Configure default user/password through conf.d

coro · coro · commit c39b8208f365 · 2020-09-16T16:15:23.000Z
This commit stops the operator configuring the default username and
password for the cluster through environment variables. Instead, these
credentials are configured through `/etc/rabbitmq/conf.d/`. This is for
two reasons:

* RabbitMQ is moving away from configuration via env vars
* The operator should not be coupled to functionality in the entrypoint script in the docker-library/rabbitmq Docker image, as this prevents other RabbitMQ images being used

This effectively removes support for RabbitMQ images pre 3.8.4, where
the ability to configure RabbitMQ via sysctl-style `*.conf` files in
the conf.d directory.
diff --git a/controllers/rabbitmqcluster_controller_test.go b/controllers/rabbitmqcluster_controller_test.go
@@ -1218,19 +1218,15 @@ var _ = Describe("RabbitmqclusterController", func() {
 					},
 				},
 				corev1.Volume{
-					Name: "rabbitmq-admin",
+					Name: "rabbitmq-confd",
 					VolumeSource: corev1.VolumeSource{
 						Secret: &corev1.SecretVolumeSource{
 							DefaultMode: &defaultMode,
 							SecretName:  "rabbitmq-sts-override-rabbitmq-admin",
 							Items: []corev1.KeyToPath{
 								{
-									Key:  "username",
-									Path: "username",
-								},
-								{
-									Key:  "password",
-									Path: "password",
+									Key:  "default_user.conf",
+									Path: "default_user.conf",
 								},
 							},
 						},
diff --git a/internal/resource/admin_secret.go b/internal/resource/admin_secret.go
@@ -10,8 +10,12 @@
 package resource
 
 import (
+	"bytes"
+	"encoding/base64"
+
 	rabbitmqv1beta1 "github.com/rabbitmq/cluster-operator/api/v1beta1"
 	"github.com/rabbitmq/cluster-operator/internal/metadata"
+	"gopkg.in/ini.v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +35,31 @@ func (builder *RabbitmqResourceBuilder) AdminSecret() *AdminSecretBuilder {
 	}
 }
 
+func generateDefaultUserConf(username, password []byte) ([]byte, error) {
+
+	ini.PrettySection = false // Remove trailing new line because default_user.conf has only a default section.
+	cfg, err := ini.Load([]byte{})
+	if err != nil {
+		return nil, err
+	}
+	defaultSection := cfg.Section("")
+
+	if _, err := defaultSection.NewKey("default_user", string(username)); err != nil {
+		return nil, err
+	}
+
+	if _, err := defaultSection.NewKey("default_pass", string(password)); err != nil {
+		return nil, err
+	}
+
+	var userConfBuffer bytes.Buffer
+	if cfg.WriteTo(&userConfBuffer); err != nil {
+		return nil, err
+	}
+
+	return userConfBuffer.Bytes(), nil
+}
+
 func (builder *AdminSecretBuilder) UpdateRequiresStsRestart() bool {
 	return false
 }
@@ -43,12 +72,17 @@ func (builder *AdminSecretBuilder) Update(object runtime.Object) error {
 }
 
 func (builder *AdminSecretBuilder) Build() (runtime.Object, error) {
-	username, err := randomEncodedString(24)
+	username, err := randomBytes(24)
+	if err != nil {
+		return nil, err
+	}
+
+	password, err := randomBytes(24)
 	if err != nil {
 		return nil, err
 	}
 
-	password, err := randomEncodedString(24)
+	defaultUserConf, err := generateDefaultUserConf(username, password)
 	if err != nil {
 		return nil, err
 	}
@@ -60,8 +94,9 @@ func (builder *AdminSecretBuilder) Build() (runtime.Object, error) {
 		},
 		Type: corev1.SecretTypeOpaque,
 		Data: map[string][]byte{
-			"username": []byte(username),
-			"password": []byte(password),
+			"username":          []byte(base64.URLEncoding.EncodeToString(username)),
+			"password":          []byte(base64.URLEncoding.EncodeToString(password)),
+			"default_user.conf": []byte(base64.URLEncoding.EncodeToString(defaultUserConf)),
 		},
 	}, nil
 }
diff --git a/internal/resource/admin_secret_test.go b/internal/resource/admin_secret_test.go
@@ -12,6 +12,7 @@ package resource_test
 import (
 	b64 "encoding/base64"
 
