From e1990e399fa904679404b7aac8ad9072d9367035 Mon Sep 17 00:00:00 2001
From: "Gupta, Sangeet (sg774j)"
Date: Mon, 7 Jun 2021 21:59:00 +0000
Subject: [PATCH] rabbitmq: Set separate for HTTPS

Additionally, add TLS to prometheus exporter.

Change-Id: I6b46d2274a57d07c9967321abaa1077a1e8b4da2
---
 rabbitmq/Chart.yaml | 2 +-
 rabbitmq/templates/bin/_rabbitmq-test.sh.tpl | 34 ++++++----------
 .../bin/_rabbitmq-wait-for-cluster.sh.tpl | 40 +++++++------------
 rabbitmq/templates/job-cluster-wait.yaml | 11 ++---
 .../prometheus/exporter-deployment.yaml | 20 +++++++++-
 rabbitmq/templates/pod-test.yaml | 4 --
 rabbitmq/templates/service.yaml | 8 +++-
 rabbitmq/templates/statefulset.yaml | 11 +++--
 rabbitmq/values_overrides/tls.yaml | 2 +-
 releasenotes/notes/rabbitmq.yaml | 1 +
 10 files changed, 70 insertions(+), 63 deletions(-)

diff --git a/rabbitmq/Chart.yaml b/rabbitmq/Chart.yaml
index cf689202a..55e8cc806 100644
--- a/rabbitmq/Chart.yaml
+++ b/rabbitmq/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v3.7.26
 description: OpenStack-Helm RabbitMQ
 name: rabbitmq
-version: 0.1.9
+version: 0.1.10
 home: https://github.com/rabbitmq/rabbitmq-server
 ...
diff --git a/rabbitmq/templates/bin/_rabbitmq-test.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-test.sh.tpl
index c719b3a45..46abf3ec9 100644
--- a/rabbitmq/templates/bin/_rabbitmq-test.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-test.sh.tpl
@@ -32,27 +32,19 @@ set -x
 function rabbitmqadmin_authed () {
 set +x
- if [ -n "$RABBITMQ_X509" ]
- then
- rabbitmqadmin \
- --ssl \
- --ssl-disable-hostname-verification \
- --ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
- --ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
- --ssl-key-file="/etc/rabbitmq/certs/tls.key" \
- --host="${RABBIT_HOSTNAME}" \
- --port="${RABBIT_PORT}" \
- --username="${RABBITMQ_ADMIN_USERNAME}" \
- --password="${RABBITMQ_ADMIN_PASSWORD}" \
- ${@}
- else
- rabbitmqadmin \
- --host="${RABBIT_HOSTNAME}" \
- --port="${RABBIT_PORT}" \
- --username="${RABBITMQ_ADMIN_USERNAME}" \
- --password="${RABBITMQ_ADMIN_PASSWORD}" \
- $@
- fi
+ rabbitmqadmin \
+{{- if .Values.manifests.certificates }}
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
+ --ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
+ --ssl-key-file="/etc/rabbitmq/certs/tls.key" \
+{{- end }}
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
 set -x
 }
diff --git a/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl b/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl
index 047c404d8..215e5b905 100644
--- a/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl
+++ b/rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl
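Review bot: The rewritten call still passes `${@}` unquoted (the removed branches had the same `$@`), so any argument containing whitespace is re-split before it reaches rabbitmqadmin; the last line of the command should be `"$@"`. The templated TLS branch also carries `--ssl-disable-hostname-verification` over, meaning the CA is checked but the server name is not, so any certificate from the same issuer is accepted; if the certificate's SAN covers `${RABBIT_HOSTNAME}`, dropping that flag restores full server authentication. `set +x` keeps the password out of the shell trace, but `--password=` remains visible in the container's process arguments; rabbitmqadmin can read credentials from a file via `--config` if that matters in this environment. The same function is rewritten identically in _rabbitmq-wait-for-cluster.sh.tpl (next hunk) and the same three points apply there.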
@@ -31,31 +31,21 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
 set -ex
 function rabbitmqadmin_authed () {
- if [ -n "$RABBITMQ_X509" ]
- then
- set +x
- rabbitmqadmin \
- --ssl \
- --ssl-disable-hostname-verification \
- --ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
- --ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
- --ssl-key-file="/etc/rabbitmq/certs/tls.key" \
- --host="${RABBIT_HOSTNAME}" \
- --port="${RABBIT_PORT}" \
- --username="${RABBITMQ_ADMIN_USERNAME}" \
- --password="${RABBITMQ_ADMIN_PASSWORD}" \
- ${@}
- set -x
- else
- set +x
- rabbitmqadmin \
- --host="${RABBIT_HOSTNAME}" \
- --port="${RABBIT_PORT}" \
- --username="${RABBITMQ_ADMIN_USERNAME}" \
- --password="${RABBITMQ_ADMIN_PASSWORD}" \
- $@
- set -x
- fi
+ set +x
+ rabbitmqadmin \
+{{- if .Values.manifests.certificates }}
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
+ --ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
+ --ssl-key-file="/etc/rabbitmq/certs/tls.key" \
+{{- end }}
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ set -x
 }
 function active_rabbit_nodes () {
diff --git a/rabbitmq/templates/job-cluster-wait.yaml b/rabbitmq/templates/job-cluster-wait.yaml
index 049792915..948fada2e 100644
--- a/rabbitmq/templates/job-cluster-wait.yaml
+++ b/rabbitmq/templates/job-cluster-wait.yaml
@@ -17,6 +17,11 @@ limitations under the License.
 {{- $serviceAccountName := print .Release.Name "-cluster-wait" }}
 {{ tuple $envAll "cluster_wait" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{- $protocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $protocol = "https" }}
+{{- end }}
 ---
 apiVersion: batch/v1
 kind: Job
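Review bot: The four-line `$protocol` derivation added to job-cluster-wait.yaml here is pasted verbatim into exporter-deployment.yaml, service.yaml and statefulset.yaml later in this patch, so the http/https decision now lives in four places that must be kept in step. A single named template in the chart that returns `https` when `.Values.manifests.certificates` is set, included with `{{- $protocol := include "<template name placeholder>" . }}`, would keep the switch in one place. A one-line comment above the block, `# management API scheme: https once certificates are rendered`, would also help readers of each template.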
@@ -68,13 +73,9 @@ spec:
 {{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: RABBITMQ_ADMIN_CONNECTION
- value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
+ value: {{ tuple "oslo_messaging" "internal" "user" $protocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
 - name: RABBIT_REPLICA_COUNT
 value: {{ $envAll.Values.pod.replicas.server | quote }}
-{{- if $envAll.Values.manifests.certificates }}
- - name: RABBITMQ_X509
- value: "REQUIRE X509"
-{{- end }}
 command:
 - /tmp/rabbitmq-wait-for-cluster.sh
 volumeMounts:
diff --git a/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml b/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
index 362188404..7d8557145 100644
--- a/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/rabbitmq/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -24,6 +24,12 @@ httpGet:
 {{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq-exporter" }}
 {{ tuple $envAll "prometheus_rabbitmq_exporter" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{- $protocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $protocol = "https" }}
+{{- end }}
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -67,7 +73,7 @@ spec:
 - name: RABBIT_TIMEOUT
 value: "{{ .Values.conf.rabbitmq_exporter.rabbit_timeout }}"
 - name: RABBIT_URL
- value: http://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:15672
+ value: {{ printf "%s" $protocol }}://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 - name: RABBIT_USER
 valueFrom:
 secretKeyRef:
@@ -92,4 +98,16 @@ spec:
 value: {{ $envAll.Values.conf.prometheus_exporter.include_queues | default ".*" | quote }}
 - name: RABBIT_EXPORTERS
 value: {{ $envAll.Values.conf.prometheus_exporter.rabbit_exporters | default "overview,exchange,node,queue" | quote }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: CAFILE
+ value: "/etc/rabbitmq/certs/ca.crt"
+ - name: CERTFILE
+ value: "/etc/rabbitmq/certs/tls.crt"
+ - name: KEYFILE
+ value: "/etc/rabbitmq/certs/tls.key"
+ volumeMounts:
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
 {{- end }}
diff --git a/rabbitmq/templates/pod-test.yaml b/rabbitmq/templates/pod-test.yaml
index 516ce5041..0dcdd8e81 100644
--- a/rabbitmq/templates/pod-test.yaml
+++ b/rabbitmq/templates/pod-test.yaml
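Review bot: The new TLS block mounts the broker's own server secret (`.Values.secrets.tls.oslo_messaging.server.internal`) into the exporter pod and hands its private key to the exporter as `KEYFILE`, so a compromise of the exporter container also exposes the broker's serving key. If the management listener does not require client certificates, mounting only the CA and setting `CAFILE` is sufficient; if it does, a separate client certificate issued for the exporter keeps the two keys distinct and lets the broker key stay confined to the server pods. `volumeMounts:` and `volumes:` are emitted only inside this `if`; should the container or pod spec declare either key elsewhere (not visible in the hunk), the rendered manifest would carry a duplicate key that most YAML parsers resolve last-wins, so the rendered output is worth checking. `{{ printf "%s" $protocol }}` in `RABBIT_URL` is equivalent to `{{ $protocol }}`; the same idiom is used for the port names in service.yaml and statefulset.yaml.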
@@ -51,10 +51,6 @@ spec:
 value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
 - name: RABBIT_REPLICA_COUNT
 value: {{ $envAll.Values.pod.replicas.server | quote }}
-{{- if $envAll.Values.manifests.certificates }}
- - name: RABBITMQ_X509
- value: "REQUIRE X509"
-{{- end }}
 command:
 - /tmp/rabbitmq-test.sh
 volumeMounts:
diff --git a/rabbitmq/templates/service.yaml b/rabbitmq/templates/service.yaml
index d8a710f78..db94afb4b 100644
--- a/rabbitmq/templates/service.yaml
+++ b/rabbitmq/templates/service.yaml
@@ -14,6 +14,10 @@ limitations under the License.
 {{- if .Values.manifests.service }}
 {{- $envAll := . }}
+{{- $protocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $protocol = "https" }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Service
@@ -26,8 +30,8 @@ spec:
 name: amqp
 - port: {{ add (tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") 20000 }}
 name: clustering
- - port: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- name: http
+ - port: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ name: {{ printf "%s" $protocol }}
 selector:
 {{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 {{ end }}
diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulset.yaml
index 6df75e301..cac3bba10 100644
--- a/rabbitmq/templates/statefulset.yaml
+++ b/rabbitmq/templates/statefulset.yaml
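Review bot: pod-test.yaml drops the `RABBITMQ_X509` variable but the context line at the top of the hunk still builds `RABBITMQ_ADMIN_CONNECTION` from the `"http"` endpoint, whereas job-cluster-wait.yaml in this same patch switches that lookup to `$protocol`. With certificates enabled the test script is now templated with `--ssl` unconditionally (earlier hunk), yet the URI it receives points at the plain-http endpoint, and the service.yaml hunks below expose only the `$protocol` port, so the helm test would be talking TLS to a port that is no longer published. Define `$protocol` at the top of pod-test.yaml the way the other templates do and change the line to `value: {{ tuple "oslo_messaging" "internal" "user" $protocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}`. Whether _rabbitmq-test.sh.tpl derives `RABBIT_PORT` from this URI is not visible here, so confirm that before relying on the fix.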
@@ -34,6 +34,11 @@ limitations under the License.
 {{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq" }}
 {{ tuple $envAll "rabbitmq" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{- $protocol := "http" }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- $protocol = "https" }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -173,9 +178,9 @@ spec:
 command:
 - /tmp/rabbitmq-start.sh
 ports:
- - name: http
+ - name: {{ printf "%s" $protocol }}
 protocol: TCP
- containerPort: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ containerPort: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 - name: amqp
 protocol: TCP
 containerPort: {{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@@ -202,7 +207,7 @@ spec:
 - name: RABBITMQ_ERLANG_COOKIE
 value: "{{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie }}"
 - name: PORT_HTTP
- value: "{{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ value: "{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
 - name: PORT_AMPQ
 value: "{{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
 - name: PORT_CLUSTERING
diff --git a/rabbitmq/values_overrides/tls.yaml b/rabbitmq/values_overrides/tls.yaml
index b70f4a3d7..b4c241903 100644
--- a/rabbitmq/values_overrides/tls.yaml
+++ b/rabbitmq/values_overrides/tls.yaml
@@ -23,7 +23,7 @@ endpoints:
 kind: ClusterIssuer
 port:
 https:
- default: 15672
+ default: 15680
 public: 443
 manifests:
 certificates: true
diff --git a/releasenotes/notes/rabbitmq.yaml b/releasenotes/notes/rabbitmq.yaml
index a4bf9f542..27c653bf6 100644
--- a/releasenotes/notes/rabbitmq.yaml
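Review bot: In the `@@ -202,7` hunk `PORT_HTTP` now carries the https endpoint port whenever certificates are enabled, so the variable name no longer describes its content; whatever consumes it (the start script or the rendered rabbitmq configuration, both outside this hunk) should be checked for whether it configures a plain management listener or the TLS one, and either renaming it or adding a `PORT_HTTPS` next to it would make the intent explicit. In the `@@ -173,9` hunk the container port name also flips from `http` to `https` in TLS mode, so any probe, ServiceMonitor or NetworkPolicy that references the port by the name `http` (not visible here) would silently stop matching and needs the same `$protocol` switch. The tls.yaml hunk moves the https default to 15680 so the two management listeners no longer share 15672; a comment above that value, `# must differ from the http port default so both listeners can bind`, would record why the number changed.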
+++ b/releasenotes/notes/rabbitmq.yaml
@@ -9,4 +9,5 @@ rabbitmq:
 - 0.1.7 Adding TLS logic to rabbitmq
 - 0.1.8 Make helm test work with TLS
 - 0.1.9 Use full image ref for docker official images
+ - 0.1.10 Set separate for HTTPS
 ...