[bitnami/rabbitmq] Improve Ingress TLS management (#6235)

Juan Ariza Toledano
2021-05-04 12:24:59 +02:00
committed by GitHub
parent 2b3e4c61ec
commit 29ae259492
6 changed files with 93 additions and 42 deletions


@@ -23,4 +23,4 @@ name: rabbitmq
sources:
- https://github.com/bitnami/bitnami-docker-rabbitmq
- https://www.rabbitmq.com
version: 8.12.3
version: 8.13.0


@@ -191,12 +191,12 @@ The following table lists the configurable parameters of the RabbitMQ chart and
| `service.annotationsHeadless` | Headless service annotations different from regular service | `{}` (evaluated as a template) |
| `ingress.enabled` | Enable ingress resource for Management console | `false` |
| `ingress.path` | Path for the default host | `/` |
| `ingress.certManager` | Add annotations for cert-manager | `false` |
| `ingress.hostname` | Default host for the ingress resource | `rabbitmq.local` |
| `ingress.pathType` | Ingress path type | `ImplementationSpecific` |
| `ingress.annotations` | Ingress annotations | `[]` |
| `ingress.tls` | Enable TLS configuration for the hostname defined at `ingress.hostname` parameter | `false` |
| `ingress.existingSecret` | Existing secret for the Ingress TLS certificate | `nil` |
| `ingress.certManager` | Add annotations for cert-manager to generate a TLS secret for the ingress record | `false` |
| `ingress.selfSigned` | Create a TLS secret for the ingress record using self-signed certificates | `false` |
| `ingress.extraHosts[0].name` | Additional hostnames to be covered | `nil` |
| `ingress.extraHosts[0].path` | Additional hostnames to be covered | `nil` |
| `ingress.extraTls[0].hosts[0]` | TLS configuration for additional hostnames to be covered | `nil` |


@@ -92,17 +92,6 @@ Get the TLS secret.
{{- end -}}
{{- end -}}
{{/*
Get the Ingress TLS secret.
*/}}
{{- define "rabbitmq.ingressSecretTLSName" -}}
{{- if .Values.ingress.existingSecret -}}
{{- printf "%s" .Values.ingress.existingSecret -}}
{{- else -}}
{{- printf "%s-tls" .Values.ingress.hostname -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper RabbitMQ plugin list
*/}}
@@ -160,6 +149,7 @@ Compile all warnings into a single message, and call fail.
{{- $messages := list -}}
{{- $messages := append $messages (include "rabbitmq.validateValues.ldap" .) -}}
{{- $messages := append $messages (include "rabbitmq.validateValues.memoryHighWatermark" .) -}}
{{- $messages := append $messages (include "rabbitmq.validateValues.ingress.tls" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
@@ -215,3 +205,19 @@ rabbitmq: memoryHighWatermark
--set memoryHighWatermark.value="512MB"
{{- end -}}
{{- end -}}
{{/*
Validate values of rabbitmq - TLS configuration for Ingress
*/}}
{{- define "rabbitmq.validateValues.ingress.tls" -}}
{{- if and .Values.ingress.enabled .Values.ingress.tls (not .Values.ingress.certManager) (not .Values.ingress.selfSigned) (empty .Values.ingress.extraTls) }}
rabbitmq: ingress.tls
You enabled the TLS configuration for the default ingress hostname but
you did not enable any of the available mechanisms to create the TLS secret
to be used by the Ingress Controller.
Please use any of these alternatives:
- Use the `ingress.extraTls` and `ingress.secrets` parameters to provide your custom TLS certificates.
- Relay on cert-manager to create it by setting `ingress.certManager=true`
- Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
{{- end -}}
{{- end -}}
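Review bot: The user-facing text of the new `rabbitmq.validateValues.ingress.tls` message misspells "rely" in its last two bullets (`Relay on cert-manager ...`, `Relay on Helm ...`); they should read `- Rely on cert-manager to create it by setting ingress.certManager=true` and `- Rely on Helm to create self-signed certificates by setting ingress.selfSigned=true`. The same typo is in the values.yaml comments above `tls:` in this commit. The condition also passes when only `ingress.extraTls` is set, and in that case the ingress template (gated on certManager/selfSigned) emits no tls entry for the default hostname, so the first bullet is the only path that covers a user-provided secret; saying so explicitly, e.g. `- Reference your own TLS secret through ingress.extraTls (created via ingress.secrets or externally), making sure it covers ingress.hostname`, would save users a round trip. The define starts and ends inside this hunk.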


@@ -15,7 +15,7 @@ metadata:
spec:
rules:
{{- if .Values.ingress.hostname }}
- host: {{ .Values.ingress.hostname }}
- host: {{ .Values.ingress.hostname | quote }}
http:
paths:
{{- if .Values.ingress.extraPaths }}
@@ -37,12 +37,12 @@ spec:
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http-stats" "context" $) | nindent 14 }}
{{- end }}
{{- if or .Values.ingress.tls .Values.ingress.extraTls }}
{{- if or (and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
tls:
{{- if .Values.ingress.tls }}
{{- if and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned) }}
- hosts:
- {{ .Values.ingress.hostname }}
secretName: {{ template "rabbitmq.ingressSecretTLSName" . }}
- {{ .Values.ingress.hostname | quote }}
secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
{{- end }}
{{- if .Values.ingress.extraTls }}
{{- toYaml .Values.ingress.extraTls | nindent 4 }}
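Review bot: In the new tls entry for the default hostname the `host` value is now piped through `quote`, but the `secretName` right below it is still a bare `printf` (as is the matching Secret name in tls-secrets.yaml); for consistency and so the rendered YAML stays a plain string whatever the hostname contains, use `secretName: {{ printf "%s-tls" .Values.ingress.hostname | quote }}`. Note that this entry is now only rendered when cert-manager or selfSigned is enabled, so a user who supplies the `<hostname>-tls` secret via `ingress.secrets` with neither flag set gets no tls stanza for the default host unless they repeat it in `extraTls`; if that is intended, the values.yaml comment that lists `ingress.secrets` as a standalone option should say so. The tls stanza continues past the end of the hunk.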


@@ -1,4 +1,5 @@
{{- if .Values.ingress.enabled }}
{{- if .Values.ingress.secrets }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
@@ -6,9 +7,38 @@ metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace | quote }}
labels: {{- include "common.labels.standard" $ | nindent 4 }}
{{- if $.Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- end }}
{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
{{- $ca := genCA "rabbitmq-ca" 365 }}
{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-tls" .Values.ingress.hostname }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- end }}
{{- end }}
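Review bot: Inside the `range .Values.ingress.secrets` loop the dot is the current secret entry, yet the two `common.tplvalues.render` calls pass `.Values.commonLabels` and `.Values.commonAnnotations` while the `if` guards around them correctly use `$.Values...`; with commonLabels or commonAnnotations set and at least one secret listed, `.Values` resolves against the entry instead of the chart root and the rendered labels/annotations block gets a bogus value (most likely a stray `null` line) rather than the intended map. Both calls should use the root context: `{{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}` and likewise `"value" $.Values.commonAnnotations`. Separately, `genCA`/`genSignedCert` in the selfSigned block run on every template render, so each `helm upgrade` issues a new CA and leaf certificate; a short comment above `$ca` stating this, e.g. `{{/* NOTE: these certificates are regenerated on every upgrade; do not pin them on the client side */}}`, would make the rotation behaviour explicit to operators.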


@@ -748,10 +748,6 @@ ingress:
##
pathType: ImplementationSpecific
## Set this to true in order to add the corresponding annotations for cert-manager
##
certManager: false
## When the ingress is enabled, a host pointing to this will be created
##
hostname: rabbitmq.local
@@ -766,43 +762,62 @@ ingress:
## Enable TLS configuration for the hostname defined at ingress.hostname parameter
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
## or a custom one if you use the tls.existingSecret parameter
## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
## You can:
## - Use the `ingress.secrets` parameter to create this TLS secret
## - Relay on cert-manager to create it by setting `ingress.certManager=true`
## - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
##
tls: false
## existingSecret: name-of-existing-secret
## Set this to true in order to add the corresponding annotations for cert-manager
## to generate a TLS secret for the ingress record
##
certManager: false
## Set this to true in order to create a TLS secret for this ingress record
## using self-signed certificates generated by Helm
##
selfSigned: false
## The list of additional hostnames to be covered with this ingress record.
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
## e.g:
## extraHosts:
## - name: rabbitmq.local
## path: /
## - name: rabbitmq.local
## path: /
##
extraHosts: []
## The tls configuration for additional hostnames to be covered with this ingress record.
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
## e.g:
## extraTls:
## - hosts:
## - rabbitmq.local
## secretName: rabbitmq.local-tls
## - hosts:
## - rabbitmq.local
## secretName: rabbitmq.local-tls
##
extraTls: []
## If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
## name should line up with a tlsSecret set further up
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
##
## Custom TLS certificates as secrets
## NOTE: 'key' and 'certificate' are expected in PEM format
## NOTE: 'name' should line up with a 'secretName' set further up
## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
## It is also possible to create and manage the certificates outside of this helm chart
## Please see README.md for more information
## e.g:
## secrets:
## - name: rabbitmq.local-tls
## key: |-
## -----BEGIN RSA PRIVATE KEY-----
## ...
## -----END RSA PRIVATE KEY-----
## certificate: |-
## -----BEGIN CERTIFICATE-----
## ...
## -----END CERTIFICATE-----
##
secrets: []
## - name: rabbitmq.local-tls
## key:
## certificate:
##
## Prometheus Metrics
##
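Review bot: The new comment block above `secrets: []` states that when it is not set and cert-manager is not used, self-signed certificates will be created valid for 365 days, but the tls-secrets template only generates them when `ingress.selfSigned` is true and the validation helper fails the render otherwise; the sentence should read `## If it is not set, Helm can generate self-signed certificates (valid for 365 days) when ingress.selfSigned=true`. The bullet list above `tls: false` likewise presents `ingress.secrets` alone as a way to provide the secret, whereas a user-provided secret is only attached to the default hostname through `ingress.extraTls`, so that bullet should mention `ingress.extraTls` as well; `Relay on` in the two bullets after it should be `Rely on`. The `## existingSecret: name-of-existing-secret` line under `tls: false` refers to a parameter the helpers no longer read after this commit and should be dropped if it survives on the new side.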