Merge pull request #533 from rabbitmq/cluster-operator_479

Add support for  prometheus TLS

Author: gerhard

Diff for: internal/resource/configmap.go

@@ -42,6 +42,10 @@ listeners.ssl.default = 5671
 management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 management.ssl.port       = 15671
+
+prometheus.ssl.certfile  = /etc/rabbitmq-tls/tls.crt
+prometheus.ssl.keyfile   = /etc/rabbitmq-tls/tls.key
+prometheus.ssl.port      = 15691
 `
 	caCertPath  = "/etc/rabbitmq-tls/ca.crt"
 	tlsCertPath = "/etc/rabbitmq-tls/tls.crt"

Diff for: internal/resource/configmap_test.go

@@ -251,7 +251,13 @@ listeners.ssl.default = 5671
 management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 management.ssl.port       = 15671
-management.tcp.port       = 15672
+
+prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt
+prometheus.ssl.keyfile  = /etc/rabbitmq-tls/tls.key
+prometheus.ssl.port     = 15691
+
+management.tcp.port     = 15672
+
 `)
 
 				Expect(configMapBuilder.Update(configMap)).To(Succeed())
@@ -274,6 +280,11 @@ listeners.ssl.default = 5671
 management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 management.ssl.port       = 15671
+
+prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt
+prometheus.ssl.keyfile   = /etc/rabbitmq-tls/tls.key
+prometheus.ssl.port       = 15691
+
 management.tcp.port       = 15672
 
 mqtt.listeners.ssl.default = 8883
@@ -301,6 +312,11 @@ listeners.ssl.default  = 5671
 management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 management.ssl.port       = 15671
+
+prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt
+prometheus.ssl.keyfile   = /etc/rabbitmq-tls/tls.key
+prometheus.ssl.port       = 15691
+
 management.tcp.port       = 15672
 
 ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt
@@ -329,6 +345,11 @@ management.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt
 			management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 			management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 			management.ssl.port       = 15671
+
+			prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt
+			prometheus.ssl.keyfile   = /etc/rabbitmq-tls/tls.key
+			prometheus.ssl.port       = 15691
+			
 			management.tcp.port       = 15672
 
 			ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt
@@ -376,6 +397,10 @@ management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 management.ssl.port       = 15671
 
+prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt
+prometheus.ssl.keyfile   = /etc/rabbitmq-tls/tls.key
+prometheus.ssl.port       = 15691
+
 listeners.tcp = none
 `)
 
@@ -410,6 +435,11 @@ listeners.ssl.default  = 5671
 management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 management.ssl.port       = 15671
+
+prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt
+prometheus.ssl.keyfile   = /etc/rabbitmq-tls/tls.key
+prometheus.ssl.port       = 15691
+
 listeners.tcp = none
 
 mqtt.listeners.ssl.default = 8883
@@ -451,6 +481,11 @@ listeners.ssl.default  = 5671
 management.ssl.certfile   = /etc/rabbitmq-tls/tls.crt
 management.ssl.keyfile    = /etc/rabbitmq-tls/tls.key
 management.ssl.port       = 15671
+
+prometheus.ssl.certfile                  = /etc/rabbitmq-tls/tls.crt
+prometheus.ssl.keyfile                   = /etc/rabbitmq-tls/tls.key
+prometheus.ssl.port                      = 15691
+
 listeners.tcp = none
 
 ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt

Diff for: internal/resource/statefulset.go

@@ -280,9 +280,14 @@ func sortVolumeMounts(mounts []corev1.VolumeMount) {
 
 func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[string]string) corev1.PodTemplateSpec {
 	// default pod annotations used for prometheus metrics
+	prometheusPort := "15692"
+	if builder.Instance.DisableNonTLSListeners() {
+		prometheusPort = "15691"
+	}
+
 	defaultPodAnnotations := map[string]string{
 		"prometheus.io/scrape": "true",
-		"prometheus.io/port":   "15692",
+		"prometheus.io/port":   prometheusPort,
 	}
 
 	//Init Container resources
@@ -711,6 +716,10 @@ func (builder *StatefulSetBuilder) updateContainerPorts() []corev1.ContainerPort
 				Name:          "management-tls",
 				ContainerPort: 15671,
 			},
+			corev1.ContainerPort{
+				Name:          "prometheus-tls",
+				ContainerPort: 15691,
+			},
 		)
 
 		// enable tls ports for plugins
@@ -763,8 +772,8 @@ func (builder *StatefulSetBuilder) updateContainerPortsOnlyTLSListeners() []core
 			ContainerPort: 15671,
 		},
 		{
-			Name:          "prometheus",
-			ContainerPort: 15692,
+			Name:          "prometheus-tls",
+			ContainerPort: 15691,
 		},
 	}
 

Diff for: internal/resource/statefulset_test.go

@@ -706,8 +706,8 @@ var _ = Describe("StatefulSet", func() {
 							ContainerPort: 4369,
 						},
 						{
-							Name:          "prometheus",
-							ContainerPort: 15692,
+							Name:          "prometheus-tls",
+							ContainerPort: 15691,
 						},
 						{
 							Name:          "amqps",
@@ -731,8 +731,8 @@ var _ = Describe("StatefulSet", func() {
 							ContainerPort: 4369,
 						},
 						{
-							Name:          "prometheus",
-							ContainerPort: 15692,
+							Name:          "prometheus-tls",
+							ContainerPort: 15691,
 						},
 						{
 							Name:          "amqps",