FIPS support for RabbitMQ

When the OCP cluster is deployed in FIPS mode RabbitMQ needs to be
deployed with specific parameters to also enable its FIPS mode.

This patch checks when OCP is running in FIPS mode using lib-common and
changes the environmental variables used to deploy RabbitMQ just like we
did in TripleO [1].

[1]: https://opendev.org/openstack/puppet-tripleo/src/commit/019ec495180d2065a172861554df2ba2a76b5b17/manifests/profile/base/rabbitmq.pp#L176

Jira: #OSPRH-4668
Depends-On: openstack-k8s-operators/lib-common#448

apis/go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240221083751-49edc0df8a12
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240229121803-169ced56d56e
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240222094307-76fef735f093

apis/go.sum

@@ -106,8 +106,7 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-2
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91/go.mod h1:Yac7wRClzl1/a7uBso4w8wq6Rjm+JLIouEsLre7VSDE=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600 h1:Lqlkv5CWGlarcjsc1SW2YzhxAVQtQZp0BWEwFUl+OyM=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600/go.mod h1:YyoDWNxCFstwhVRAcEh2X6bXBG0ML5iEhOYQhltgqi4=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e h1:zpxxz/iI8C09XHBcDYW9prMoODndBBsSmoonRXRXu1Q=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:P2a38htIPn9Ws9eqZBS/5jfxzLdMdBqZcbv6H4YcQfw=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0 h1:1Q/9F3SAKvLN9vX+YxwaEB0WvBekj9eakQPoQbI1K6w=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e h1:T/ZQR6KfJf45ydZq4gsq7FUl+bKR1IIQpuvja9Nun4s=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:fvCDr4wd7Oy2rIunTzpGoMKWXHk2pQYaF3tJBFLELpM=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240229121803-169ced56d56e h1:801PPU2Awfnqg/uJMeGOfi3zkNA0qS5axmINN6Gusbg=

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600
 	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240229121803-169ced56d56e
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240229121803-169ced56d56e
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240222094307-76fef735f093

go.sum

@@ -122,8 +122,8 @@ github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600/go.mod h1:YyoDWNxCFstwhVRAcEh2X6bXBG0ML5iEhOYQhltgqi4=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240229121803-169ced56d56e h1:n1XMajTDxjNTMf4l2U7JFQ2EKhNtsYIsCcnvAxIJpF0=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240229121803-169ced56d56e/go.mod h1:GGbtUK5VQ/BHIT3n0ia31bzNJaQIAANhzT/nC6pygbQ=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e h1:zpxxz/iI8C09XHBcDYW9prMoODndBBsSmoonRXRXu1Q=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:P2a38htIPn9Ws9eqZBS/5jfxzLdMdBqZcbv6H4YcQfw=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0 h1:1Q/9F3SAKvLN9vX+YxwaEB0WvBekj9eakQPoQbI1K6w=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0/go.mod h1:R2plZL2JdwDMJwv9+pkPmCB1Mww81J75G0MxRzi2Kug=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e h1:T/ZQR6KfJf45ydZq4gsq7FUl+bKR1IIQpuvja9Nun4s=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:fvCDr4wd7Oy2rIunTzpGoMKWXHk2pQYaF3tJBFLELpM=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240229121803-169ced56d56e h1:801PPU2Awfnqg/uJMeGOfi3zkNA0qS5axmINN6Gusbg=

pkg/openstack/rabbitmq.go

@@ -9,6 +9,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/ocp"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -89,6 +90,7 @@ func ReconcileRabbitMQs(
 	return ctrlResult, nil
 }
 
+
 func reconcileRabbitMQ(
 	ctx context.Context,
 	instance *corev1beta1.OpenStackControlPlane,
@@ -113,6 +115,58 @@ func reconcileRabbitMQ(
 		return mqReady, ctrl.Result{}, nil
 	}
 
