Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-16 06:47:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/rabbitmq] Add support for autogenerated certs (#6528)

Browse Source 
* [bitnami/rabbitmq] Add support for autogenerated certs

* Update README.md, chart version bump and minor changes

* Update README.md

* Fix linting issue

* Update README.md and add commonAnnotations to tls-secret.yaml

* Apply suggestions

* Add TLS validation check

* Update _helpers.tpl
This commit is contained in:
Miguel Ruiz
2021-06-16 11:12:12 +02:00
committed by GitHub
parent 66edf04e3e
commit 2c88d0bdef
7 changed files with 59 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/rabbitmq/Chart.yaml
View File

@@ -23,4 +23,4 @@ name: rabbitmq
sources: sources:
- https://github.com/bitnami/bitnami-docker-rabbitmq - https://github.com/bitnami/bitnami-docker-rabbitmq
- https://www.rabbitmq.com - https://www.rabbitmq.com
version: 8.15.3 version: 8.16.0

1
bitnami/rabbitmq/README.md
View File

@@ -79,6 +79,7 @@ The following table lists the configurable parameters of the RabbitMQ chart and
| `auth.erlangCookie` | Erlang cookie | _random 32 character long alphanumeric string_ | | `auth.erlangCookie` | Erlang cookie | _random 32 character long alphanumeric string_ |
| `auth.existingErlangSecret` | Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key) | `nil` (evaluated as a template) | | `auth.existingErlangSecret` | Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key) | `nil` (evaluated as a template) |
| `auth.tls.enabled` | Enable TLS support on RabbitMQ | `false` | | `auth.tls.enabled` | Enable TLS support on RabbitMQ | `false` |
| `auth.tls.autoGenerated` | Generate automatically self-signed TLS certificates | `talse` |
| `auth.tls.failIfNoPeerCert` | When set to true, TLS connection will be rejected if client fails to provide a certificate | `true` | | `auth.tls.failIfNoPeerCert` | When set to true, TLS connection will be rejected if client fails to provide a certificate | `true` |
| `auth.tls.sslOptionsVerify` | Should [peer verification](https://www.rabbitmq.com/ssl.html#peer-verification) be enabled? | `verify_peer` | | `auth.tls.sslOptionsVerify` | Should [peer verification](https://www.rabbitmq.com/ssl.html#peer-verification) be enabled? | `verify_peer` |
| `auth.tls.caCertificate` | Certificate Authority (CA) bundle content | `nil` | | `auth.tls.caCertificate` | Certificate Authority (CA) bundle content | `nil` |

26
bitnami/rabbitmq/templates/_helpers.tpl
View File

@@ -84,7 +84,7 @@ Get the erlang secret.
{{/* {{/*
Get the TLS secret. Get the TLS secret.
*/}} */}}
{{- define "rabbitmq.secretTLSName" -}} {{- define "rabbitmq.tlsSecretName" -}}
{{- if .Values.auth.tls.existingSecret -}} {{- if .Values.auth.tls.existingSecret -}}
{{- printf "%s" .Values.auth.tls.existingSecret -}} {{- printf "%s" .Values.auth.tls.existingSecret -}}
{{- else -}} {{- else -}}
@@ -92,6 +92,15 @@ Get the TLS secret.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Return true if a TLS credentials secret object should be created
*/}}
{{- define "rabbitmq.createTlsSecret" -}}
{{- if and .Values.auth.tls.enabled (not .Values.auth.tls.existingSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/* {{/*
Return the proper RabbitMQ plugin list Return the proper RabbitMQ plugin list
*/}} */}}
@@ -150,6 +159,7 @@ Compile all warnings into a single message, and call fail.
{{- $messages := append $messages (include "rabbitmq.validateValues.ldap" .) -}} {{- $messages := append $messages (include "rabbitmq.validateValues.ldap" .) -}}
{{- $messages := append $messages (include "rabbitmq.validateValues.memoryHighWatermark" .) -}} {{- $messages := append $messages (include "rabbitmq.validateValues.memoryHighWatermark" .) -}}
{{- $messages := append $messages (include "rabbitmq.validateValues.ingress.tls" .) -}} {{- $messages := append $messages (include "rabbitmq.validateValues.ingress.tls" .) -}}
{{- $messages := append $messages (include "rabbitmq.validateValues.auth.tls" .) -}}
{{- $messages := without $messages "" -}} {{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}} {{- $message := join "\n" $messages -}}
@@ -221,3 +231,17 @@ rabbitmq: ingress.tls
- Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true` - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/*
Validate values of RabbitMQ - Auth TLS enabled
*/}}
{{- define "rabbitmq.validateValues.auth.tls" -}}
{{- if and .Values.auth.tls.enabled (not .Values.auth.tls.autoGenerated) (not .Values.auth.tls.existingSecret) (not .Values.auth.tls.caCertificate) (not .Values.auth.tls.serverCertificate) (not .Values.auth.tls.serverKey) }}
rabbitmq: auth.tls
You enabled TLS for RabbitMQ but you did not enable any of the available mechanisms to create the TLS secret.
Please use any of these alternatives:
- Provide an existing secret containing the TLS certificates using `auth.tls.existingSecret`
- Provide the plain text certificates using `auth.tls.caCertificate`, `auth.tls.serverCertificate` and `auth.tls.serverKey`.
- Enable auto-generated certificates using `auth.tls.autoGenerated`.
{{- end -}}
{{- end -}}

