Merge pull request #801 from dciabrin/rabbitmq-fips

Generate RabbitMQ TLS config that works with FIPS
openstack-k8s-operators · May 17, 2024 · 8eb2f97 · 8eb2f97
2 parents 706510e + 7b45fe3
commit 8eb2f97
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 3 deletions.
diff --git a/pkg/openstack/ca.go b/pkg/openstack/ca.go
@@ -530,8 +530,8 @@ func createRootCACertAndIssuer(
 			CommonName: caName,
 			SecretName: caName,
 			PrivateKey: &certmgrv1.CertificatePrivateKey{
-				Algorithm: "ECDSA",
-				Size:      256,
+				Algorithm: "RSA",
+				Size:      3072,
 			},
 			IssuerRef: certmgrmetav1.ObjectReference{
 				Name:  selfsignedIssuerReq.Name,

diff --git a/pkg/openstack/rabbitmq.go b/pkg/openstack/rabbitmq.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	networkv1 "github.com/openstack-k8s-operators/infra-operator/apis/network/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
@@ -195,15 +196,28 @@ func reconcileRabbitMQ(
 
 	hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 	tlsCert := ""
+	commonName := fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain)
 
 	if instance.Spec.TLS.PodLevel.Enabled {
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: instance.GetInternalIssuer(),
 			CertName:   fmt.Sprintf("%s-svc", rabbitmq.Name),
+			CommonName: &commonName,
 			Hostnames: []string{
 				hostname,
 				fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
 			},
+			Subject: &certmgrv1.X509Subject{
+				Organizations: []string{fmt.Sprintf("%s.%s", rabbitmq.Namespace, ClusterInternalDomain)},
+			},
+			Usages: []certmgrv1.KeyUsage{
+				"key encipherment",
+				"data encipherment",
+				"digital signature",
+				"server auth",
+				"client auth",
+				"content commitment",
+			},
 		}
 		if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration
@@ -267,14 +281,63 @@ func reconcileRabbitMQ(
 			Log.Info("Setting AdditionalConfig")
 			// This is the same situation as RABBITMQ_UPGRADE_LOG above,
 			// except for the "main" rabbitmq log we can just force it to use the console.
-			rabbitmq.Spec.Rabbitmq.AdditionalConfig = "log.console = true"
+			var settings []string
+			settings = append(settings, "log.console = true")
+			if tlsCert != "" {
+				settings = append(settings, "ssl_options.verify = verify_none")
+			}
+			rabbitmq.Spec.Rabbitmq.AdditionalConfig = strings.Join(settings, "\n")
 		}
 
 		if tlsCert != "" {
 			rabbitmq.Spec.TLS.CaSecretName = tlsCert
 			rabbitmq.Spec.TLS.SecretName = tlsCert
 			// disable non tls listeners
 			rabbitmq.Spec.TLS.DisableNonTLSListeners = true
+			// NOTE(dciabrin) RabbitMQ/Erlang needs a specific TLS configuration ordering
+			// in ssl_options.versions for TLS to work with FIPS. We cannot enforce the right
+			// ordering with AdditionalConfig, we have to pass a specific Erlang value via
+			// the AdvancedConfig field. We also add configuration flags which were known to
+			// work with FIPS in previous version of Openstack.
+			rabbitmq.Spec.Rabbitmq.AdvancedConfig = `[
+  {rabbit, [
+    {ssl_options, [
+      {cacertfile,"/etc/rabbitmq-tls/ca.crt"},
+      {certfile,"/etc/rabbitmq-tls/tls.crt"},
+      {keyfile,"/etc/rabbitmq-tls/tls.key"},
+      {depth,1},
+      {secure_renegotiate,true},
+      {reuse_sessions,true},
+      {honor_cipher_order,false},
+      {honor_ecc_order,false},
+      {verify,verify_none},
+      {fail_if_no_peer_cert,false},
+      {versions, ['tlsv1.2','tlsv1.3']}
+    ]}
+  ]},
+  {rabbitmq_management, [
+    {ssl_config, [
+      {cacertfile,"/etc/rabbitmq-tls/ca.crt"},
+      {certfile,"/etc/rabbitmq-tls/tls.crt"},
+      {keyfile,"/etc/rabbitmq-tls/tls.key"},
+      {depth,1},
+      {secure_renegotiate,true},
+      {reuse_sessions,true},
+      {honor_cipher_order,false},
+      {honor_ecc_order,false},
+      {verify,verify_none},
+      {fail_if_no_peer_cert,false},
+      {versions, ['tlsv1.2','tlsv1.3']}
+    ]}
+  ]},
+  {client, [
+    {cacertfile, "/etc/rabbitmq-tls/ca.crt"},
+    {verify,verify_peer},
+    {secure_renegotiate,true},
+    {versions, ['tlsv1.2','tlsv1.3']}
+  ]}
+].
+`
 		}
 
 		// overrides