SSL Completed

Author: eye0fra

README.adoc

@@ -1,71 +1,7 @@
 # AMQ Broker Operator Helm Enhancement
 
 The aim is to automate the creation of the AMQ Broker Custom Resources and at the same time enhance the broker.xml with a configuration that is not yet available in the operator.
-The helm chart keeps in sync the custom resources and the broker.xml.
-
-. Install Operator to specific namespace on the cluster
-.. This can be provided by the cluster-admin as namespaced installation and should give the right role to manage the AMQ Broker CRD.
-+
-NOTE: You cannot create more than one broker deployment in a given OpenShift project by deploying multiple broker Custom Resource (CR) instances. However, when you have created a broker deployment in a project, you can deploy multiple CR instances for addresses. https://access.redhat.com/documentation/en-us/red_hat_amq/7.7/html-single/deploying_amq_broker_on_openshift/index#con-br-operator-deployment-notes_broker-ocp[Reference].
-. [pre-install hook] Restore AMQ Broker Operator
-. [install/upgrade] Create kind: ActiveMQArtemis
-. [install/upgrade] Deploy custom broker xml.
-. [post-install hook] Shutdown the AMQ Broker Operator
-. [post-install hook] Adopt the AMQ Broker resource to Helm:
-+
-[source,yaml]
-------
-annotations:
-  meta.helm.sh/release-name: release-name
-  meta.helm.sh/release-namespace: namespace-name
-labels:
-  app.kubernetes.io/managed-by: Helm
-------
-. [post install] Adjust AMQ Broker Stateful set to use the custom broker xml. Possible 3 ways:
-.. Set BROKER_XML environment variable with your custom broker.xml.
-.. Mount ConfigMap resources hosting any custom configuration file.
-.. Use S2I procedure with more customization requirements. footnote:[ActiveMQArtemis allows you to override the amq broker images]
-. [test] Verify the installation is correct.
-
-NOTE: A pre-hook install image requires oc client `quay.io/openshift/origin-cli:4.6` and running with edit role on the specific namespace.
-
-## Important
-
-* In AMQ Broker 7.7, if you want to configure any of the following items, you must add the appropriate configuration to the main CR instance before deploying the CR for the first time.
-** Address settings
-** The size of the Persistent Volume Claim (PVC) required by each broker in a deployment for persistent storage
-** Limits and requests for memory and CPU for each broker in a deployment
-* During an active scaling event, any further changes that you apply are queued by the Operator and executed only when scaling is complete. For example, suppose that you scale the size of your deployment down from four brokers to one. Then, while scaledown is taking place, you also change the values of the broker administrator user name and password. In this case, the Operator queues the user name and password changes until the deployment is running with one active broker.
-* All CR changes – apart from changing the size of your deployment, or changing the value of the expose attribute for acceptors, connectors, or the console – cause existing brokers to be restarted. If you have multiple brokers in your deployment, only one broker restarts at a time.
-
-* To configure address and queue settings for broker deployments on OpenShift Container Platform, you add configuration to an addressSettings section of the main Custom Resource (CR) instance for the broker deployment. This contrasts with standalone deployments on Linux or Windows, for which you add configuration to an address-settings element in the broker.xml configuration file.
-* The format used for the names of configuration items differs between OpenShift Container Platform and standalone broker deployments. For OpenShift Container Platform deployments, configuration item names are in camel case, for example, defaultQueueRoutingType. By contrast, configuration item names for standalone deployments are in lower case and use a dash (-) separator, for example, default-queue-routing-type.
-
-The following table shows some further examples of this naming difference.
-
-.Naming difference
-[cols="5,5",options=header]
-|===
-
-| Configuration item for standalone broker deployment	
-| Configuration item for OpenShift broker deployment
-
-| address-full-policy
-| addressFullPolicy
-
-| auto-create-queues
-| autoCreateQueues
-
-| default-queue-routing-type
-| defaultQueueRoutingType
-
-| last-value-queue
-| lastValueQueue
-
-|===
-
-* Addresses are created by the AMQ Broker Operator using Artemis Jolokia and MBean.
-
+The helm chart keeps in sync the custom resources and the custom broker.xml.
 
