From 7803fe7a7407fc13d57e726ad4929ec95f9db80b Mon Sep 17 00:00:00 2001 From: Gabriele Santomaggio Date: Wed, 23 Dec 2020 16:26:14 +0100 Subject: [PATCH 1/4] Add support for prometheus TLS Fixes https://github.com/rabbitmq/cluster-operator/issues/479 --- internal/resource/configmap.go | 4 ++++ internal/resource/statefulset.go | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/internal/resource/configmap.go b/internal/resource/configmap.go index eecc6d6dc..c861051c0 100644 --- a/internal/resource/configmap.go +++ b/internal/resource/configmap.go @@ -42,6 +42,10 @@ listeners.ssl.default = 5671 management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 + +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key +prometheus.ssl.port = 15691 ` caCertPath = "/etc/rabbitmq-tls/ca.crt" tlsCertPath = "/etc/rabbitmq-tls/tls.crt" diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go index 38934c6e9..760c979d1 100644 --- a/internal/resource/statefulset.go +++ b/internal/resource/statefulset.go @@ -711,6 +711,10 @@ func (builder *StatefulSetBuilder) updateContainerPorts() []corev1.ContainerPort Name: "management-tls", ContainerPort: 15671, }, + corev1.ContainerPort{ + Name: "prometheus-tls", + ContainerPort: 15691, + }, ) // enable tls ports for plugins @@ -764,7 +768,7 @@ func (builder *StatefulSetBuilder) updateContainerPortsOnlyTLSListeners() []core }, { Name: "prometheus", - ContainerPort: 15692, + ContainerPort: 15691, }, } From d153a507d4b3d73830b8b67af678e2ea701b936a Mon Sep 17 00:00:00 2001 From: Gabriele Santomaggio Date: Wed, 23 Dec 2020 16:52:12 +0100 Subject: [PATCH 2/4] Change prometheus annotation use TLS port in case nonTlS --- internal/resource/statefulset.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
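Review bot: The new `prometheus.ssl.*` block in the configmap.go hunk configures only the TLS listener, whereas the management plugin's non-TLS-only path explicitly keeps `management.tcp.port = 15672` (seen in the configmap_test expectations) and nothing here sets the equivalent `prometheus.tcp.port`. If rabbitmq_prometheus, like management, starts only the listeners that are configured, then once TLS is enabled the plaintext 15692 endpoint that the `prometheus.io/port` annotation still targets may no longer be listening, and scrapes silently fail. Worth verifying against the plugin's listener start-up, and if confirmed emitting `prometheus.tcp.port = 15692` next to `management.tcp.port = 15672` in the non-TLS-only branch, with a comment such as `// keep the plaintext metrics listener only when non-TLS listeners are allowed`. The builder code that appends `management.tcp.port` is outside this hunk.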
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go index 760c979d1..c509b05b7 100644 --- a/internal/resource/statefulset.go +++ b/internal/resource/statefulset.go @@ -280,9 +280,14 @@ func sortVolumeMounts(mounts []corev1.VolumeMount) { func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[string]string) corev1.PodTemplateSpec { // default pod annotations used for prometheus metrics + prometheusPort := "15692" + if builder.Instance.DisableNonTLSListeners() { + prometheusPort = "15691" + } + defaultPodAnnotations := map[string]string{ "prometheus.io/scrape": "true", - "prometheus.io/port": "15692", + "prometheus.io/port": prometheusPort, } //Init Container resources From eebd2aba32bb7bdb2cd2306b46b311245a129478 Mon Sep 17 00:00:00 2001 From: Gabriele Santomaggio Date: Thu, 24 Dec 2020 17:23:56 +0100 Subject: [PATCH 3/4] Add tests for prometheus TLS --- internal/resource/configmap.go | 4 +-- internal/resource/configmap_test.go | 36 ++++++++++++++++++++++++++- internal/resource/statefulset.go | 2 +- internal/resource/statefulset_test.go | 8 +++--- 4 files changed, 42 insertions(+), 8 deletions(-) diff --git a/internal/resource/configmap.go b/internal/resource/configmap.go index c861051c0..0031d3aae 100644 --- a/internal/resource/configmap.go +++ b/internal/resource/configmap.go @@ -43,9 +43,9 @@ management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 -prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key -prometheus.ssl.port = 15691 +prometheus.ssl.port = 15691 ` caCertPath = "/etc/rabbitmq-tls/ca.crt" tlsCertPath = "/etc/rabbitmq-tls/tls.crt" diff --git a/internal/resource/configmap_test.go b/internal/resource/configmap_test.go index a6d812d8a..bcaff4420 100644 --- a/internal/resource/configmap_test.go 
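Review bot: In the podTemplateSpec hunk the annotation now points scrapers at 15691 when `DisableNonTLSListeners()` is true, but no scheme is set, so a scraper following the usual `prometheus.io/*` relabelling will connect with plain HTTP to a TLS-only port and the scrape will fail. Set the scheme in the same branch: `prometheusScheme := "http"` before the `if`, `prometheusScheme = "https"` inside it, and `"prometheus.io/scheme": prometheusScheme,` in the map literal. Note too that when TLS is configured but non-TLS listeners remain enabled, the annotation deliberately keeps directing scrapes to the plaintext 15692 endpoint, so metrics leave the pod unencrypted unless the owner disables non-TLS listeners; a comment on the `prometheusPort := "15692"` line stating that trade-off would save operators a surprise. The remainder of podTemplateSpec lies outside the hunk.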
+++ b/internal/resource/configmap_test.go @@ -251,7 +251,12 @@ listeners.ssl.default = 5671 management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 -management.tcp.port = 15672 + +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key +prometheus.ssl.port = 15691 +management.tcp.port = 15672 + `) Expect(configMapBuilder.Update(configMap)).To(Succeed()) @@ -274,6 +279,11 @@ listeners.ssl.default = 5671 management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 + +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key +prometheus.ssl.port = 15691 + management.tcp.port = 15672 mqtt.listeners.ssl.default = 8883 @@ -301,6 +311,11 @@ listeners.ssl.default = 5671 management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 + +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key +prometheus.ssl.port = 15691 + management.tcp.port = 15672 ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt @@ -329,6 +344,11 @@ management.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 + + prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt + prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key + prometheus.ssl.port = 15691 + management.tcp.port = 15672 ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt @@ -376,6 +396,10 @@ management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key +prometheus.ssl.port = 15691 + listeners.tcp = none `) 
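Review bot: In the mutual-TLS expectation (the hunk at `@@ -329,6 +344,11`), management is expected to carry `management.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt` while the new Prometheus listener is expected to carry only certfile, keyfile and port, so the metrics endpoint would present a server certificate but never demand a client one even when the cluster is configured for mutual TLS. Metrics reveal queue names, connection counts and node state, so if the plugin accepts the same options as the management plugin the mutual-TLS path should also emit `prometheus.ssl.cacertfile = /etc/rabbitmq-tls/ca.crt`, `prometheus.ssl.verify = verify_peer` and `prometheus.ssl.fail_if_no_peer_cert = true`, and this test should assert them. The builder code that adds the `cacertfile` lines for the mutual-TLS case is not part of this patch, so this is an inference from the expected output rather than from visible production code.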
@@ -410,6 +434,11 @@ listeners.ssl.default = 5671 management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 + +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key +prometheus.ssl.port = 15691 + listeners.tcp = none mqtt.listeners.ssl.default = 8883 @@ -451,6 +480,11 @@ listeners.ssl.default = 5671 management.ssl.certfile = /etc/rabbitmq-tls/tls.crt management.ssl.keyfile = /etc/rabbitmq-tls/tls.key management.ssl.port = 15671 + +prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt +prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key +prometheus.ssl.port = 15691 + listeners.tcp = none ssl_options.cacertfile = /etc/rabbitmq-tls/ca.crt diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go index c509b05b7..d3c43e933 100644 --- a/internal/resource/statefulset.go +++ b/internal/resource/statefulset.go @@ -772,7 +772,7 @@ func (builder *StatefulSetBuilder) updateContainerPortsOnlyTLSListeners() []core ContainerPort: 15671, }, { - Name: "prometheus", + Name: "prometheus-tls", ContainerPort: 15691, }, } diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go index e18221e7f..5c035c275 100644 --- a/internal/resource/statefulset_test.go +++ b/internal/resource/statefulset_test.go @@ -706,8 +706,8 @@ var _ = Describe("StatefulSet", func() { ContainerPort: 4369, }, { - Name: "prometheus", - ContainerPort: 15692, + Name: "prometheus-tls", + ContainerPort: 15691, }, { Name: "amqps", @@ -731,8 +731,8 @@ var _ = Describe("StatefulSet", func() { ContainerPort: 4369, }, { - Name: "prometheus", - ContainerPort: 15692, + Name: "prometheus-tls", + ContainerPort: 15691, }, { Name: "amqps", From 97ce18d95bf0edab8cba95b565dccc0819636763 Mon Sep 17 00:00:00 2001 
From: Gabriele Santomaggio Date: Sat, 26 Dec 2020 15:36:36 +0100 Subject: [PATCH 4/4] Add space --- internal/resource/configmap_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/resource/configmap_test.go b/internal/resource/configmap_test.go index bcaff4420..72a082f2b 100644 --- a/internal/resource/configmap_test.go +++ b/internal/resource/configmap_test.go @@ -255,6 +255,7 @@ management.ssl.port = 15671 prometheus.ssl.certfile = /etc/rabbitmq-tls/tls.crt prometheus.ssl.keyfile = /etc/rabbitmq-tls/tls.key prometheus.ssl.port = 15691 + management.tcp.port = 15672 `)