rabbitmq
diff --git a/‎api/v1beta1/rabbitmqcluster_types.go
+7 b/‎api/v1beta1/rabbitmqcluster_types.go
+7
diff --git a/‎config/crd/bases/rabbitmq.com_rabbitmqclusters.yaml
+3,150-3,459 b/‎config/crd/bases/rabbitmq.com_rabbitmqclusters.yaml
+3,150-3,459
diff --git a/‎controllers/rabbitmqcluster_controller.go
+2-5 b/‎controllers/rabbitmqcluster_controller.go
+2-5
diff --git a/‎controllers/rabbitmqcluster_controller_test.go
+1-1 b/‎controllers/rabbitmqcluster_controller_test.go
+1-1
diff --git a/‎controllers/reconcile_tls.go
+22-7 b/‎controllers/reconcile_tls.go
+22-7
diff --git a/‎controllers/reconcile_tls_test.go
+14 b/‎controllers/reconcile_tls_test.go
+14
diff --git a/‎internal/resource/configmap.go
+25 b/‎internal/resource/configmap.go
+25
diff --git a/‎internal/resource/configmap_test.go
+122 b/‎internal/resource/configmap_test.go
+122
@@ -241,6 +241,9 @@ type TLSSpec struct {
 	// The Secret must store this as ca.crt.
 	// Used for mTLS, and TLS for rabbitmq_web_stomp and rabbitmq_web_mqtt.
 	CaSecretName string `json:"caSecretName,omitempty"`
+	// When set to true, the RabbitmqCluster disables non-TLS listeners for RabbitMQ and for any enabled plugins in the following list: stomp, mqtt, web_stomp, web_mqtt.
+	// Only TLS-enabled clients will be able to connect.
+	DisableNonTLSListeners bool `json:"disableNonTLSListeners,omitempty"`
 }
 
 // kubebuilder validating tags 'Pattern' and 'MaxLength' must be specified on string type.
@@ -325,6 +328,10 @@ func (cluster *RabbitmqCluster) SingleTLSSecret() bool {
 	return cluster.MutualTLSEnabled() && cluster.Spec.TLS.CaSecretName == cluster.Spec.TLS.SecretName
 }
 
+func (cluster *RabbitmqCluster) DisableNonTLSListeners() bool {
+	return cluster.Spec.TLS.DisableNonTLSListeners
+}
+
 func (cluster *RabbitmqCluster) AdditionalPluginEnabled(plugin Plugin) bool {
 	for _, p := range cluster.Spec.Rabbitmq.AdditionalPlugins {
 		if p == plugin {
 
@@ -106,11 +106,8 @@ func (r *RabbitmqClusterReconciler) Reconcile(req ctrl.Request) (ctrl.Result, er
 		return ctrl.Result{}, err
 	}
 
-	// TLS: check if specified, and if secret exists
-	if rabbitmqCluster.TLSEnabled() {
-		if result, err := r.checkTLSSecrets(ctx, rabbitmqCluster); err != nil {
-			return result, err
-		}
+	if err := r.reconcileTLS(ctx, rabbitmqCluster); err != nil {
+		return ctrl.Result{}, err
 	}
 
 	childResources, err := r.getChildResources(ctx, *rabbitmqCluster)
 
@@ -1067,7 +1067,7 @@ var _ = Describe("RabbitmqClusterController", func() {
 					TargetPort: amqpTargetPort,
 				},
 				corev1.ServicePort{
-					Name:       "http",
+					Name:       "management",
 					Port:       15672,
 					Protocol:   corev1.ProtocolTCP,
 					TargetPort: managementTargetPort,
 
@@ -8,10 +8,25 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
-	ctrl "sigs.k8s.io/controller-runtime"
 )
 
-func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitmqCluster *rabbitmqv1beta1.RabbitmqCluster) (ctrl.Result, error) {
+func (r *RabbitmqClusterReconciler) reconcileTLS(ctx context.Context, rabbitmqCluster *rabbitmqv1beta1.RabbitmqCluster) error {
+	if rabbitmqCluster.DisableNonTLSListeners() && !rabbitmqCluster.TLSEnabled() {
+		err := errors.NewBadRequest("TLS must be enabled if disableNonTLSListeners is set to true")
+		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
+		r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
+		return err
+	}
+
+	if rabbitmqCluster.TLSEnabled() {
+		if err := r.checkTLSSecrets(ctx, rabbitmqCluster); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitmqCluster *rabbitmqv1beta1.RabbitmqCluster) error {
 	secretName := rabbitmqCluster.Spec.TLS.SecretName
 	r.Log.Info("TLS enabled, looking for secret", "secret", secretName, "namespace", rabbitmqCluster.Namespace)
 
