Rabbitmq vhost and user support #320
Conversation
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/43a7be44149e4a80a82fc6b816e9f29b ✔️ openstack-meta-content-provider-master SUCCESS in 2h 24m 19s |
|
recheck |
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/fcb50a37da904b558dc9d03f6c6b6eb0 ✔️ openstack-meta-content-provider-master SUCCESS in 2h 08m 29s |
|
recheck |
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/ee8b8635fe8241a7aae1b57c091777e0 ✔️ openstack-meta-content-provider-master SUCCESS in 1h 31m 19s |
lmiccini
force-pushed
the
rabbitmq_vhosts
branch
from
e216e40 to
8133c4d
Compare
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/5deaf237b4c84f9394a94fed49bfe09c ✔️ openstack-meta-content-provider-master SUCCESS in 2h 53m 25s |
amoralej
left a comment
amoralej
left a comment
There was a problem hiding this comment.
I'd like to also modify the kuttl tests to cover the new parameters. You can use the existing kuttl tests, i.e. the watcher-notification or some other, watcher-topology, etc... to test non-default values for the new spec params.
I also left some inline comments.
| description: Name of the cluster | ||
| minLength: 1 | ||
| type: string | ||
| user: |
There was a problem hiding this comment.
im not sure if this makes seense either.
the reaosin i say that is when i filed https://issues.redhat.com/browse/OSPRH-92 orgianly it was also covering rothation of the rabbit mq password
it was scoped down to only the db for GA but
the intent was to intoduce a messaging busss account CR following the mariadb CR patthern to allow password rotation while having 2 active password/users
to do that we would need to generate a new user/password password pair so that the old pass word can remain active after the contolplane has rotaited to allow time of for the edpm deployment.
inother words we cannot have the user be part of this struct unless rabbit supprot having 2 active password for the same user.
There was a problem hiding this comment.
Thanks for the feedback. The way credentials rotation can be achieved is by simply switching the user in the cr, so you could start from "user-old" and switch to "user-new". Both credentials will be valid until a human admin decides to manually remove the unused one. We did not implement auto cleanup as it would break edpm nodes, plus we want to allow rolling back to old credentials if required.
There was a problem hiding this comment.
that seams messy vs the dedicated maria db account where the db is account is removed when the account CR is removed and we use a finalsize to prevent tis deletion until all usage of it is remvoed form all the crs that refence it.
are there plans to model the rabbit acocunts as CRDs in a similar way?
watcher does nto have any edpm compoents so its less relenvet for this PR but it a factor for nova
ideally we shoudl not have human operators direcly interacting with rabbit.
so my suggestion is to replace user with an account name which fence a rabbit account opbejct like the database account CRD.
the rotation woudl basically happen the way you suggest you create a new account obejct which will be reconsiled by the infra operator and update the value in the service template which will propagate to the service operator to reconisle.
during that reconsiliation they will remove there finaliser form the old account CR and add it to the new one.
once teh human has completed the edpm deploy ment they will delete the old account cr.
the infra operator would hten remove that user and password form rabit.
if they want to revert at any point before they do that delete they just need to revert the refence rabbit account object.
There was a problem hiding this comment.
That's how it has been implemented already. Human operators only have to specify the username and a rabbitmquser crd is created for them, similarly to the db account. Finalizers are also moved to the new account and removed from the old one for rotation purposes. See openstack-k8s-operators/infra-operator@f4eab21 .
There was a problem hiding this comment.
the db account have to be created seperalty and then the name of the account passed in
so this is not workign the saem. unless this is the name of the rabbitmquer cr not the username.
if we have a rabbitmquser CRD then we shoudl be takign the name of the rabbitmquser CR here not the user name ot have this work the same as the db password.
can you make that change?
There was a problem hiding this comment.