+	"gopkg.in/ini.v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -44,41 +45,62 @@ var _ = Describe("AdminSecret", func() {
 	})
 
 	Context("Build with defaults", func() {
-		BeforeEach(func() {
+		It("creates the necessary admin secret", func() {
+			var decodedUsername []byte
+			var decodedPassword []byte
+			var err error
+
 			obj, err := adminSecretBuilder.Build()
 			Expect(err).NotTo(HaveOccurred())
 			secret = obj.(*corev1.Secret)
-		})
 
-		It("creates the secret with correct name and namespace", func() {
-			Expect(secret.Name).To(Equal(instance.ChildResourceName("admin")))
-			Expect(secret.Namespace).To(Equal("a namespace"))
-		})
+			By("creating the secret with correct name and namespace", func() {
+				Expect(secret.Name).To(Equal(instance.ChildResourceName("admin")))
+				Expect(secret.Namespace).To(Equal("a namespace"))
+			})
 
-		It("creates a 'opaque' secret ", func() {
-			Expect(secret.Type).To(Equal(corev1.SecretTypeOpaque))
-		})
+			By("creating a 'opaque' secret ", func() {
+				Expect(secret.Type).To(Equal(corev1.SecretTypeOpaque))
+			})
 
-		It("creates a rabbitmq username that is base64 encoded and 24 characters in length", func() {
-			username, ok := secret.Data["username"]
-			Expect(ok).NotTo(BeFalse())
-			decodedUsername, err := b64.URLEncoding.DecodeString(string(username))
-			Expect(err).NotTo(HaveOccurred())
-			Expect(len(decodedUsername)).To(Equal(24))
+			By("creating a rabbitmq username that is base64 encoded and 24 characters in length", func() {
+				username, ok := secret.Data["username"]
+				Expect(ok).NotTo(BeFalse())
+				decodedUsername, err = b64.URLEncoding.DecodeString(string(username))
+				Expect(err).NotTo(HaveOccurred())
+				Expect(len(decodedUsername)).To(Equal(24))
 
-		})
+			})
 
-		It("creates a rabbitmq password that is base64 encoded and 24 characters in length", func() {
-			password, ok := secret.Data["password"]
-			Expect(ok).NotTo(BeFalse())
-			decodedPassword, err := b64.URLEncoding.DecodeString(string(password))
-			Expect(err).NotTo(HaveOccurred())
-			Expect(len(decodedPassword)).To(Equal(24))
+			By("creating a rabbitmq password that is base64 encoded and 24 characters in length", func() {
+				password, ok := secret.Data["password"]
+				Expect(ok).NotTo(BeFalse())
+				decodedPassword, err = b64.URLEncoding.DecodeString(string(password))
+				Expect(err).NotTo(HaveOccurred())
+				Expect(len(decodedPassword)).To(Equal(24))
+			})
+
+			By("creating a default_user.conf file that contains the correct sysctl config format to be parsed by RabbitMQ", func() {
+				defaultUserConf, ok := secret.Data["default_user.conf"]
+				Expect(ok).NotTo(BeFalse())
+
+				decodedDefaultUserConf, err := b64.URLEncoding.DecodeString(string(defaultUserConf))
+				Expect(err).NotTo(HaveOccurred())
+
+				cfg, err := ini.Load(decodedDefaultUserConf)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(cfg.Section("").HasKey("default_user")).To(BeTrue())
+				Expect(cfg.Section("").HasKey("default_pass")).To(BeTrue())
+
+				Expect(cfg.Section("").Key("default_user").Value()).To(Equal(string(decodedUsername)))
+				Expect(cfg.Section("").Key("default_pass").Value()).To(Equal(string(decodedPassword)))
+			})
 		})
 	})
 