 ## Prerequisites
 
@@ -101,26 +37,75 @@ The following table shows some further examples of this naming difference.
 | DONE
 
 | SSL Selfsigned Implementation
-| TODO
+| DONE
 
-| Make sure that the operator creates the Addresses and probably we are able to reuse it. `<address-setting match="None">`
-| TODO
+| Test with External Client Implementation
+| DONE
+
+| Keystore and Truststore Password
+| DONE
+
+| SSL Custom CA Implementation, NOTE: if you create the certificate early it should work
+| https://github.com/openlab-red/amq-broker-operator-helm/issues/2[#2]
+
+| User Management
+| https://github.com/openlab-red/amq-broker-operator-helm/issues/3[#3]
 
 | Bridge and Diverts Implementation
-| TODO
+| https://github.com/openlab-red/amq-broker-operator-helm/issues/1[#1]
 
 | Network Policy
-| TODO
-
-| Test with External Client Implementation
-| TODO
+| https://github.com/openlab-red/amq-broker-operator-helm/issues/4[#4]
 
-| SSL Custom CA Implementation
+| Make sure that the operator creates all the Addresses
 | TODO
 
 | High Availability and How scale down controller actives without the operator.
 | TODO
 
 | Migrate one standalone broker
 | TODO
-|===
+|===
+
+## Pseudo Code
+
+. Install Operator to specific namespace on the cluster
+.. This can be provided by the cluster-admin as namespaced installation and should give the right role to manage the AMQ Broker CRD.
++
+NOTE: You cannot create more than one broker deployment in a given OpenShift project by deploying multiple broker Custom Resource (CR) instances. However, when you have created a broker deployment in a project, you can deploy multiple CR instances for addresses. https://access.redhat.com/documentation/en-us/red_hat_amq/7.7/html-single/deploying_amq_broker_on_openshift/index#con-br-operator-deployment-notes_broker-ocp[Reference].
+. [pre-install hook] Restore AMQ Broker Operator
+. [install/upgrade] Create kind: ActiveMQArtemis and ActiveMQArtemisAddress
+. [install/upgrade] Create Config Map with custom broker xml.
+. [post-install hook] Shutdown the AMQ Broker Operator
+. [post-install hook] Adoptthe AMQ Broker resource to Helm:
++
+[source,yaml]
+------
+annotations:
+  meta.helm.sh/release-name: release-name
+  meta.helm.sh/release-namespace: namespace-name
+labels:
+  app.kubernetes.io/managed-by: Helm
+------
+. [post install] Adjust AMQ Broker Stateful set to use the custom broker xml.
+.. Set BROKER_XML environment variable with your custom broker.xml.
+. [test] Verify the installation is correct.
+
+NOTE: A *-hook install image requires oc client `quay.io/openshift/origin-cli:4.6` and running with edit role on the specific namespace.
+
+## Important
+
+* In AMQ Broker 7.7, if you want to configure any of the following items, you must add the appropriate configuration to the main CR instance before deploying the CR for the first time.
+** Address settings
+** The size of the Persistent Volume Claim (PVC) required by each broker in a deployment for persistent storage
+** Limits and requests for memory and CPU for each broker in a deployment
+* During an active scaling event, any further changes that you apply are queued by the Operator and executed only when scaling is complete. For example, suppose that you scale the size of your deployment down from four brokers to one. Then, while scaledown is taking place, you also change the values of the broker administrator user name and password. In this case, the Operator queues the user name and password changes until the deployment is running with one active broker.
+* All CR changes – apart from changing the size of your deployment, or changing the value of the expose attribute for acceptors, connectors, or the console – cause existing brokers to be restarted. If you have multiple brokers in your deployment, only one broker restarts at a time.
+* To configure address and queue settings for broker deployments on OpenShift Container Platform, you add configuration to an addressSettings section of the main Custom Resource (CR) instance for the broker deployment. This contrasts with standalone deployments on Linux or Windows, for which you add configuration to an address-settings element in the broker.xml configuration file.
+* The format used for the names of configuration items differs between OpenShift Container Platform and standalone broker deployments. For OpenShift Container Platform deployments, configuration item names are in camel case, for example, defaultQueueRoutingType. By contrast, configuration item names for standalone deployments are in lower case and use a dash (-) separator, for example, default-queue-routing-type.
+* Addresses are created by the AMQ Broker Operator using Artemis Jolokia and MBean.
+
+## Reference
+
+* https://access.redhat.com/documentation/en-us/red_hat_amq/7.7/html-single/deploying_amq_broker_on_openshift/index#con-br-configuring-broker-certificate-for-hostname-verification_broker-ocp
+