19
bitnami/rabbitmq/templates/certs.yaml
View File

@@ -1,19 +0,0 @@
{{- if and .Values.auth.tls.enabled (not .Values.auth.tls.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "rabbitmq.fullname" . }}-certs
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
ca.crt:
{{ required "A valid .Values.auth.tls.caCertificate entry required!" .Values.auth.tls.caCertificate | b64enc | quote }}
tls.crt:
{{ required "A valid .Values.auth.tls.serverCertificate entry required!" .Values.auth.tls.serverCertificate| b64enc | quote }}
tls.key:
{{ required "A valid .Values.auth.tls.serverKey entry required!" .Values.auth.tls.serverKey | b64enc | quote }}
{{- end }}

5
bitnami/rabbitmq/templates/statefulset.yaml
View File

@@ -35,9 +35,6 @@ spec:
{{- if or (not .Values.auth.existingErlangSecret) (not .Values.auth.existingPasswordSecret) .Values.extraSecrets }} {{- if or (not .Values.auth.existingErlangSecret) (not .Values.auth.existingPasswordSecret) .Values.extraSecrets }}
checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }} {{- end }}
{{- if and .Values.auth.tls.enabled (not .Values.auth.tls.existingSecret) }}
checksum/secret-cert: {{ include (print $.Template.BasePath "/certs.yaml") . | sha256sum }}
{{- end }}
{{- if or .Values.podAnnotations .Values.metrics.enabled }} {{- if or .Values.podAnnotations .Values.metrics.enabled }}
{{- include "rabbitmq.podAnnotations" . | nindent 8 }} {{- include "rabbitmq.podAnnotations" . | nindent 8 }}
{{- end }} {{- end }}
@@ -318,7 +315,7 @@ spec:
{{- if .Values.auth.tls.enabled }} {{- if .Values.auth.tls.enabled }}
- name: certs - name: certs
secret: secret:
secretName: {{ template "rabbitmq.secretTLSName" . }} secretName: {{ template "rabbitmq.tlsSecretName" . }}
items: items:
- key: {{ ternary "tls.crt" "ca.crt" .Values.auth.tls.existingSecretFullChain }} - key: {{ ternary "tls.crt" "ca.crt" .Values.auth.tls.existingSecretFullChain }}
path: ca_certificate.pem path: ca_certificate.pem

30
bitnami/rabbitmq/templates/tls-secrets.yaml
View File

@@ -40,5 +40,35 @@ data:
tls.crt: {{ $cert.Cert | b64enc | quote }} tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }} tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }} ca.crt: {{ $ca.Cert | b64enc | quote }}
---
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if (include "rabbitmq.createTlsSecret" . )}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "rabbitmq.fullname" . }}-certs
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
{{- if or (not .Values.auth.tls.autoGenerated ) (and .Values.auth.tls.caCertificate .Values.auth.tls.serverCertificate .Values.auth.tls.serverKey) }}
ca.crt: {{ required "A valid .Values.auth.tls.caCertificate entry required!" .Values.auth.tls.caCertificate | b64enc | quote }}
tls.crt: {{ required "A valid .Values.auth.tls.serverCertificate entry required!" .Values.auth.tls.serverCertificate| b64enc | quote }}
tls.key: {{ required "A valid .Values.auth.tls.serverKey entry required!" .Values.auth.tls.serverKey | b64enc | quote }}
{{- else }}
{{- $ca := genCA "rabbitmq-internal-ca" 365 }}
{{- $fullname := include "rabbitmq.fullname" . }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $serviceName := include "rabbitmq.fullname" . }}
{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) $fullname }}
{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $crt.Cert | b64enc | quote }}
tls.key: {{ $crt.Key | b64enc | quote }}
{{- end }}
{{- end }}

1
bitnami/rabbitmq/values.yaml
View File

@@ -81,6 +81,7 @@ auth:
## ##
tls: tls:
enabled: false enabled: false
autoGenerated: false
failIfNoPeerCert: true failIfNoPeerCert: true
sslOptionsVerify: verify_peer sslOptionsVerify: verify_peer
caCertificate: |- caCertificate: |-