 	Context("Update with instance labels", func() {
-		BeforeEach(func() {
+		It("Updates the secret", func() {
 			instance = rabbitmqv1beta1.RabbitmqCluster{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "rabbit-labelled",
@@ -102,26 +124,26 @@ var _ = Describe("AdminSecret", func() {
 			}
 			err := adminSecretBuilder.Update(secret)
 			Expect(err).NotTo(HaveOccurred())
-		})
 
-		It("adds new labels from the CR", func() {
-			testLabels(secret.Labels)
-		})
+			By("adding new labels from the CR", func() {
+				testLabels(secret.Labels)
+			})
 
-		It("restores the default labels", func() {
-			labels := secret.Labels
-			Expect(labels["app.kubernetes.io/name"]).To(Equal(instance.Name))
-			Expect(labels["app.kubernetes.io/component"]).To(Equal("rabbitmq"))
-			Expect(labels["app.kubernetes.io/part-of"]).To(Equal("rabbitmq"))
-		})
+			By("restoring the default labels", func() {
+				labels := secret.Labels
+				Expect(labels["app.kubernetes.io/name"]).To(Equal(instance.Name))
+				Expect(labels["app.kubernetes.io/component"]).To(Equal("rabbitmq"))
+				Expect(labels["app.kubernetes.io/part-of"]).To(Equal("rabbitmq"))
+			})
 
-		It("deletes the labels that are removed from the CR", func() {
-			Expect(secret.Labels).NotTo(HaveKey("this-was-the-previous-label"))
+			By("deleting the labels that are removed from the CR", func() {
+				Expect(secret.Labels).NotTo(HaveKey("this-was-the-previous-label"))
+			})
 		})
 	})
 
 	Context("Update with instance annotations", func() {
-		BeforeEach(func() {
+		It("updates the secret with the annotations", func() {
 			instance = rabbitmqv1beta1.RabbitmqCluster{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "rabbit-labelled",
@@ -150,19 +172,19 @@ var _ = Describe("AdminSecret", func() {
 			}
 			err := adminSecretBuilder.Update(secret)
 			Expect(err).NotTo(HaveOccurred())
-		})
-
-		It("updates secret annotations on admin secret", func() {
-			expectedAnnotations := map[string]string{
-				"my-annotation":                 "i-like-this",
-				"i-was-here-already":            "please-dont-delete-me",
-				"im-here-to-stay.kubernetes.io": "for-a-while",
-				"kubernetes.io/name":            "should-stay",
-				"kubectl.kubernetes.io/name":    "should-stay",
-				"k8s.io/name":                   "should-stay",
-			}
 
-			Expect(secret.Annotations).To(Equal(expectedAnnotations))
+			By("updating secret annotations on admin secret", func() {
+				expectedAnnotations := map[string]string{
+					"my-annotation":                 "i-like-this",
+					"i-was-here-already":            "please-dont-delete-me",
+					"im-here-to-stay.kubernetes.io": "for-a-while",
+					"kubernetes.io/name":            "should-stay",
+					"kubectl.kubernetes.io/name":    "should-stay",
+					"k8s.io/name":                   "should-stay",
+				}
+
+				Expect(secret.Annotations).To(Equal(expectedAnnotations))
+			})
 		})
 	})
 })
diff --git a/internal/resource/erlang_cookie.go b/internal/resource/erlang_cookie.go
@@ -63,10 +63,18 @@ func (builder *ErlangCookieBuilder) Update(object runtime.Object) error {
 	return nil
 }
 
