rabbitmq: Set separate for HTTPS
Additionally, add TLS to prometheus exporter. Change-Id: I6b46d2274a57d07c9967321abaa1077a1e8b4da2
parent
c8dbd3d47d
commit
e1990e399f
@ -15,6 +15,6 @@ apiVersion: v1
|
||||
appVersion: v3.7.26
|
||||
description: OpenStack-Helm RabbitMQ
|
||||
name: rabbitmq
|
||||
version: 0.1.9
|
||||
version: 0.1.10
|
||||
home: https://github.com/rabbitmq/rabbitmq-server
|
||||
...
|
||||
|
@ -32,27 +32,19 @@ set -x
|
||||
|
||||
function rabbitmqadmin_authed () {
|
||||
set +x
|
||||
if [ -n "$RABBITMQ_X509" ]
|
||||
then
|
||||
rabbitmqadmin \
|
||||
--ssl \
|
||||
--ssl-disable-hostname-verification \
|
||||
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
${@}
|
||||
else
|
||||
rabbitmqadmin \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
$@
|
||||
fi
|
||||
rabbitmqadmin \
|
||||
{{- if .Values.manifests.certificates }}
|
||||
--ssl \
|
||||
--ssl-disable-hostname-verification \
|
||||
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||
{{- end }}
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
${@}
|
||||
set -x
|
||||
}
|
||||
|
||||
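Review bot: The consolidated `rabbitmqadmin` call in `rabbitmqadmin_authed` still passes `--ssl-disable-hostname-verification`, so with certificates enabled the client checks the chain against `ca.crt` but accepts any certificate that CA issued, whatever host it names. If the server certificate carries a SAN matching `${RABBIT_HOSTNAME}`, drop the flag; if it cannot, record the reason in a comment above it, e.g. `# hostname check off: server cert has no SAN for RABBIT_HOSTNAME`. The same flag is kept in `rabbitmqadmin_authed` in the next script section. In both, `${@}` is unquoted and would be safer as `"$@"`, so arguments containing spaces are not re-split.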
|
@ -31,31 +31,21 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
|
||||
set -ex
|
||||
|
||||
function rabbitmqadmin_authed () {
|
||||
if [ -n "$RABBITMQ_X509" ]
|
||||
then
|
||||
set +x
|
||||
rabbitmqadmin \
|
||||
--ssl \
|
||||
--ssl-disable-hostname-verification \
|
||||
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
${@}
|
||||
set -x
|
||||
else
|
||||
set +x
|
||||
rabbitmqadmin \
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
$@
|
||||
set -x
|
||||
fi
|
||||
set +x
|
||||
rabbitmqadmin \
|
||||
{{- if .Values.manifests.certificates }}
|
||||
--ssl \
|
||||
--ssl-disable-hostname-verification \
|
||||
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||
{{- end }}
|
||||
--host="${RABBIT_HOSTNAME}" \
|
||||
--port="${RABBIT_PORT}" \
|
||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||
${@}
|
||||
set -x
|
||||
}
|
||||
|
||||
function active_rabbit_nodes () {
|
||||
|
@ -17,6 +17,11 @@ limitations under the License.
|
||||
|
||||
{{- $serviceAccountName := print .Release.Name "-cluster-wait" }}
|
||||
{{ tuple $envAll "cluster_wait" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
|
||||
{{- $protocol := "http" }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- $protocol = "https" }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -68,13 +73,9 @@ spec:
|
||||
{{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
- name: RABBITMQ_ADMIN_CONNECTION
|
||||
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
||||
value: {{ tuple "oslo_messaging" "internal" "user" $protocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
||||
- name: RABBIT_REPLICA_COUNT
|
||||
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: RABBITMQ_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/rabbitmq-wait-for-cluster.sh
|
||||
volumeMounts:
|
||||
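Review bot: `RABBITMQ_ADMIN_CONNECTION` is still rendered as a literal `value:` from `authenticated_endpoint_uri_lookup`, and the wait script parses the admin password out of that variable, so the credentials sit in the Job spec, where anyone allowed to read the Job or Pod object can see them. The exporter Deployment in this commit reads `RABBIT_USER` through `secretKeyRef`; sourcing this URI from a Secret in the same way would keep the password out of the manifest. The change to `$protocol` does not affect this, and the rest of the container spec lies outside the hunk.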
|
@ -24,6 +24,12 @@ httpGet:
|
||||
|
||||
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq-exporter" }}
|
||||
{{ tuple $envAll "prometheus_rabbitmq_exporter" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
|
||||
{{- $protocol := "http" }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- $protocol = "https" }}
|
||||
{{- end }}
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
@ -67,7 +73,7 @@ spec:
|
||||
- name: RABBIT_TIMEOUT
|
||||
value: "{{ .Values.conf.rabbitmq_exporter.rabbit_timeout }}"
|
||||
- name: RABBIT_URL
|
||||
value: http://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:15672
|
||||
value: {{ printf "%s" $protocol }}://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
- name: RABBIT_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
@ -92,4 +98,16 @@ spec:
|
||||
value: {{ $envAll.Values.conf.prometheus_exporter.include_queues | default ".*" | quote }}
|
||||
- name: RABBIT_EXPORTERS
|
||||
value: {{ $envAll.Values.conf.prometheus_exporter.rabbit_exporters | default "overview,exchange,node,queue" | quote }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: CAFILE
|
||||
value: "/etc/rabbitmq/certs/ca.crt"
|
||||
- name: CERTFILE
|
||||
value: "/etc/rabbitmq/certs/tls.crt"
|
||||
- name: KEYFILE
|
||||
value: "/etc/rabbitmq/certs/tls.key"
|
||||
volumeMounts:
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
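Review bot: The added `volumes`/`volumeMounts` mount `.Values.secrets.tls.oslo_messaging.server.internal` into the exporter, and `KEYFILE` points at its `tls.key`; judging by the secret's name this is the broker's own server key pair, so the exporter pod would hold the server's private key. A dedicated client certificate for the exporter would keep that key on the broker pods only. If sharing is intentional, say so in a comment above `KEYFILE`, e.g. `# reuses the server key pair; no dedicated client cert yet`. The two snippets also receive `"enabled" .Values.manifests.certificates` while already sitting inside the `if $envAll.Values.manifests.certificates` block, so one of the two gates is redundant.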
|
@ -51,10 +51,6 @@ spec:
|
||||
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
||||
- name: RABBIT_REPLICA_COUNT
|
||||
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: RABBITMQ_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/rabbitmq-test.sh
|
||||
volumeMounts:
|
||||
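Review bot: `RABBITMQ_ADMIN_CONNECTION` in the test pod is still built with the literal `"http"`, while this commit removes `RABBITMQ_X509` and makes the script add `--ssl` whenever `.Values.manifests.certificates` is set. With certificates enabled, the test would presumably speak TLS to the port looked up for `http` rather than the `https` port the server now exposes (15680 in the TLS override). The cluster-wait Job was switched to `$protocol` and the same is needed here: define `{{- $protocol := "http" }}` with the `certificates` override near the top of the template and pass `$protocol` in place of `"http"`. The template header is outside this hunk, so confirm `$protocol` is not already defined there.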
|
@ -14,6 +14,10 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.service }}
|
||||
{{- $envAll := . }}
|
||||
{{- $protocol := "http" }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- $protocol = "https" }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
@ -26,8 +30,8 @@ spec:
|
||||
name: amqp
|
||||
- port: {{ add (tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") 20000 }}
|
||||
name: clustering
|
||||
- port: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
name: http
|
||||
- port: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
name: {{ printf "%s" $protocol }}
|
||||
selector:
|
||||
{{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{ end }}
|
||||
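Review bot: `{{ printf "%s" $protocol }}` on the port `name` is a no-op format; `name: {{ $protocol }}` renders the same string and reads more plainly. The same form appears in the exporter's `RABBIT_URL` and in the StatefulSet container port name. Because the port is now named `https` when certificates are enabled, a comment above it such as `# management port: named http or https depending on manifests.certificates` would help anyone who refers to the port by name.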
|
@ -34,6 +34,11 @@ limitations under the License.
|
||||
|
||||
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq" }}
|
||||
{{ tuple $envAll "rabbitmq" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
|
||||
{{- $protocol := "http" }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- $protocol = "https" }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
@ -173,9 +178,9 @@ spec:
|
||||
command:
|
||||
- /tmp/rabbitmq-start.sh
|
||||
ports:
|
||||
- name: http
|
||||
- name: {{ printf "%s" $protocol }}
|
||||
protocol: TCP
|
||||
containerPort: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
containerPort: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
- name: amqp
|
||||
protocol: TCP
|
||||
containerPort: {{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
@ -202,7 +207,7 @@ spec:
|
||||
- name: RABBITMQ_ERLANG_COOKIE
|
||||
value: "{{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie }}"
|
||||
- name: PORT_HTTP
|
||||
value: "{{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||
value: "{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||
- name: PORT_AMPQ
|
||||
value: "{{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||
- name: PORT_CLUSTERING
|
||||
|
@ -23,7 +23,7 @@ endpoints:
|
||||
kind: ClusterIssuer
|
||||
port:
|
||||
https:
|
||||
default: 15672
|
||||
default: 15680
|
||||
public: 443
|
||||
manifests:
|
||||
certificates: true
|
||||
|
@ -9,4 +9,5 @@ rabbitmq:
|
||||
- 0.1.7 Adding TLS logic to rabbitmq
|
||||
- 0.1.8 Make helm test work with TLS
|
||||
- 0.1.9 Use full image ref for docker official images
|
||||
- 0.1.10 Set separate for HTTPS
|
||||
...
|
||||
|