}} 
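Review bot: The TLS branch of `rabbitmqadmin_authed` hard-codes `/etc/rabbitmq/certs` three times, while the helm-toolkit counterpart reads the directory from `USER_CERT_PATH` and job-cluster-wait.yaml spells the mount path out yet again, so moving the mount point means editing several files in step. Reading one variable with a default, `CERT_PATH="${USER_CERT_PATH:-/etc/rabbitmq/certs}"`, and using it in the three `--ssl-*-file` flags keeps the two scripts aligned without changing what the Job passes today. The two branches also differ in `${@}` versus `$@` for the pass-through arguments; pick one form.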
diff --git a/rabbitmq/templates/configmap-etc.yaml b/rabbitmq/templates/configmap-etc.yaml index cfb46efe2..b9ee9564e 100644 --- a/rabbitmq/templates/configmap-etc.yaml +++ b/rabbitmq/templates/configmap-etc.yaml @@ -36,9 +36,14 @@ limitations under the License. {{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}} {{- end -}} +{{- if .Values.manifests.certificates }} +{{- $_ := print "none" | set $envAll.Values.conf.rabbitmq.listeners "tcp" -}} +{{- $_ := tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq.listeners "ssl.1" -}} +{{- $_ := tuple "oslo_messaging" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.ssl.port" -}} +{{- else }} {{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}} - -{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.listener.port" -}} +{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbit_additonal_conf "management.listener.port" -}} +{{- end }} --- apiVersion: v1 
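Review bot: The values key introduced here as `rabbit_additonal_conf` is misspelled, and because it is also declared in rabbitmq/values.yaml and read in the `@@ -50` hunk of this file, the typo becomes part of the chart's values interface that operators override; renaming it later is a breaking change, so correct it to `rabbit_additional_conf` in all three places before this merges. The TLS branch's `listeners.tcp` set to `none` is what actually turns off the plaintext AMQP listener and deserves a one-line comment saying so, since a reader will otherwise look for that in the override file. The hunk also mixes `.Values.manifests.certificates` and `$envAll.Values` on adjacent lines; either works, but one form reads more consistently with the rest of the template.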
@@ -50,6 +55,9 @@ data: {{ tuple "etc/_enabled_plugins.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} rabbitmq.conf: | {{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }} +{{- if not .Values.manifests.certificates }} +{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbit_additonal_conf | indent 4 }} +{{- end }} {{- $erlvm_scheduler_num := include "get_erlvm_scheduler_num" .Values.pod.resources.server.limits.cpu }} {{- $erlvm_scheduler_conf := printf "+S %s:%s" $erlvm_scheduler_num $erlvm_scheduler_num }} diff --git a/rabbitmq/templates/job-cluster-wait.yaml b/rabbitmq/templates/job-cluster-wait.yaml index 9f5b25fbe..049792915 100644 --- a/rabbitmq/templates/job-cluster-wait.yaml +++ b/rabbitmq/templates/job-cluster-wait.yaml @@ -71,6 +71,10 @@ spec: value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }} - name: RABBIT_REPLICA_COUNT value: {{ $envAll.Values.pod.replicas.server | quote }} +{{- if $envAll.Values.manifests.certificates }} + - name: RABBITMQ_X509 + value: "REQUIRE X509" +{{- end }} command: - /tmp/rabbitmq-wait-for-cluster.sh volumeMounts: @@ -82,6 +86,7 @@ spec: readOnly: true - name: rabbitmq-data mountPath: /var/lib/rabbitmq +{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} @@ -95,4 +100,5 @@ spec: secret: secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }} defaultMode: 0444 +{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} 
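Review bot: The `tls_volume_mount` and `tls_volume` includes added to job-cluster-wait.yaml are not wrapped in `{{- if $envAll.Values.manifests.certificates }}` as the equivalent lines in helm-toolkit's _job-rabbit-init.yaml.tpl are, and they open with `{{ ` rather than `{{- `, so with certificates disabled the rendered manifest presumably carries whatever the snippet emits for `enabled: false` plus a padding line from `indent`. The same unguarded form appears twice in rabbitmq/templates/statefulset.yaml. Guarding them the same way, `{{- if $envAll.Values.manifests.certificates }}` / `{{- dict ... | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}` / `{{- end }}`, keeps the non-TLS output byte-for-byte what it was and the two charts consistent.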
diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulset.yaml index e5739f506..6df75e301 100644 --- a/rabbitmq/templates/statefulset.yaml +++ b/rabbitmq/templates/statefulset.yaml @@ -254,6 +254,7 @@ spec: subPath: erl_inetrc readOnly: true {{- end }} +{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} @@ -269,6 +270,7 @@ spec: secret: secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }} defaultMode: 0444 +{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- if not $envAll.Values.volume.enabled }} - name: rabbitmq-data {{- if .Values.volume.use_local_path.enabled }} diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml index 037616a4a..991a3faba 100644 --- a/rabbitmq/values.yaml +++ b/rabbitmq/values.yaml @@ -189,11 +189,12 @@ conf: queue_master_locator: min-masters loopback_users.guest: "false" management.load_definitions: "/var/lib/rabbitmq/definitions.json" + rabbit_additonal_conf: + # This confinguration is used for non TLS deployments management.listener.ip: "::" management.listener.port: null rabbitmq_exporter: rabbit_timeout: 30 - dependencies: dynamic: common: @@ -249,6 +250,12 @@ network: annotations: nginx.ingress.kubernetes.io/rewrite-target: / +secrets: + tls: + oslo_messaging: + server: + internal: rabbitmq-tls-direct + # typically overridden by environmental # values, but should include all endpoints # required by this chart @@ -360,6 +367,7 @@ volume: size: 256Mi manifests: + certificates: false configmap_bin: true configmap_etc: true config_ipv6: false 
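Review bot: `secrets.tls.oslo_messaging.server.internal: rabbitmq-tls-direct` in values.yaml has to agree with `endpoints.oslo_messaging.host_fqdn_override.default.tls.secretName` in values_overrides/tls.yaml, since the former is the secret the StatefulSet and cluster-wait Job mount and the latter is presumably where the Certificate resource rendered by certificates.yaml writes; nothing on the page ties the two together, so a comment on the values.yaml line is warranted: `# must match endpoints.oslo_messaging.host_fqdn_override.default.tls.secretName`. The comment added above the new config block misspells configuration (`# This confinguration is used for non TLS deployments`); fix it to `# This configuration is used for non-TLS deployments`.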
diff --git a/rabbitmq/values_overrides/tls.yaml b/rabbitmq/values_overrides/tls.yaml new file mode 100644 index 000000000..b70f4a3d7 --- /dev/null +++ b/rabbitmq/values_overrides/tls.yaml @@ -0,0 +1,30 @@ +--- +conf: + rabbitmq: + ssl_options: + cacertfile: "/etc/rabbitmq/certs/ca.crt" + certfile: "/etc/rabbitmq/certs/tls.crt" + keyfile: "/etc/rabbitmq/certs/tls.key" + verify: verify_peer + fail_if_no_peer_cert: false + management: + ssl: + cacertfile: "/etc/rabbitmq/certs/ca.crt" + certfile: "/etc/rabbitmq/certs/tls.crt" + keyfile: "/etc/rabbitmq/certs/tls.key" +endpoints: + oslo_messaging: + host_fqdn_override: + default: + tls: + secretName: rabbitmq-tls-direct + issuerRef: + name: ca-issuer + kind: ClusterIssuer + port: + https: + default: 15672 + public: 443 +manifests: + certificates: true +... diff --git a/releasenotes/notes/helm-toolkit.yaml b/releasenotes/notes/helm-toolkit.yaml index 363742f8f..a0014c260 100644 --- a/releasenotes/notes/helm-toolkit.yaml +++ b/releasenotes/notes/helm-toolkit.yaml @@ -21,4 +21,5 @@ helm-toolkit: - 0.2.12 Remove hook-delete-policy - 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled - 0.2.14 Remove TLS_OPTION argument from s3 bucket creation job + - 0.2.15 Adding TLS rabbitmq logic ... diff --git a/releasenotes/notes/rabbitmq.yaml b/releasenotes/notes/rabbitmq.yaml index 6bcb71d28..483c2a301 100644 --- a/releasenotes/notes/rabbitmq.yaml +++ b/releasenotes/notes/rabbitmq.yaml @@ -6,4 +6,5 @@ rabbitmq: - 0.1.4 Add configurable RABBIT_TIMEOUT parameter - 0.1.5 Update Rabbitmq exporter version - 0.1.6 Disallow privilege escalation in rabbitmq server container + - 0.1.7 Adding TLS logic to rabbitmq ...
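Review bot: `ssl_options.verify: verify_peer` together with `fail_if_no_peer_cert: false` makes the broker request a client certificate but accept connections that present none, so the client certificate the init and cluster-wait jobs pass is optional and username/password remains the only enforced client authentication; the `RABBITMQ_X509="REQUIRE X509"` marker those jobs set suggests a stronger intent than this override delivers. If mutual TLS is intended, `fail_if_no_peer_cert: true` is the setting that enforces it, at the cost of every AMQP client needing a certificate from the same issuer; if not, a comment above the key keeps the next reader from assuming otherwise: `# client certs are requested but not required; broker auth is still username/password`. Note also that `ca-issuer` is a ClusterIssuer, so combined with the client-side hostname-verification opt-out any certificate from that issuer is accepted as the broker; scoping the issuer or restoring hostname verification narrows that.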