Rabbitmq vhost and user support

Add new messagingBus and notificationsBus interfaces to hold cluster,
user and vhost names for optional usage.
The controller adds these values to the TransportURL create request when present.

Additionally, we migrate RabbitMQ cluster name to RabbitMq config struct
using DefaultRabbitMqConfig from infra-operator to automatically
populate the new Cluster field from legacy RabbitMqClusterName.

Example usage:

  spec:
    messagingBus:
      cluster: rpc-rabbitmq
      user: rpc-user
      vhost: rpc-vhost
    notificationsBus:
      cluster: notifications-rabbitmq
      user: notifications-user
      vhost: notifications-vhost

Finally, we add the rabbitmquser crs to the secret so they can be
stored for dataplane finalizers management and do auto cleanup of orphaned
users after credential rotations.

Jira: https://issues.redhat.com/browse/OSPRH-22697

Author: lmiccini

api/bases/nova.openstack.org_nova.yaml

@@ -540,6 +540,23 @@ spec:
                         MemcachedInstance is the name of the Memcached CR that the services in the cell will use.
                         If defined then this takes precedence over Nova.Spec.MemcachedInstance for this cel
                       type: string
+                    messagingBus:
+                      description: MessagingBus configuration (username, vhost, and
+                        cluster)
+                      properties:
+                        cluster:
+                          description: Name of the cluster
+                          minLength: 1
+                          type: string
+                        user:
+                          description: User - RabbitMQ username
+                          type: string
+                        vhost:
+                          description: Vhost - RabbitMQ vhost name
+                          type: string
+                      required:
+                      - cluster
+                      type: object
                     metadataServiceTemplate:
                       description: |-
                         MetadataServiceTemplate - defines the metadata service dedicated for the
@@ -1340,6 +1357,22 @@ spec:
                 description: MemcachedInstance is the name of the Memcached CR that
                   all nova service will use.
                 type: string
+              messagingBus:
+                description: MessagingBus configuration (username, vhost, and cluster)
+                properties:
+                  cluster:
+                    description: Name of the cluster
+                    minLength: 1
+                    type: string
+                  user:
+                    description: User - RabbitMQ username
+                    type: string
+                  vhost:
+                    description: Vhost - RabbitMQ vhost name
+                    type: string
+                required:
+                - cluster
+                type: object
               metadataContainerImageURL:
                 description: MetadataContainerImageURL
                 type: string
@@ -1648,6 +1681,23 @@ spec:
                   NodeSelector here acts as a default value and can be overridden by service
                   specific NodeSelector Settings.
                 type: object
+              notificationsBus:
+                description: NotificationsBus configuration (username, vhost, and
+                  cluster) for notifications
+                properties:
+                  cluster:
+                    description: Name of the cluster
+                    minLength: 1
+                    type: string
+                  user:
+                    description: User - RabbitMQ username
+                    type: string
+                  vhost:
+                    description: Vhost - RabbitMQ vhost name
+                    type: string
+                required:
+                - cluster
+                type: object
               notificationsBusInstance:
                 description: |-
                   NotificationsBusInstance is the name of the RabbitMqCluster CR to select

api/go.mod

@@ -18,7 +18,6 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
-	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
@@ -44,6 +43,7 @@ require (
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.65.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/rabbitmq/cluster-operator/v2 v2.16.0 // indirect
 	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect

api/go.sum

@@ -1,3 +1,4 @@
+github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -82,6 +83,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251223124749-e
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251223124749-eedb97238c5f/go.mod h1:ex8ou6/3ms6ovR+CMXD6XhTlNakm1GhB6UZgagVRNW8=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35 h1:pF3mJ3nwq6r4qwom+rEWZNquZpcQW/iftHlJ1KPIDsk=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:kycZyoe7OZdW1HUghr2nI3N7wSJtNahXf6b/ypD14f4=
+github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc=
+github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec/go.mod h1:Nh2NEePLjovUQof2krTAg4JaAoLacqtPTZQXK6izNfg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

api/v1beta1/nova_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	rabbitmqv1 "github.com/openstack-k8s-operators/infra-operator/apis/rabbitmq/v1beta1"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -49,6 +50,10 @@ type NovaSpecCore struct {
 	// communicate.
 	APIMessageBusInstance string `json:"apiMessageBusInstance"`
 
