Merge pull request #849 from olliewalsh/rabbitmq_cluster_tls

Configure rabbitmq inter-node TLS

Author: openshift-merge-bot[bot]

pkg/openstack/rabbitmq.go

@@ -9,6 +9,7 @@ import (
 	networkv1 "github.com/openstack-k8s-operators/infra-operator/apis/network/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/ocp"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -22,6 +23,7 @@ import (
 
 	corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -154,17 +156,56 @@ func reconcileRabbitMQ(
 		if err != nil {
 			return mqFailed, ctrl.Result{}, err
 		}
+		clusterNodeTLSArgs := "-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter-node-tls.config"
 		if fipsEnabled {
-			fipsModeStr := "-crypto fips_mode true"
-
-			envVars = append(envVars, corev1.EnvVar{
-				Name:  "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS",
-				Value: fipsModeStr,
-			}, corev1.EnvVar{
-				Name:  "RABBITMQ_CTL_ERL_ARGS",
-				Value: fipsModeStr,
-			})
+			clusterNodeTLSArgs += " -crypto fips_mode true"
 		}
+
+		envVars = append(envVars, corev1.EnvVar{
+			Name:  "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS",
+			Value: clusterNodeTLSArgs,
+		}, corev1.EnvVar{
+			Name:  "RABBITMQ_CTL_ERL_ARGS",
+			Value: clusterNodeTLSArgs,
+		})
+	}
+
+	cms := []util.Template{
+		{
+			Name:         fmt.Sprintf("%s-config-data", rabbitmq.Name),
+			Namespace:    rabbitmq.Namespace,
+			Type:         util.TemplateTypeConfig,
+			InstanceType: "rabbitmq",
+			Labels:       map[string]string{},
+			CustomData: map[string]string{
+				"inter_node_tls.config": `[
+  {server, [
+    {cacertfile,"/etc/rabbitmq-tls/ca.crt"},
+    {certfile,"/etc/rabbitmq-tls/tls.crt"},
+    {keyfile,"/etc/rabbitmq-tls/tls.key"},
+    {secure_renegotiate, true},
+    {fail_if_no_peer_cert, true},
+    {verify, verify_peer},
+    {versions, ['tlsv1.2','tlsv1.3']}
+  ]},
+  {client, [
+    {cacertfile,"/etc/rabbitmq-tls/ca.crt"},
+    {certfile,"/etc/rabbitmq-tls/tls.crt"},
+    {keyfile,"/etc/rabbitmq-tls/tls.key"},
+    {secure_renegotiate, true},
+    {verify, verify_peer},
+    {versions, ['tlsv1.2','tlsv1.3']}
+  ]}
+].
+`,
+			},
+		},
+	}
+
+	err := configmap.EnsureConfigMaps(ctx, helper, instance, cms, nil)
+	if err != nil {
+		Log.Error(err, "Unable to create rabbitmq config maps")
+		return mqFailed, ctrl.Result{}, err
 	}
 
 	defaultStatefulSet := rabbitmqv2.StatefulSet{
@@ -197,6 +238,15 @@ func reconcileRabbitMQ(
 
 	hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 	hostnameHeadless := fmt.Sprintf("%s-nodes.%s.svc", name, instance.Namespace)
+	hostnames := []string{
+		hostname,
+		fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
+		hostnameHeadless,
+		fmt.Sprintf("%s.%s", hostnameHeadless, ClusterInternalDomain),
+	}
+	for i := 0; i < int(*spec.Replicas); i++ {
+		hostnames = append(hostnames, fmt.Sprintf("%s-server-%d.%s-nodes.%s", name, i, name, instance.Namespace))
+	}
 
 	tlsCert := ""
 	commonName := fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain)
@@ -206,14 +256,7 @@ func reconcileRabbitMQ(
 			IssuerName: instance.GetInternalIssuer(),
 			CertName:   fmt.Sprintf("%s-svc", rabbitmq.Name),
 			CommonName: &commonName,
-			Hostnames: []string{
-				hostname,
-				fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
-				hostnameHeadless,
-				fmt.Sprintf("%s.%s", hostnameHeadless, ClusterInternalDomain),
-				fmt.Sprintf("*.%s", hostnameHeadless),
-				fmt.Sprintf("*.%s.%s", hostnameHeadless, ClusterInternalDomain),
-			},
+			Hostnames:  hostnames,
 			Subject: &certmgrv1.X509Subject{
 				Organizations: []string{fmt.Sprintf("%s.%s", rabbitmq.Namespace, ClusterInternalDomain)},
 			},
@@ -346,6 +389,34 @@ func reconcileRabbitMQ(
   ]}
 ].
 `
+
+			rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Volumes = []corev1.Volume{
+				{
+					Name: "config-data",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: fmt.Sprintf("%s-config-data", rabbitmq.Name),
+							},
+							DefaultMode: ptr.To[int32](0o420),
+							Items: []corev1.KeyToPath{
+								{
+									Key:  "inter_node_tls.config",
+									Path: "inter_node_tls.config",
+								},
+							},
+						},
+					},
+				},
+			}
+			rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
+				{
+					MountPath: "/etc/rabbitmq/inter-node-tls.config",
+					ReadOnly:  true,
+					Name:      "config-data",
+					SubPath:   "inter_node_tls.config",
+				},
+			}
 		}
 
