Add spec.tls.disableNonTLSListeners property

- set to true to disable non TLS listeners for rmq core and enabled
  plugins (stomp, mqtt, web_stomp and web_mqtt)
- can only configure to true if TLS is enabled

Author: ChunyiLyu

Diff for: api/v1beta1/rabbitmqcluster_types.go

@@ -241,6 +241,9 @@ type TLSSpec struct {
 	// The Secret must store this as ca.crt.
 	// Used for mTLS, and TLS for rabbitmq_web_stomp and rabbitmq_web_mqtt.
 	CaSecretName string `json:"caSecretName,omitempty"`
+	// When set to true, the RabbitmqCluster disables non-TLS listeners for RabbitMQ and for any enabled plugins in the following list: stomp, mqtt, web_stomp, web_mqtt.
+	// Only TLS-enabled clients will be able to connect.
+	DisableNonTLSListeners bool `json:"disableNonTLSListeners,omitempty"`
 }
 
 // kubebuilder validating tags 'Pattern' and 'MaxLength' must be specified on string type.
@@ -325,6 +328,10 @@ func (cluster *RabbitmqCluster) SingleTLSSecret() bool {
 	return cluster.MutualTLSEnabled() && cluster.Spec.TLS.CaSecretName == cluster.Spec.TLS.SecretName
 }
 
+func (cluster *RabbitmqCluster) DisableNonTLSListeners() bool {
+	return cluster.Spec.TLS.DisableNonTLSListeners
+}
+
 func (cluster *RabbitmqCluster) AdditionalPluginEnabled(plugin Plugin) bool {
 	for _, p := range cluster.Spec.Rabbitmq.AdditionalPlugins {
 		if p == plugin {

Diff for: config/crd/bases/rabbitmq.com_rabbitmqclusters.yaml

@@ -106,11 +106,8 @@ func (r *RabbitmqClusterReconciler) Reconcile(req ctrl.Request) (ctrl.Result, er
 		return ctrl.Result{}, err
 	}
 
-	// TLS: check if specified, and if secret exists
-	if rabbitmqCluster.TLSEnabled() {
-		if result, err := r.checkTLSSecrets(ctx, rabbitmqCluster); err != nil {
-			return result, err
-		}
+	if err := r.reconcileTLS(ctx, rabbitmqCluster); err != nil {
+		return ctrl.Result{}, err
 	}
 
 	childResources, err := r.getChildResources(ctx, *rabbitmqCluster)

Diff for: controllers/rabbitmqcluster_controller.go

@@ -8,10 +8,25 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
-	ctrl "sigs.k8s.io/controller-runtime"
 )
 
-func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitmqCluster *rabbitmqv1beta1.RabbitmqCluster) (ctrl.Result, error) {
+func (r *RabbitmqClusterReconciler) reconcileTLS(ctx context.Context, rabbitmqCluster *rabbitmqv1beta1.RabbitmqCluster) error {
+	if rabbitmqCluster.DisableNonTLSListeners() && !rabbitmqCluster.TLSEnabled() {
+		err := errors.NewBadRequest("TLS must be enabled if disableNonTLSListeners is set to true")
+		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
+		r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
+		return err
+	}
+
+	if rabbitmqCluster.TLSEnabled() {
+		if err := r.checkTLSSecrets(ctx, rabbitmqCluster); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitmqCluster *rabbitmqv1beta1.RabbitmqCluster) error {
 	secretName := rabbitmqCluster.Spec.TLS.SecretName
 	r.Log.Info("TLS enabled, looking for secret", "secret", secretName, "namespace", rabbitmqCluster.Namespace)
 
@@ -21,7 +36,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 			fmt.Sprintf("Failed to get TLS secret %s in namespace %s: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 		r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-		return ctrl.Result{}, err
+		return err
 	}
 	// check if secret has the right keys
 	_, hasTLSKey := secret.Data["tls.key"]
@@ -30,7 +45,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 		err := errors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the fields tls.crt and tls.key", secretName, rabbitmqCluster.Namespace))
 		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
 		r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-		return ctrl.Result{}, err
+		return err
 	}
 