+	// +kubebuilder:validation:Optional
+	// MessagingBus configuration (username, vhost, and cluster)
+	MessagingBus rabbitmqv1.RabbitMqConfig `json:"messagingBus,omitempty"`
+
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default={cell0: {cellDatabaseAccount: nova-cell0, hasAPIAccess: true}, cell1: {cellDatabaseAccount: nova-cell1, cellDatabaseInstance: openstack-cell1, cellMessageBusInstance: rabbitmq-cell1, hasAPIAccess: true}}
 	// Cells is a mapping of cell names to NovaCellTemplate objects defining
@@ -131,6 +136,10 @@ type NovaSpecCore struct {
 	// Avoid colocating it with RabbitMqClusterName, APIMessageBusInstance or CellMessageBusInstance used for RPC.
 	// For particular Nova cells, notifications cannot be disabled, nor configured differently.
 	NotificationsBusInstance *string `json:"notificationsBusInstance,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// NotificationsBus configuration (username, vhost, and cluster) for notifications
+	NotificationsBus *rabbitmqv1.RabbitMqConfig `json:"notificationsBus,omitempty"`
 }
 
 // NovaSpec defines the desired state of Nova

api/v1beta1/nova_webhook.go

@@ -26,6 +26,7 @@ import (
 	"fmt"
 
 	"github.com/google/go-cmp/cmp"
+	rabbitmqv1 "github.com/openstack-k8s-operators/infra-operator/apis/rabbitmq/v1beta1"
 	service "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/robfig/cron/v3"
 
@@ -88,6 +89,24 @@ func (spec *NovaSpecCore) Default() {
 		spec.APITimeout = novaDefaults.APITimeout
 	}
 
+	// Default MessagingBus.Cluster from APIMessageBusInstance if not already set
+	if spec.MessagingBus.Cluster == "" {
+		spec.MessagingBus.Cluster = spec.APIMessageBusInstance
+	}
+
+	// Default NotificationsBus if NotificationsBusInstance is specified
+	if spec.NotificationsBusInstance != nil && *spec.NotificationsBusInstance != "" {
+		if spec.NotificationsBus == nil {
+			// Initialize empty NotificationsBus - credentials will be created dynamically
+			// to ensure separation from MessagingBus (RPC and notifications should never share credentials)
+			spec.NotificationsBus = &rabbitmqv1.RabbitMqConfig{}
+		}
+		// Default cluster name if not already set
+		if spec.NotificationsBus.Cluster == "" {
+			spec.NotificationsBus.Cluster = *spec.NotificationsBusInstance
+		}
+	}
+
 	for cellName, cellTemplate := range spec.CellTemplates {
 
 		if cellTemplate.MetadataServiceTemplate.Enabled == nil {
@@ -106,6 +125,11 @@ func (spec *NovaSpecCore) Default() {
 			}
 		}
 
+		// Default MessagingBus.Cluster from CellMessageBusInstance if not already set
+		if cellTemplate.MessagingBus.Cluster == "" {
+			cellTemplate.MessagingBus.Cluster = cellTemplate.CellMessageBusInstance
+		}
+
 		// "cellTemplate" is a by-value copy, so we need to re-inject the updated version of it into the map
 		spec.CellTemplates[cellName] = cellTemplate
 	}
@@ -315,7 +339,34 @@ func (spec *NovaSpec) ValidateUpdate(old NovaSpec, basePath *field.Path, namespa
 // expected to be called by the validation webhook in the higher level meta
 // operator
 func (spec *NovaSpecCore) ValidateUpdate(old NovaSpecCore, basePath *field.Path, namespace string) field.ErrorList {
-	errors := spec.ValidateCellTemplates(basePath, namespace)
+	var errors field.ErrorList
+
+	// Reject changes to deprecated messagingBusInstance fields - users should use the new messagingBus fields instead
+	if spec.APIMessageBusInstance != old.APIMessageBusInstance {
+		errors = append(errors, field.Forbidden(
+			basePath.Child("apiMessageBusInstance"),
+			"apiMessageBusInstance is deprecated and cannot be changed. Please use messagingBus.cluster instead"))
+	}
+
+	if spec.NotificationsBusInstance != nil && old.NotificationsBusInstance != nil &&
+		*spec.NotificationsBusInstance != *old.NotificationsBusInstance {
+		errors = append(errors, field.Forbidden(
+			basePath.Child("notificationsBusInstance"),
+			"notificationsBusInstance is deprecated and cannot be changed. Please use notificationsBus.cluster instead"))
+	}
+
+	// Check cell template changes
+	for cellName, cellTemplate := range spec.CellTemplates {
+		if oldCell, exists := old.CellTemplates[cellName]; exists {
+			if cellTemplate.CellMessageBusInstance != oldCell.CellMessageBusInstance {
+				errors = append(errors, field.Forbidden(
+					basePath.Child("cellTemplates").Key(cellName).Child("cellMessageBusInstance"),
+					"cellMessageBusInstance is deprecated and cannot be changed. Please use messagingBus.cluster instead"))
+			}
+		}
+	}
+
+	errors = append(errors, spec.ValidateCellTemplates(basePath, namespace)...)
 	// Validate top-level TopologyRef
 	errors = append(errors, topologyv1.ValidateTopologyRef(
 		spec.TopologyRef, *basePath.Child("topologyRef"), namespace)...)