-func randomEncodedString(dataLen int) (string, error) {
+func randomBytes(dataLen int) ([]byte, error) {
 	randomBytes := make([]byte, dataLen)
 	if _, err := rand.Read(randomBytes); err != nil {
+		return nil, err
+	}
+	return randomBytes, nil
+}
+
+func randomEncodedString(dataLen int) (string, error) {
+	generatedBytes, err := randomBytes(dataLen)
+	if err != nil {
 		return "", err
 	}
-	return base64.URLEncoding.EncodeToString(randomBytes), nil
+	return base64.URLEncoding.EncodeToString(generatedBytes), nil
 }
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
@@ -258,24 +258,6 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 	terminationGracePeriod := defaultGracePeriodTimeoutSeconds
 
 	volumes := []corev1.Volume{
-		{
-			Name: "rabbitmq-admin",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: builder.Instance.ChildResourceName(AdminSecretName),
-					Items: []corev1.KeyToPath{
-						{
-							Key:  "username",
-							Path: "username",
-						},
-						{
-							Key:  "password",
-							Path: "password",
-						},
-					},
-				},
-			},
-		},
 		{
 			Name: "server-conf",
 			VolumeSource: corev1.VolumeSource{
@@ -302,6 +284,20 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		},
+		{
+			Name: "rabbitmq-confd",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: builder.Instance.ChildResourceName(AdminSecretName),
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "default_user.conf",
+							Path: "default_user.conf",
+						},
+					},
+				},
+			},
+		},
 		{
 			Name: "rabbitmq-erlang-cookie",
 			VolumeSource: corev1.VolumeSource{
@@ -378,10 +374,6 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 	}
 
 	rabbitmqContainerVolumeMounts := []corev1.VolumeMount{
-		{
-			Name:      "rabbitmq-admin",
-			MountPath: "/opt/rabbitmq-secret/",
-		},
 		{
 			Name:      "persistence",
 			MountPath: "/var/lib/rabbitmq/mnesia/",
@@ -390,6 +382,10 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 			Name:      "rabbitmq-etc",
 			MountPath: "/etc/rabbitmq/",
 		},
+		{
+			Name:      "rabbitmq-confd",
+			MountPath: "/etc/rabbitmq/conf.d/",
+		},
 		{
 			Name:      "rabbitmq-erlang-cookie",
 			MountPath: "/var/lib/rabbitmq/",
@@ -509,6 +505,8 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 							"&& chown 999:999 /etc/rabbitmq/advanced.config ; " +
 							"cp /tmp/rabbitmq/rabbitmq-env.conf /etc/rabbitmq/rabbitmq-env.conf " +
 							"&& chown 999:999 /etc/rabbitmq/rabbitmq-env.conf ; " +
+							"cp /tmp/rabbitmq-admin/default_user.conf /etc/rabbitmq/conf.d/default_user.conf " +
+							"&& chown 999:999 /etc/rabbitmq/conf.d/*.conf ; " +
 							"cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +
 							"&& chown 999:999 /var/lib/rabbitmq/.erlang.cookie " +
 							"&& chmod 600 /var/lib/rabbitmq/.erlang.cookie ; " +
@@ -535,10 +533,18 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 							Name:      "plugins-conf",
 							MountPath: "/tmp/rabbitmq-plugins/",
 						},
+						{
+							Name:      "rabbitmq-admin",
+							MountPath: "/tmp/rabbitmq-admin/",
+						},
 						{
 							Name:      "rabbitmq-etc",
 							MountPath: "/etc/rabbitmq/",
 						},
+						{
+							Name:      "rabbitmq-confd",
+							MountPath: "/etc/rabbitmq/conf.d/",
+						},
 						{
 							Name:      "rabbitmq-erlang-cookie",
 							MountPath: "/var/lib/rabbitmq/",
@@ -561,14 +567,6 @@ func (builder *StatefulSetBuilder) podTemplateSpec(annotations, labels map[strin
 					Resources: *builder.Instance.Spec.Resources,
 					Image:     builder.Instance.Spec.Image,
 					Env: []corev1.EnvVar{
-						{
-							Name:  "RABBITMQ_DEFAULT_PASS_FILE",
-							Value: "/opt/rabbitmq-secret/password",
-						},
-						{
-							Name:  "RABBITMQ_DEFAULT_USER_FILE",
-							Value: "/opt/rabbitmq-secret/username",
-						},
 						{
 							Name: "MY_POD_NAME",
 							ValueFrom: &corev1.EnvVarSource{
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