 	// Mutual TLS: check if CA certificate is stored in a separate secret
@@ -45,7 +60,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 				r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 					fmt.Sprintf("Failed to get CA certificate secret %v in namespace %v: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 				r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-				return ctrl.Result{}, err
+				return err
 			}
 		}
 
@@ -54,8 +69,8 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 			err := errors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the field ca.crt", rabbitmqCluster.Spec.TLS.CaSecretName, rabbitmqCluster.Namespace))
 			r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
 			r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-			return ctrl.Result{}, err
+			return err
 		}
 	}
-	return ctrl.Result{}, nil
+	return nil
 }

Diff for: controllers/reconcile_tls.go

@@ -201,6 +201,20 @@ var _ = Describe("Reconcile TLS", func() {
 			})
 		})
 	})
+
+	When("DiableNonTLSListeners set to true", func() {
+		It("errors and logs TLSError when TLS is not enabled", func() {
+			tlsSpec := rabbitmqv1beta1.TLSSpec{
+				DisableNonTLSListeners: true,
+			}
+			cluster = rabbitmqClusterWithTLS(ctx, "rabbitmq-disablenontlslisteners", defaultNamespace, tlsSpec)
+
+			verifyTLSErrorEvents(ctx, cluster, "TLS must be enabled if disableNonTLSListeners is set to true")
+
+			_, err := clientSet.AppsV1().StatefulSets(cluster.Namespace).Get(ctx, cluster.ChildResourceName("server"), metav1.GetOptions{})
+			Expect(err).To(HaveOccurred())
+		})
+	})
 })
 
 func tlsSecretWithCACert(ctx context.Context, secretName, namespace string) {

Diff for: controllers/reconcile_tls_test.go

@@ -89,15 +89,30 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {
 		if err := cfg.Append([]byte(defaultTLSConf)); err != nil {
 			return err
 		}
+		if builder.Instance.DisableNonTLSListeners() {
+			if _, err := defaultSection.NewKey("listeners.tcp", "none"); err != nil {
+				return err
+			}
+		}
 		if builder.Instance.AdditionalPluginEnabled("rabbitmq_mqtt") {
 			if _, err := defaultSection.NewKey("mqtt.listeners.ssl.default", "8883"); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("mqtt.listeners.tcp", "none"); err != nil {
+					return err
+				}
+			}
 		}
 		if builder.Instance.AdditionalPluginEnabled("rabbitmq_stomp") {
 			if _, err := defaultSection.NewKey("stomp.listeners.ssl.1", "61614"); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("stomp.listeners.tcp", "none"); err != nil {
+					return err
+				}
+			}
 		}
 	}
 
@@ -125,6 +140,11 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {
 			if _, err := defaultSection.NewKey("web_mqtt.ssl.keyfile", tlsKeyPath); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("web_mqtt.tcp.listener", "none"); err != nil {
+					return err
+				}
+			}
 		}
 		if builder.Instance.AdditionalPluginEnabled("rabbitmq_web_stomp") {
 			if _, err := defaultSection.NewKey("web_stomp.ssl.port", "15673"); err != nil {
@@ -139,6 +159,11 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {
 			if _, err := defaultSection.NewKey("web_stomp.ssl.keyfile", tlsKeyPath); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("web_stomp.tcp.listener", "none"); err != nil {
+					return err
+				}
+			}
 		}
 	}
 

Diff for: internal/resource/configmap.go

@@ -401,6 +401,128 @@ management.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
 			})
 		})
 