@@ -21,7 +36,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 			fmt.Sprintf("Failed to get TLS secret %s in namespace %s: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 		r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-		return ctrl.Result{}, err
+		return err
 	}
 	// check if secret has the right keys
 	_, hasTLSKey := secret.Data["tls.key"]
@@ -30,7 +45,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 		err := errors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the fields tls.crt and tls.key", secretName, rabbitmqCluster.Namespace))
 		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
 		r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-		return ctrl.Result{}, err
+		return err
 	}
 
 	// Mutual TLS: check if CA certificate is stored in a separate secret
@@ -45,7 +60,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 				r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 					fmt.Sprintf("Failed to get CA certificate secret %v in namespace %v: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 				r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-				return ctrl.Result{}, err
+				return err
 			}
 		}
 
@@ -54,8 +69,8 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 			err := errors.NewBadRequest(fmt.Sprintf("TLS secret %s in namespace %s does not have the field ca.crt", rabbitmqCluster.Spec.TLS.CaSecretName, rabbitmqCluster.Namespace))
 			r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError", err.Error())
 			r.Log.Error(err, "Error setting up TLS", "namespace", rabbitmqCluster.Namespace, "name", rabbitmqCluster.Name)
-			return ctrl.Result{}, err
+			return err
 		}
 	}
-	return ctrl.Result{}, nil
+	return nil
 }
@@ -201,6 +201,20 @@ var _ = Describe("Reconcile TLS", func() {
 			})
 		})
 	})
+
+	When("DiableNonTLSListeners set to true", func() {
+		It("errors and logs TLSError when TLS is not enabled", func() {
+			tlsSpec := rabbitmqv1beta1.TLSSpec{
+				DisableNonTLSListeners: true,
+			}
+			cluster = rabbitmqClusterWithTLS(ctx, "rabbitmq-disablenontlslisteners", defaultNamespace, tlsSpec)
+
+			verifyTLSErrorEvents(ctx, cluster, "TLS must be enabled if disableNonTLSListeners is set to true")
+
+			_, err := clientSet.AppsV1().StatefulSets(cluster.Namespace).Get(ctx, cluster.ChildResourceName("server"), metav1.GetOptions{})
+			Expect(err).To(HaveOccurred())
+		})
+	})
 })
 
 func tlsSecretWithCACert(ctx context.Context, secretName, namespace string) {
 
@@ -89,15 +89,30 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {
 		if err := cfg.Append([]byte(defaultTLSConf)); err != nil {
 			return err
 		}
+		if builder.Instance.DisableNonTLSListeners() {
+			if _, err := defaultSection.NewKey("listeners.tcp", "none"); err != nil {
+				return err
+			}
+		}
 		if builder.Instance.AdditionalPluginEnabled("rabbitmq_mqtt") {
 			if _, err := defaultSection.NewKey("mqtt.listeners.ssl.default", "8883"); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("mqtt.listeners.tcp", "none"); err != nil {
+					return err
+				}
+			}
 		}
 		if builder.Instance.AdditionalPluginEnabled("rabbitmq_stomp") {
 			if _, err := defaultSection.NewKey("stomp.listeners.ssl.1", "61614"); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("stomp.listeners.tcp", "none"); err != nil {
+					return err
+				}
+			}
 		}
 	}
 
@@ -125,6 +140,11 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {
 			if _, err := defaultSection.NewKey("web_mqtt.ssl.keyfile", tlsKeyPath); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("web_mqtt.tcp.listener", "none"); err != nil {
+					return err
+				}
+			}
 		}
 		if builder.Instance.AdditionalPluginEnabled("rabbitmq_web_stomp") {
 			if _, err := defaultSection.NewKey("web_stomp.ssl.port", "15673"); err != nil {
@@ -139,6 +159,11 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {
 			if _, err := defaultSection.NewKey("web_stomp.ssl.keyfile", tlsKeyPath); err != nil {
 				return err
 			}
+			if builder.Instance.DisableNonTLSListeners() {
+				if _, err := defaultSection.NewKey("web_stomp.tcp.listener", "none"); err != nil {
+					return err
+				}
+			}
 		}
 	}
 
 
@@ -401,6 +401,128 @@ management.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
 			})
 		})
 