amq-broker/templates/_helpers.tpl

@@ -71,10 +71,38 @@ Route  <broker-name>-<acceptor-name>-<replica>-svc-rte
 svc.cluster.local
 */}}
 {{- define "amq-broker.gen-certs" -}}
-{{- $altNames := list ( printf "%s-*-svc-rte-%s.%s" (include "amq-broker.fullname" .) .Release.Namespace .Values.clusterDomain ) ( printf "%s-*-svc.%s.svc" (include "amq-broker.fullname" .) .Release.Namespace ) -}}
+{{- $cn:= printf "%s-*-svc-rte-%s.%s" (include "amq-broker.fullname" .) .Release.Namespace .Values.clusterDomain -}}
+{{- $altNames := list $cn ( printf "%s-*-svc.%s.svc" (include "amq-broker.fullname" .) .Release.Namespace ) -}}
 {{- $ca := genCA "amq-broker-ca" 365 -}}
-{{- $cert := genSignedCert ( include "amq-broker.fullname" . ) nil $altNames 365 $ca -}}
+{{- $cert := genSignedCert $cn  nil $altNames 365 $ca -}}
 tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 ca.crt: {{ $ca.Cert | b64enc }}
 {{- end -}}
+
+
+{{/*
+Generate acceptors broker.xml
+*/}}
+{{- define "amq-broker.acceptors" -}}
+{{- $fullName := ( include "amq-broker.fullname" . ) -}}
+{{ range .Values.acceptors }}
+{{- $acceptor := . -}}
+{{- with $ }}
+<acceptor name="{{ $acceptor.name }}">tcp://${BROKER_IP}:{{ $acceptor.port }}?protocols=
+{{- if eq $acceptor.protocols "all" -}}
+AMQP,CORE,HORNETQ,MQTT,OPENWIRE,STOMP
+{{- else -}}
+{{- upper $acceptor.protocols -}}
+{{- end -}}
+{{- if $acceptor.sslEnabled -}}
+;sslEnabled=true;keyStorePath=/etc/{{ $fullName }}-all-secret-volume/broker.ks;keyStorePassword={{ .Values.keyStorePassword }};trustStorePath=/etc/{{ $fullName }}-all-secret-volume/client.ts;trustStorePassword={{ .Values.trustStorePassword }};
+{{- else -}}
+;
+{{- end -}}
+tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;useEpoll=true;amqpCredits=1000;amqpMinCredits=300</acceptor>
+{{- end -}}
+{{- end }}
+{{- end }}
+
+

amq-broker/templates/activeamqartemis.yaml

@@ -12,8 +12,7 @@ spec:
   adminPassword: {{ .Values.adminPassword }}
   adminUser: {{ .Values.adminUser }}
   console:
-    expose: true
-    sslEnabled: false
+    {{- toYaml .Values.console | nindent 4 }}
   deploymentPlan:
     image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
     journalType: nio

amq-broker/templates/configmap.yaml

@@ -44,18 +44,12 @@ data:
             <critical-analyzer-policy>HALT</critical-analyzer-policy>
 
             <connectors>
+                <!-- Connector used to be announced through cluster connections and notifications -->
                 <connector name="artemis">tcp://${BROKER_IP}:61616</connector>
             </connectors>
 
             <acceptors>
-            {{- range .Values.acceptors }}
-                {{ if eq .protocols "all" }}
-                <acceptor name="{{ .name }}">tcp://${BROKER_IP}:{{ .port }}?protocols=AMQP,CORE,HORNETQ,MQTT,OPENWIRE,STOMP;tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;useEpoll=true;amqpCredits=1000;amqpMinCredits=300</acceptor>
-                {{ else }}
-                <acceptor name="{{ .name }}">tcp://${BROKER_IP}:{{ .port }}?protocols={{ upper .protocols }};tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;useEpoll=true;amqpCredits=1000;amqpMinCredits=300</acceptor>
-                {{ end }}
-            {{- end }}
-                <!-- acceptor name="all">tcp://${BROKER_IP}:61617?protocols=AMQP,CORE,HORNETQ,MQTT,OPENWIRE,STOMP;sslEnabled=true;keyStorePath=/etc/tls-secret-volume/broker.ks;keyStorePassword=changeit;trustStorePath=/etc/tls-secret-volume/client.ts;trustStorePassword=changeit;sslProvider=JDK;tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;useEpoll=true;amqpCredits=1000;amqpMinCredits=300</acceptor -->
+                {{- include "amq-broker.acceptors" . | nindent 16 }}
                 <acceptor name="scaleDown">tcp://${BROKER_IP}:61616?protocols=CORE;tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;useEpoll=true;amqpCredits=1000;amqpMinCredits=300</acceptor>
             </acceptors>
 