IIUC, according to the current implementation, services will keep creating a TransporURL object with optionally user and vhost parameters. The rabbitmq operator will create a CR RabbitmqUser and RabbitmqVhost under the hood, will create the watcher transportURL and will add a finalizer on the TransportURL to those two objects. When creating a new user by modifying the MessagingBus.user in Watcher object, the rabbitmq will create a new RabbitmqUser object, will update the TransportURL secret and object, remove the finalizer on the old user and will add the new one.
Then, the OpenStack operator should remove the old RabbitmqUser to delete the old account?
Is that the expected workflow?. IMO, it's an acceptable one, it's different than the one for MariaDB but I don't see an issue with it as soon as it's properly implemented. It's much more consistent and easy to implement that forcing the services to manage the RabbitmqUser creation, etc... which would require changing all the services operators. In this way the workflow is encapsulated in the RabbitMQ operator, which is good.
I have one doubt, what should happen when the user is not setting user and vhost? it will create a user name dynamically and an RabbitMQuser object for it?
There was a problem hiding this comment.
the ablity for the service operator to create the mariadbAccount CR
is the deprecated flow that was ment to be deleted
so i dont think that we shoudl eb creating the RabbitmqUser cr in the watcher operator based on jsut the username.
that specifcliy the part im objectign too.
There was a problem hiding this comment.
for what its worht i kind of see the current propsoal to autocare the user (and password) just bsed on teh user name as a security problem that would prevent use merging this.
bsiclly it provde a very easy way to typo the name have a user created and then not notice this again since it wont show up in the controlplan CR
you would have to expclitly go looking for the RabbitmqUser crs to keep track fo them and manually corralate them.
lmiccini
force-pushed
the
rabbitmq_vhosts
branch
from
8133c4d to
f5abf3f
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/18dac81b57c3435e8ee3c89c8255337d ✔️ openstack-meta-content-provider-master SUCCESS in 4h 47m 04s |
lmiccini
force-pushed
the
rabbitmq_vhosts
branch
4 times, most recently
from
db92d54 to
ff28815
Compare
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/ae2a6a20346043d7b23e2e2dc5675058 ✔️ openstack-meta-content-provider-master SUCCESS in 2h 52m 59s |
lmiccini
force-pushed
the
rabbitmq_vhosts
branch
from
ff28815 to
f749ebf
Compare
Add new messagingBus and notificationsBus interfaces to hold cluster,
user and vhost names for optional usage.
The controller adds these values to the TransportURL create request when present.
Additionally, we migrate RabbitMQ cluster name to RabbitMq config struct
using DefaultRabbitMqConfig from infra-operator to automatically
populate the new Cluster field from legacy RabbitMqClusterName.
Example usage:
spec:
messagingBus:
cluster: rpc-rabbitmq
user: rpc-user
vhost: rpc-vhost
notificationsBus:
cluster: notifications-rabbitmq
user: notifications-user
vhost: notifications-vhost
Jira: https://issues.redhat.com/browse/OSPRH-23882
lmiccini
force-pushed
the
rabbitmq_vhosts
branch
from
f749ebf to
e2c7b37
Compare
|
@lmiccini: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/dab5bd6c4e9c47219f0d96d09cbf2caf ✔️ openstack-meta-content-provider-master SUCCESS in 3h 36m 47s |
| description: Name of the cluster | ||
| minLength: 1 | ||
| type: string | ||
| user: |
There was a problem hiding this comment.
for what its worht i kind of see the current propsoal to autocare the user (and password) just bsed on teh user name as a security problem that would prevent use merging this.
bsiclly it provde a very easy way to typo the name have a user created and then not notice this again since it wont show up in the controlplan CR
you would have to expclitly go looking for the RabbitmqUser crs to keep track fo them and manually corralate them.
4 participants
Add new messagingBus and notificationsBus interfaces to hold cluster, user and vhost names for optional usage.
The controller adds these values to the TransportURL create request when present.
Additionally, we migrate RabbitMQ cluster name to RabbitMq config struct using DefaultRabbitMqConfig from infra-operator to automatically populate the new Cluster field from legacy RabbitMqClusterName.
Example usage:
Jira: https://issues.redhat.com/browse/OSPRH-23882