+		When("DisableNonTLSListeners is set to true", func() {
+			It("disables non tls listeners in rabbitmq.conf", func() {
+				instance = rabbitmqv1beta1.RabbitmqCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "rabbit-tls",
+					},
+					Spec: rabbitmqv1beta1.RabbitmqClusterSpec{
+						TLS: rabbitmqv1beta1.TLSSpec{
+							SecretName:             "some-secret",
+							DisableNonTLSListeners: true,
+						},
+					},
+				}
+
+				expectedRabbitmqConf := iniString(defaultRabbitmqConf(builder.Instance.Name) + `
+ssl_options.certfile  = /etc/rabbitmq-tls/tls.crt
+ssl_options.keyfile   = /etc/rabbitmq-tls/tls.key
+listeners.ssl.default = 5671
+
+management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+management.ssl.port       = 15671
+
+listeners.tcp = none
+`)
+
+				Expect(configMapBuilder.Update(configMap)).To(Succeed())
+				Expect(configMap.Data).To(HaveKeyWithValue("rabbitmq.conf", expectedRabbitmqConf))
+			})
+
+			It("disables non tls listeners for mqtt and stomp when enabled", func() {
+				instance = rabbitmqv1beta1.RabbitmqCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "rabbit-tls",
+					},
+					Spec: rabbitmqv1beta1.RabbitmqClusterSpec{
+						TLS: rabbitmqv1beta1.TLSSpec{
+							SecretName:             "some-secret",
+							DisableNonTLSListeners: true,
+						},
+						Rabbitmq: rabbitmqv1beta1.RabbitmqClusterConfigurationSpec{
+							AdditionalPlugins: []rabbitmqv1beta1.Plugin{
+								"rabbitmq_mqtt",
+								"rabbitmq_stomp",
+							},
+						},
+					},
+				}
+
+				expectedRabbitmqConf := iniString(defaultRabbitmqConf(builder.Instance.Name) + `
+ssl_options.certfile   = /etc/rabbitmq-tls/tls.crt
+ssl_options.keyfile    = /etc/rabbitmq-tls/tls.key
+listeners.ssl.default  = 5671
+
+management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+management.ssl.port       = 15671
+listeners.tcp = none
+
+mqtt.listeners.ssl.default = 8883
+mqtt.listeners.tcp   = none
+
+stomp.listeners.ssl.1 = 61614
+stomp.listeners.tcp   = none
+			`)
+
+				Expect(configMapBuilder.Update(configMap)).To(Succeed())
+				Expect(configMap.Data).To(HaveKeyWithValue("rabbitmq.conf", expectedRabbitmqConf))
+			})
+
+			It("disables non tls listeners for web mqtt and web stomp when enabled", func() {
+				instance = rabbitmqv1beta1.RabbitmqCluster{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "rabbit-tls",
+					},
+					Spec: rabbitmqv1beta1.RabbitmqClusterSpec{
+						TLS: rabbitmqv1beta1.TLSSpec{
+							SecretName:             "some-secret",
+							CaSecretName:           "some-mutual-secret",
+							DisableNonTLSListeners: true,
+						},
+						Rabbitmq: rabbitmqv1beta1.RabbitmqClusterConfigurationSpec{
+							AdditionalPlugins: []rabbitmqv1beta1.Plugin{
+								"rabbitmq_web_mqtt",
+								"rabbitmq_web_stomp",
+							},
+						},
+					},
+				}
+
+				expectedRabbitmqConf := iniString(defaultRabbitmqConf(builder.Instance.Name) + `
+ssl_options.certfile   = /etc/rabbitmq-tls/tls.crt
+ssl_options.keyfile    = /etc/rabbitmq-tls/tls.key
+listeners.ssl.default  = 5671
+
+management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+management.ssl.port       = 15671
+listeners.tcp = none
+
+ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt
+ssl_options.verify     = verify_peer
+management.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
+
+web_mqtt.ssl.port       = 15676
+web_mqtt.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
+web_mqtt.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+web_mqtt.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+web_mqtt.tcp.listener = none
+
+web_stomp.ssl.port       = 15673