+	envVars := []corev1.EnvVar{
+		{
+			// The upstream rabbitmq image has /var/log/rabbitmq mode 777, so when
+			// openshift runs the rabbitmq container as a random uid it can still write
+			// the logs there.  The OSP image however has the directory more constrained,
+			// so the random uid cannot write the logs there.  Force it into /var/lib
+			// where it can create the file without crashing.
+			Name:  "RABBITMQ_UPGRADE_LOG",
+			Value: "/var/lib/rabbitmq/rabbitmq_upgrade.log",
+		},
+		{
+			// For some reason HOME needs to be explictly set here even though the entry
+			// for the random user in /etc/passwd has the correct homedir set.
+			Name:  "HOME",
+			Value: "/var/lib/rabbitmq",
+		},
+		{
+			// The various /usr/sbin/rabbitmq* scripts are really all the same
+			// wrapper shell-script that performs some "sanity checks" and then
+			// invokes the corresponding "real" program in
+			// /usr/lib/rabbitmq/bin.  The main "sanity check" is to ensure that
+			// the user running the command is either root or rabbitmq.  Inside
+			// of an openshift pod, however, the user is neither of these, so
+			// the wrapper script will always fail.
+
+			// By putting the real programs ahead of the wrapper in PATH we can
+			// avoid the unnecessary check and just run things directly as
+			// whatever user the pod has graciously generated for us.
+			Name:  "PATH",
+			Value: "/usr/lib/rabbitmq/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		},
+	}
+
+	tlsEnabled := instance.Spec.TLS.Enabled(service.EndpointInternal)
+	if tlsEnabled {
+		fipsEnabled, err := ocp.IsFipsCluster(ctx, helper)
+		if err != nil{
+			return mqFailed, ctrl.Result{}, err
+		}
+		if fipsEnabled {
+			fipsModeStr := "-crypto fips_mode true"
+
+			envVars = append(envVars, corev1.EnvVar{
+				Name:  "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS",
+				Value: fipsModeStr,
+			}, corev1.EnvVar{
+				Name:  "RABBITMQ_CTL_ERL_ARGS",
+				Value: fipsModeStr,
+			})
+		}
+	}
+
 	defaultStatefulSet := rabbitmqv2.StatefulSet{
 		Spec: &rabbitmqv2.StatefulSetSpec{
 			Template: &rabbitmqv2.PodTemplateSpec{
@@ -127,38 +181,7 @@ func reconcileRabbitMQ(
 							// NOTE(gibi): without this the second RabbitMqCluster
 							// will fail as the Pod will have no image.
 							Image: spec.Image,
-							Env: []corev1.EnvVar{
-								{
-									// The upstream rabbitmq image has /var/log/rabbitmq mode 777, so when
-									// openshift runs the rabbitmq container as a random uid it can still write
-									// the logs there.  The OSP image however has the directory more constrained,
-									// so the random uid cannot write the logs there.  Force it into /var/lib
-									// where it can create the file without crashing.
-									Name:  "RABBITMQ_UPGRADE_LOG",
-									Value: "/var/lib/rabbitmq/rabbitmq_upgrade.log",
-								},
-								{
-									// For some reason HOME needs to be explictly set here even though the entry
-									// for the random user in /etc/passwd has the correct homedir set.
-									Name:  "HOME",
-									Value: "/var/lib/rabbitmq",
-								},
-								{
-									// The various /usr/sbin/rabbitmq* scripts are really all the same
-									// wrapper shell-script that performs some "sanity checks" and then
-									// invokes the corresponding "real" program in
-									// /usr/lib/rabbitmq/bin.  The main "sanity check" is to ensure that
-									// the user running the command is either root or rabbitmq.  Inside
-									// of an openshift pod, however, the user is neither of these, so
-									// the wrapper script will always fail.
-
-									// By putting the real programs ahead of the wrapper in PATH we can
-									// avoid the unnecessary check and just run things directly as
-									// whatever user the pod has graciously generated for us.
-									Name:  "PATH",
-									Value: "/usr/lib/rabbitmq/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-								},
-							},
+							Env: envVars,
 							Args: []string{
 								// OSP17 runs kolla_start here, instead just run rabbitmq-server directly
 								"/usr/lib/rabbitmq/bin/rabbitmq-server",
@@ -175,7 +198,7 @@ func reconcileRabbitMQ(
 	hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 	tlsCert := ""
 
-	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+	if tlsEnabled {
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: tls.DefaultCAPrefix + string(service.EndpointInternal),
 			CertName:   fmt.Sprintf("%s-svc", rabbitmq.Name),