Configure rabbitmq inter-node TLS

olliewalsh · olliewalsh · commit 095609b56043 · 2024-06-12T21:25:24.000+01:00
Based on the example in https://github.com/rabbitmq/cluster-operator/tree/0bc9a2a0d3b360021f02bd6386bbcee371c9d1fd/docs/examples/mtls-inter-node Creates and mounts a configmap with the required config and sets the required args in the env vars. Had to list the individual statefulset hostnames in the cert SAN, rabbitmqctl does not work when wildcards are used. Closes: OSPRH-7110
diff --git a/pkg/openstack/rabbitmq.go b/pkg/openstack/rabbitmq.go
@@ -9,6 +9,7 @@ import (
 	networkv1 "github.com/openstack-k8s-operators/infra-operator/apis/network/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/ocp"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -22,6 +23,7 @@ import (
 
 	corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -153,17 +155,56 @@ func reconcileRabbitMQ(
 		if err != nil {
 			return mqFailed, ctrl.Result{}, err
 		}
+		clusterNodeTLSArgs := "-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter-node-tls.config"
 		if fipsEnabled {
-			fipsModeStr := "-crypto fips_mode true"
-
-			envVars = append(envVars, corev1.EnvVar{
-				Name:  "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS",
-				Value: fipsModeStr,
-			}, corev1.EnvVar{
-				Name:  "RABBITMQ_CTL_ERL_ARGS",
-				Value: fipsModeStr,
-			})
+			clusterNodeTLSArgs += " -crypto fips_mode true"
 		}
+
+		envVars = append(envVars, corev1.EnvVar{
+			Name:  "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS",
+			Value: clusterNodeTLSArgs,
+		}, corev1.EnvVar{
+			Name:  "RABBITMQ_CTL_ERL_ARGS",
+			Value: clusterNodeTLSArgs,
+		})
+	}
+
+	cms := []util.Template{
+		{
+			Name:         fmt.Sprintf("%s-config-data", rabbitmq.Name),
+			Namespace:    rabbitmq.Namespace,
+			Type:         util.TemplateTypeConfig,
+			InstanceType: "rabbitmq",
+			Labels:       map[string]string{},
+			CustomData: map[string]string{
+				"inter_node_tls.config": `[
+  {server, [
+    {cacertfile,"/etc/rabbitmq-tls/ca.crt"},
+    {certfile,"/etc/rabbitmq-tls/tls.crt"},
+    {keyfile,"/etc/rabbitmq-tls/tls.key"},
+    {secure_renegotiate, true},
+    {fail_if_no_peer_cert, true},
+    {verify, verify_peer},
+    {versions, ['tlsv1.2','tlsv1.3']}
+  ]},
+  {client, [
+    {cacertfile,"/etc/rabbitmq-tls/ca.crt"},
+    {certfile,"/etc/rabbitmq-tls/tls.crt"},
+    {keyfile,"/etc/rabbitmq-tls/tls.key"},
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {versions, ['tlsv1.2','tlsv1.3']}
+  ]}
+].
+`,
+			},
+		},
+	}
+
+	err := configmap.EnsureConfigMaps(ctx, helper, instance, cms, nil)
+	if err != nil {
+		Log.Error(err, "Unable to create rabbitmq config maps")
+		return mqFailed, ctrl.Result{}, err
 	}
 
 	defaultStatefulSet := rabbitmqv2.StatefulSet{
@@ -196,6 +237,15 @@ func reconcileRabbitMQ(
 
 	hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 	hostnameHeadless := fmt.Sprintf("%s-nodes.%s.svc", name, instance.Namespace)
+	hostnames := []string{
+		hostname,
+		fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
+		hostnameHeadless,
+		fmt.Sprintf("%s.%s", hostnameHeadless, ClusterInternalDomain),
+	}
+	for i := 0; i < int(*spec.Replicas); i++ {
+		hostnames = append(hostnames, fmt.Sprintf("%s-server-%d.%s-nodes.%s", name, i, name, instance.Namespace))
+	}
 
 	tlsCert := ""
 	commonName := fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain)
@@ -205,14 +255,7 @@ func reconcileRabbitMQ(
 			IssuerName: instance.GetInternalIssuer(),
 			CertName:   fmt.Sprintf("%s-svc", rabbitmq.Name),
 			CommonName: &commonName,
-			Hostnames: []string{
-				hostname,
-				fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
-				hostnameHeadless,
-				fmt.Sprintf("%s.%s", hostnameHeadless, ClusterInternalDomain),
-				fmt.Sprintf("*.%s", hostnameHeadless),
-				fmt.Sprintf("*.%s.%s", hostnameHeadless, ClusterInternalDomain),
-			},
+			Hostnames:  hostnames,
 			Subject: &certmgrv1.X509Subject{
 				Organizations: []string{fmt.Sprintf("%s.%s", rabbitmq.Namespace, ClusterInternalDomain)},
 			},
@@ -345,6 +388,34 @@ func reconcileRabbitMQ(
   ]}
 ].
 `
+
+			rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Volumes = []corev1.Volume{
+				{
+					Name: "config-data",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: fmt.Sprintf("%s-config-data", rabbitmq.Name),
+							},
+							DefaultMode: ptr.To[int32](0o420),
+							Items: []corev1.KeyToPath{
+								{
+									Key:  "inter_node_tls.config",
+									Path: "inter_node_tls.config",
+								},
+							},
+						},
+					},
+				},
+			}
+			rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
+				{
+					MountPath: "/etc/rabbitmq/inter-node-tls.config",
+					ReadOnly:  true,
+					Name:      "config-data",
+					SubPath:   "inter_node_tls.config",
+				},
+			}
 		}
 
