[rabbitmq] add LDAP example

datatok · Sep 15, 2021 · 0c71070 · 0c71070
1 parent cd550d1
commit 0c71070
Show file tree

Hide file tree

Showing 7 changed files with 180 additions and 2 deletions.
diff --git a/charts/rabbitmq/Chart.yaml b/charts/rabbitmq/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/rabbitmq/dev/.gitignore b/charts/rabbitmq/dev/.gitignore
@@ -0,0 +1,3 @@
+ca.crt
+rabbitmq.conf
+advanced.config
diff --git a/charts/rabbitmq/dev/Dockerfile b/charts/rabbitmq/dev/Dockerfile
@@ -0,0 +1,7 @@
+FROM rabbitmq:3.9.5-management
+
+RUN apt-get update -y && \
+    apt-get install -y erlang-eldap
+
+RUN rabbitmq-plugins enable rabbitmq_auth_backend_ldap && \
+    rabbitmq-plugins enable rabbitmq_trust_store
diff --git a/charts/rabbitmq/dev/docker-compose.yaml b/charts/rabbitmq/dev/docker-compose.yaml
@@ -0,0 +1,14 @@
+version: "2"
+
+services:
+
+  rabbitmq:
+    build: .
+    read_only: true
+    volumes:
+    - ./advanced.config:/etc/rabbitmq/advanced.config:ro
+    - ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf:ro
+    - ./ca.crt:/etc/rabbitmq/ca.crt:ro
+    - /var/log/rabbitmq
+    ports:
+    - 15672:15672
diff --git a/charts/rabbitmq/examples/rabbitmq+ldap/rabbitmq-ldap-secret.yaml b/charts/rabbitmq/examples/rabbitmq+ldap/rabbitmq-ldap-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rabbitmq-ldap
+type: Opaque
+stringData:
+  user_bind_dn: "CN=XXXXXXXXX,OU=serviceAccounts,DC=ad,DC=XXXX,DC=com"
+  user_bind_password: guest
diff --git a/charts/rabbitmq/examples/rabbitmq+ldap/values.yaml b/charts/rabbitmq/examples/rabbitmq+ldap/values.yaml
@@ -0,0 +1,146 @@
+replicaCount: 3
+
+image:
+  repository: rabbitmq
+  pullPolicy: IfNotPresent
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+  type: ClusterIP
+  annotations: {}
+  #  service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 512Mi
+  limits:
+    cpu: 50m
+    memory: 512Mi
+
+persistence:
+  enabled: false
+  storageClassName: fast
+  storage: 20Gi
+
+rabbitmq:
+  additionalConfig: |
+    # try LDAP first
+    auth_backends.1 = ldap
+    # fall back to the internal database
+    auth_backends.2 = internal
+
+    auth_ldap.servers.1 = XXXXXXX
+    auth_ldap.port      = 636
+    auth_ldap.use_ssl   = true
+    auth_ldap.timeout   = 5000
+    auth_ldap.log       = network_unsafe
+    auth_ldap.ssl_options.verify = verify_none
+
+  additionalPlugins:
+  - rabbitmq_auth_backend_ldap
+
+cluster:
+  annotations: {}
+  extraSpec: {}
+
+  override:
+    statefulSet:
+      spec:
+        template:
+          metadata:
+            labels:
+              XXX.com/fw.kubernetes: allow
+              XXX.com/fw.ldap: allow
+          spec:
+            securityContext:
+              fsGroup: 1000
+              runAsUser: 1000
+            volumes:
+            - name: rabbitmq-config
+              emptyDir: {}
+            - name: rabbitmq-log
+              emptyDir: {}
+            initContainers:
+            - name: setup-container
+              command:
+                - sh
+                - '-c'
+                - >-
+                  cp /tmp/erlang-cookie-secret/.erlang.cookie
+                  /var/lib/rabbitmq/.erlang.cookie && chmod 600
+                  /var/lib/rabbitmq/.erlang.cookie ; cp
+                  /tmp/rabbitmq-plugins/enabled_plugins /operator/enabled_plugins ; echo
+                  '[default]' > /var/lib/rabbitmq/.rabbitmqadmin.conf && sed -e
+                  's/default_user/username/' -e 's/default_pass/password/'
+                  /tmp/default_user.conf >> /var/lib/rabbitmq/.rabbitmqadmin.conf &&
+                  chmod 600 /var/lib/rabbitmq/.rabbitmqadmin.conf;
+                  cp -r /etc/rabbitmq/. /etc/rabbitmq2
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                    drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                runAsUser: 1000
+              volumeMounts:
+              - name: rabbitmq-config
+                mountPath: /etc/rabbitmq2
+            - name: ldap-configure
+              image: bhgedigital/envsubst:v1.0-alpine3.6
+              command:
+                - sh
+                - '-c'
+                - |
+                  echo '
+                    [
+                      {rabbitmq_auth_backend_ldap, [
+                        {dn_lookup_attribute, "sAMAccountName"},
+                        {dn_lookup_base,      "OU=people,DC=ad,DC=XXXX,DC=com"},
+                        {dn_lookup_bind,      {"${LDAP_USER_BIND_DN}", "${LDAP_USER_BIND_PASSWORD}"}},
+                        {tag_queries,         [{administrator, {in_group, "CN=XXXX,OU=groups,DC=ad,DC=XXXX,DC=com", "member"}},
+                                               {management,    {constant, true}}]}
+                       ]}
+                    ].' | envsubst > /etc/rabbitmq/advanced.config
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                    drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                runAsUser: 1000
+              volumeMounts:
+              - name: rabbitmq-config
+                mountPath: /etc/rabbitmq
+              env:
+              - name: LDAP_USER_BIND_DN
+                valueFrom:
+                  secretKeyRef:
+                    name: rabbitmq-ldap
+                    key: user_bind_dn
+              - name: LDAP_USER_BIND_PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: rabbitmq-ldap
+                    key: user_bind_password
+            containers:
+            - name: rabbitmq
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                    drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                runAsUser: 1000
+              volumeMounts:
+              - name: rabbitmq-log
+                mountPath: /var/log/rabbitmq
+              - name: rabbitmq-config
+                mountPath: /etc/rabbitmq
diff --git a/charts/rabbitmq/values.yaml b/charts/rabbitmq/values.yaml
@@ -63,7 +63,7 @@ persistence:
 rabbitmq:
   additionalConfig: ""
   advancedConfig: ""
-  additionalPlugins: {}
+  additionalPlugins: []
 
   vhosts:
   - test