diff --git a/apis/go.mod b/apis/go.mod
index dec028de3..10c1834f7 100644
--- a/apis/go.mod
+++ b/apis/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240221083751-49edc0df8a12
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600
- github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e
+ github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240229121803-169ced56d56e
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240222094307-76fef735f093
diff --git a/apis/go.sum b/apis/go.sum
index 029f0afb1..7693dd3dc 100644
--- a/apis/go.sum
+++ b/apis/go.sum
@@ -106,8 +106,7 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-2
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91/go.mod h1:Yac7wRClzl1/a7uBso4w8wq6Rjm+JLIouEsLre7VSDE=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600 h1:Lqlkv5CWGlarcjsc1SW2YzhxAVQtQZp0BWEwFUl+OyM=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600/go.mod h1:YyoDWNxCFstwhVRAcEh2X6bXBG0ML5iEhOYQhltgqi4=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e h1:zpxxz/iI8C09XHBcDYW9prMoODndBBsSmoonRXRXu1Q=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:P2a38htIPn9Ws9eqZBS/5jfxzLdMdBqZcbv6H4YcQfw=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0 h1:1Q/9F3SAKvLN9vX+YxwaEB0WvBekj9eakQPoQbI1K6w=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e h1:T/ZQR6KfJf45ydZq4gsq7FUl+bKR1IIQpuvja9Nun4s=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:fvCDr4wd7Oy2rIunTzpGoMKWXHk2pQYaF3tJBFLELpM=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240229121803-169ced56d56e h1:801PPU2Awfnqg/uJMeGOfi3zkNA0qS5axmINN6Gusbg=
diff --git a/go.mod b/go.mod
index e48b4a462..0b71232cf 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240229121803-169ced56d56e
- github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e
+ github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240229121803-169ced56d56e
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240222094307-76fef735f093
diff --git a/go.sum b/go.sum
index 7f2bc8387..76d6b7436 100644
--- a/go.sum
+++ b/go.sum
@@ -122,8 +122,8 @@ github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240226160457-b1b853eb4600/go.mod h1:YyoDWNxCFstwhVRAcEh2X6bXBG0ML5iEhOYQhltgqi4=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240229121803-169ced56d56e h1:n1XMajTDxjNTMf4l2U7JFQ2EKhNtsYIsCcnvAxIJpF0=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240229121803-169ced56d56e/go.mod h1:GGbtUK5VQ/BHIT3n0ia31bzNJaQIAANhzT/nC6pygbQ=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e h1:zpxxz/iI8C09XHBcDYW9prMoODndBBsSmoonRXRXu1Q=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:P2a38htIPn9Ws9eqZBS/5jfxzLdMdBqZcbv6H4YcQfw=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0 h1:1Q/9F3SAKvLN9vX+YxwaEB0WvBekj9eakQPoQbI1K6w=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0/go.mod h1:R2plZL2JdwDMJwv9+pkPmCB1Mww81J75G0MxRzi2Kug=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e h1:T/ZQR6KfJf45ydZq4gsq7FUl+bKR1IIQpuvja9Nun4s=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240229121803-169ced56d56e/go.mod h1:fvCDr4wd7Oy2rIunTzpGoMKWXHk2pQYaF3tJBFLELpM=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240229121803-169ced56d56e h1:801PPU2Awfnqg/uJMeGOfi3zkNA0qS5axmINN6Gusbg=
diff --git a/pkg/openstack/rabbitmq.go b/pkg/openstack/rabbitmq.go
index 726d4f946..74d15ce9b 100644
--- a/pkg/openstack/rabbitmq.go
+++ b/pkg/openstack/rabbitmq.go
@@ -9,6 +9,7 @@ import (
 "github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/ocp"
 "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 "github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -89,6 +90,7 @@ func ReconcileRabbitMQs(
 return ctrlResult, nil
 }
+
 func reconcileRabbitMQ(
 ctx context.Context,
 instance *corev1beta1.OpenStackControlPlane,
@@ -113,6 +115,58 @@ func reconcileRabbitMQ(
 return mqReady, ctrl.Result{}, nil
 }
+ envVars := []corev1.EnvVar{
+ {
+ // The upstream rabbitmq image has /var/log/rabbitmq mode 777, so when
+ // openshift runs the rabbitmq container as a random uid it can still write
+ // the logs there. The OSP image however has the directory more constrained,
+ // so the random uid cannot write the logs there. Force it into /var/lib
+ // where it can create the file without crashing.
+ Name: "RABBITMQ_UPGRADE_LOG",
+ Value: "/var/lib/rabbitmq/rabbitmq_upgrade.log",
+ },
+ {
+ // For some reason HOME needs to be explictly set here even though the entry
+ // for the random user in /etc/passwd has the correct homedir set.
+ Name: "HOME",
+ Value: "/var/lib/rabbitmq",
+ },
+ {
+ // The various /usr/sbin/rabbitmq* scripts are really all the same
+ // wrapper shell-script that performs some "sanity checks" and then
+ // invokes the corresponding "real" program in
+ // /usr/lib/rabbitmq/bin. The main "sanity check" is to ensure that
+ // the user running the command is either root or rabbitmq. Inside
+ // of an openshift pod, however, the user is neither of these, so
+ // the wrapper script will always fail.
+
+ // By putting the real programs ahead of the wrapper in PATH we can
+ // avoid the unnecessary check and just run things directly as
+ // whatever user the pod has graciously generated for us.
+ Name: "PATH",
+ Value: "/usr/lib/rabbitmq/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ },
+ }
+
+ tlsEnabled := instance.Spec.TLS.Enabled(service.EndpointInternal)
+ if tlsEnabled {
+ fipsEnabled, err := ocp.IsFipsCluster(ctx, helper)
+ if err != nil{
+ return mqFailed, ctrl.Result{}, err
+ }
+ if fipsEnabled {
+ fipsModeStr := "-crypto fips_mode true"
+
+ envVars = append(envVars, corev1.EnvVar{
+ Name: "RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS",
+ Value: fipsModeStr,
+ }, corev1.EnvVar{
+ Name: "RABBITMQ_CTL_ERL_ARGS",
+ Value: fipsModeStr,
+ })
+ }
+ }
+
 defaultStatefulSet := rabbitmqv2.StatefulSet{
 Spec: &rabbitmqv2.StatefulSetSpec{
 Template: &rabbitmqv2.PodTemplateSpec{
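Review bot: The FIPS-mode Erlang arguments are only appended inside the `if tlsEnabled` guard, so on a FIPS-enabled cluster with internal TLS disabled the broker is started without `-crypto fips_mode true` even though the rest of the node is in FIPS mode; if that coupling is deliberate a comment such as `// FIPS-mode erl args are only needed once the internal endpoint serves TLS` should say so, otherwise the `ocp.IsFipsCluster` call belongs outside the TLS guard. In the same branch `if err != nil{` is not gofmt-clean and the error is returned bare, so `if err != nil {` followed by `return mqFailed, ctrl.Result{}, fmt.Errorf("checking cluster FIPS mode for rabbitmq %s: %w", name, err)` would fix both, using the fmt import and the `name` value this function already uses later for the hostname (its signature is not visible here, so confirm it is in scope at this point). reconcileRabbitMQ begins before this hunk and continues after it.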
@@ -127,38 +181,7 @@ func reconcileRabbitMQ(
 // NOTE(gibi): without this the second RabbitMqCluster
 // will fail as the Pod will have no image.
 Image: spec.Image,
- Env: []corev1.EnvVar{
- {
- // The upstream rabbitmq image has /var/log/rabbitmq mode 777, so when
- // openshift runs the rabbitmq container as a random uid it can still write
- // the logs there. The OSP image however has the directory more constrained,
- // so the random uid cannot write the logs there. Force it into /var/lib
- // where it can create the file without crashing.
- Name: "RABBITMQ_UPGRADE_LOG",
- Value: "/var/lib/rabbitmq/rabbitmq_upgrade.log",
- },
- {
- // For some reason HOME needs to be explictly set here even though the entry
- // for the random user in /etc/passwd has the correct homedir set.
- Name: "HOME",
- Value: "/var/lib/rabbitmq",
- },
- {
- // The various /usr/sbin/rabbitmq* scripts are really all the same
- // wrapper shell-script that performs some "sanity checks" and then
- // invokes the corresponding "real" program in
- // /usr/lib/rabbitmq/bin. The main "sanity check" is to ensure that
- // the user running the command is either root or rabbitmq. Inside
- // of an openshift pod, however, the user is neither of these, so
- // the wrapper script will always fail.
-
- // By putting the real programs ahead of the wrapper in PATH we can
- // avoid the unnecessary check and just run things directly as
- // whatever user the pod has graciously generated for us.
- Name: "PATH",
- Value: "/usr/lib/rabbitmq/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- },
- },
+ Env: envVars,
 Args: []string{
 // OSP17 runs kolla_start here, instead just run rabbitmq-server directly
 "/usr/lib/rabbitmq/bin/rabbitmq-server",
@@ -175,7 +198,7 @@ func reconcileRabbitMQ(
 hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 tlsCert := ""
- if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ if tlsEnabled {
 certRequest := certmanager.CertificateRequest{
 IssuerName: tls.DefaultCAPrefix + string(service.EndpointInternal),
 CertName: fmt.Sprintf("%s-svc", rabbitmq.Name),