rabbitmq: Set separate for HTTPS
Additionally, add TLS to prometheus exporter. Change-Id: I6b46d2274a57d07c9967321abaa1077a1e8b4da2
parent
c8dbd3d47d
commit
e1990e399f
@ -15,6 +15,6 @@ apiVersion: v1
|
|||||||
appVersion: v3.7.26
|
appVersion: v3.7.26
|
||||||
description: OpenStack-Helm RabbitMQ
|
description: OpenStack-Helm RabbitMQ
|
||||||
name: rabbitmq
|
name: rabbitmq
|
||||||
version: 0.1.9
|
version: 0.1.10
|
||||||
home: https://github.com/rabbitmq/rabbitmq-server
|
home: https://github.com/rabbitmq/rabbitmq-server
|
||||||
...
|
...
|
||||||
|
@ -32,27 +32,19 @@ set -x
|
|||||||
|
|
||||||
function rabbitmqadmin_authed () {
|
function rabbitmqadmin_authed () {
|
||||||
set +x
|
set +x
|
||||||
if [ -n "$RABBITMQ_X509" ]
|
rabbitmqadmin \
|
||||||
then
|
{{- if .Values.manifests.certificates }}
|
||||||
rabbitmqadmin \
|
--ssl \
|
||||||
--ssl \
|
--ssl-disable-hostname-verification \
|
||||||
--ssl-disable-hostname-verification \
|
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||||
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||||
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||||
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
{{- end }}
|
||||||
--host="${RABBIT_HOSTNAME}" \
|
--host="${RABBIT_HOSTNAME}" \
|
||||||
--port="${RABBIT_PORT}" \
|
--port="${RABBIT_PORT}" \
|
||||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||||
${@}
|
${@}
|
||||||
else
|
|
||||||
rabbitmqadmin \
|
|
||||||
--host="${RABBIT_HOSTNAME}" \
|
|
||||||
--port="${RABBIT_PORT}" \
|
|
||||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
|
||||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
|
||||||
$@
|
|
||||||
fi
|
|
||||||
set -x
|
set -x
|
||||||
}
|
}
|
||||||
|
|
||||||
|
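Review bot: `--ssl-disable-hostname-verification` is still passed inside the new `{{- if .Values.manifests.certificates }}` block, so the CA file on the following line authenticates the issuer but not the broker's name: any certificate chaining to `/etc/rabbitmq/certs/ca.crt` is accepted for `${RABBIT_HOSTNAME}`. If the server certificate lists the service name as a SAN (not visible on this page), the flag can be dropped. Otherwise a comment such as `# hostname check disabled: server cert SANs do not cover RABBIT_HOSTNAME` would record why it is there. The identical block in the next script section (the one followed by `active_rabbit_nodes`) has the same issue.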
@ -31,31 +31,21 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
|
|||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
function rabbitmqadmin_authed () {
|
function rabbitmqadmin_authed () {
|
||||||
if [ -n "$RABBITMQ_X509" ]
|
set +x
|
||||||
then
|
rabbitmqadmin \
|
||||||
set +x
|
{{- if .Values.manifests.certificates }}
|
||||||
rabbitmqadmin \
|
--ssl \
|
||||||
--ssl \
|
--ssl-disable-hostname-verification \
|
||||||
--ssl-disable-hostname-verification \
|
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
||||||
--ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
|
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
||||||
--ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
|
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
||||||
--ssl-key-file="/etc/rabbitmq/certs/tls.key" \
|
{{- end }}
|
||||||
--host="${RABBIT_HOSTNAME}" \
|
--host="${RABBIT_HOSTNAME}" \
|
||||||
--port="${RABBIT_PORT}" \
|
--port="${RABBIT_PORT}" \
|
||||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
||||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
||||||
${@}
|
${@}
|
||||||
set -x
|
set -x
|
||||||
else
|
|
||||||
set +x
|
|
||||||
rabbitmqadmin \
|
|
||||||
--host="${RABBIT_HOSTNAME}" \
|
|
||||||
--port="${RABBIT_PORT}" \
|
|
||||||
--username="${RABBITMQ_ADMIN_USERNAME}" \
|
|
||||||
--password="${RABBITMQ_ADMIN_PASSWORD}" \
|
|
||||||
$@
|
|
||||||
set -x
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function active_rabbit_nodes () {
|
function active_rabbit_nodes () {
|
||||||
|
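Review bot: `${@}` at the end of the `rabbitmqadmin` call is unquoted, so an argument containing whitespace or glob characters is re-split and expanded before it reaches rabbitmqadmin; `"$@"` passes the caller's arguments through unchanged. The same line appears in the preceding script section. Note also that `set +x` keeps the password out of the shell trace, but `--password="${RABBITMQ_ADMIN_PASSWORD}"` is still readable in the process argument list while the command runs; a short comment saying so would help the next reader. `active_rabbit_nodes` begins on the last line of this hunk and its body is outside it.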
@ -17,6 +17,11 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- $serviceAccountName := print .Release.Name "-cluster-wait" }}
|
{{- $serviceAccountName := print .Release.Name "-cluster-wait" }}
|
||||||
{{ tuple $envAll "cluster_wait" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "cluster_wait" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
|
||||||
|
{{- $protocol := "http" }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
{{- $protocol = "https" }}
|
||||||
|
{{- end }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -68,13 +73,9 @@ spec:
|
|||||||
{{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
{{ dict "envAll" $envAll "application" "cluster_wait" "container" "rabbitmq_cluster_wait" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
- name: RABBITMQ_ADMIN_CONNECTION
|
- name: RABBITMQ_ADMIN_CONNECTION
|
||||||
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
value: {{ tuple "oslo_messaging" "internal" "user" $protocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
||||||
- name: RABBIT_REPLICA_COUNT
|
- name: RABBIT_REPLICA_COUNT
|
||||||
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
||||||
{{- if $envAll.Values.manifests.certificates }}
|
|
||||||
- name: RABBITMQ_X509
|
|
||||||
value: "REQUIRE X509"
|
|
||||||
{{- end }}
|
|
||||||
command:
|
command:
|
||||||
- /tmp/rabbitmq-wait-for-cluster.sh
|
- /tmp/rabbitmq-wait-for-cluster.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
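Review bot: The `$protocol` lookup is applied to `RABBITMQ_ADMIN_CONNECTION` only in this Job; the later section whose command is `/tmp/rabbitmq-test.sh` still builds the same variable with the literal `"http"` while also losing `RABBITMQ_X509`. The scripts now add `--ssl` whenever `.Values.manifests.certificates` is set at render time, so that pod would, as far as this page shows, attempt TLS against the port looked up for plain HTTP. The same `$protocol` preamble and `tuple "oslo_messaging" "internal" "user" $protocol $envAll` lookup look needed there too.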
@ -24,6 +24,12 @@ httpGet:
|
|||||||
|
|
||||||
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq-exporter" }}
|
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq-exporter" }}
|
||||||
{{ tuple $envAll "prometheus_rabbitmq_exporter" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "prometheus_rabbitmq_exporter" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
|
||||||
|
{{- $protocol := "http" }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
{{- $protocol = "https" }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -67,7 +73,7 @@ spec:
|
|||||||
- name: RABBIT_TIMEOUT
|
- name: RABBIT_TIMEOUT
|
||||||
value: "{{ .Values.conf.rabbitmq_exporter.rabbit_timeout }}"
|
value: "{{ .Values.conf.rabbitmq_exporter.rabbit_timeout }}"
|
||||||
- name: RABBIT_URL
|
- name: RABBIT_URL
|
||||||
value: http://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:15672
|
value: {{ printf "%s" $protocol }}://{{ tuple "oslo_messaging" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}:{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
- name: RABBIT_USER
|
- name: RABBIT_USER
|
||||||
valueFrom:
|
valueFrom:
|
||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
@ -92,4 +98,16 @@ spec:
|
|||||||
value: {{ $envAll.Values.conf.prometheus_exporter.include_queues | default ".*" | quote }}
|
value: {{ $envAll.Values.conf.prometheus_exporter.include_queues | default ".*" | quote }}
|
||||||
- name: RABBIT_EXPORTERS
|
- name: RABBIT_EXPORTERS
|
||||||
value: {{ $envAll.Values.conf.prometheus_exporter.rabbit_exporters | default "overview,exchange,node,queue" | quote }}
|
value: {{ $envAll.Values.conf.prometheus_exporter.rabbit_exporters | default "overview,exchange,node,queue" | quote }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
- name: CAFILE
|
||||||
|
value: "/etc/rabbitmq/certs/ca.crt"
|
||||||
|
- name: CERTFILE
|
||||||
|
value: "/etc/rabbitmq/certs/tls.crt"
|
||||||
|
- name: KEYFILE
|
||||||
|
value: "/etc/rabbitmq/certs/tls.key"
|
||||||
|
volumeMounts:
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
volumes:
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
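Review bot: The volume added under `{{- if $envAll.Values.manifests.certificates }}` mounts `.Values.secrets.tls.oslo_messaging.server.internal` into the exporter. Going by its name, that is the broker's own certificate secret, so `KEYFILE` exposes `/etc/rabbitmq/certs/tls.key` (presumably the server's private key) to a separate Deployment. To verify the management endpoint the exporter needs only `ca.crt`. If client-certificate authentication is required, a dedicated client secret would keep the server key confined to the RabbitMQ pods. Separately, `{{ printf "%s" $protocol }}` in `RABBIT_URL` can be written as `{{ $protocol }}`.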
@ -51,10 +51,6 @@ spec:
|
|||||||
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
|
||||||
- name: RABBIT_REPLICA_COUNT
|
- name: RABBIT_REPLICA_COUNT
|
||||||
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
value: {{ $envAll.Values.pod.replicas.server | quote }}
|
||||||
{{- if $envAll.Values.manifests.certificates }}
|
|
||||||
- name: RABBITMQ_X509
|
|
||||||
value: "REQUIRE X509"
|
|
||||||
{{- end }}
|
|
||||||
command:
|
command:
|
||||||
- /tmp/rabbitmq-test.sh
|
- /tmp/rabbitmq-test.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
|
@ -14,6 +14,10 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.service }}
|
{{- if .Values.manifests.service }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
{{- $protocol := "http" }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
{{- $protocol = "https" }}
|
||||||
|
{{- end }}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
@ -26,8 +30,8 @@ spec:
|
|||||||
name: amqp
|
name: amqp
|
||||||
- port: {{ add (tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") 20000 }}
|
- port: {{ add (tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") 20000 }}
|
||||||
name: clustering
|
name: clustering
|
||||||
- port: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
- port: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
name: http
|
name: {{ printf "%s" $protocol }}
|
||||||
selector:
|
selector:
|
||||||
{{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
{{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
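Review bot: With `name: {{ printf "%s" $protocol }}` the Service port is called `https` instead of `http` once certificates are enabled, and the later section that runs `/tmp/rabbitmq-start.sh` renames its container port the same way. Anything that selects this port by name (probes, ingress backends, scrape configuration; none are visible on this page) would stop matching after an upgrade. Those references need checking, or the name could stay fixed with only the port number switching. `{{ $protocol }}` is the simpler spelling of the expression.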
@ -34,6 +34,11 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq" }}
|
{{- $rcControllerName := printf "%s-%s" $envAll.Release.Name "rabbitmq" }}
|
||||||
{{ tuple $envAll "rabbitmq" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "rabbitmq" $rcControllerName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
|
||||||
|
{{- $protocol := "http" }}
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
{{- $protocol = "https" }}
|
||||||
|
{{- end }}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
@ -173,9 +178,9 @@ spec:
|
|||||||
command:
|
command:
|
||||||
- /tmp/rabbitmq-start.sh
|
- /tmp/rabbitmq-start.sh
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: {{ printf "%s" $protocol }}
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
containerPort: {{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
containerPort: {{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
- name: amqp
|
- name: amqp
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
containerPort: {{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
containerPort: {{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
@ -202,7 +207,7 @@ spec:
|
|||||||
- name: RABBITMQ_ERLANG_COOKIE
|
- name: RABBITMQ_ERLANG_COOKIE
|
||||||
value: "{{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie }}"
|
value: "{{ $envAll.Values.endpoints.oslo_messaging.auth.erlang_cookie }}"
|
||||||
- name: PORT_HTTP
|
- name: PORT_HTTP
|
||||||
value: "{{ tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
value: "{{ tuple "oslo_messaging" "internal" $protocol . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||||
- name: PORT_AMPQ
|
- name: PORT_AMPQ
|
||||||
value: "{{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
value: "{{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||||
- name: PORT_CLUSTERING
|
- name: PORT_CLUSTERING
|
||||||
|
@ -23,7 +23,7 @@ endpoints:
|
|||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
port:
|
port:
|
||||||
https:
|
https:
|
||||||
default: 15672
|
default: 15680
|
||||||
public: 443
|
public: 443
|
||||||
manifests:
|
manifests:
|
||||||
certificates: true
|
certificates: true
|
||||||
|
@ -9,4 +9,5 @@ rabbitmq:
|
|||||||
- 0.1.7 Adding TLS logic to rabbitmq
|
- 0.1.7 Adding TLS logic to rabbitmq
|
||||||
- 0.1.8 Make helm test work with TLS
|
- 0.1.8 Make helm test work with TLS
|
||||||
- 0.1.9 Use full image ref for docker official images
|
- 0.1.9 Use full image ref for docker official images
|
||||||
|
- 0.1.10 Set separate for HTTPS
|
||||||
...
|
...
|
||||||
|