amq-broker/templates/post-install.yaml

@@ -19,9 +19,45 @@ spec:
     spec:
       serviceAccountName: {{ include "amq-broker.serviceAccountName" . }}
       restartPolicy: Never
+      initContainers:
+      - name: keytool
+        image: "{{ .Values.keytool.image.repository }}:{{ .Values.keytool.image.tag }}"
+        imagePullPolicy: "{{ .Values.keytool.image.pullPolicy }}"
+        command:
+        - /bin/bash
+        - '-c'
+        - |
+            #!/bin/bash
+
+            {{ range .Values.acceptors }}
+            {{- $acceptor := . -}}
+            {{- with $ }}
+            {{- if $acceptor.sslEnabled -}}
+
+            cd /opt/pki/{{ $acceptor.name }}
+            mkdir -p ../java/{{ $acceptor.name }}
+
+            RANDFILE=/tmp/.rnd openssl pkcs12 -export -in tls.crt -inkey tls.key -chain -CAfile ca.crt -name broker -password pass:{{ .Values.keyStorePassword | quote }} -out ../java/{{ $acceptor.name }}/broker.ks
+
+            keytool -keystore ../java/{{ $acceptor.name }}/client.ts -storepass {{ .Values.trustStorePassword  | quote }} -noprompt -alias broker -import -file tls.crt
+
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            exit 0
+        volumeMounts:
+        {{ range .Values.acceptors }}
+        {{- if .sslEnabled -}}
+        - name: {{ .name }}
+          mountPath: /opt/pki/{{ .name }}
+        {{- end }}
+        {{- end }}
+        - name: pki
+          mountPath: /opt/pki
       containers:
       - name: post-install
-        image: "quay.io/openshift/origin-cli:4.6"
+        image: "{{ .Values.oc.image.repository }}:{{ .Values.oc.image.tag }}"
+        imagePullPolicy: "{{ .Values.oc.image.pullPolicy }}"
         command:
         - /bin/bash
         - '-c'
@@ -30,6 +66,34 @@ spec:
 
             export AMQ_BROKER={{ include "amq-broker.fullname" . }}-ss
 
+            {{ range .Values.acceptors }}
+            {{- $acceptor := . -}}
+            {{- with $ }}
+            {{- if $acceptor.sslEnabled -}}
+
+            cd /opt/pki/java/{{ $acceptor.name }}
+            
+            export BROKER_KS=$(base64 broker.ks -w0)
+            export CLIENT_TS=$(base64 client.ts -w0)
+            
+            oc patch secret {{ include "amq-broker.fullname" . }}-{{ $acceptor.name }}-secret -p "
+            data:
+              broker.ks: |
+                ${BROKER_KS}
+              client.ts: |
+                ${CLIENT_TS}
+            "
+
+            oc secrets link sa/amq-broker-operator {{ include "amq-broker.fullname" . }}-{{ $acceptor.name }}-secret
+
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            
+            # TODO: Wait until the operator finish to apply all the changes (broker and addresses)
+            # Reconcile
+            sleep 1m
+
             # Wait the rollout of AMQ Broker Statefulset
             oc rollout status sts/$AMQ_BROKER -w
             
@@ -46,11 +110,21 @@ spec:
         volumeMounts:
         - name: kustomize
           mountPath: /opt/config
+        - name: pki
+          mountPath: /opt/pki
       volumes:
+      - name: pki
+        emptyDir: {}
       - name: kustomize
         configMap:
           name: {{ include "amq-broker.fullname" . }}
-
-            
-
-
+      {{ range .Values.acceptors }}
+      {{- $acceptor := . -}}
+      {{- with $ }}
+      {{- if $acceptor.sslEnabled -}}
+      - name: {{ $acceptor.name }}
+        secret:
+          secretName: {{ include "amq-broker.fullname" . }}-{{ $acceptor.name }}-secret
+      {{- end }}
+      {{- end }}
+      {{- end }}

amq-broker/templates/pre-install.yaml

@@ -21,17 +21,20 @@ spec:
       restartPolicy: Never
       containers:
       - name: pre-install
-        image: "quay.io/openshift/origin-cli:4.6"
+        image: "{{ .Values.oc.image.repository }}:{{ .Values.oc.image.tag }}"
         command:
         - /bin/bash
         - '-c'
         - |
             #!/bin/bash
             
+            export AMQ_BROKER={{ include "amq-broker.fullname" . }}-ss
+
             # Scale Up the Operator
             oc scale --replicas=1 deployments/amq-broker-operator
 
-            oc rollout status deployments/amq-broker-operator -w 
+            oc rollout status deployments/amq-broker-operator -w --timeout=1m
+
 
 
 

…q-broker/templates/edit-rolebinding.yaml amq-broker/templates/rolebinding.yamlamq-broker/templates/edit-rolebinding.yaml renamed to amq-broker/templates/rolebinding.yaml amq-broker/templates/edit-rolebinding.yaml renamed to amq-broker/templates/rolebinding.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.serviceAccount.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -13,4 +14,5 @@ roleRef:
   name: edit
 subjects:
 - kind: ServiceAccount
-  name: {{ include "amq-broker.serviceAccountName" . }}
+  name: {{ include "amq-broker.serviceAccountName" . }}
+{{- end }}