feat(tls): Enable TLS for OpenStack RabbitMQ

Enable TLS for Openstack RabbitMQ upstream

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I7c08d41b212bc5095facf5f5823521fbfa4d3c47

helm-toolkit/Chart.yaml

@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.14
+version: 0.2.15
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:

helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl

@@ -24,6 +24,9 @@ limitations under the License.
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
 {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 
 {{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
 {{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -73,6 +76,9 @@ spec:
               mountPath: /tmp/rabbit-init.sh
               subPath: rabbit-init.sh
               readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
           env:
           - name: RABBITMQ_ADMIN_CONNECTION
             valueFrom:
@@ -87,6 +93,12 @@ spec:
 {{- if $envAll.Values.conf.rabbitmq }}
           - name: RABBITMQ_AUXILIARY_CONFIGURATION
             value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+          - name: RABBITMQ_X509
+            value: "REQUIRE X509"
+          - name: USER_CERT_PATH
+            value: {{ $tlsPath | quote }}
 {{- end }}
       volumes:
         - name: pod-tmp
@@ -101,4 +113,7 @@ spec:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
 {{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
 {{- end -}}

helm-toolkit/templates/scripts/_rabbit-init.sh.tpl

@@ -47,12 +47,27 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
 RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
 
 function rabbitmqadmin_cli () {
-  rabbitmqadmin \
-    --host="${RABBIT_HOSTNAME}" \
-    --port="${RABBIT_PORT}" \
-    --username="${RABBITMQ_ADMIN_USERNAME}" \
-    --password="${RABBITMQ_ADMIN_PASSWORD}" \
-    ${@}
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  else
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+  fi
 }
 
 echo "Managing: User: ${RABBITMQ_USERNAME}"

rabbitmq/Chart.yaml

@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v3.7.26
 description: OpenStack-Helm RabbitMQ
 name: rabbitmq
-version: 0.1.6
+version: 0.1.7
 home: https://github.com/rabbitmq/rabbitmq-server
 ...

rabbitmq/templates/bin/_rabbitmq-wait-for-cluster.sh.tpl

@@ -31,14 +31,31 @@ RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $
 set -ex
 
 function rabbitmqadmin_authed () {
-  set +x
-  rabbitmqadmin \
-    --host="${RABBIT_HOSTNAME}" \
-    --port="${RABBIT_PORT}" \
-    --username="${RABBITMQ_ADMIN_USERNAME}" \
-    --password="${RABBITMQ_ADMIN_PASSWORD}" \
-    $@
-  set -x
+  if [ -n "$RABBITMQ_X509" ]
+  then
+    set +x
+    rabbitmqadmin \
+      --ssl \
+      --ssl-disable-hostname-verification \
+      --ssl-ca-cert-file="/etc/rabbitmq/certs/ca.crt" \
+      --ssl-cert-file="/etc/rabbitmq/certs/tls.crt" \
+      --ssl-key-file="/etc/rabbitmq/certs/tls.key" \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      ${@}
+    set -x
+  else
+    set +x
+    rabbitmqadmin \
+      --host="${RABBIT_HOSTNAME}" \
+      --port="${RABBIT_PORT}" \
+      --username="${RABBITMQ_ADMIN_USERNAME}" \
+      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+      $@
+    set -x
+  fi
 }
 
 function active_rabbit_nodes () {

rabbitmq/templates/certificates.yaml

@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "oslo_messaging" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}

rabbitmq/templates/configmap-etc.yaml

@@ -36,9 +36,14 @@ limitations under the License.
 {{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}}
 {{- end -}}
 
+{{- if .Values.manifests.certificates }}
+{{- $_ := print "none" | set $envAll.Values.conf.rabbitmq.listeners "tcp" -}}
+{{- $_ := tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq.listeners "ssl.1" -}}
+{{- $_ := tuple "oslo_messaging" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.ssl.port" -}}
+{{- else }}
 {{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}}
-
-{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.listener.port" -}}
+{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbit_additonal_conf "management.listener.port" -}}
+{{- end }}
 
 ---
 apiVersion: v1
@@ -50,6 +55,9 @@ data:
 {{ tuple "etc/_enabled_plugins.tpl" . | include  "helm-toolkit.utils.template" | indent 4 }}
   rabbitmq.conf: |
 {{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }}
+{{- if not .Values.manifests.certificates }}
+{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbit_additonal_conf | indent 4 }}
+{{- end }}
 
