FIPS support for RabbitMQ
When the OCP cluster is deployed in FIPS mode RabbitMQ needs to be
deployed with specific parameters to also enable its FIPS mode.

This patch checks whether OCP is running in FIPS mode using lib-common and
changes the environment variables used to deploy RabbitMQ, just like we
did in TripleO [1].

[1]: https://opendev.org/openstack/puppet-tripleo/src/commit/019ec495180d2065a172861554df2ba2a76b5b17/manifests/profile/base/rabbitmq.pp#L176

Jira: #OSPRH-4668
Depends-On: openstack-k8s-operators/lib-common#448
Akrog committed Mar 11, 2024
1 parent 81a98c7 commit adbc5fa
Showing 1 changed file with 55 additions and 33 deletions.
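--- a/pkg/openstack/rabbitmq.go
+++ b/pkg/openstack/rabbitmq.go
@@ -9,6 +10,7 @@ import (
 "github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+"github.com/openstack-k8s-operators/lib-common/modules/common/ocp"
 "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 "github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -113,6 +114,58 @@ func reconcileRabbitMQ(
 return mqReady, ctrl.Result{}, nil
 }
 
+envVars := []corev1.EnvVar{
+{
+// The upstream rabbitmq image has /var/log/rabbitmq mode 777, so when
+// openshift runs the rabbitmq container as a random uid it can still write
+// the logs there. The OSP image however has the directory more constrained,
+// so the random uid cannot write the logs there. Force it into /var/lib
+// where it can create the file without crashing.
+Name: "RABBITMQ_UPGRADE_LOG",
+Value: "/var/lib/rabbitmq/rabbitmq_upgrade.log",
+},
+{
+// For some reason HOME needs to be explictly set here even though the entry
+// for the random user in /etc/passwd has the correct homedir set.
+Name: "HOME",
+Value: "/var/lib/rabbitmq",
+},
+{
+// The various /usr/sbin/rabbitmq* scripts are really all the same
+// wrapper shell-script that performs some "sanity checks" and then
+// invokes the corresponding "real" program in
+// /usr/lib/rabbitmq/bin. The main "sanity check" is to ensure that
+// the user running the command is either root or rabbitmq. Inside
+// of an openshift pod, however, the user is neither of these, so
+// the wrapper script will always fail.
+
+// By putting the real programs ahead of the wrapper in PATH we can
+// avoid the unnecessary check and just run things directly as
+// whatever user the pod has graciously generated for us.
+Name: "PATH",
+Value: "/usr/lib/rabbitmq/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+},
+}
+
+tlsEnabled := instance.Spec.TLS.Enabled(service.EndpointInternal)
+if tlsEnabled {
+fipsEnabled, err := ocp.IsFipsCluster(ctx, helper)
+if err != nil {
+return mqFailed, ctrl.Result{}, err
+}
+if fipsEnabled {
+fipsModeStr := "-crypto fips_mode true"
+
+envVars = append(envVars, corev1.EnvVar{
+Name: "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS",
+Value: fipsModeStr,
+}, corev1.EnvVar{
+Name: "RABBITMQ_CTL_ERL_ARGS",
+Value: fipsModeStr,
+})
+}
+}
+
 defaultStatefulSet := rabbitmqv2.StatefulSet{
 Spec: &rabbitmqv2.StatefulSetSpec{
 Template: &rabbitmqv2.PodTemplateSpec{
@@ -127,38 +180,7 @@ func reconcileRabbitMQ(
 // NOTE(gibi): without this the second RabbitMqCluster
 // will fail as the Pod will have no image.
 Image: spec.Image,
-Env: []corev1.EnvVar{
-{
-// The upstream rabbitmq image has /var/log/rabbitmq mode 777, so when
-// openshift runs the rabbitmq container as a random uid it can still write
-// the logs there. The OSP image however has the directory more constrained,
-// so the random uid cannot write the logs there. Force it into /var/lib
-// where it can create the file without crashing.
-Name: "RABBITMQ_UPGRADE_LOG",
-Value: "/var/lib/rabbitmq/rabbitmq_upgrade.log",
-},
-{
-// For some reason HOME needs to be explictly set here even though the entry
-// for the random user in /etc/passwd has the correct homedir set.
-Name: "HOME",
-Value: "/var/lib/rabbitmq",
-},
-{
-// The various /usr/sbin/rabbitmq* scripts are really all the same
-// wrapper shell-script that performs some "sanity checks" and then
-// invokes the corresponding "real" program in
-// /usr/lib/rabbitmq/bin. The main "sanity check" is to ensure that
-// the user running the command is either root or rabbitmq. Inside
-// of an openshift pod, however, the user is neither of these, so
-// the wrapper script will always fail.
-
-// By putting the real programs ahead of the wrapper in PATH we can
-// avoid the unnecessary check and just run things directly as
-// whatever user the pod has graciously generated for us.
-Name: "PATH",
-Value: "/usr/lib/rabbitmq/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-},
-},
+Env: envVars,
 Args: []string{
 // OSP17 runs kolla_start here, instead just run rabbitmq-server directly
 "/usr/lib/rabbitmq/bin/rabbitmq-server",
@@ -175,7 +197,7 @@ func reconcileRabbitMQ(
 hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 tlsCert := ""
 
-if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+if tlsEnabled {
 certRequest := certmanager.CertificateRequest{
 IssuerName: tls.DefaultCAPrefix + string(service.EndpointInternal),
 CertName: fmt.Sprintf("%s-svc", rabbitmq.Name),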
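Review bot: The Erlang FIPS flag is only set inside the `if tlsEnabled {` branch, so on a FIPS-mode cluster with internal TLS disabled RabbitMQ is still started without `-crypto fips_mode true`, and nothing in the hunk records whether that coupling is intentional. If it deliberately mirrors the TripleO manifest cited in the description, make it explicit with a comment above the branch, e.g. `// Erlang FIPS mode is only enabled together with internal TLS, matching the TripleO rabbitmq profile`; otherwise hoist the `ocp.IsFipsCluster` call out of the TLS check so the two settings are independent. The error from `ocp.IsFipsCluster` is also returned bare; wrapping it as `return mqFailed, ctrl.Result{}, fmt.Errorf("checking cluster FIPS mode: %w", err)` would show in the operator log which reconcile step failed (fmt is already used further down in the function). reconcileRabbitMQ starts and ends outside the hunk.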