+		When("DisableNonTLSListeners is set to true", func() {
+			It("disables non tls listeners in rabbitmq.conf", func() {
+				instance = rabbitmqv1beta1.RabbitmqCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "rabbit-tls",
+					},
+					Spec: rabbitmqv1beta1.RabbitmqClusterSpec{
+						TLS: rabbitmqv1beta1.TLSSpec{
+							SecretName:             "some-secret",
+							DisableNonTLSListeners: true,
+						},
+					},
+				}
+
+				expectedRabbitmqConf := iniString(defaultRabbitmqConf(builder.Instance.Name) + `
+ssl_options.certfile  = /etc/rabbitmq-tls/tls.crt
+ssl_options.keyfile   = /etc/rabbitmq-tls/tls.key
+listeners.ssl.default = 5671
+
+management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+management.ssl.port       = 15671
+
+listeners.tcp = none
+`)
+
+				Expect(configMapBuilder.Update(configMap)).To(Succeed())
+				Expect(configMap.Data).To(HaveKeyWithValue("rabbitmq.conf", expectedRabbitmqConf))
+			})
+
+			It("disables non tls listeners for mqtt and stomp when enabled", func() {
+				instance = rabbitmqv1beta1.RabbitmqCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "rabbit-tls",
+					},
+					Spec: rabbitmqv1beta1.RabbitmqClusterSpec{
+						TLS: rabbitmqv1beta1.TLSSpec{
+							SecretName:             "some-secret",
+							DisableNonTLSListeners: true,
+						},
+						Rabbitmq: rabbitmqv1beta1.RabbitmqClusterConfigurationSpec{
+							AdditionalPlugins: []rabbitmqv1beta1.Plugin{
+								"rabbitmq_mqtt",
+								"rabbitmq_stomp",
+							},
+						},
+					},
+				}
+
+				expectedRabbitmqConf := iniString(defaultRabbitmqConf(builder.Instance.Name) + `
+ssl_options.certfile   = /etc/rabbitmq-tls/tls.crt
+ssl_options.keyfile    = /etc/rabbitmq-tls/tls.key
+listeners.ssl.default  = 5671
+
+management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+management.ssl.port       = 15671
+listeners.tcp = none
+
+mqtt.listeners.ssl.default = 8883
+mqtt.listeners.tcp   = none
+
+stomp.listeners.ssl.1 = 61614
+stomp.listeners.tcp   = none
+			`)
+
+				Expect(configMapBuilder.Update(configMap)).To(Succeed())
+				Expect(configMap.Data).To(HaveKeyWithValue("rabbitmq.conf", expectedRabbitmqConf))
+			})
+
+			It("disables non tls listeners for web mqtt and web stomp when enabled", func() {
+				instance = rabbitmqv1beta1.RabbitmqCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "rabbit-tls",
+					},
+					Spec: rabbitmqv1beta1.RabbitmqClusterSpec{
+						TLS: rabbitmqv1beta1.TLSSpec{
+							SecretName:             "some-secret",
+							CaSecretName:           "some-mutual-secret",
+							DisableNonTLSListeners: true,
+						},
+						Rabbitmq: rabbitmqv1beta1.RabbitmqClusterConfigurationSpec{
+							AdditionalPlugins: []rabbitmqv1beta1.Plugin{
+								"rabbitmq_web_mqtt",
+								"rabbitmq_web_stomp",
+							},
+						},
+					},
+				}
+
+				expectedRabbitmqConf := iniString(defaultRabbitmqConf(builder.Instance.Name) + `
+ssl_options.certfile   = /etc/rabbitmq-tls/tls.crt
+ssl_options.keyfile    = /etc/rabbitmq-tls/tls.key
+listeners.ssl.default  = 5671
+
+management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+management.ssl.port       = 15671
+listeners.tcp = none
+
+ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt
+ssl_options.verify     = verify_peer
+management.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
+
+web_mqtt.ssl.port       = 15676
+web_mqtt.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
+web_mqtt.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+web_mqtt.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+web_mqtt.tcp.listener = none
+
+web_stomp.ssl.port       = 15673
+web_stomp.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
+web_stomp.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+web_stomp.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+web_stomp.tcp.listener = none
+			`)
+
+				Expect(configMapBuilder.Update(configMap)).To(Succeed())
+				Expect(configMap.Data).To(HaveKeyWithValue("rabbitmq.conf", expectedRabbitmqConf))
+			})
+		})
+
 		Context("Memory Limits", func() {
 			It("sets a RabbitMQ memory limit with headroom when memory limits are specified", func() {
 				const GiB int64 = 1073741824

