[rabbitmq] Option to enable SSL for amqp server
The option `enableSsl` configures a certificate with the same name as the
rabbitmq deployment, prefixed with `tls-`, which will in turn generate a
secret of the same name.

The only other missing value is the name of the cluster-issuer to
be specified with `certificate.issuerRef.name`

Erlang should automatically reload the certificate, when the file
changes. So, certificate rotation should also be handled.
fwiesel committed Nov 29, 2024
1 parent 4829eca commit 841c29f
Showing 9 changed files with 120 additions and 11 deletions.
15 changes: 15 additions & 0 deletions common/rabbitmq/CHANGELOG.md
Expand Up @@ -2,6 +2,21 @@

This file is used to list changes made in each version of the common chart rabbitmq.

## 0.13.0
[@fwiesel](https://github.com/fwiesel)
- Add option to enable ssl in rabbitmq

The following options need to be set:
```yaml
enableSsl: true
certificate:
issuerRef:
name: issuer-name
```
The default is a cluster-issuer, but it can be changed with the respective value
`certifcate.issuerRef.kind`

## 0.12.0

[@businessbean](https://github.com/businessbean)
2 changes: 1 addition & 1 deletion common/rabbitmq/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: rabbitmq
version: 0.12.0
version: 0.13.0
appVersion: 3.13.7
description: A Helm chart for RabbitMQ
sources:
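--- a/common/rabbitmq/ci/test-values.yaml
+++ b/common/rabbitmq/ci/test-values.yaml
@@ -4,6 +4,8 @@ global:
   user_suffix: ""
   master_password: ""
   dockerHubMirrorAlternateRegion: "other.dockerhub.mirror"
+  region: "region"
+  tld: "tld"
 
 ports:
   public: 5672
@@ -33,3 +35,15 @@ replicas: 1
 
 metrics:
   enabled: false
+
+
+externalIPs:
+  - "127.0.0.1"
+
+externalNames:
+  - "rabbitmq.example.com"
+
+enableSsl: true
+certificate:
+  issuerRef:
+    name: "test-issuer"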
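--- /dev/null
+++ b/common/rabbitmq/templates/certificate.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.enableSsl }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tls-{{ template "fullname" . }}
+  labels:
+{{- include "rabbitmq.labels" (list $ "version" "rabbitmq" "deployment" "messagequeue") | indent 4 }}
+spec:
+  secretName: tls-{{ template "fullname" . }}
+  secretTemplate:
+    labels:
+{{- include "rabbitmq.labels" (list $ "version" "rabbitmq" "deployment" "messagequeue") | indent 6 }}
+  commonName: "{{ template "fullname" . }}.{{ .Release.Namespace }}.svc.kubernetes.{{ .Values.global.region | required "global.region missing" }}.{{ .Values.global.tld | required "global.tld missing" }}"
+  dnsNames:
+    - "{{ template "fullname" . }}.{{ .Release.Namespace }}.svc.kubernetes.{{ .Values.global.region | required "global.region missing" }}.{{ .Values.global.tld | required "global.tld missing" }}"
+{{- if .Values.externalNames }}
+{{- range .Values.externalNames }}
+    - "{{ . }}"
+{{- end }}
+{{- end }}
+{{- if .Values.externalIPs }}
+  ipAddresses:
+{{- range .Values.externalIPs }}
+    - "{{ . }}"
+{{- end }}
+{{- end }}
+{{- .Values.certificate | toYaml | nindent 2 }}
+{{- end }}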
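Review bot: Nothing in this template checks that `certificate.issuerRef.name` was actually set before `{{- .Values.certificate | toYaml | nindent 2 }}` on the last line splices the issuer reference into `spec`, and the chart default added in values.yaml is `name: nil`, which YAML reads as the string "nil" rather than a null. An install with `enableSsl: true` and no issuer therefore renders cleanly and produces a Certificate pointing at a ClusterIssuer literally named `nil`, so the mistake only surfaces later as a cert-manager issuing error instead of at `helm install`. A guard directly after the opening `if` makes the contract stated in the commit message enforceable: `{{- if not .Values.certificate.issuerRef.name }}{{ fail "certificate.issuerRef.name must be set when enableSsl is true" }}{{ end }}`, paired with changing the values.yaml default to `name: ""` so the guard can trigger.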
12 changes: 10 additions & 2 deletions common/rabbitmq/templates/custom-conf-configmap.yaml
@@ -1,12 +1,20 @@
---
{{ if $.Values.customConfig }}
{{ if or $.Values.customConfig $.Values.enableSsl }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "fullname" . }}-custom-conf
labels:
{{- include "rabbitmq.labels" (list $ "version" "rabbitmq" "configmap" "messagequeue") | indent 4 }}
data:
{{- if $.Values.customConfig }}
20-custom.conf: |
{{ include (print .Template.BasePath "/etc/_rabbitmq-custom-config.tpl") . | indent 4 }}
{{- include (print .Template.BasePath "/etc/_rabbitmq-custom-config.tpl") . | nindent 4 }}
{{- end }}
{{- if $.Values.enableSsl }}
30-ssl.conf: |
listeners.ssl.default={{ $.Values.ports.amqps }}
ssl_options.certfile=/etc/rabbitmq/ssl/tls.crt
ssl_options.keyfile=/etc/rabbitmq/ssl/tls.key
{{- end }}
{{ end }}
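Review bot: `30-ssl.conf` defines `listeners.ssl.default` whenever `enableSsl` is set, but `customConfig` is still allowed to carry the same key (deployment.yaml in this commit keeps reading `listeners.ssl.default` out of `customConfig` for the amqps container port), so a user who sets both ends up with the listener declared in two conf.d files and, presumably, the file RabbitMQ reads last winning silently. A render-time check inside `data:` keeps the two mechanisms exclusive: `{{- if and $.Values.enableSsl (hasKey $.Values.customConfig "listeners.ssl.default") }}{{ fail "use either enableSsl or customConfig listeners.ssl.default, not both" }}{{- end }}`. The snippet only sets certfile and keyfile, which is sufficient for server-side TLS without client certificates; if peer verification is wanted later it needs `ssl_options.cacertfile` and `ssl_options.verify` here as well, so a one-line comment stating that scope would help the next reader.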
24 changes: 20 additions & 4 deletions common/rabbitmq/templates/deployment.yaml
Expand Up @@ -106,12 +106,16 @@ spec:
{{ toYaml .Values.resources | indent 10 }}
ports:
- name: public
containerPort: {{ default "5672" .Values.ports.public }}
containerPort: {{ .Values.ports.public }}
- name: management
containerPort: {{ default "15672" .Values.ports.management }}
containerPort: {{ .Values.ports.management }}
{{- if hasKey .Values.customConfig "listeners.ssl.default" }}
- name: amqps
containerPort: {{ get .Values.customConfig "listeners.ssl.default" }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
containerPort: {{ default "15692" .Values.metrics.port }}
containerPort: {{ .Values.metrics.port }}
{{- end }}
volumeMounts:
- mountPath: /var/lib/rabbitmq
Expand All @@ -125,6 +129,13 @@ spec:
name: rabbitmq-custom-config
subPath: 20-custom.conf
{{- end }}
{{- if .Values.enableSsl }}
- mountPath: /etc/rabbitmq/conf.d/30-ssl.conf
name: rabbitmq-custom-config
subPath: 30-ssl.conf
- mountPath: /etc/rabbitmq/ssl
name: ssl
{{- end }}
priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
volumes:
- name: rabbitmq-persistent-storage
Expand All @@ -145,9 +156,14 @@ spec:
sources:
- secret:
name: {{ template "fullname" . }}-users
{{- if .Values.customConfig }}
{{- if or .Values.customConfig .Values.enableSsl }}
- name: rabbitmq-custom-config
configMap:
name: {{ template "fullname" . }}-custom-conf
{{- end }}
{{- if .Values.enableSsl }}
- name: ssl
secret:
secretName: tls-{{ template "fullname" . }}
{{- end }}
{{- end }}
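Review bot: The new amqps container port (`{{- if hasKey .Values.customConfig "listeners.ssl.default" }}` in the first hunk) is declared only when `customConfig` carries the key, not when `enableSsl` is set, while service.yaml in this same commit publishes `ports.amqps` on `enableSsl`. containerPort is informational, so traffic still flows, but the pod spec no longer reflects which listeners the rendered config enables, and anything that derives exposure from the pod's port list will miss the TLS listener. Branching on `enableSsl` first and falling back to the `customConfig` lookup covers both paths. The container ports of statefulset.yaml are outside its hunks and presumably need the same treatment.
```yaml
          # … unchanged: public and management ports …
          {{- if .Values.enableSsl }}
          - name: amqps
            containerPort: {{ .Values.ports.amqps }}
          {{- else if hasKey .Values.customConfig "listeners.ssl.default" }}
          - name: amqps
            containerPort: {{ get .Values.customConfig "listeners.ssl.default" }}
          {{- end }}
          # … unchanged: metrics port …
```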
8 changes: 6 additions & 2 deletions common/rabbitmq/templates/service.yaml
Expand Up @@ -21,9 +21,13 @@ spec:
{{- end }}
ports:
- name: public
port: {{ default 5672 .Values.ports.public }}
port: {{ .Values.ports.public }}
- name: management
port: {{ default 15672 .Values.ports.management }}
port: {{ .Values.ports.management }}
{{- if .Values.enableSsl }}
- name: amqps
port: {{ .Values.ports.amqps }}
{{- end }}
selector:
app.kubernetes.io/instance: {{ template "fullname" . }}
{{- if .Values.externalIPs }}
14 changes: 13 additions & 1 deletion common/rabbitmq/templates/statefulset.yaml
Expand Up @@ -117,6 +117,13 @@ spec:
name: rabbitmq-custom-config
subPath: 20-custom.conf
{{- end }}
{{- if .Values.enableSsl }}
- mountPath: /etc/rabbitmq/conf.d/30-ssl.conf
name: rabbitmq-custom-config
subPath: 30-ssl.conf
- mountPath: /etc/rabbitmq/ssl
name: ssl
{{- end }}
priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
volumes:
{{- if not .Values.persistence.enabled }}
Expand All @@ -131,11 +138,16 @@ spec:
sources:
- secret:
name: {{ template "fullname" . }}-users
{{- if .Values.customConfig }}
{{- if or .Values.customConfig .Values.enableSsl }}
- name: rabbitmq-custom-config
configMap:
name: {{ template "fullname" . }}-custom-conf
{{- end }}
{{- if .Values.enableSsl }}
- name: ssl
secret:
secretName: tls-{{ template "fullname" . }}
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
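Review bot: The `ssl` secret volume added in the second hunk mounts `tls.key` with the secret volume's default file mode (0644 unless `defaultMode` is given), so the private key is readable by every uid inside the container, not only the one running RabbitMQ. Adding `defaultMode: 0440` under `secret:` next to `secretName` narrows that, provided the pod securityContext gives the rabbitmq user access through `fsGroup` or a matching `runAsUser`; that part of the spec is outside the hunk, so confirm it before tightening the mode. The equivalent `ssl` volume in deployment.yaml needs the same change.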
14 changes: 13 additions & 1 deletion common/rabbitmq/values.yaml
Expand Up @@ -19,6 +19,7 @@ imageTag: 3.13.7-management
priority_class: "critical-infrastructure"

ports:
amqps: 5671
public: 5672
management: 15672

Expand Down Expand Up @@ -117,7 +118,18 @@ linkerd:
enabled: true

# RabbitMQ custom configuration to be added under /etc/rabbitmq/conf.d/20-custom.conf
customConfig:
customConfig: {}
# to set a custom limit please use the following format: 50MB or 1GB
# if not set default value of 50MB will be used
# disk_free_limit.absolute: 500MB

enableSsl: false
certificate:
issuerRef:
name: nil
kind: "ClusterIssuer"
group: "cert-manager.io"
usages:
- digital signature
- key encipherment
- server auth
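Review bot: `enableSsl: false` and the `certificate` block are added without any comment, although they only work together and the adjacent `customConfig` option is documented inline. Suggested comment above `enableSsl`: `# Adds a TLS (amqps) listener on ports.amqps backed by a cert-manager Certificate; certificate.issuerRef.name must be set. The plaintext listener on ports.public stays enabled; disable it via customConfig "listeners.tcp = none" if TLS-only is wanted.` The plaintext part matters because service.yaml keeps publishing `ports.public` unconditionally and nothing in the new `30-ssl.conf` turns the tcp listener off, so enabling this option does not by itself stop unencrypted client connections.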