 		// overrides
diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go
@@ -29,6 +29,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	openstackclientv1 "github.com/openstack-k8s-operators/openstack-operator/apis/client/v1beta1"
 	corev1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
+	rabbitmqv2 "github.com/rabbitmq/cluster-operator/v2/api/v1beta1"
 )
 
 type Names struct {
@@ -456,3 +457,11 @@ func CreateClusterConfigCM() client.Object {
 
 	return cm
 }
+
+func GetRabbitMQCluster(name types.NamespacedName) *rabbitmqv2.RabbitmqCluster {
+	instance := &rabbitmqv2.RabbitmqCluster{}
+	Eventually(func(g Gomega) {
+		g.Expect(k8sClient.Get(ctx, name, instance)).Should(Succeed())
+	}, timeout, interval).Should(Succeed())
+	return instance
+}
diff --git a/tests/functional/openstackoperator_controller_test.go b/tests/functional/openstackoperator_controller_test.go
@@ -546,7 +546,12 @@ var _ = Describe("OpenStackOperator controller", func() {
 				g.Expect(memcached.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
 			}, timeout, interval).Should(Succeed())
 
-			// TODO rabbitmq exists
+			// rabbitmq exists
+			Eventually(func(g Gomega) {
+				rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+				g.Expect(rabbitmq).Should(Not(BeNil()))
+				g.Expect(rabbitmq.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
+			}, timeout, interval).Should(Succeed())
 
 			// keystone exists
 			Eventually(func(g Gomega) {
@@ -759,14 +764,73 @@ var _ = Describe("OpenStackOperator controller", func() {
 				g.Expect(memcached.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
 			}, timeout, interval).Should(Succeed())
 
-			// TODO rabbitmq exists
+			// rabbitmq exists
+			Eventually(func(g Gomega) {
+				rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+				g.Expect(rabbitmq).Should(Not(BeNil()))
+				g.Expect(rabbitmq.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
+			}, timeout, interval).Should(Succeed())
 
 			// keystone exists
 			Eventually(func(g Gomega) {
 				keystoneAPI := keystone.GetKeystoneAPI(names.KeystoneAPIName)
 				g.Expect(keystoneAPI).Should(Not(BeNil()))
 			}, timeout, interval).Should(Succeed())
 		})
+		Describe("Rabbitmq inter node TLS config", func() {
+			It("should create and mount inter node tls config file", func() {
+				Eventually(func(g Gomega) {
+					cm := th.GetConfigMap(types.NamespacedName{
+						Namespace: names.RabbitMQName.Namespace,
+						Name:      names.RabbitMQName.Name + "-config-data",
+					})
+					g.Expect(cm).ShouldNot(BeNil())
+					g.Expect(cm.Data).Should(HaveKey("inter_node_tls.config"))
+				}, timeout, interval).Should(Succeed())
+				Eventually(func(g Gomega) {
+					rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+					g.Expect(rabbitmq).Should(Not(BeNil()))
+
+					var vFindings []k8s_corev1.Volume
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Volumes).Should(
+						ContainElement(HaveField("Name", "config-data"), &vFindings),
+					)
+					g.Expect(vFindings[0].VolumeSource.ConfigMap.Items[0]).Should(And(
+						HaveField("Key", "inter_node_tls.config"),
+						HaveField("Path", "inter_node_tls.config"),
+					))
+
+					var vmFindings []k8s_corev1.VolumeMount
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].VolumeMounts).Should(
+						ContainElement(HaveField("Name", "config-data"), &vmFindings),
+					)
+					g.Expect(vmFindings[0]).Should(And(
+						HaveField("SubPath", "inter_node_tls.config"),
+						HaveField("MountPath", "/etc/rabbitmq/inter-node-tls.config"),
+					))
+				}, timeout, interval).Should(Succeed())
+			})
+			It("should set the TLS arg env vars", func() {
+				Eventually(func(g Gomega) {
+					rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+					g.Expect(rabbitmq).Should(Not(BeNil()))
+
+					var findings []k8s_corev1.EnvVar
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].Env).Should(
+						ContainElement(HaveField("Name", "RABBITMQ_CTL_ERL_ARGS"), &findings),
+					)
+					g.Expect(findings[0].Value).Should(ContainSubstring(
+						"-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter-node-tls.config",
+					))
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].Env).Should(
+						ContainElement(HaveField("Name", "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS"), &findings),
+					)
+					g.Expect(findings[0].Value).Should(ContainSubstring(
+						"-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter-node-tls.config",
+					))
+				}, timeout, interval).Should(Succeed())
+			})
+		})
 		// Default route timeouts are set
 		It("should have default timeout for the routes set", func() {
 			OSCtlplane := GetOpenStackControlPlane(names.OpenStackControlplaneName)
@@ -1194,6 +1258,13 @@ var _ = Describe("OpenStackOperator controller", func() {
 				g.Expect(memcached.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
 			}, timeout, interval).Should(Succeed())
 
+			// rabbitmq exists
+			Eventually(func(g Gomega) {
+				rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+				g.Expect(rabbitmq).Should(Not(BeNil()))
+				g.Expect(rabbitmq.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
+			}, timeout, interval).Should(Succeed())
+
 			// keystone exists
 			Eventually(func(g Gomega) {
 				keystoneAPI := keystone.GetKeystoneAPI(names.KeystoneAPIName)