Diff for: internal/resource/configmap_test.go

@@ -109,7 +109,65 @@ func applySvcOverride(svc *corev1.Service, override *rabbitmqv1beta1.Service) er
 	return nil
 }
 
-func (builder *ServiceBuilder) updatePorts(servicePorts []corev1.ServicePort) []corev1.ServicePort {
+func (builder *ServiceBuilder) generateServicePortsMapOnlyTLSListeners() map[string]corev1.ServicePort {
+	servicePortsMap := map[string]corev1.ServicePort{
+		"amqps": {
+			Protocol:   corev1.ProtocolTCP,
+			Port:       5671,
+			TargetPort: intstr.FromInt(5671),
+			Name:       "amqps",
+		},
+		"management-tls": {
+			Protocol:   corev1.ProtocolTCP,
+			Port:       15671,
+			TargetPort: intstr.FromInt(15671),
+			Name:       "management-tls",
+		},
+	}
+
+	if builder.Instance.AdditionalPluginEnabled("rabbitmq_stomp") {
+		servicePortsMap["stomps"] = corev1.ServicePort{
+			Protocol:   corev1.ProtocolTCP,
+			Port:       61614,
+			Name:       "stomps",
+			TargetPort: intstr.FromInt(61614),
+		}
+	}
+	if builder.Instance.AdditionalPluginEnabled("rabbitmq_mqtt") {
+		servicePortsMap["mqtts"] = corev1.ServicePort{
+			Protocol:   corev1.ProtocolTCP,
+			Port:       8883,
+			Name:       "mqtts",
+			TargetPort: intstr.FromInt(8883),
+		}
+	}
+
+	if builder.Instance.MutualTLSEnabled() {
+		if builder.Instance.AdditionalPluginEnabled("rabbitmq_web_stomp") {
+			servicePortsMap["web-stomp-tls"] = corev1.ServicePort{
+				Protocol:   corev1.ProtocolTCP,
+				Port:       15673,
+				Name:       "web-stomp-tls",
+				TargetPort: intstr.FromInt(15673),
+			}
+		}
+		if builder.Instance.AdditionalPluginEnabled("rabbitmq_web_mqtt") {
+			servicePortsMap["web-mqtt-tls"] = corev1.ServicePort{
+				Protocol:   corev1.ProtocolTCP,
+				Port:       15676,
+				Name:       "web-mqtt-tls",
+				TargetPort: intstr.FromInt(15676),
+			}
+		}
+	}
+	return servicePortsMap
+}
+
+func (builder *ServiceBuilder) generateServicePortsMap() map[string]corev1.ServicePort {
+	if builder.Instance.DisableNonTLSListeners() {
+		return builder.generateServicePortsMapOnlyTLSListeners()
+	}
+
 	servicePortsMap := map[string]corev1.ServicePort{
 		"amqp": {
 			Protocol:   corev1.ProtocolTCP,
@@ -204,7 +262,11 @@ func (builder *ServiceBuilder) updatePorts(servicePorts []corev1.ServicePort) []
 			}
 		}
 	}
+	return servicePortsMap
+}
 
+func (builder *ServiceBuilder) updatePorts(servicePorts []corev1.ServicePort) []corev1.ServicePort {
+	servicePortsMap := builder.generateServicePortsMap()
 	var updatedServicePorts []corev1.ServicePort
 
 	for _, servicePort := range servicePorts {
@@ -221,7 +283,6 @@ func (builder *ServiceBuilder) updatePorts(servicePorts []corev1.ServicePort) []
 	}
 
 	return updatedServicePorts
-
 }
 
 func (builder *ServiceBuilder) setAnnotations(service *corev1.Service) {