+web_stomp.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
+web_stomp.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
+web_stomp.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
+web_stomp.tcp.listener = none
+			`)
+
+				Expect(configMapBuilder.Update(configMap)).To(Succeed())
+				Expect(configMap.Data).To(HaveKeyWithValue("rabbitmq.conf", expectedRabbitmqConf))
+			})
+		})
+
 		Context("Memory Limits", func() {
 			It("sets a RabbitMQ memory limit with headroom when memory limits are specified", func() {
 				const GiB int64 = 1073741824
Original file line number	Diff line number	Diff line change
`@@ -106,11 +106,8 @@ func (r *RabbitmqClusterReconciler) Reconcile(req ctrl.Request) (ctrl.Result, er`
`106`	`106`	`return ctrl.Result{}, err`
`107`	`107`	`}`
`108`	`108`
`109`		`- // TLS: check if specified, and if secret exists`
`110`		`- if rabbitmqCluster.TLSEnabled() {`
`111`		`- if result, err := r.checkTLSSecrets(ctx, rabbitmqCluster); err != nil {`
`112`		`- return result, err`
`113`		`- }`
	`109`	`+ if err := r.reconcileTLS(ctx, rabbitmqCluster); err != nil {`
	`110`	`+ return ctrl.Result{}, err`
`114`	`111`	`}`
`115`	`112`
`116`	`113`	`childResources, err := r.getChildResources(ctx, *rabbitmqCluster)`
Original file line number	Diff line number	Diff line change
`@@ -89,15 +89,30 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {`
`89`	`89`	`if err := cfg.Append([]byte(defaultTLSConf)); err != nil {`
`90`	`90`	`return err`
`91`	`91`	`}`
	`92`	`+ if builder.Instance.DisableNonTLSListeners() {`
	`93`	`+ if _, err := defaultSection.NewKey("listeners.tcp", "none"); err != nil {`
	`94`	`+ return err`
	`95`	`+ }`
	`96`	`+ }`
`92`	`97`	`if builder.Instance.AdditionalPluginEnabled("rabbitmq_mqtt") {`
`93`	`98`	`if _, err := defaultSection.NewKey("mqtt.listeners.ssl.default", "8883"); err != nil {`
`94`	`99`	`return err`
`95`	`100`	`}`
	`101`	`+ if builder.Instance.DisableNonTLSListeners() {`
	`102`	`+ if _, err := defaultSection.NewKey("mqtt.listeners.tcp", "none"); err != nil {`
	`103`	`+ return err`
	`104`	`+ }`
	`105`	`+ }`
`96`	`106`	`}`
`97`	`107`	`if builder.Instance.AdditionalPluginEnabled("rabbitmq_stomp") {`
`98`	`108`	`if _, err := defaultSection.NewKey("stomp.listeners.ssl.1", "61614"); err != nil {`
`99`	`109`	`return err`
`100`	`110`	`}`
	`111`	`+ if builder.Instance.DisableNonTLSListeners() {`
	`112`	`+ if _, err := defaultSection.NewKey("stomp.listeners.tcp", "none"); err != nil {`
	`113`	`+ return err`
	`114`	`+ }`
	`115`	`+ }`
`101`	`116`	`}`
`102`	`117`	`}`
`103`	`118`
`@@ -125,6 +140,11 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {`
`125`	`140`	`if _, err := defaultSection.NewKey("web_mqtt.ssl.keyfile", tlsKeyPath); err != nil {`
`126`	`141`	`return err`
`127`	`142`	`}`
	`143`	`+ if builder.Instance.DisableNonTLSListeners() {`
	`144`	`+ if _, err := defaultSection.NewKey("web_mqtt.tcp.listener", "none"); err != nil {`
	`145`	`+ return err`
	`146`	`+ }`
	`147`	`+ }`
`128`	`148`	`}`
`129`	`149`	`if builder.Instance.AdditionalPluginEnabled("rabbitmq_web_stomp") {`
`130`	`150`	`if _, err := defaultSection.NewKey("web_stomp.ssl.port", "15673"); err != nil {`
`@@ -139,6 +159,11 @@ func (builder *ServerConfigMapBuilder) Update(object runtime.Object) error {`
`139`	`159`	`if _, err := defaultSection.NewKey("web_stomp.ssl.keyfile", tlsKeyPath); err != nil {`
`140`	`160`	`return err`
`141`	`161`	`}`
	`162`	`+ if builder.Instance.DisableNonTLSListeners() {`
	`163`	`+ if _, err := defaultSection.NewKey("web_stomp.tcp.listener", "none"); err != nil {`
	`164`	`+ return err`
	`165`	`+ }`
	`166`	`+ }`
`142`	`167`	`}`
`143`	`168`	`}`
`144`	`169`