 		// overrides

tests/functional/base_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	openstackclientv1 "github.com/openstack-k8s-operators/openstack-operator/apis/client/v1beta1"
 	corev1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
+	rabbitmqv2 "github.com/rabbitmq/cluster-operator/v2/api/v1beta1"
 )
 
 type Names struct {
@@ -455,3 +456,11 @@ func CreateClusterConfigCM() client.Object {
 
 	return cm
 }
+
+func GetRabbitMQCluster(name types.NamespacedName) *rabbitmqv2.RabbitmqCluster {
+	instance := &rabbitmqv2.RabbitmqCluster{}
+	Eventually(func(g Gomega) {
+		g.Expect(k8sClient.Get(ctx, name, instance)).Should(Succeed())
+	}, timeout, interval).Should(Succeed())
+	return instance
+}

tests/functional/openstackoperator_controller_test.go

@@ -546,7 +546,12 @@ var _ = Describe("OpenStackOperator controller", func() {
 				g.Expect(memcached.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
 			}, timeout, interval).Should(Succeed())
 
-			// TODO rabbitmq exists
+			// rabbitmq exists
+			Eventually(func(g Gomega) {
+				rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+				g.Expect(rabbitmq).Should(Not(BeNil()))
+				g.Expect(rabbitmq.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
+			}, timeout, interval).Should(Succeed())
 
 			// keystone exists
 			Eventually(func(g Gomega) {
@@ -759,14 +764,73 @@ var _ = Describe("OpenStackOperator controller", func() {
 				g.Expect(memcached.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
 			}, timeout, interval).Should(Succeed())
 
-			// TODO rabbitmq exists
+			// rabbitmq exists
+			Eventually(func(g Gomega) {
+				rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+				g.Expect(rabbitmq).Should(Not(BeNil()))
+				g.Expect(rabbitmq.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
+			}, timeout, interval).Should(Succeed())
 
 			// keystone exists
 			Eventually(func(g Gomega) {
 				keystoneAPI := keystone.GetKeystoneAPI(names.KeystoneAPIName)
 				g.Expect(keystoneAPI).Should(Not(BeNil()))
 			}, timeout, interval).Should(Succeed())
 		})
+		Describe("Rabbitmq inter node TLS config", func() {
+			It("should create and mount inter node tls config file", func() {
+				Eventually(func(g Gomega) {
+					cm := th.GetConfigMap(types.NamespacedName{
+						Namespace: names.RabbitMQName.Namespace,
+						Name:      names.RabbitMQName.Name + "-config-data",
+					})
+					g.Expect(cm).ShouldNot(BeNil())
+					g.Expect(cm.Data).Should(HaveKey("inter_node_tls.config"))
+				}, timeout, interval).Should(Succeed())
+				Eventually(func(g Gomega) {
+					rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+					g.Expect(rabbitmq).Should(Not(BeNil()))
+
+					var vFindings []k8s_corev1.Volume
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Volumes).Should(
+						ContainElement(HaveField("Name", "config-data"), &vFindings),
+					)
+					g.Expect(vFindings[0].VolumeSource.ConfigMap.Items[0]).Should(And(
+						HaveField("Key", "inter_node_tls.config"),
+						HaveField("Path", "inter_node_tls.config"),
+					))
+
+					var vmFindings []k8s_corev1.VolumeMount
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].VolumeMounts).Should(
+						ContainElement(HaveField("Name", "config-data"), &vmFindings),
+					)
+					g.Expect(vmFindings[0]).Should(And(
+						HaveField("SubPath", "inter_node_tls.config"),
+						HaveField("MountPath", "/etc/rabbitmq/inter-node-tls.config"),
+					))
+				}, timeout, interval).Should(Succeed())
+			})
+			It("should set the TLS arg env vars", func() {
+				Eventually(func(g Gomega) {
+					rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+					g.Expect(rabbitmq).Should(Not(BeNil()))
+
+					var findings []k8s_corev1.EnvVar
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].Env).Should(
+						ContainElement(HaveField("Name", "RABBITMQ_CTL_ERL_ARGS"), &findings),
+					)
+					g.Expect(findings[0].Value).Should(ContainSubstring(
+						"-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter-node-tls.config",
+					))
+					g.Expect(rabbitmq.Spec.Override.StatefulSet.Spec.Template.Spec.Containers[0].Env).Should(
+						ContainElement(HaveField("Name", "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS"), &findings),
+					)
+					g.Expect(findings[0].Value).Should(ContainSubstring(
+						"-proto_dist inet_tls -ssl_dist_optfile /etc/rabbitmq/inter-node-tls.config",
+					))
+				}, timeout, interval).Should(Succeed())
+			})
+		})
 		// Default route timeouts are set
 		It("should have default timeout for the routes set", func() {
 			OSCtlplane := GetOpenStackControlPlane(names.OpenStackControlplaneName)
@@ -1194,6 +1258,13 @@ var _ = Describe("OpenStackOperator controller", func() {
 				g.Expect(memcached.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
 			}, timeout, interval).Should(Succeed())
 
+			// rabbitmq exists
+			Eventually(func(g Gomega) {
+				rabbitmq := GetRabbitMQCluster(names.RabbitMQName)
+				g.Expect(rabbitmq).Should(Not(BeNil()))
+				g.Expect(rabbitmq.Spec.Replicas).Should(Equal(ptr.To[int32](1)))
+			}, timeout, interval).Should(Succeed())
+
 			// keystone exists
 			Eventually(func(g Gomega) {
 				keystoneAPI := keystone.GetKeystoneAPI(names.KeystoneAPIName)