feat(tls): Enable TLS for OpenStack RabbitMQ

Enable TLS for OpenStack RabbitMQ upstream

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I7c08d41b212bc5095facf5f5823521fbfa4d3c47
Haider, Nafiz (nh532m) 2021-01-13 17:21:56 -06:00 committed by Gupta, Sangeet (sg774j)
parent bbe6c506af
commit 2dc83fdde7
13 changed files with 139 additions and 19 deletions


@ -15,7 +15,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Helm-Toolkit description: OpenStack-Helm Helm-Toolkit
name: helm-toolkit name: helm-toolkit
version: 0.2.14 version: 0.2.15
home: https://docs.openstack.org/openstack-helm home: https://docs.openstack.org/openstack-helm
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
sources: sources:


@ -24,6 +24,9 @@ limitations under the License.
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }} {{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@ -73,6 +76,9 @@ spec:
mountPath: /tmp/rabbit-init.sh mountPath: /tmp/rabbit-init.sh
subPath: rabbit-init.sh subPath: rabbit-init.sh
readOnly: true readOnly: true
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
env: env:
- name: RABBITMQ_ADMIN_CONNECTION - name: RABBITMQ_ADMIN_CONNECTION
valueFrom: valueFrom:
@ -87,6 +93,12 @@ spec:
{{- if $envAll.Values.conf.rabbitmq }} {{- if $envAll.Values.conf.rabbitmq }}
- name: RABBITMQ_AUXILIARY_CONFIGURATION - name: RABBITMQ_AUXILIARY_CONFIGURATION
value: {{ toJson $envAll.Values.conf.rabbitmq | quote }} value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
{{- end }}
{{- if $envAll.Values.manifests.certificates }}
- name: RABBITMQ_X509
value: "REQUIRE X509"
- name: USER_CERT_PATH
value: {{ $tlsPath | quote }}
{{- end }} {{- end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -101,4 +113,7 @@ spec:
name: {{ $configMapBin | quote }} name: {{ $configMapBin | quote }}
defaultMode: 0555 defaultMode: 0555
{{- end }} {{- end }}
{{- if $envAll.Values.manifests.certificates }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- end -}} {{- end -}}
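Review bot: The `{{- if $envAll.Values.manifests.certificates }}` wrappers around the snippet calls in the volumeMounts and volumes hunks are redundant with the `"enabled" $envAll.Values.manifests.certificates` argument already passed to `helm-toolkit.snippets.tls_volume_mount` / `tls_volume`; the rabbitmq chart templates in this same commit call the snippets without the wrapper, so one form should be used consistently. `$tlsSecret` defaults to `""`, so a caller that enables certificates but omits `tlsSecret` renders a volume with an empty secret name and the failure only surfaces when the pod cannot start; failing the render with `required` when certificates are enabled and the name is empty would catch that at install time. `$serviceNamePretty` is introduced in the first hunk but not referenced in any visible hunk; if it is unused elsewhere in the template it should be dropped.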


@ -47,12 +47,27 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}" RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
function rabbitmqadmin_cli () { function rabbitmqadmin_cli () {
if [ -n "$RABBITMQ_X509" ]
then
rabbitmqadmin \
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
--ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
--ssl-key-file="${USER_CERT_PATH}/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
else
rabbitmqadmin \ rabbitmqadmin \
--host="${RABBIT_HOSTNAME}" \ --host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \ --port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \ --username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \ --password="${RABBITMQ_ADMIN_PASSWORD}" \
${@} ${@}
fi
} }
echo "Managing: User: ${RABBITMQ_USERNAME}" echo "Managing: User: ${RABBITMQ_USERNAME}"
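Review bot: `--ssl-disable-hostname-verification` in the new TLS branch makes the client accept any certificate chained to `ca.crt` regardless of which name it was issued for, so the CA check alone is what stands between the job and a mis-issued or reused certificate; if the certificate the chart requests for `oslo_messaging` covers the name in `RABBIT_HOSTNAME`, the flag can be removed so the CA check is paired with a name check, and the same applies to the copy of this branch in rabbitmq-wait-for-cluster.sh. The two branches differ only in the five TLS flags, so collecting them in an array and keeping a single invocation removes the duplicated option list. Both branches pass `${@}` unquoted, which splits arguments containing whitespace; `"$@"` preserves them. If the script runs under `set -u` with a bash older than 4.4, the empty-array expansion needs the `${ssl_opts[@]+"${ssl_opts[@]}"}` guard.
```shell
function rabbitmqadmin_cli () {
  local ssl_opts=()
  if [ -n "${RABBITMQ_X509}" ]; then
    ssl_opts=(
      --ssl
      # drop once the server certificate SAN covers RABBIT_HOSTNAME
      --ssl-disable-hostname-verification
      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt"
      --ssl-cert-file="${USER_CERT_PATH}/tls.crt"
      --ssl-key-file="${USER_CERT_PATH}/tls.key"
    )
  fi
  rabbitmqadmin \
    "${ssl_opts[@]}" \
    --host="${RABBIT_HOSTNAME}" \
    --port="${RABBIT_PORT}" \
    --username="${RABBITMQ_ADMIN_USERNAME}" \
    --password="${RABBITMQ_ADMIN_PASSWORD}" \
    "$@"
}
```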


@ -15,6 +15,6 @@ apiVersion: v1
appVersion: v3.7.26 appVersion: v3.7.26
description: OpenStack-Helm RabbitMQ description: OpenStack-Helm RabbitMQ
name: rabbitmq name: rabbitmq
version: 0.1.6 version: 0.1.7
home: https://github.com/rabbitmq/rabbitmq-server home: https://github.com/rabbitmq/rabbitmq-server
... ...


@ -31,6 +31,22 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
set -ex set -ex
function rabbitmqadmin_authed () { function rabbitmqadmin_authed () {
if [ -n "$RABBITMQ_X509" ]
then
set +x
rabbitmqadmin \
--ssl \
--ssl-disable-hostname-verification \
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
--host="${RABBIT_HOSTNAME}" \
--port="${RABBIT_PORT}" \
--username="${RABBITMQ_ADMIN_USERNAME}" \
--password="${RABBITMQ_ADMIN_PASSWORD}" \
${@}
set -x
else
set +x set +x
rabbitmqadmin \ rabbitmqadmin \
--host="${RABBIT_HOSTNAME}" \ --host="${RABBIT_HOSTNAME}" \
@ -39,6 +55,7 @@ function rabbitmqadmin_authed () {
--password="${RABBITMQ_ADMIN_PASSWORD}" \ --password="${RABBITMQ_ADMIN_PASSWORD}" \
$@ $@
set -x set -x
fi
} }
function active_rabbit_nodes () { function active_rabbit_nodes () {
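Review bot: The certificate paths in the new TLS branch are hard-coded as `/etc/rabbitmq/certs/...`, while the helm-toolkit rabbit-init.sh in this same commit reads them from `USER_CERT_PATH`; the wait-for-cluster job template mounts the secret at that literal path so it works today, but a single source such as `CERT_PATH="${USER_CERT_PATH:-/etc/rabbitmq/certs}"` near the top of the script would keep the script and the template from drifting. The `set +x` / `set -x` pair is correctly carried into the new branch, which matters because `--password` is on the command line and the script runs under `set -ex`. The TLS branch uses `${@}` while the existing branch uses `$@`; pick one form, preferably quoted. rabbitmqadmin_authed spans both hunks of this section, with part of the else branch between them.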


@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "oslo_messaging" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}


@ -36,9 +36,14 @@ limitations under the License.
{{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}} {{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}}
{{- end -}} {{- end -}}
{{- if .Values.manifests.certificates }}
{{- $_ := print "none" | set $envAll.Values.conf.rabbitmq.listeners "tcp" -}}
{{- $_ := tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq.listeners "ssl.1" -}}
{{- $_ := tuple "oslo_messaging" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.ssl.port" -}}
{{- else }}
{{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}} {{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}}
{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbit_additonal_conf "management.listener.port" -}}
{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.listener.port" -}} {{- end }}
--- ---
apiVersion: v1 apiVersion: v1
@ -50,6 +55,9 @@ data:
{{ tuple "etc/_enabled_plugins.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "etc/_enabled_plugins.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbitmq.conf: | rabbitmq.conf: |
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }} {{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }}
{{- if not .Values.manifests.certificates }}
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbit_additonal_conf | indent 4 }}
{{- end }}
{{- $erlvm_scheduler_num := include "get_erlvm_scheduler_num" .Values.pod.resources.server.limits.cpu }} {{- $erlvm_scheduler_num := include "get_erlvm_scheduler_num" .Values.pod.resources.server.limits.cpu }}
{{- $erlvm_scheduler_conf := printf "+S %s:%s" $erlvm_scheduler_num $erlvm_scheduler_num }} {{- $erlvm_scheduler_conf := printf "+S %s:%s" $erlvm_scheduler_num $erlvm_scheduler_num }}
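Review bot: The new values key `rabbit_additonal_conf` (set in the else branch of the first hunk, included into `rabbitmq.conf` in the second, and declared in values.yaml) is misspelled, and because it is part of the chart's values interface it is costly to rename after release; `rabbit_additional_conf` before this lands. In the certificates branch `listeners.tcp` is set to `none` and only `listeners.ssl.1` is populated, so enabling certificates removes the plaintext AMQP listener entirely; that is the right default for a TLS rollout but deserves a comment above the branch, e.g. `{{/* TLS: no plaintext AMQP listener; AMQP and management are served on the ssl listeners only */}}`, since any client not yet switched to TLS stops connecting. The non-TLS path also sets `management.listener.ip: "::"` via values.yaml, but the TLS branch sets no `management.ssl` bind-address counterpart, so the management bind behaviour may differ between the two modes — worth confirming against the rendered config.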


@ -71,6 +71,10 @@ spec:
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }} value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
- name: RABBIT_REPLICA_COUNT - name: RABBIT_REPLICA_COUNT
value: {{ $envAll.Values.pod.replicas.server | quote }} value: {{ $envAll.Values.pod.replicas.server | quote }}
{{- if $envAll.Values.manifests.certificates }}
- name: RABBITMQ_X509
value: "REQUIRE X509"
{{- end }}
command: command:
- /tmp/rabbitmq-wait-for-cluster.sh - /tmp/rabbitmq-wait-for-cluster.sh
volumeMounts: volumeMounts:
@ -82,6 +86,7 @@ spec:
readOnly: true readOnly: true
- name: rabbitmq-data - name: rabbitmq-data
mountPath: /var/lib/rabbitmq mountPath: /var/lib/rabbitmq
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -95,4 +100,5 @@ spec:
secret: secret:
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }} secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
defaultMode: 0444 defaultMode: 0444
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}
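Review bot: The wait-for-cluster job mounts `secrets.tls.oslo_messaging.server.internal`, which is the server's own certificate and private key, and the script presents it as the client certificate. The TLS values override in this commit sets `fail_if_no_peer_cert: false`, so a client certificate is not required and the job likely needs only `ca.crt`; keeping the server key out of a job pod is the least-privilege option, and if mutual auth is wanted later a separate client secret would preserve that separation. `RABBITMQ_X509` with the value `"REQUIRE X509"` is only tested for non-emptiness in the script, so a comment such as `# any non-empty value switches rabbitmqadmin to TLS` would stop readers expecting the value itself to be interpreted.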


@ -254,6 +254,7 @@ spec:
subPath: erl_inetrc subPath: erl_inetrc
readOnly: true readOnly: true
{{- end }} {{- end }}
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -269,6 +270,7 @@ spec:
secret: secret:
secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }} secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
defaultMode: 0444 defaultMode: 0444
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if not $envAll.Values.volume.enabled }} {{- if not $envAll.Values.volume.enabled }}
- name: rabbitmq-data - name: rabbitmq-data
{{- if .Values.volume.use_local_path.enabled }} {{- if .Values.volume.use_local_path.enabled }}


@ -189,11 +189,12 @@ conf:
queue_master_locator: min-masters queue_master_locator: min-masters
loopback_users.guest: "false" loopback_users.guest: "false"
management.load_definitions: "/var/lib/rabbitmq/definitions.json" management.load_definitions: "/var/lib/rabbitmq/definitions.json"
rabbit_additonal_conf:
# This confinguration is used for non TLS deployments
management.listener.ip: "::" management.listener.ip: "::"
management.listener.port: null management.listener.port: null
rabbitmq_exporter: rabbitmq_exporter:
rabbit_timeout: 30 rabbit_timeout: 30
dependencies: dependencies:
dynamic: dynamic:
common: common:
@ -249,6 +250,12 @@ network:
annotations: annotations:
nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/rewrite-target: /
secrets:
tls:
oslo_messaging:
server:
internal: rabbitmq-tls-direct
# typically overridden by environmental # typically overridden by environmental
# values, but should include all endpoints # values, but should include all endpoints
# required by this chart # required by this chart
@ -360,6 +367,7 @@ volume:
size: 256Mi size: 256Mi
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
config_ipv6: false config_ipv6: false
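Review bot: The comment `# This confinguration is used for non TLS deployments` has a typo and sits inside the mapping it describes rather than above the key; `# Management listener settings applied only when manifests.certificates is false` placed above `rabbit_additonal_conf:` states what configmap-etc.yaml actually does with it. `management.listener.port: null` is a placeholder that configmap-etc.yaml overwrites with the http endpoint port, which the same comment should say so nobody sets it by hand. The key-name spelling is raised on the configmap-etc.yaml section.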


@ -0,0 +1,30 @@
---
conf:
rabbitmq:
ssl_options:
cacertfile: "/etc/rabbitmq/certs/ca.crt"
certfile: "/etc/rabbitmq/certs/tls.crt"
keyfile: "/etc/rabbitmq/certs/tls.key"
verify: verify_peer
fail_if_no_peer_cert: false
management:
ssl:
cacertfile: "/etc/rabbitmq/certs/ca.crt"
certfile: "/etc/rabbitmq/certs/tls.crt"
keyfile: "/etc/rabbitmq/certs/tls.key"
endpoints:
oslo_messaging:
host_fqdn_override:
default:
tls:
secretName: rabbitmq-tls-direct
issuerRef:
name: ca-issuer
kind: ClusterIssuer
port:
https:
default: 15672
public: 443
manifests:
certificates: true
...
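Review bot: `verify: verify_peer` together with `fail_if_no_peer_cert: false` asks clients for a certificate but still accepts connections without one, so the AMQP listener is server-authenticated TLS rather than mutual TLS; if the `RABBITMQ_X509` client-certificate plumbing added in this commit is meant to be enforced this should be `fail_if_no_peer_cert: true`, otherwise a comment stating that client certificates are optional avoids a false sense of mTLS. The `management.ssl` block carries only the file paths and no peer-verification settings, so the management API's client-certificate policy is left at the plugin default; it should be stated explicitly or aligned with the AMQP listener. The cert paths here must match the `/etc/rabbitmq/certs` mount path used in the templates, which is worth a one-line comment since the two are only linked by convention.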


@ -21,4 +21,5 @@ helm-toolkit:
- 0.2.12 Remove hook-delete-policy - 0.2.12 Remove hook-delete-policy
- 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled - 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled
- 0.2.14 Remove TLS_OPTION argument from s3 bucket creation job - 0.2.14 Remove TLS_OPTION argument from s3 bucket creation job
- 0.2.15 Adding TLS rabbitmq logic
... ...


@ -6,4 +6,5 @@ rabbitmq:
- 0.1.4 Add configurable RABBIT_TIMEOUT parameter - 0.1.4 Add configurable RABBIT_TIMEOUT parameter
- 0.1.5 Update Rabbitmq exporter version - 0.1.5 Update Rabbitmq exporter version
- 0.1.6 Disallow privilege escalation in rabbitmq server container - 0.1.6 Disallow privilege escalation in rabbitmq server container
- 0.1.7 Adding TLS logic to rabbitmq
... ...