From 0c7107077915a965fd75c39782d86ea03c7088bb Mon Sep 17 00:00:00 2001 From: "t.decaux" Date: Wed, 15 Sep 2021 18:05:18 +0200 Subject: [PATCH] [rabbitmq] add LDAP example --- charts/rabbitmq/Chart.yaml | 2 +- charts/rabbitmq/dev/.gitignore | 3 + charts/rabbitmq/dev/Dockerfile | 7 + charts/rabbitmq/dev/docker-compose.yaml | 14 ++ .../rabbitmq+ldap/rabbitmq-ldap-secret.yaml | 8 + .../examples/rabbitmq+ldap/values.yaml | 146 ++++++++++++++++++ charts/rabbitmq/values.yaml | 2 +- 7 files changed, 180 insertions(+), 2 deletions(-) create mode 100644 charts/rabbitmq/dev/.gitignore create mode 100644 charts/rabbitmq/dev/Dockerfile create mode 100644 charts/rabbitmq/dev/docker-compose.yaml create mode 100644 charts/rabbitmq/examples/rabbitmq+ldap/rabbitmq-ldap-secret.yaml create mode 100644 charts/rabbitmq/examples/rabbitmq+ldap/values.yaml diff --git a/charts/rabbitmq/Chart.yaml b/charts/rabbitmq/Chart.yaml index 228c7a1..09c9b23 100644 --- a/charts/rabbitmq/Chart.yaml +++ b/charts/rabbitmq/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.1.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/rabbitmq/dev/.gitignore b/charts/rabbitmq/dev/.gitignore new file mode 100644 index 0000000..c4fc548 --- /dev/null +++ b/charts/rabbitmq/dev/.gitignore @@ -0,0 +1,3 @@ +ca.crt +rabbitmq.conf +advanced.config diff --git a/charts/rabbitmq/dev/Dockerfile b/charts/rabbitmq/dev/Dockerfile new file mode 100644 index 0000000..a26bd49 --- /dev/null +++ b/charts/rabbitmq/dev/Dockerfile 
@@ -0,0 +1,7 @@ +FROM rabbitmq:3.9.5-management + +RUN apt-get update -y && \ + apt-get install -y erlang-eldap + +RUN rabbitmq-plugins enable rabbitmq_auth_backend_ldap && \ + rabbitmq-plugins enable rabbitmq_trust_store diff --git a/charts/rabbitmq/dev/docker-compose.yaml b/charts/rabbitmq/dev/docker-compose.yaml new file mode 100644 index 0000000..8d667fe --- /dev/null +++ b/charts/rabbitmq/dev/docker-compose.yaml @@ -0,0 +1,14 @@ +version: "2" + +services: + + rabbitmq: + build: . + read_only: true + volumes: + - ./advanced.config:/etc/rabbitmq/advanced.config:ro + - ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf:ro + - ./ca.crt:/etc/rabbitmq/ca.crt:ro + - /var/log/rabbitmq + ports: + - 15672:15672 diff --git a/charts/rabbitmq/examples/rabbitmq+ldap/rabbitmq-ldap-secret.yaml b/charts/rabbitmq/examples/rabbitmq+ldap/rabbitmq-ldap-secret.yaml new file mode 100644 index 0000000..49bbe27 --- /dev/null +++ b/charts/rabbitmq/examples/rabbitmq+ldap/rabbitmq-ldap-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: rabbitmq-ldap +type: Opaque +stringData: + user_bind_dn: "CN=XXXXXXXXX,OU=serviceAccounts,DC=ad,DC=XXXX,DC=com" + user_bind_password: guest diff --git a/charts/rabbitmq/examples/rabbitmq+ldap/values.yaml b/charts/rabbitmq/examples/rabbitmq+ldap/values.yaml new file mode 100644 index 0000000..86d166f --- /dev/null +++ b/charts/rabbitmq/examples/rabbitmq+ldap/values.yaml 
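Review bot: The `RUN apt-get update -y && apt-get install -y erlang-eldap` layer leaves the apt package index baked into the dev image; the conventional Debian form is `apt-get install -y --no-install-recommends erlang-eldap && rm -rf /var/lib/apt/lists/*` in the same RUN, which keeps the image smaller and avoids a stale index being reused by any later `apt-get install` layer. Pinning the base to `rabbitmq:3.9.5-management` is good; a digest pin (`rabbitmq:3.9.5-management@sha256:<digest>`) would make the dev build fully reproducible, since a tag can be re-pushed.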
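Review bot: `ports: - 15672:15672` publishes the management UI on every host interface of the developer's machine, and nothing in this compose file changes the image's default credentials; for a dev-only file, binding it to loopback, `- "127.0.0.1:15672:15672"`, keeps it off the LAN, and quoting the mapping follows the Compose convention (YAML 1.1 parsers can read some `a:b` values as sexagesimal integers). `read_only: true` relies on the base image declaring a writable volume for `/var/lib/rabbitmq`, which this file does not show; if the broker fails to start with a read-only filesystem error, an anonymous volume entry for that path, like the existing `- /var/log/rabbitmq` line, is the fix.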
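Review bot: `user_bind_password: guest` in the example Secret reads like a real value while the sibling `user_bind_dn` uses an `XXXXXXXXX` placeholder; make the password an obvious placeholder as well, `user_bind_password: "XXXXXXXXX"`, so a copy-paste of the example cannot be applied with a well-known default. A comment above `stringData:` such as `# example only — create the real Secret out of band (kubectl create secret, sealed/external secrets), do not commit it` would tell readers how the secret is meant to reach the cluster, since the values.yaml example references it by name via `secretKeyRef`.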
@@ -0,0 +1,146 @@ +replicaCount: 3 + +image: + repository: rabbitmq + pullPolicy: IfNotPresent + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + +resources: + requests: + cpu: 50m + memory: 512Mi + limits: + cpu: 50m + memory: 512Mi + +persistence: + enabled: false + storageClassName: fast + storage: 20Gi + +rabbitmq: + additionalConfig: | + # try LDAP first + auth_backends.1 = ldap + # fall back to the internal database + auth_backends.2 = internal + + auth_ldap.servers.1 = XXXXXXX + auth_ldap.port = 636 + auth_ldap.use_ssl = true + auth_ldap.timeout = 5000 + auth_ldap.log = network_unsafe + auth_ldap.ssl_options.verify = verify_none + + additionalPlugins: + - rabbitmq_auth_backend_ldap + +cluster: + annotations: {} + extraSpec: {} + + override: + statefulSet: + spec: + template: + metadata: + labels: + XXX.com/fw.kubernetes: allow + XXX.com/fw.ldap: allow + spec: + securityContext: + fsGroup: 1000 + runAsUser: 1000 + volumes: + - name: rabbitmq-config + emptyDir: {} + - name: rabbitmq-log + emptyDir: {} + initContainers: + - name: setup-container + command: + - sh + - '-c' + - >- + cp /tmp/erlang-cookie-secret/.erlang.cookie + /var/lib/rabbitmq/.erlang.cookie && chmod 600 + /var/lib/rabbitmq/.erlang.cookie ; cp + /tmp/rabbitmq-plugins/enabled_plugins /operator/enabled_plugins ; echo + '[default]' > /var/lib/rabbitmq/.rabbitmqadmin.conf && sed -e + 's/default_user/username/' -e 's/default_pass/password/' + /tmp/default_user.conf >> /var/lib/rabbitmq/.rabbitmqadmin.conf && + chmod 600 /var/lib/rabbitmq/.rabbitmqadmin.conf; + cp -r /etc/rabbitmq/. 
/etc/rabbitmq2 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - name: rabbitmq-config + mountPath: /etc/rabbitmq2 + - name: ldap-configure + image: bhgedigital/envsubst:v1.0-alpine3.6 + command: + - sh + - '-c' + - | + echo ' + [ + {rabbitmq_auth_backend_ldap, [ + {dn_lookup_attribute, "sAMAccountName"}, + {dn_lookup_base, "OU=people,DC=ad,DC=XXXX,DC=com"}, + {dn_lookup_bind, {"${LDAP_USER_BIND_DN}", "${LDAP_USER_BIND_PASSWORD}"}}, + {tag_queries, [{administrator, {in_group, "CN=XXXX,OU=groups,DC=ad,DC=XXXX,DC=com", "member"}}, + {management, {constant, true}}]} + ]} + ].' | envsubst > /etc/rabbitmq/advanced.config + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - name: rabbitmq-config + mountPath: /etc/rabbitmq + env: + - name: LDAP_USER_BIND_DN + valueFrom: + secretKeyRef: + name: rabbitmq-ldap + key: user_bind_dn + - name: LDAP_USER_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: rabbitmq-ldap + key: user_bind_password + containers: + - name: rabbitmq + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - name: rabbitmq-log + mountPath: /var/log/rabbitmq + - name: rabbitmq-config + mountPath: /etc/rabbitmq diff --git a/charts/rabbitmq/values.yaml b/charts/rabbitmq/values.yaml index 3e3a4db..a494861 100644 --- a/charts/rabbitmq/values.yaml +++ b/charts/rabbitmq/values.yaml @@ -63,7 +63,7 @@ persistence: rabbitmq: additionalConfig: "" advancedConfig: "" - additionalPlugins: {} + additionalPlugins: [] vhosts: - test
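Review bot: In `additionalConfig`, `auth_ldap.use_ssl = true` is combined with `auth_ldap.ssl_options.verify = verify_none`, so the LDAPS connection accepts any server certificate and the bind DN/password from the `rabbitmq-ldap` Secret are sent to whoever answers on port 636; alongside it, `auth_ldap.log = network_unsafe` writes the LDAP exchange to the broker log without redacting the bind credentials. For an example that others will copy, the safer default is `auth_ldap.ssl_options.verify = verify_peer`, `auth_ldap.ssl_options.cacertfile = <path-to-ca-bundle>` (the dev compose file in this patch already mounts a `ca.crt`, but this values.yaml example has no equivalent mount yet) and `auth_ldap.log = network`, with a comment that `network_unsafe` is for short-lived troubleshooting only. The `ldap-configure` init container pulls `bhgedigital/envsubst:v1.0-alpine3.6` by mutable tag and runs with both secret values in its environment; pinning it by digest (`@sha256:<digest>`) would keep a re-pushed tag from changing what handles the credentials. Finally, `{management, {constant, true}}` in `tag_queries` grants the management tag to every LDAP-authenticated user — presumably intended, but worth a comment so copiers do not inherit it unknowingly.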