 {{- $erlvm_scheduler_num := include "get_erlvm_scheduler_num" .Values.pod.resources.server.limits.cpu }}
 {{- $erlvm_scheduler_conf := printf "+S %s:%s" $erlvm_scheduler_num $erlvm_scheduler_num }}

rabbitmq/templates/job-cluster-wait.yaml

@@ -71,6 +71,10 @@ spec:
               value: {{ tuple "oslo_messaging" "internal" "user" "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
             - name: RABBIT_REPLICA_COUNT
               value: {{ $envAll.Values.pod.replicas.server | quote }}
+{{- if $envAll.Values.manifests.certificates }}
+            - name: RABBITMQ_X509
+              value: "REQUIRE X509"
+{{- end }}
           command:
             - /tmp/rabbitmq-wait-for-cluster.sh
           volumeMounts:
@@ -82,6 +86,7 @@ spec:
               readOnly: true
             - name: rabbitmq-data
               mountPath: /var/lib/rabbitmq
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -95,4 +100,5 @@ spec:
           secret:
             secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
             defaultMode: 0444
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}

rabbitmq/templates/statefulset.yaml

@@ -254,6 +254,7 @@ spec:
               subPath: erl_inetrc
               readOnly: true
 {{- end }}
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
@@ -269,6 +270,7 @@ spec:
           secret:
             secretName: {{ printf "%s-%s" $envAll.Release.Name "erlang-cookie" | quote }}
             defaultMode: 0444
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.oslo_messaging.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
         {{- if not $envAll.Values.volume.enabled }}
         - name: rabbitmq-data
         {{- if .Values.volume.use_local_path.enabled }}

rabbitmq/values.yaml

@@ -189,11 +189,12 @@ conf:
     queue_master_locator: min-masters
     loopback_users.guest: "false"
     management.load_definitions: "/var/lib/rabbitmq/definitions.json"
+  rabbit_additonal_conf:
+    # This confinguration is used for non TLS deployments
     management.listener.ip: "::"
     management.listener.port: null
   rabbitmq_exporter:
     rabbit_timeout: 30
-
 dependencies:
   dynamic:
     common:
@@ -249,6 +250,12 @@ network:
       annotations:
         nginx.ingress.kubernetes.io/rewrite-target: /
 
+secrets:
+  tls:
+    oslo_messaging:
+      server:
+        internal: rabbitmq-tls-direct
+
 # typically overridden by environmental
 # values, but should include all endpoints
 # required by this chart
@@ -360,6 +367,7 @@ volume:
   size: 256Mi
 
 manifests:
+  certificates: false
   configmap_bin: true
   configmap_etc: true
   config_ipv6: false

rabbitmq/values_overrides/tls.yaml

@@ -0,0 +1,30 @@
+---
+conf:
+  rabbitmq:
+    ssl_options:
+      cacertfile: "/etc/rabbitmq/certs/ca.crt"
+      certfile: "/etc/rabbitmq/certs/tls.crt"
+      keyfile: "/etc/rabbitmq/certs/tls.key"
+      verify: verify_peer
+      fail_if_no_peer_cert: false
+    management:
+      ssl:
+        cacertfile: "/etc/rabbitmq/certs/ca.crt"
+        certfile: "/etc/rabbitmq/certs/tls.crt"
+        keyfile: "/etc/rabbitmq/certs/tls.key"
+endpoints:
+  oslo_messaging:
+    host_fqdn_override:
+      default:
+        tls:
+          secretName: rabbitmq-tls-direct
+          issuerRef:
+            name: ca-issuer
+            kind: ClusterIssuer
+    port:
+      https:
+        default: 15672
+        public: 443
+manifests:
+  certificates: true
+...

releasenotes/notes/helm-toolkit.yaml

@@ -21,4 +21,5 @@ helm-toolkit:
   - 0.2.12 Remove hook-delete-policy
   - 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled
   - 0.2.14 Remove TLS_OPTION argument from s3 bucket creation job
+  - 0.2.15 Adding TLS rabbitmq logic
 ...

releasenotes/notes/rabbitmq.yaml

@@ -6,4 +6,5 @@ rabbitmq:
   - 0.1.4 Add configurable RABBIT_TIMEOUT parameter
   - 0.1.5 Update Rabbitmq exporter version
   - 0.1.6 Disallow privilege escalation in rabbitmq server container
+  - 0.1.7 Adding TLS logic to rabbitmq
 ...