Kubernetes peer discovery improvements

michaelklishin · michaelklishin · commit 2ea5fc818fc6 · 2024-04-03T22:20:54.000-04:00
* Use file path validators to improve error messages
   when a certificate, key or another file does not
   exist or cannot be read by the node
 * Introduce a number of standard TLS options in
   addition to the Kubelet-provided CA certificate
diff --git a/deps/rabbitmq_peer_discovery_k8s/priv/schema/rabbitmq_peer_discovery_k8s.schema b/deps/rabbitmq_peer_discovery_k8s/priv/schema/rabbitmq_peer_discovery_k8s.schema
@@ -51,7 +51,7 @@ end}.
 %% (ACL) Token path
 
 {mapping, "cluster_formation.k8s.token_path", "rabbit.cluster_formation.peer_discovery_k8s.k8s_token_path", [
-    {datatype, string}
+    {datatype, string}, {validators, ["file_accessible"]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_k8s.k8s_token_path",
@@ -62,10 +62,14 @@ fun(Conf) ->
     end
 end}.
 
-%% Certificate path
+%%
+%% TLS
+%%
+
+%% deprecated
 
 {mapping, "cluster_formation.k8s.cert_path", "rabbit.cluster_formation.peer_discovery_k8s.k8s_cert_path", [
-    {datatype, string}
+    {datatype, string}, {validators, ["file_accessible"]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_k8s.k8s_cert_path",
@@ -76,10 +80,73 @@ fun(Conf) ->
     end
 end}.
 
+%% modern keys
+
+{mapping, "cluster_formation.k8s.tls.cacertfile", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.cacertfile",
+    [{datatype, string}, {validators, ["file_accessible"]}
+]}.
+
+{translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.cacertfile",
+fun(Conf) ->
+    case cuttlefish:conf_get("cluster_formation.k8s.tls.cacertfile", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+{mapping, "cluster_formation.k8s.tls.certfile", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.certfile",
+    [{datatype, string}, {validators, ["file_accessible"]}
+]}.
+
+{translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.certfile",
+fun(Conf) ->
+    case cuttlefish:conf_get("cluster_formation.k8s.tls.certfile", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+{mapping, "cluster_formation.k8s.tls.keyfile", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.keyfile",
+    [{datatype, string}, {validators, ["file_accessible"]}
+]}.
+
+{translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.keyfile",
+fun(Conf) ->
+    case cuttlefish:conf_get("cluster_formation.k8s.tls.keyfile", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+{mapping, "cluster_formation.k8s.tls.verify", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.verify", [
+    {datatype, {enum, [verify_peer, verify_none]}}
+]}.
+
+{translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.verify",
+fun(Conf) ->
+    case cuttlefish:conf_get("cluster_formation.k8s.tls.verify", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+{mapping, "cluster_formation.k8s.tls.fail_if_no_peer_cert", "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.fail_if_no_peer_cert", [
+    {datatype, {enum, [true, false]}}
+]}.
+
+{translation, "rabbit.cluster_formation.peer_discovery_k8s.ssl_options.fail_if_no_peer_cert",
+fun(Conf) ->
+    case cuttlefish:conf_get("cluster_formation.k8s.tls.fail_if_no_peer_cert", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+
 %% Namespace path
 
 {mapping, "cluster_formation.k8s.namespace_path", "rabbit.cluster_formation.peer_discovery_k8s.k8s_namespace_path", [
-    {datatype, string}
+    {datatype, string}, {validators, ["file_accessible"]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_k8s.k8s_namespace_path",
diff --git a/deps/rabbitmq_peer_discovery_k8s/src/rabbit_peer_discovery_k8s.erl b/deps/rabbitmq_peer_discovery_k8s/src/rabbit_peer_discovery_k8s.erl
@@ -116,14 +116,29 @@ make_request() ->
     M = ?CONFIG_MODULE:config_map(?BACKEND_CONFIG_KEY),
     {ok, Token} = rabbit_misc:raw_read_file(get_config_key(k8s_token_path, M)),
     Token1 = binary:replace(Token, <<"\n">>, <<>>),
+
+    rabbit_log:debug("Will issue a Kubernetes API request client with the following settings: ~tp", [M]),
+
+    TLSClientOpts0 = maps:get(ssl_options, M, []),
+    LegacyCACertfilePath = get_config_key(k8s_cert_path, M),
+    %% merge legacy CA certificate file argument if TLSClientOpts does not have its modern counterpart set
+    TLSClientOpts = case proplists:get_value(cacertfile, TLSClientOpts0, undefined) of
+        undefined ->
+            [{cacertfile, LegacyCACertfilePath} | TLSClientOpts0];
+        _Other ->
+            TLSClientOpts0
+    end,
+
+    rabbit_log:debug("Will issue a Kubernetes API request client with the following TLS options: ~tp", [TLSClientOpts]),
+
     ?HTTPC_MODULE:get(
       get_config_key(k8s_scheme, M),
       get_config_key(k8s_host, M),
       get_config_key(k8s_port, M),
-      base_path(endpoints,get_config_key(k8s_service_name, M)),
+      base_path(endpoints, get_config_key(k8s_service_name, M)),
       [],
       [{"Authorization", "Bearer " ++ binary_to_list(Token1)}],
-      [{ssl, [{cacertfile, get_config_key(k8s_cert_path, M)}]}]).
+      [{ssl, TLSClientOpts}]).
 