api/v1beta1/novacell_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	rabbitmqv1 "github.com/openstack-k8s-operators/infra-operator/apis/rabbitmq/v1beta1"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -51,6 +52,10 @@ type NovaCellTemplate struct {
 	// communicate in this cell. For cell0 it is unused.
 	CellMessageBusInstance string `json:"cellMessageBusInstance"`
 
+	// +kubebuilder:validation:Optional
+	// MessagingBus configuration (username, vhost, and cluster)
+	MessagingBus rabbitmqv1.RabbitMqConfig `json:"messagingBus,omitempty"`
+
 	// +kubebuilder:validation:Required
 	// HasAPIAccess defines if this Cell is configured to have access to the
 	// API DB and message bus.

api/v1beta1/zz_generated.deepcopy.go

@@ -540,6 +540,23 @@ spec:
                         MemcachedInstance is the name of the Memcached CR that the services in the cell will use.
                         If defined then this takes precedence over Nova.Spec.MemcachedInstance for this cel
                       type: string
+                    messagingBus:
+                      description: MessagingBus configuration (username, vhost, and
+                        cluster)
+                      properties:
+                        cluster:
+                          description: Name of the cluster
+                          minLength: 1
+                          type: string
+                        user:
+                          description: User - RabbitMQ username
+                          type: string
+                        vhost:
+                          description: Vhost - RabbitMQ vhost name
+                          type: string
+                      required:
+                      - cluster
+                      type: object
                     metadataServiceTemplate:
                       description: |-
                         MetadataServiceTemplate - defines the metadata service dedicated for the
@@ -1340,6 +1357,22 @@ spec:
                 description: MemcachedInstance is the name of the Memcached CR that
                   all nova service will use.
                 type: string
+              messagingBus:
+                description: MessagingBus configuration (username, vhost, and cluster)
+                properties:
+                  cluster:
+                    description: Name of the cluster
+                    minLength: 1
+                    type: string
+                  user:
+                    description: User - RabbitMQ username
+                    type: string
+                  vhost:
+                    description: Vhost - RabbitMQ vhost name
+                    type: string
+                required:
+                - cluster
+                type: object
               metadataContainerImageURL:
                 description: MetadataContainerImageURL
                 type: string
@@ -1648,6 +1681,23 @@ spec:
                   NodeSelector here acts as a default value and can be overridden by service
                   specific NodeSelector Settings.
                 type: object
+              notificationsBus:
+                description: NotificationsBus configuration (username, vhost, and
+                  cluster) for notifications
+                properties:
+                  cluster:
+                    description: Name of the cluster
+                    minLength: 1
+                    type: string
+                  user:
+                    description: User - RabbitMQ username
+                    type: string
+                  vhost:
+                    description: Vhost - RabbitMQ vhost name
+                    type: string
+                required:
+                - cluster
+                type: object
               notificationsBusInstance:
                 description: |-
                   NotificationsBusInstance is the name of the RabbitMqCluster CR to select

config/crd/bases/nova.openstack.org_nova.yaml

@@ -110,6 +110,14 @@ const (
 	// the message bus quorum queues configuration
 	QuorumQueuesTemplateKey = "quorum_queues"
 
+	// RabbitmqUserNameSelector is the name of key in the internal Secret for
+	// the RabbitMQUser CR name for the RPC/messaging bus
+	RabbitmqUserNameSelector = "rabbitmq_user_name"
+
+	// NotificationRabbitmqUserNameSelector is the name of key in the internal
+	// Secret for the RabbitMQUser CR name for the notifications bus
+	NotificationRabbitmqUserNameSelector = "notification_rabbitmq_user_name"
+
 	// fields to index to reconcile when change
 	passwordSecretField        = ".spec.secret"
 	caBundleSecretNameField    = ".spec.tls.caBundleSecretName" // #nosec G101