 %% @spec node_name(k8s_endpoint) -> list()
 %% @doc Return a full rabbit node name, appending hostname suffix
diff --git a/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/certs/cacert.pem b/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/certs/cacert.pem
@@ -0,0 +1 @@
+I'm not a certificate
diff --git a/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/certs/cert.pem b/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/certs/cert.pem
@@ -0,0 +1 @@
+I'm not a certificate
diff --git a/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/certs/key.pem b/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/certs/key.pem
@@ -0,0 +1 @@
+I'm not a certificate
diff --git a/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/namespace.txt b/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/namespace.txt
@@ -0,0 +1 @@
+example-namespace
diff --git a/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/rabbitmq_peer_discovery_k8s.snippets b/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/rabbitmq_peer_discovery_k8s.snippets
@@ -101,33 +101,72 @@
     ], [rabbitmq_peer_discovery_k8s]
   }
 
-, {k8s_token_path, "cluster_formation.k8s.token_path = /a/b/c", [
+, {k8s_token_path, "cluster_formation.k8s.token_path = test/config_schema_SUITE_data/token.txt", [
         {rabbit, [
             {cluster_formation, [
                 {peer_discovery_k8s, [
-                    {k8s_token_path, "/a/b/c"}
+                    {k8s_token_path, "test/config_schema_SUITE_data/token.txt"}
                 ]}
             ]}
         ]}
     ], [rabbitmq_peer_discovery_k8s]
   }
 
-, {k8s_token_path, "cluster_formation.k8s.cert_path = /a/b/c", [
+, {k8s_ca_certificate_legacy_cert_path, "cluster_formation.k8s.cert_path = test/config_schema_SUITE_data/certs/cacert.pem", [
         {rabbit, [
             {cluster_formation, [
                 {peer_discovery_k8s, [
-                    {k8s_cert_path, "/a/b/c"}
+                    {k8s_cert_path, "test/config_schema_SUITE_data/certs/cacert.pem"}
                 ]}
             ]}
         ]}
     ], [rabbitmq_peer_discovery_k8s]
   }
 
-, {k8s_token_path, "cluster_formation.k8s.namespace_path = /a/b/c", [
+, {k8s_ca_certificate_modern_path, "cluster_formation.k8s.tls.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem", [
         {rabbit, [
             {cluster_formation, [
                 {peer_discovery_k8s, [
-                    {k8s_namespace_path, "/a/b/c"}
+                    {ssl_options, [
+                        {cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"}
+                    ]}
+                ]}
+            ]}
+        ]}
+    ], [rabbitmq_peer_discovery_k8s]
+  }
+
+, {k8s_client_certificate_modern_path, "cluster_formation.k8s.tls.certfile = test/config_schema_SUITE_data/certs/cert.pem", [
+        {rabbit, [
+            {cluster_formation, [
+                {peer_discovery_k8s, [
+                    {ssl_options, [
+                        {certfile, "test/config_schema_SUITE_data/certs/cert.pem"}
+                    ]}
+                ]}
+            ]}
+        ]}
+    ], [rabbitmq_peer_discovery_k8s]
+  }
+
+, {k8s_client_key_modern_path, "cluster_formation.k8s.tls.keyfile = test/config_schema_SUITE_data/certs/key.pem", [
+        {rabbit, [
+            {cluster_formation, [
+                {peer_discovery_k8s, [
+                    {ssl_options, [
+                        {keyfile, "test/config_schema_SUITE_data/certs/key.pem"}
+                    ]}
+                ]}
+            ]}
+        ]}
+    ], [rabbitmq_peer_discovery_k8s]
+  }
+
+, {k8s_namespace_path, "cluster_formation.k8s.namespace_path = test/config_schema_SUITE_data/namespace.txt", [
+        {rabbit, [
+            {cluster_formation, [
+                {peer_discovery_k8s, [
+                    {k8s_namespace_path, "test/config_schema_SUITE_data/namespace.txt"}
                 ]}
             ]}
         ]}
diff --git a/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/token.txt b/deps/rabbitmq_peer_discovery_k8s/test/config_schema_SUITE_data/token.txt
@@ -0,0 +1 @@
+example-token
