From 99f1bdcd2735a385bc4a8a2769bb5f2a523b22dd Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Mon, 17 Jun 2024 14:54:14 +0200 Subject: [PATCH 01/19] Generate rabbitmq certificates --- .../rabbitmq-config/certificates/ca-key.pem | 28 +++++++++++++++++++ .../rabbitmq-config/certificates/ca.pem | 19 +++++++++++++ .../rabbitmq-config/certificates/cert.pem | 19 +++++++++++++ .../rabbitmq-config/certificates/key.pem | 28 +++++++++++++++++++ hack/bin/gen-certs.sh | 6 ++++ 5 files changed, 100 insertions(+) create mode 100644 deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem create mode 100644 deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem create mode 100644 deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem create mode 100644 deploy/dockerephemeral/rabbitmq-config/certificates/key.pem diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem new file mode 100644 index 00000000000..ae4cd7bffd0 --- /dev/null +++ b/deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDaRhd33jqotsw2 +TM91YeHu5w2WIqcyV9ezMU2tGBBwVhdhwmW+pTcSzsr1sFzvNLLmGCkA/xg/Rvik +DedL/nmJQTJKexn9UJrXwwWiC01k6T6TnuCDX7k0f4RD6BCqV8iYoY1TQ7RiHFNl +Dsk4K9tWfSh45EgqQnbx9dmWUu10WAfe9tCH/3MZV1P8RFHw5ZgtavOc8N8Jjko+ +o3hqfe/LhsrmF3SjMsgmvBqgZcHTwZvvfvI/78Sovs6SQTbtdrWB+PyMviSnP1M5 +igmdWTd7G83AczNGkZ2XGLbeDnf9mD3FABJh6upR1YC/CAGT3UGUlxbkzMuFxJxM +hyFifSC5AgMBAAECggEABYwJdaTipb37g5fBH/EMXldl235m9FsSIr4qhK8bX9d4 +QaZAkq89Lo+tzb+dJQEYWMudYyaYdac2k2i9C4vch9Xt0sG9H9hoDvqoTn1uCpX4 +3qSHfR82JDTnZhhkMAgKE4LrhgWu9F1W6zcMew52RQTqPeRDRzuoLS77yBu0aCP2 +jdNc+IwKqBPW6r6DKpu7iOFJTh+vAqJKsHfjkdXHLb0uTGdNSG854Vsbh1rSFMML +MTEE7LNOmlICAWokt1PQEfuAv1Gisgm3/J1TUwT+kOgLCiud0J6sqfYydLPcVXly +eE0YOuURTMIwRcXF/2/BbvGW42ZNi9KNl7K+QzWv1wKBgQD0Oayw9Xp46tnjThSt +NC2VefkI1LJSPoYNq6mLJUlCBV0Jp+7jAa3EzUdaPoTg6YnG4RjKhQKzoYGOACV3 +ax1VOrxX0DrJ2kZ8AbldVb6RIpY9vTRkuevsoPa+I0craF1TJAlhO3J7bI7/X6hR +l8YHONy0rE6yLjETADdVaE4tawKBgQDkzB0KmuUDYsBNxqLwHLmGkJS0E3xljIDs +mzAGrKylPZ2RWZRxZJK4tjhwYiHUc7C693bQi1FkFnB2sA74Yq5QtVttMs8hXT1j +9oSsiLoljddrjRjX46W5eKbdTudrHoZRkx66X9WgfjdcQhXdwd+bFiv/2XjN7eMX +0sEV10yvawKBgEYOETJFiBcNTuj76cRxNi4tabkVwf0DgFKFjkGitWvhu/lcGZM2 +VREhzTjevCED/Ih24zSciNTcHByOgDDMIgLjsUkDKwnhudwyZmiWgu6A3FXjYxcN +mdYrqfuKhQy3iCWkLaidc85hqncoilC1V5GUxwJwdrZ3t436vuSZ4er3AoGBANCp +Gj9Gvl+VGx6TbpwfBlAj4YpNTyDpv9aJPYaIyjc091PM56V2fJz6ioRr6sBv9hi9 +gV12AXePQ2fq7uw2SxWOIGB5ew/JkihtddhIJcQEFRegKa0Sj1yUHVIuGL3Hq+YP +j3GX3yMsmN6J4plIq94rnVsLgbIFJxvd+Hwry2MbAoGAWQnycqCQ7C/9JXU/CuNk +iVz329x4XAL/dZM+UUV+SjtlVUng27zH3N3kijcFMiSW70e4p/Sg8oza2aA3eoMO +HEpyQD4D+Lg9a/7hBy3OxMnlEsW03S1BxnB78jjJF9JLD1lWU1uCVbdNRdyUl8eJ +cB8kJ9chhQSvXZcXZ1c9jbg= +-----END PRIVATE KEY----- diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem new file mode 100644 index 00000000000..937cd548c89 --- /dev/null 
+++ b/deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIUZZTlVQ+gsAjvazhlHwTb+1FEXIEwDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXcmFiYml0bXEuY2EuZXhhbXBsZS5jb20wHhcNMjQwNjE3 +MTIzNzI4WhcNMzQwNjE1MTIzNzI4WjAiMSAwHgYDVQQDDBdyYWJiaXRtcS5jYS5l +eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANpGF3fe +Oqi2zDZMz3Vh4e7nDZYipzJX17MxTa0YEHBWF2HCZb6lNxLOyvWwXO80suYYKQD/ +GD9G+KQN50v+eYlBMkp7Gf1QmtfDBaILTWTpPpOe4INfuTR/hEPoEKpXyJihjVND +tGIcU2UOyTgr21Z9KHjkSCpCdvH12ZZS7XRYB9720If/cxlXU/xEUfDlmC1q85zw +3wmOSj6jeGp978uGyuYXdKMyyCa8GqBlwdPBm+9+8j/vxKi+zpJBNu12tYH4/Iy+ +JKc/UzmKCZ1ZN3sbzcBzM0aRnZcYtt4Od/2YPcUAEmHq6lHVgL8IAZPdQZSXFuTM +y4XEnEyHIWJ9ILkCAwEAAaNTMFEwHQYDVR0OBBYEFEv2M4tLrc+gHVRs0ZeSdD8S +12lDMB8GA1UdIwQYMBaAFEv2M4tLrc+gHVRs0ZeSdD8S12lDMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJ3HMrNy5J1JMsj0J2Z9lyIunBwwCXnK +vmP/Sna5LuE6KgclaBJrtissQUKe/vFj5pZ3sGHpX+kzV8ncOE6kcXdY6Ts0RAfw +VZMP48GJhahmZbntNdlpzEvkisqNKJOrbTz9a6MNzdtZXDRhMd2/FcymqgGuVxPf +nv0dMwqRSY/bShfmGUQWFvJHUQwYsShH8h7yju68e4YpoHBagNO5uzm4mW4Md5yt +GZFMJ15UtCI1O/1LyZwCqeGNhrFCi8kejEUkj8kHitWo2+IaVUkU5FkAjNpK+S6L +/pBMvfrhKCAvfblwaD6zhSIcSeIzW/iDo3w2GcxJJDWLZhrXTgto1Gs= +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem new file mode 100644 index 00000000000..9a842b2a154 --- /dev/null +++ b/deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKzCCAhOgAwIBAgIBADANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDDBdyYWJi +aXRtcS5jYS5leGFtcGxlLmNvbTAeFw0yNDA2MTcxMjM3MjhaFw0yNDA3MTcxMjM3 +MjhaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKom+D/QCoLNyFv5N0NddQuCnOLWf76YYocY5fnaPo3L2R/BoPBI +TG035Eam4ydFbqY5SB++n4I/jNMFc2IW+WHc1QGu70+RTS2T5noYoXrVCilhOs5q +1tzNHP+J2AB/uF5/y2sCDBWBrIiGDRckGZi57yokWmpLFzlDdYFEOs9VXeovXv2v +WfHYYefdDG7dQUM3982970mQ8tXfvXfOi2ucaVcQsPlxqHIieE2O8mjV7l4CQNP3 +IVWu4U3gNSTZ9i6gLvuXbFjc29IzB54eK2cdaWQTB3eeorNlG3CBlK2uancbu561 +k/qtrg2P9PQNnjWO8L9HaDrRpE/ZJC2lRdsCAwEAAaN6MHgwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMBcGA1UdEQEB/wQNMAuCCWxvY2FsaG9zdDAdBgNV +HQ4EFgQUy64e8Fn1HfPDw+UM/J86ViiypeQwHwYDVR0jBBgwFoAUS/Yzi0utz6Ad +VGzRl5J0PxLXaUMwDQYJKoZIhvcNAQELBQADggEBAF/bNcLahB+BhvqOwJlaTdXu +NGYyeMAiYePdlltcBcRmejEOjcufs3HvpbY6lmpxrUvVZM8U8sCRe8H9jgXZLi5k +SNnYXdOmAnOCfRztAS6vrw286XRYjWV2UNcnfEGg9JgcobbaYMj+iuzSBIpd/DgB +rYgqprdbP7R1ce49o1yc28hifYpR/lLEcBFQFwzGoIIK2kWCvw9S8DbJeh6hx/KP +ESHgtm9/+2nsnhGDoh/qiH88xCkwNtUp+Qqny10Lk2PYnvBSo+TSTalpKePzysBu +dZow3wqrtAz50nNBIyco0tA47nadLGWckkVIS8adWS3b6YUJj05Lnal7FYb8SPY= +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/key.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/key.pem new file mode 100644 index 00000000000..6ad76fc3cf8 --- /dev/null +++ b/deploy/dockerephemeral/rabbitmq-config/certificates/key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCqJvg/0AqCzchb ++TdDXXULgpzi1n++mGKHGOX52j6Ny9kfwaDwSExtN+RGpuMnRW6mOUgfvp+CP4zT +BXNiFvlh3NUBru9PkU0tk+Z6GKF61QopYTrOatbczRz/idgAf7hef8trAgwVgayI +hg0XJBmYue8qJFpqSxc5Q3WBRDrPVV3qL179r1nx2GHn3Qxu3UFDN/fNve9JkPLV +3713zotrnGlXELD5cahyInhNjvJo1e5eAkDT9yFVruFN4DUk2fYuoC77l2xY3NvS +MweeHitnHWlkEwd3nqKzZRtwgZStrmp3G7uetZP6ra4Nj/T0DZ41jvC/R2g60aRP +2SQtpUXbAgMBAAECggEAPvGznEel28WsfPmwi+ciyWNEDlYzY5qTuE5ppQgrY+Ep +LSpAEyNrwmuOsuRB2+E/kZZXLAckktZXjijSClNdZep/kePY+6JQ3q9772b1Na9h +1vT1AC9d1Mi8FXw0v9p/pdW4tplHRx11afvNE+Zy4aDG7NwN5oxoxvJBodRPvSrI +FzTxlCO49r9e76xSmOA7UovN14rL7810AaAVrfA+P5EVKF5WAoZ9mHnpXhIFumJ1 +8X96Wn6vErOF1qVYQjQQf6BYng9mPRxmbXq1bV1SgwAcOjTHWuwohVCZEN0MFXY9 +BIIBv/v7n+0nfzHHnRWvKPcNIje9YtgTyYXZ23x+wQKBgQDnjbYN08XM7YY1rm57 +kPEuTHimO8Gudc5USrwrEIzuCGaNCoHPVOZcwjFzd9KG9HruxXJD8jaOPOBNn3Yk +AgLnpGSJ25LCeK76+D3GHVupoYvgZOY6NGwRgssW+B9bCc0S/pemREWYztwmLvjR +Yt2ZhMRo9Gq24z7qpitFlsLP+QKBgQC8Hb2bPIZzWlAAOSThUPJStnixn+q68yuJ +5jOWT184nIiNriGsSbqO0Cx4L16yiReKxKSktjymriw2D4bB8i3pCVuzVWfrAApc +ljKNvY1qfuC892SJ2uBr68kLbIjyXAKZNIY2sx4LhJfMarhZmb9+5bDpmbseSXNQ +r7OpnBjhcwKBgQDEwHZMQ4EUg1OB86ivWFaHF7WA0s/dNP7QQvymvxZxADRbbe0l +RifD88JfMhZyU/TNRHq2X26Z6AJUEsYpDIh5WgeP2EJY+oD8gcjDuZh0h+86CaJT +HM4jBvcYmlbSXX6iwDANuH9Gu6b2zvzftllDpDvcTqsKogeJDQ9BvzvjyQKBgCq/ +o2/ckD00f8udMMlXKMotFz5eNexoCDPdMUnuHZhy0gFIWfSaCKAdpI1nTmDKEKSD +TVr04tGJ8RgT7S6zx0UW0FTvip73smMZ6sEVG0bhMFcg7SL6r1c3DMfg0ToqOJjy +O7HAgIpjhk94zQ3nh4Hh1pMvUTtvu5nRY8WeaHULAn9WqEyo04D07bWMd07XcfPD +cOesfEHWwaTXBWCJsMriUI1HDIHiZ1l7zkjhzyV7EUgNJPuvbO2Ya3cJNG4j/455 +9p9SnHwZbfS2hBViRhIaFLCrpfCRxwVAekHB6Fk+r2/JFqeijlZLNcY0wr5pu2zp +qNekJu0SmEpsMULD1Uxt +-----END PRIVATE KEY----- diff --git a/hack/bin/gen-certs.sh b/hack/bin/gen-certs.sh index 65d278fcaa8..1fd3e5750f3 100755 --- a/hack/bin/gen-certs.sh +++ b/hack/bin/gen-certs.sh 
@@ -78,3 +78,9 @@ for redis_node in $(seq 1 6); do "redis-node-${redis_node}-cert" \ "redis-node-${redis_node}-key" done + +# rabbitmq +RABBITMQ="$ROOT_DIR/deploy/dockerephemeral/rabbitmq-config/certificates" +gen_ca "$RABBITMQ" rabbitmq.ca.example.com +gen_cert "$RABBITMQ" "DNS:localhost" localhost +chmod a+r "$RABBITMQ/key.pem" From 5fb64367c659fdf484f21b3951c3c10836bc8be5 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Thu, 13 Jun 2024 14:17:58 +0200 Subject: [PATCH 02/19] Configure TLS for rabbitmq in dockerephemeral --- deploy/dockerephemeral/docker-compose.yaml | 6 ++++-- .../rabbitmq-config/enabled_plugins | 1 + .../dockerephemeral/rabbitmq-config/rabbitmq.conf | 15 +++++++++++++++ 3 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 deploy/dockerephemeral/rabbitmq-config/enabled_plugins create mode 100644 deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index 38db77dd5a0..a007be03eee 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml @@ -264,11 +264,13 @@ services: container_name: rabbitmq image: rabbitmq:3.11-management-alpine environment: - - RABBITMQ_DEFAULT_USER=${RABBITMQ_USERNAME} - - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD} + - RABBITMQ_USERNAME + - RABBITMQ_PASSWORD ports: - '127.0.0.1:5672:5672' - '127.0.0.1:15672:15672' + volumes: + - ./rabbitmq-config:/etc/rabbitmq/ networks: - demo_wire diff --git a/deploy/dockerephemeral/rabbitmq-config/enabled_plugins b/deploy/dockerephemeral/rabbitmq-config/enabled_plugins new file mode 100644 index 00000000000..cc972a47a45 --- /dev/null +++ b/deploy/dockerephemeral/rabbitmq-config/enabled_plugins @@ -0,0 +1 @@ +[rabbitmq_management,rabbitmq_prometheus]. diff --git a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf new file mode 100644 index 00000000000..042d323391f 
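Review bot: `chmod a+r "$RABBITMQ/key.pem"` makes the server's private key world-readable, and the generated material is written into a directory that the `create mode 100644 …/ca-key.pem` and `…/key.pem` entries of this patch show being committed, including the CA signing key, which nothing at runtime needs. For the dockerephemeral test environment this may be acceptable, but nothing marks it as such; add a comment above the block, e.g. `# Test-only CA and server key for dockerephemeral; key.pem is made world-readable (presumably so the broker container can load it). Never reuse outside local testing.`, and consider leaving `ca-key.pem` out of the committed set since `gen_ca` can regenerate it. Also note the server certificate is issued for `DNS:localhost` only, so a client that reaches the broker under any other name (for example the compose service name) will fail hostname verification unless the SAN list is extended. The bodies of `gen_ca`/`gen_cert` are outside the hunk, so I am assuming `gen_cert` writes `key.pem`.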
--- /dev/null
+++ b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf
@@ -0,0 +1,15 @@
+default_user = $(RABBITMQ_USERNAME)
+default_pass = $(RABBITMQ_PASSWORD)
+
+log.console = true
+log.console.level = info
+
+loopback_users.guest = false
+
+listeners.ssl.default = 5671
+
+ssl_options.cacertfile = /etc/rabbitmq/certificates/ca.pem
+ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem
+ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem
+ssl_options.verify = verify_peer
+ssl_options.fail_if_no_peer_cert = true
From 3353c12f3c05c6d24a029f8b8106bc9c20953d5f Mon Sep 17 00:00:00 2001
From: Paolo Capriotti
Date: Fri, 14 Jun 2024 10:25:39 +0200
Subject: [PATCH 03/19] Implement rabbit tls connection
---
 deploy/dockerephemeral/docker-compose.yaml | 1 + .../rabbitmq-config/rabbitmq.conf | 7 ++- integration/test/Testlib/ResourcePool.hs | 4 +- libs/extended/extended.cabal | 4 ++ libs/extended/src/Network/AMQP/Extended.hs | 58 +++++++++++++++++-- services/brig/brig.integration.yaml | 6 +- services/brig/test/resources/rabbitmq-ca.pem | 1 + 7 files changed, 71 insertions(+), 10 deletions(-) create mode 120000 services/brig/test/resources/rabbitmq-ca.pem
diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml
index a007be03eee..2135ee845c7 100644
--- a/deploy/dockerephemeral/docker-compose.yaml
+++ b/deploy/dockerephemeral/docker-compose.yaml
@@ -267,6 +267,7 @@ services:
 - RABBITMQ_USERNAME
 - RABBITMQ_PASSWORD
 ports:
+ - '127.0.0.1:5671:5671'
 - '127.0.0.1:5672:5672'
 - '127.0.0.1:15672:15672'
 volumes:
diff --git a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf
index 042d323391f..edb5b355ef2 100644
--- a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf
+++ b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf
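Review bot: `loopback_users.guest = false` lifts the loopback-only restriction from the built-in `guest` account, which is the opposite of what a TLS hardening change normally wants; since `default_user`/`default_pass` are taken from the environment here, `guest` is presumably not created at all and the line is either dead or a latent risk if those variables are ever unset. Either drop it or justify it in place, e.g. `# guest is replaced by default_user above; keep the loopback restriction in place`. Separately, `listeners.ssl.default = 5671` adds a TLS listener but does not disable the default plaintext one, so 5672 stays active alongside it; if the intent is TLS-only, also set `listeners.tcp = none`, otherwise a comment should say that plaintext is deliberately kept for the dev environment.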
@@ -2,7 +2,7 @@ default_user = $(RABBITMQ_USERNAME) default_pass = $(RABBITMQ_PASSWORD) log.console = true -log.console.level = info +log.console.level = debug loopback_users.guest = false @@ -11,5 +11,6 @@ listeners.ssl.default = 5671 ssl_options.cacertfile = /etc/rabbitmq/certificates/ca.pem ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem -ssl_options.verify = verify_peer -ssl_options.fail_if_no_peer_cert = true + +# ssl_options.verify = verify_peer +# ssl_options.fail_if_no_peer_cert = true diff --git a/integration/test/Testlib/ResourcePool.hs b/integration/test/Testlib/ResourcePool.hs index 560967c06d0..a663c29b0dd 100644 --- a/integration/test/Testlib/ResourcePool.hs +++ b/integration/test/Testlib/ResourcePool.hs @@ -84,7 +84,9 @@ deleteAllRabbitMQQueues rc resource = do { host = rc.host, port = 0, adminPort = fromIntegral rc.adminPort, - vHost = T.pack resource.berVHost + vHost = T.pack resource.berVHost, + caCert = Nothing, + insecureSkipVerifyTls = True } client <- mkRabbitMqAdminClientEnv opts queues <- listQueuesByVHost client (T.pack resource.berVHost) diff --git a/libs/extended/extended.cabal b/libs/extended/extended.cabal index 087fb75843a..13d4347578b 100644 --- a/libs/extended/extended.cabal +++ b/libs/extended/extended.cabal @@ -85,6 +85,9 @@ library , bytestring , cassandra-util , containers + , crypton-connection + , crypton-x509-store + , data-default , errors , exceptions , extra @@ -104,6 +107,7 @@ library , text , time , tinylog + , tls , unliftio , wai diff --git a/libs/extended/src/Network/AMQP/Extended.hs b/libs/extended/src/Network/AMQP/Extended.hs index 502cdb95a77..a461f01d2b1 100644 --- a/libs/extended/src/Network/AMQP/Extended.hs +++ b/libs/extended/src/Network/AMQP/Extended.hs 
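Review bot: `log.console.level = debug` reads like a leftover from debugging the handshake; broker debug output is very verbose and includes connection-level detail, so either restore `info` or justify it in place, e.g. `# debug: dockerephemeral only, surfaces TLS handshake failures`. Commenting out `ssl_options.verify`/`ssl_options.fail_if_no_peer_cert` is the right call given that no client in this series presents a certificate, but a bare comment-out leaves the reader guessing whether it is temporary; replace the two commented lines with `# clients authenticate with username/password over TLS; client certificates are not used` so the intent survives the next edit.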
@@ -7,13 +7,18 @@ import Control.Monad.Catch import Control.Monad.Trans.Control import Control.Retry import Data.Aeson +import Data.Default import Data.Proxy import Data.Text qualified as Text import Data.Text.Encoding qualified as Text +import Data.X509.CertificateStore qualified as X509 import Imports import Network.AMQP qualified as Q +import Network.Connection as Conn import Network.HTTP.Client qualified as HTTP import Network.RabbitMqAdmin +import Network.TLS +import Network.TLS.Extra.Cipher import Servant import Servant.Client import Servant.Client qualified as Servant @@ -37,11 +42,21 @@ data RabbitMqAdminOpts = RabbitMqAdminOpts { host :: !String, port :: !Int, vHost :: !Text, + caCert :: !(Maybe FilePath), + insecureSkipVerifyTls :: Bool, adminPort :: !Int } deriving (Show, Generic) -instance FromJSON RabbitMqAdminOpts +instance FromJSON RabbitMqAdminOpts where + parseJSON = withObject "RabbitMqAdminOpts" $ \v -> + RabbitMqAdminOpts + <$> v .: "host" + <*> v .: "port" + <*> v .: "vHost" + <*> v .:? "caCert" + <*> v .:? "insecureSkipVerifyTls" .!= False + <*> v .: "adminPort" mkRabbitMqAdminClientEnv :: RabbitMqAdminOpts -> IO (AdminAPI (AsClientT IO)) mkRabbitMqAdminClientEnv opts = do @@ -60,11 +75,20 @@ mkRabbitMqAdminClientEnv opts = do data RabbitMqOpts = RabbitMqOpts { host :: !String, port :: !Int, - vHost :: !Text + vHost :: !Text, + caCert :: !(Maybe FilePath), + insecureSkipVerifyTls :: Bool } deriving (Show, Generic) -instance FromJSON RabbitMqOpts +instance FromJSON RabbitMqOpts where + parseJSON = withObject "RabbitMqAdminOpts" $ \v -> + RabbitMqOpts + <$> v .: "host" + <*> v .: "port" + <*> v .: "vHost" + <*> v .:? "caCert" + <*> v .:? "insecureSkipVerifyTls" .!= False demoteOpts :: RabbitMqAdminOpts -> RabbitMqOpts demoteOpts RabbitMqAdminOpts {..} = RabbitMqOpts {..} 
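Review bot: the new `FromJSON RabbitMqOpts` instance in the `@@ -60,11 +75,20 @@` hunk uses `withObject "RabbitMqAdminOpts"`, so a malformed `rabbitmq:` section is reported under the wrong type name; change it to `withObject "RabbitMqOpts"`. The same copy-paste survives as a context line when this instance is refactored again later in the series (patch 04). Also `insecureSkipVerifyTls :: Bool` is the only lazy field in both records; for consistency with its siblings write `insecureSkipVerifyTls :: !Bool`. At this point in the series the flag is parsed but not read anywhere in the visible code, so `insecureSkipVerifyTls: true` in a config has no effect yet, which deserves at least a `-- not yet honoured` comment on the field until it is wired up.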
@@ -123,7 +147,15 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do ) ( const $ do Log.info l $ Log.msg (Log.val "Trying to connect to RabbitMQ") - liftIO $ Q.openConnection' host (fromIntegral port) vHost username password + mTlsSettings <- traverse (liftIO . mkTLSSettings) caCert + liftIO $ + Q.openConnection'' $ + Q.defaultConnectionOpts + { Q.coServers = [(host, fromIntegral port)], + Q.coVHost = vHost, + Q.coAuth = [Q.plain username password], + Q.coTLSSettings = fmap Q.TLSCustom mTlsSettings + } ) bracket getConn (liftIO . Q.closeConnection) $ \conn -> do liftBaseWith $ \runInIO -> @@ -133,6 +165,24 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do connectWithRetries username password openChan conn + mkTLSSettings :: FilePath -> IO TLSSettings + mkTLSSettings path = do + -- TODO: throw better exception here + caStore <- fromJust <$> X509.readCertificateStore path + pure $ + TLSSettings + (defaultParamsClient host "rabbitmq") + { clientShared = + def + { sharedCAStore = caStore + }, + clientSupported = + def + { supportedVersions = [TLS13, TLS12], + supportedCiphers = ciphersuite_strong + } + } + openChan :: Q.Connection -> m () openChan conn = do Log.info l $ Log.msg (Log.val "Opening channel with RabbitMQ") diff --git a/services/brig/brig.integration.yaml b/services/brig/brig.integration.yaml index 1723ec9f1e5..e39f05bd5f7 100644 --- a/services/brig/brig.integration.yaml +++ b/services/brig/brig.integration.yaml @@ -20,9 +20,11 @@ elasticsearch: additionalInsecureSkipVerifyTls: false rabbitmq: - host: 127.0.0.1 - port: 5672 + host: localhost + port: 5671 vHost: / + caCert: test/resources/rabbitmq-ca.pem + insecureSkipVerifyTls: false cargohold: host: 127.0.0.1 diff --git a/services/brig/test/resources/rabbitmq-ca.pem b/services/brig/test/resources/rabbitmq-ca.pem new file mode 120000 index 00000000000..ca91c2c31bd --- /dev/null +++ b/services/brig/test/resources/rabbitmq-ca.pem 
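Review bot: in `brig.integration.yaml`, `host: localhost` replaces `127.0.0.1` without saying why, and the reason is security-relevant: as far as the visible `defaultParamsClient host "rabbitmq"` call shows, the TLS client validates the server certificate against the configured host name, and the dev certificate in this series is issued for `DNS:localhost`, so an IP literal here would fail hostname verification. Add a comment above the key, e.g. `# must be a name covered by the server certificate's SAN (dev cert: DNS:localhost); an IP literal fails hostname verification`. A similar remark belongs next to `caCert`: it is the only trust anchor the client consults (`sharedCAStore` is set from that file and the system CA store is not loaded), so a wrong path cannot be rescued by system trust.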
@@ -0,0 +1 @@ +../../../../deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem \ No newline at end of file From 68dd15ade51a6f189f5403ef37094a911a357685 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Fri, 14 Jun 2024 11:21:56 +0200 Subject: [PATCH 04/19] Refactor rabbitmq connection opts --- integration/test/Testlib/ResourcePool.hs | 3 +- libs/extended/extended.cabal | 1 + libs/extended/src/Network/AMQP/Extended.hs | 63 +++++++++++++++------- services/brig/brig.integration.yaml | 1 + 4 files changed, 47 insertions(+), 21 deletions(-) diff --git a/integration/test/Testlib/ResourcePool.hs b/integration/test/Testlib/ResourcePool.hs index a663c29b0dd..e2d843dc42f 100644 --- a/integration/test/Testlib/ResourcePool.hs +++ b/integration/test/Testlib/ResourcePool.hs @@ -85,8 +85,7 @@ deleteAllRabbitMQQueues rc resource = do port = 0, adminPort = fromIntegral rc.adminPort, vHost = T.pack resource.berVHost, - caCert = Nothing, - insecureSkipVerifyTls = True + tls = Nothing } client <- mkRabbitMqAdminClientEnv opts queues <- listQueuesByVHost client (T.pack resource.berVHost) diff --git a/libs/extended/extended.cabal b/libs/extended/extended.cabal index 13d4347578b..f27a3930341 100644 --- a/libs/extended/extended.cabal +++ b/libs/extended/extended.cabal @@ -108,6 +108,7 @@ library , time , tinylog , tls + , transformers , unliftio , wai diff --git a/libs/extended/src/Network/AMQP/Extended.hs b/libs/extended/src/Network/AMQP/Extended.hs index a461f01d2b1..863e5e21d35 100644 --- a/libs/extended/src/Network/AMQP/Extended.hs +++ b/libs/extended/src/Network/AMQP/Extended.hs 
@@ -1,12 +1,23 @@ {-# LANGUAGE RecordWildCards #-} -module Network.AMQP.Extended where +module Network.AMQP.Extended + ( RabbitMqHooks (..), + RabbitMqAdminOpts (..), + RabbitMqOpts (..), + openConnectionWithRetries, + mkRabbitMqAdminClientEnv, + mkRabbitMqChannelMVar, + demoteOpts, + ) +where import Control.Exception (throwIO) import Control.Monad.Catch import Control.Monad.Trans.Control +import Control.Monad.Trans.Maybe import Control.Retry import Data.Aeson +import Data.Aeson.Types import Data.Default import Data.Proxy import Data.Text qualified as Text @@ -38,15 +49,32 @@ data RabbitMqHooks m = RabbitMqHooks onChannelException :: SomeException -> m () } +data RabbitMqTlsOpts = RabbitMqTlsOpts + { caCert :: !(Maybe FilePath), + insecureSkipVerifyTls :: Bool + } + deriving (Show) + +parseTlsJson :: Object -> Parser (Maybe RabbitMqTlsOpts) +parseTlsJson v = do + enabled <- v .:? "enableTls" .!= False + if enabled + then + Just + <$> ( RabbitMqTlsOpts + <$> v .:? "caCert" + <*> v .:? "insecureSkipVerifyTls" .!= False + ) + else pure Nothing + data RabbitMqAdminOpts = RabbitMqAdminOpts { host :: !String, port :: !Int, vHost :: !Text, - caCert :: !(Maybe FilePath), - insecureSkipVerifyTls :: Bool, + tls :: Maybe RabbitMqTlsOpts, adminPort :: !Int } - deriving (Show, Generic) + deriving (Show) instance FromJSON RabbitMqAdminOpts where parseJSON = withObject "RabbitMqAdminOpts" $ \v -> @@ -54,8 +82,7 @@ instance FromJSON RabbitMqAdminOpts where <$> v .: "host" <*> v .: "port" <*> v .: "vHost" - <*> v .:? "caCert" - <*> v .:? "insecureSkipVerifyTls" .!= False + <*> parseTlsJson v <*> v .: "adminPort" mkRabbitMqAdminClientEnv :: RabbitMqAdminOpts -> IO (AdminAPI (AsClientT IO)) 
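Review bot: `RabbitMqTlsOpts` is missing from the new export list, while `RabbitMqOpts (..)` and `RabbitMqAdminOpts (..)` export the `tls :: Maybe RabbitMqTlsOpts` field; code outside the module can therefore only ever write `tls = Nothing` (as `ResourcePool.hs` does in this patch) and cannot construct a TLS-enabled options value except by going through `FromJSON`. If that is intended, a comment on the export list should say so, e.g. `-- RabbitMqTlsOpts is deliberately not exported: TLS settings come from configuration only`; otherwise add `RabbitMqTlsOpts (..)` to the list.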
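Review bot: in `parseTlsJson`, when `enableTls` is absent or false the parser discards any `caCert` and `insecureSkipVerifyTls` keys that are present, so a config that sets a CA certificate but forgets or misspells `enableTls: true` silently connects without TLS. A section that carries TLS settings while TLS is disabled is almost certainly a mistake; reject it instead of ignoring the keys, so the misconfiguration is caught at startup rather than by someone noticing plaintext AMQP later. Only the parser changes; the data type and the two call sites stay as they are.
```haskell
parseTlsJson :: Object -> Parser (Maybe RabbitMqTlsOpts)
parseTlsJson v = do
  enabled <- v .:? "enableTls" .!= False
  mCaCert <- v .:? "caCert"
  mSkipVerify <- v .:? "insecureSkipVerifyTls"
  case (enabled, mCaCert, mSkipVerify) of
    (True, caCert, skipVerify) ->
      pure . Just $ RabbitMqTlsOpts caCert (fromMaybe False skipVerify)
    (False, Nothing, Nothing) -> pure Nothing
    (False, _, _) ->
      fail "rabbitmq: caCert/insecureSkipVerifyTls given but enableTls is false"
```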
@@ -76,10 +103,9 @@ data RabbitMqOpts = RabbitMqOpts { host :: !String, port :: !Int, vHost :: !Text, - caCert :: !(Maybe FilePath), - insecureSkipVerifyTls :: Bool + tls :: !(Maybe RabbitMqTlsOpts) } - deriving (Show, Generic) + deriving (Show) instance FromJSON RabbitMqOpts where parseJSON = withObject "RabbitMqAdminOpts" $ \v -> @@ -87,8 +113,7 @@ instance FromJSON RabbitMqOpts where <$> v .: "host" <*> v .: "port" <*> v .: "vHost" - <*> v .:? "caCert" - <*> v .:? "insecureSkipVerifyTls" .!= False + <*> parseTlsJson v demoteOpts :: RabbitMqAdminOpts -> RabbitMqOpts demoteOpts RabbitMqAdminOpts {..} = RabbitMqOpts {..} @@ -147,7 +172,7 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do ) ( const $ do Log.info l $ Log.msg (Log.val "Trying to connect to RabbitMQ") - mTlsSettings <- traverse (liftIO . mkTLSSettings) caCert + mTlsSettings <- traverse (liftIO . mkTLSSettings) tls liftIO $ Q.openConnection'' $ Q.defaultConnectionOpts @@ -165,17 +190,17 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do connectWithRetries username password openChan conn - mkTLSSettings :: FilePath -> IO TLSSettings - mkTLSSettings path = do + mkTLSSettings :: RabbitMqTlsOpts -> IO TLSSettings + mkTLSSettings opts = do -- TODO: throw better exception here - caStore <- fromJust <$> X509.readCertificateStore path + setCAStore <- runMaybeT $ do + path <- maybe mzero pure opts.caCert + store <- MaybeT $ X509.readCertificateStore path + pure $ \shared -> shared {sharedCAStore = store} pure $ TLSSettings (defaultParamsClient host "rabbitmq") - { clientShared = - def - { sharedCAStore = caStore - }, + { clientShared = fromMaybe id setCAStore def, clientSupported = def { supportedVersions = [TLS13, TLS12], diff --git a/services/brig/brig.integration.yaml b/services/brig/brig.integration.yaml index e39f05bd5f7..5d7d07e7b5b 100644 --- a/services/brig/brig.integration.yaml +++ b/services/brig/brig.integration.yaml 
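Review bot: in the rewritten `mkTLSSettings` (hunk `@@ -165,17 +190,17 @@`), a `caCert` path that `X509.readCertificateStore` cannot read (missing file, unparsable PEM) is indistinguishable from no `caCert` at all: `runMaybeT` turns the failure into `Nothing`, `fromMaybe id setCAStore def` leaves the CA store empty, and the operator sees a generic unknown-CA handshake failure with no hint that the file was the problem; patch 05 then removes the TODO that pointed at this. Fail loudly at startup instead, so that only a genuinely absent `caCert` falls through to the default store (which, note, is empty — the system CA store is never consulted, which is worth a comment on the `caCert` field). `throwIO` is already imported; I am assuming `userError` is in scope via `Imports`. `openConnectionWithRetries` begins outside the hunk.
```haskell
  mkTLSSettings :: RabbitMqTlsOpts -> IO TLSSettings
  mkTLSSettings opts = do
    -- An unreadable CA file is a configuration error, not "no CA configured".
    setCAStore <- case opts.caCert of
      Nothing -> pure id
      Just path -> do
        mStore <- X509.readCertificateStore path
        store <- maybe (throwIO (userError ("rabbitmq: cannot read CA certificate store from " <> path))) pure mStore
        pure $ \shared -> shared {sharedCAStore = store}
    -- … unchanged: TLSSettings / defaultParamsClient construction …
```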
@@ -23,6 +23,7 @@ rabbitmq: host: localhost port: 5671 vHost: / + enableTls: true caCert: test/resources/rabbitmq-ca.pem insecureSkipVerifyTls: false From f645fc2019f4f2329c38ced6d1769905e019752c Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Mon, 17 Jun 2024 14:54:52 +0200 Subject: [PATCH 05/19] Remove TODO --- libs/extended/src/Network/AMQP/Extended.hs | 1 - 1 file changed, 1 deletion(-) diff --git a/libs/extended/src/Network/AMQP/Extended.hs b/libs/extended/src/Network/AMQP/Extended.hs index 863e5e21d35..5b50ab6cff2 100644 --- a/libs/extended/src/Network/AMQP/Extended.hs +++ b/libs/extended/src/Network/AMQP/Extended.hs @@ -192,7 +192,6 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do mkTLSSettings :: RabbitMqTlsOpts -> IO TLSSettings mkTLSSettings opts = do - -- TODO: throw better exception here setCAStore <- runMaybeT $ do path <- maybe mzero pure opts.caCert store <- MaybeT $ X509.readCertificateStore path From 61443ba1180d09a089b276f8ebfc00bfe44f9bfb Mon Sep 17 00:00:00 2001 
From: Paolo Capriotti Date: Mon, 17 Jun 2024 16:15:21 +0200 Subject: [PATCH 06/19] Implement insecureSkipVerifyTls --- deploy/dockerephemeral/docker-compose.yaml | 4 +- deploy/dockerephemeral/init_vhosts.sh | 16 +++--- .../rabbitmq-config/certificates/ca-key.pem | 52 +++++++++---------- .../rabbitmq-config/certificates/ca.pem | 32 ++++++------ .../rabbitmq-config/certificates/cert.pem | 35 +++++++------ .../rabbitmq-config/certificates/key.pem | 52 +++++++++---------- .../rabbitmq-config/enabled_plugins | 1 - .../rabbitmq-config/rabbitmq.conf | 20 ++++--- hack/bin/gen-certs.sh | 2 +- libs/extended/src/Network/AMQP/Extended.hs | 5 ++ .../background-worker.integration.yaml | 7 ++- .../src/Wire/BackendNotificationPusher.hs | 2 +- .../test/resources/rabbitmq-ca.pem | 1 + services/brig/brig.integration.yaml | 2 +- services/galley/galley.integration.yaml | 5 +- .../galley/test/resources/rabbitmq-ca.pem | 1 + 16 files changed, 127 insertions(+), 110 deletions(-) delete mode 100644 deploy/dockerephemeral/rabbitmq-config/enabled_plugins create mode 120000 services/background-worker/test/resources/rabbitmq-ca.pem create mode 120000 services/galley/test/resources/rabbitmq-ca.pem diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index 2135ee845c7..2d6ef0aec5a 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml @@ -271,7 +271,8 @@ services: - '127.0.0.1:5672:5672' - '127.0.0.1:15672:15672' volumes: - - ./rabbitmq-config:/etc/rabbitmq/ + - ./rabbitmq-config/rabbitmq.conf:/etc/rabbitmq/conf.d/20-wire.conf + - ./rabbitmq-config/certificates:/etc/rabbitmq/certificates networks: - demo_wire @@ -285,6 +286,7 @@ services: entrypoint: /scripts/init_vhosts.sh volumes: - ./:/scripts + - ./rabbitmq-config/certificates/ca.pem:/etc/rabbitmq-ca.pem networks: - demo_wire 
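Review bot: the new `./rabbitmq-config/certificates:/etc/rabbitmq/certificates` bind mount exposes the whole directory to the broker container, including `ca-key.pem`, which the broker never needs (the visible versions of `rabbitmq.conf` reference only `ca.pem`, `cert.pem` and `key.pem`). Mount the three files individually, as this hunk already does for `rabbitmq.conf`: `- ./rabbitmq-config/certificates/ca.pem:/etc/rabbitmq/certificates/ca.pem`, `- ./rabbitmq-config/certificates/cert.pem:/etc/rabbitmq/certificates/cert.pem`, `- ./rabbitmq-config/certificates/key.pem:/etc/rabbitmq/certificates/key.pem` (a `:ro` suffix would also be reasonable). The plaintext `'127.0.0.1:5672:5672'` mapping still appears in the context lines; whether 5672 is meant to stay open depends on this patch's `rabbitmq.conf` change, which is not in view.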
diff --git a/deploy/dockerephemeral/init_vhosts.sh b/deploy/dockerephemeral/init_vhosts.sh index 9323e6f5a43..688d635e0a5 100755 --- a/deploy/dockerephemeral/init_vhosts.sh +++ b/deploy/dockerephemeral/init_vhosts.sh @@ -4,13 +4,17 @@ exec_until_ready() { until $1; do echo 'service not ready yet'; sleep 1; done } +create_vhost() { + exec_until_ready "curl --cacert /etc/rabbitmq-ca.pem -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT https://rabbitmq:15671/api/vhosts/$1" +} + echo 'Creating RabbitMQ resources' -exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/backendA" -exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/backendB" -exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d1.example.com" -exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d2.example.com" -exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d3.example.com" -exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/federation-v0" +create_vhost backendA +create_vhost backendB +create_vhost d1.example.com +create_vhost d2.example.com +create_vhost d3.example.com +create_vhost federation-v0 echo 'RabbitMQ resources created successfully!' diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem index ae4cd7bffd0..406f6d9ed97 100644 --- a/deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem +++ b/deploy/dockerephemeral/rabbitmq-config/certificates/ca-key.pem 
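Review bot: `create_vhost` keeps two weaknesses of the lines it replaces and funnels every call through them: the whole curl invocation is passed as one string that `exec_until_ready` word-splits with `until $1`, so a password containing whitespace or glob characters breaks or changes the command, and curl exits 0 on an HTTP 401 or 5xx, so wrong `$RABBITMQ_USERNAME:$RABBITMQ_PASSWORD` values or a broker-side error still end in `RabbitMQ resources created successfully!` with no vhost created. Pass the command as arguments and add `--fail` so an auth failure keeps retrying visibly instead of passing silently; the credentials on the command line are also visible to other processes in the container, which `--netrc-file` or `--config` could avoid if that matters for this environment. Connecting to `https://rabbitmq:15671` with `--cacert` additionally requires the server certificate to carry `DNS:rabbitmq`; the `gen-certs.sh` change listed in this patch's diffstat is not in view, so I cannot confirm it does.
```bash
exec_until_ready() {
  until "$@"; do echo 'service not ready yet'; sleep 1; done
}

create_vhost() {
  exec_until_ready curl --fail --cacert /etc/rabbitmq-ca.pem \
    -u "$RABBITMQ_USERNAME:$RABBITMQ_PASSWORD" -X PUT "https://rabbitmq:15671/api/vhosts/$1"
}
# … unchanged: echo lines and the six create_vhost calls …
```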
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDaRhd33jqotsw2 -TM91YeHu5w2WIqcyV9ezMU2tGBBwVhdhwmW+pTcSzsr1sFzvNLLmGCkA/xg/Rvik -DedL/nmJQTJKexn9UJrXwwWiC01k6T6TnuCDX7k0f4RD6BCqV8iYoY1TQ7RiHFNl -Dsk4K9tWfSh45EgqQnbx9dmWUu10WAfe9tCH/3MZV1P8RFHw5ZgtavOc8N8Jjko+ -o3hqfe/LhsrmF3SjMsgmvBqgZcHTwZvvfvI/78Sovs6SQTbtdrWB+PyMviSnP1M5 -igmdWTd7G83AczNGkZ2XGLbeDnf9mD3FABJh6upR1YC/CAGT3UGUlxbkzMuFxJxM -hyFifSC5AgMBAAECggEABYwJdaTipb37g5fBH/EMXldl235m9FsSIr4qhK8bX9d4 -QaZAkq89Lo+tzb+dJQEYWMudYyaYdac2k2i9C4vch9Xt0sG9H9hoDvqoTn1uCpX4 -3qSHfR82JDTnZhhkMAgKE4LrhgWu9F1W6zcMew52RQTqPeRDRzuoLS77yBu0aCP2 -jdNc+IwKqBPW6r6DKpu7iOFJTh+vAqJKsHfjkdXHLb0uTGdNSG854Vsbh1rSFMML -MTEE7LNOmlICAWokt1PQEfuAv1Gisgm3/J1TUwT+kOgLCiud0J6sqfYydLPcVXly -eE0YOuURTMIwRcXF/2/BbvGW42ZNi9KNl7K+QzWv1wKBgQD0Oayw9Xp46tnjThSt -NC2VefkI1LJSPoYNq6mLJUlCBV0Jp+7jAa3EzUdaPoTg6YnG4RjKhQKzoYGOACV3 -ax1VOrxX0DrJ2kZ8AbldVb6RIpY9vTRkuevsoPa+I0craF1TJAlhO3J7bI7/X6hR -l8YHONy0rE6yLjETADdVaE4tawKBgQDkzB0KmuUDYsBNxqLwHLmGkJS0E3xljIDs -mzAGrKylPZ2RWZRxZJK4tjhwYiHUc7C693bQi1FkFnB2sA74Yq5QtVttMs8hXT1j -9oSsiLoljddrjRjX46W5eKbdTudrHoZRkx66X9WgfjdcQhXdwd+bFiv/2XjN7eMX -0sEV10yvawKBgEYOETJFiBcNTuj76cRxNi4tabkVwf0DgFKFjkGitWvhu/lcGZM2 -VREhzTjevCED/Ih24zSciNTcHByOgDDMIgLjsUkDKwnhudwyZmiWgu6A3FXjYxcN -mdYrqfuKhQy3iCWkLaidc85hqncoilC1V5GUxwJwdrZ3t436vuSZ4er3AoGBANCp -Gj9Gvl+VGx6TbpwfBlAj4YpNTyDpv9aJPYaIyjc091PM56V2fJz6ioRr6sBv9hi9 -gV12AXePQ2fq7uw2SxWOIGB5ew/JkihtddhIJcQEFRegKa0Sj1yUHVIuGL3Hq+YP -j3GX3yMsmN6J4plIq94rnVsLgbIFJxvd+Hwry2MbAoGAWQnycqCQ7C/9JXU/CuNk -iVz329x4XAL/dZM+UUV+SjtlVUng27zH3N3kijcFMiSW70e4p/Sg8oza2aA3eoMO -HEpyQD4D+Lg9a/7hBy3OxMnlEsW03S1BxnB78jjJF9JLD1lWU1uCVbdNRdyUl8eJ -cB8kJ9chhQSvXZcXZ1c9jbg= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC/vE2Cea18UZ1J +J0a3IkIoXl2JPSJp7y/bPXsN6sk44F5Dv9mt5hxVERyCQSMiuM6dXfzkRcMAZ7dx +5nQ7GpSEJksqe4h+WFHWDQjaoxrOYVg9UAa6q0rq5h+uHZEpBWwJWNlwRgzyf5zf +IZnjttVD2mu4Gp2xRqtNkEbAOgMJp7ijb76foKsGLFrxJNA3khNjsnDlwRuoffVS 
+LafF0CA7cW2FYxjwKM/IymCaRVUS18IftCtm3KCl5ou+1aD0/rMsLMKEY1HYCyGo +ZSOnvd5xhRPj6upk3MpWUUyULSkpkQtVPy+RZKUNXb3CGVNJz3UgvMwNXKpW9FdG +Suze9HxdAgMBAAECggEAEU8SKZA10tOaAQue/P4GaOyJQdAXYObV3tNAXkjux3Ks +hS3hnIBPLc1wpxWdnWR/n9c8nZg/+rO3l3xiy8nM1IKR0JD8Xnjh/RKKKmqvtdKL +NmXDZcCm775nPRRa5rrK6QEbXWEFiYgZr6Rckcu57vkzNkM42dMeYyR+Lpujazs6 +Um3Z7rPXevX/gVr9XHjxJ5bX9WYB7sJfZTHLqkO7VGwrXf7HGrtT1ES+iXqjGLpH +5Sg55V5XJfxsqhq+TQgEnorzp8+LEXms2HYTP3G47wP51IWbHa54BUBwkwhiNYV7 +os71j5mrZbUnJ/2KvQPMjiF7uHKlKYjxXiAoj9wRZQKBgQD4e4RuFVaLtF1+khNI +uEgmY4AfakeCB9D2Do1/fhLDTT6EdAxFeSx62VyY3wTG5Pi8DyrFIUNbIYbO8vRx +u8XpzCPxn9TnPnLZ9BRf1+GrCuyQWaFZOnnfAovk3KK4D3vWD9Yn38aTYpTd+3Hg +AEIzd7Bd4dozKtKW7+wI9uOm0wKBgQDFiUih6D0TYrS4T+cM5KhI+ErqTTiFpZ/L +BvA2hyRZTbP+erII9A+IqRNlwidGc1UF4xGu9Ei5QBVfFFbch6C1IRwIoog0hqsH +7s47VIcDuoASq52DHoUABbw9SrfsLjAZz5bLNPmvrEorwIImHNwDG/yOgpT8z7PV +z4/MhoWyDwKBgB+8FrPAgechx/cMTO4yqvRMLObWOf+/Y86pGSU5Qsgyq1NbRt3w +ld+ytwLHKOMGB0ZtYXb/wox3AbKYkOOdqa8sZULMuPI3pY90fs2m0ql3obLl35d3 +wmza9GbsTtPXFmfGagF5sPDN3FllbavAHLRaCupSl/2E8JRaW/jhHz4FAoGAfL4H +Ggd4mkdY7JO4ytGS3BG/7Vo6eVtwH1wQUb7h22tQYUHGMBU/wgNTdo03FCw84uzT ++/HUAvhPBq3ndHhJqlhwRZut+82XL/lETv9AC8C4pBGv9F9PigYVK3eF0iYQxhvr +lAOuMZvRcvOsvLi4z1XbFXus7kGTxU+/9V52C00CgYBY5SgRETt5kgbH/rm36SsE +4x58yK8uYF8MgtBCLxn7E0vnZ2cAMmmDC9wWCHtuq2QhqL/pB+fPI8ri4XNPMXJC +faAxJ0VNmz8fYTzliAWy3Sqp/kgeXdrX9KJkN24LP345LocDBcaML+thDFevmXBW +mahBgoa1ZWxnLJe5XweVkg== -----END PRIVATE KEY----- diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem index 937cd548c89..cb18742fab2 100644 --- a/deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem +++ b/deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDJTCCAg2gAwIBAgIUZZTlVQ+gsAjvazhlHwTb+1FEXIEwDQYJKoZIhvcNAQEL +MIIDJTCCAg2gAwIBAgIUaJxRWt/eEYHgz+Rs5QNWVHMfk5swDQYJKoZIhvcNAQEL BQAwIjEgMB4GA1UEAwwXcmFiYml0bXEuY2EuZXhhbXBsZS5jb20wHhcNMjQwNjE3 -MTIzNzI4WhcNMzQwNjE1MTIzNzI4WjAiMSAwHgYDVQQDDBdyYWJiaXRtcS5jYS5l -eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANpGF3fe -Oqi2zDZMz3Vh4e7nDZYipzJX17MxTa0YEHBWF2HCZb6lNxLOyvWwXO80suYYKQD/ -GD9G+KQN50v+eYlBMkp7Gf1QmtfDBaILTWTpPpOe4INfuTR/hEPoEKpXyJihjVND -tGIcU2UOyTgr21Z9KHjkSCpCdvH12ZZS7XRYB9720If/cxlXU/xEUfDlmC1q85zw -3wmOSj6jeGp978uGyuYXdKMyyCa8GqBlwdPBm+9+8j/vxKi+zpJBNu12tYH4/Iy+ -JKc/UzmKCZ1ZN3sbzcBzM0aRnZcYtt4Od/2YPcUAEmHq6lHVgL8IAZPdQZSXFuTM -y4XEnEyHIWJ9ILkCAwEAAaNTMFEwHQYDVR0OBBYEFEv2M4tLrc+gHVRs0ZeSdD8S -12lDMB8GA1UdIwQYMBaAFEv2M4tLrc+gHVRs0ZeSdD8S12lDMA8GA1UdEwEB/wQF -MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJ3HMrNy5J1JMsj0J2Z9lyIunBwwCXnK -vmP/Sna5LuE6KgclaBJrtissQUKe/vFj5pZ3sGHpX+kzV8ncOE6kcXdY6Ts0RAfw -VZMP48GJhahmZbntNdlpzEvkisqNKJOrbTz9a6MNzdtZXDRhMd2/FcymqgGuVxPf -nv0dMwqRSY/bShfmGUQWFvJHUQwYsShH8h7yju68e4YpoHBagNO5uzm4mW4Md5yt -GZFMJ15UtCI1O/1LyZwCqeGNhrFCi8kejEUkj8kHitWo2+IaVUkU5FkAjNpK+S6L -/pBMvfrhKCAvfblwaD6zhSIcSeIzW/iDo3w2GcxJJDWLZhrXTgto1Gs= +MTQwMjE0WhcNMzQwNjE1MTQwMjE0WjAiMSAwHgYDVQQDDBdyYWJiaXRtcS5jYS5l +eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL+8TYJ5 +rXxRnUknRrciQiheXYk9ImnvL9s9ew3qyTjgXkO/2a3mHFURHIJBIyK4zp1d/ORF +wwBnt3HmdDsalIQmSyp7iH5YUdYNCNqjGs5hWD1QBrqrSurmH64dkSkFbAlY2XBG +DPJ/nN8hmeO21UPaa7ganbFGq02QRsA6AwmnuKNvvp+gqwYsWvEk0DeSE2OycOXB +G6h99VItp8XQIDtxbYVjGPAoz8jKYJpFVRLXwh+0K2bcoKXmi77VoPT+sywswoRj +UdgLIahlI6e93nGFE+Pq6mTcylZRTJQtKSmRC1U/L5FkpQ1dvcIZU0nPdSC8zA1c +qlb0V0ZK7N70fF0CAwEAAaNTMFEwHQYDVR0OBBYEFN8gWZGKR0/K/e+qyGcN+8Ae +IokuMB8GA1UdIwQYMBaAFN8gWZGKR0/K/e+qyGcN+8AeIokuMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKTpmSYDx+Fabe/idnMlC9+5KaQmD/dp +x1BW8HZT+ZK+NuadPUVyUx1xHOw+wh1u5G8docGkrCsA/hvgyIRSyycJRCaySt1y 
+zjml3s3T4wRktgx6Z5X3kfw612/tZ5NE4QyQuN9A7DC9Fh4Z520fMDel15D+t70z +nNjZdp5gxpJPUJCebJ7+OhSUhtgr6g4hXwNqDR7DLwXyhp90UFdjfx4kBYFE8Vnk +nA9ZwC7GhUioMV/yXOuekyiJBv9LtaSuc/Y29EbLufLAwZJD1lA7WN254nNmZgAE +hAhTqL6dgvIIhuKHQ6f4vqAWi4FsrRy6cvh7S80+ldcchMBDcIgh1BA= -----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem index 9a842b2a154..6d5744d1f7d 100644 --- a/deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem +++ b/deploy/dockerephemeral/rabbitmq-config/certificates/cert.pem 
@@ -1,19 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDKzCCAhOgAwIBAgIBADANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDDBdyYWJi -aXRtcS5jYS5leGFtcGxlLmNvbTAeFw0yNDA2MTcxMjM3MjhaFw0yNDA3MTcxMjM3 -MjhaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBAKom+D/QCoLNyFv5N0NddQuCnOLWf76YYocY5fnaPo3L2R/BoPBI -TG035Eam4ydFbqY5SB++n4I/jNMFc2IW+WHc1QGu70+RTS2T5noYoXrVCilhOs5q -1tzNHP+J2AB/uF5/y2sCDBWBrIiGDRckGZi57yokWmpLFzlDdYFEOs9VXeovXv2v -WfHYYefdDG7dQUM3982970mQ8tXfvXfOi2ucaVcQsPlxqHIieE2O8mjV7l4CQNP3 -IVWu4U3gNSTZ9i6gLvuXbFjc29IzB54eK2cdaWQTB3eeorNlG3CBlK2uancbu561 -k/qtrg2P9PQNnjWO8L9HaDrRpE/ZJC2lRdsCAwEAAaN6MHgwHQYDVR0lBBYwFAYI -KwYBBQUHAwEGCCsGAQUFBwMCMBcGA1UdEQEB/wQNMAuCCWxvY2FsaG9zdDAdBgNV -HQ4EFgQUy64e8Fn1HfPDw+UM/J86ViiypeQwHwYDVR0jBBgwFoAUS/Yzi0utz6Ad -VGzRl5J0PxLXaUMwDQYJKoZIhvcNAQELBQADggEBAF/bNcLahB+BhvqOwJlaTdXu -NGYyeMAiYePdlltcBcRmejEOjcufs3HvpbY6lmpxrUvVZM8U8sCRe8H9jgXZLi5k -SNnYXdOmAnOCfRztAS6vrw286XRYjWV2UNcnfEGg9JgcobbaYMj+iuzSBIpd/DgB -rYgqprdbP7R1ce49o1yc28hifYpR/lLEcBFQFwzGoIIK2kWCvw9S8DbJeh6hx/KP -ESHgtm9/+2nsnhGDoh/qiH88xCkwNtUp+Qqny10Lk2PYnvBSo+TSTalpKePzysBu -dZow3wqrtAz50nNBIyco0tA47nadLGWckkVIS8adWS3b6YUJj05Lnal7FYb8SPY= +MIIDPTCCAiWgAwIBAgIBADANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDDBdyYWJi +aXRtcS5jYS5leGFtcGxlLmNvbTAeFw0yNDA2MTcxNDAyMTRaFw0yNDA3MTcxNDAy +MTRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAJZ3b8mfnf8XuUJmFQ8xN9V8N1PiMe5X+WMqOKduZXqPeW9rECmC +B3opcDVMQ3iyRtc+fXYSJiCllMeCCwzIWQw+k1PcFZ6zXWsvtEFQRCN91vcShZm0 +v8YlNcYl3wxsnIcZ5/IAZTiyX2U/hTBkgOszJcfe8cBOZsI9QzRuLRzE3kkpA+U7 +/3ekPsIxk/g0NtbRA4BgSrcKl3iAI4CMJTJlsezQbF6LZqW7yIOyvaQzT0kyJ564 +0X7YCT5QozL09ZdbQY5b6pphNNfXqY1KEP/aje+UrzQm2R3e9BUGMM4o14pQOU7Q +cxWRjPSPL3nDKUxI3kI9etrluFLH9lQ1uT8CAwEAAaOBizCBiDAdBgNVHSUEFjAU +BggrBgEFBQcDAQYIKwYBBQUHAwIwJwYDVR0RAQH/BB0wG4IJbG9jYWxob3N0gghy +YWJiaXRtcYcEfwAAATAdBgNVHQ4EFgQUf53Mqv9QZmcO5uwUUNZcMQA05cAwHwYD +VR0jBBgwFoAU3yBZkYpHT8r976rIZw37wB4iiS4wDQYJKoZIhvcNAQELBQADggEB 
+ABXBCl+jy+EeDPLwFlHX/DTJrce3VQMAG+x5WxbuKr68zS8uwJFfqmb4dK01RiSe +QAaISp/vr4KRbbNc5f/TA5dOhc2qXf8dZ0rILWE0u1I+1y9DFuNnymIywbodo6ho +ln7bj2wNl1vZ1A6Tm9fH6MJhavCCM18AHZuz+ml9b8SSVnL3XfPUWuZjYnElSXWj +qTJUF+o/1QC3E+ILj5iiwaAgp8kJJezr5m90RC/DTchYS/CRtz79jYMY8IMdOpN6 +JC92KzpO0jKZ4qWkDi4ZgszPTNcUdnjUc4botJrfZhioA26skUiuacyqfpvnspno +y5DFD+Od2XpBCCwgeYk6IPM= -----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/rabbitmq-config/certificates/key.pem b/deploy/dockerephemeral/rabbitmq-config/certificates/key.pem index 6ad76fc3cf8..6471c8d1781 100644 --- a/deploy/dockerephemeral/rabbitmq-config/certificates/key.pem +++ b/deploy/dockerephemeral/rabbitmq-config/certificates/key.pem 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCqJvg/0AqCzchb -+TdDXXULgpzi1n++mGKHGOX52j6Ny9kfwaDwSExtN+RGpuMnRW6mOUgfvp+CP4zT -BXNiFvlh3NUBru9PkU0tk+Z6GKF61QopYTrOatbczRz/idgAf7hef8trAgwVgayI -hg0XJBmYue8qJFpqSxc5Q3WBRDrPVV3qL179r1nx2GHn3Qxu3UFDN/fNve9JkPLV -3713zotrnGlXELD5cahyInhNjvJo1e5eAkDT9yFVruFN4DUk2fYuoC77l2xY3NvS -MweeHitnHWlkEwd3nqKzZRtwgZStrmp3G7uetZP6ra4Nj/T0DZ41jvC/R2g60aRP -2SQtpUXbAgMBAAECggEAPvGznEel28WsfPmwi+ciyWNEDlYzY5qTuE5ppQgrY+Ep -LSpAEyNrwmuOsuRB2+E/kZZXLAckktZXjijSClNdZep/kePY+6JQ3q9772b1Na9h -1vT1AC9d1Mi8FXw0v9p/pdW4tplHRx11afvNE+Zy4aDG7NwN5oxoxvJBodRPvSrI -FzTxlCO49r9e76xSmOA7UovN14rL7810AaAVrfA+P5EVKF5WAoZ9mHnpXhIFumJ1 -8X96Wn6vErOF1qVYQjQQf6BYng9mPRxmbXq1bV1SgwAcOjTHWuwohVCZEN0MFXY9 -BIIBv/v7n+0nfzHHnRWvKPcNIje9YtgTyYXZ23x+wQKBgQDnjbYN08XM7YY1rm57 -kPEuTHimO8Gudc5USrwrEIzuCGaNCoHPVOZcwjFzd9KG9HruxXJD8jaOPOBNn3Yk -AgLnpGSJ25LCeK76+D3GHVupoYvgZOY6NGwRgssW+B9bCc0S/pemREWYztwmLvjR -Yt2ZhMRo9Gq24z7qpitFlsLP+QKBgQC8Hb2bPIZzWlAAOSThUPJStnixn+q68yuJ -5jOWT184nIiNriGsSbqO0Cx4L16yiReKxKSktjymriw2D4bB8i3pCVuzVWfrAApc -ljKNvY1qfuC892SJ2uBr68kLbIjyXAKZNIY2sx4LhJfMarhZmb9+5bDpmbseSXNQ -r7OpnBjhcwKBgQDEwHZMQ4EUg1OB86ivWFaHF7WA0s/dNP7QQvymvxZxADRbbe0l -RifD88JfMhZyU/TNRHq2X26Z6AJUEsYpDIh5WgeP2EJY+oD8gcjDuZh0h+86CaJT -HM4jBvcYmlbSXX6iwDANuH9Gu6b2zvzftllDpDvcTqsKogeJDQ9BvzvjyQKBgCq/ -o2/ckD00f8udMMlXKMotFz5eNexoCDPdMUnuHZhy0gFIWfSaCKAdpI1nTmDKEKSD -TVr04tGJ8RgT7S6zx0UW0FTvip73smMZ6sEVG0bhMFcg7SL6r1c3DMfg0ToqOJjy -O7HAgIpjhk94zQ3nh4Hh1pMvUTtvu5nRY8WeaHULAn9WqEyo04D07bWMd07XcfPD -cOesfEHWwaTXBWCJsMriUI1HDIHiZ1l7zkjhzyV7EUgNJPuvbO2Ya3cJNG4j/455 -9p9SnHwZbfS2hBViRhIaFLCrpfCRxwVAekHB6Fk+r2/JFqeijlZLNcY0wr5pu2zp -qNekJu0SmEpsMULD1Uxt +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCWd2/Jn53/F7lC +ZhUPMTfVfDdT4jHuV/ljKjinbmV6j3lvaxApggd6KXA1TEN4skbXPn12EiYgpZTH +ggsMyFkMPpNT3BWes11rL7RBUEQjfdb3EoWZtL/GJTXGJd8MbJyHGefyAGU4sl9l +P4UwZIDrMyXH3vHATmbCPUM0bi0cxN5JKQPlO/93pD7CMZP4NDbW0QOAYEq3Cpd4 
+gCOAjCUyZbHs0Gxei2alu8iDsr2kM09JMieeuNF+2Ak+UKMy9PWXW0GOW+qaYTTX +16mNShD/2o3vlK80Jtkd3vQVBjDOKNeKUDlO0HMVkYz0jy95wylMSN5CPXra5bhS +x/ZUNbk/AgMBAAECggEAFSsQawktrSmlQpYh+FUwSbSEBCUaaTGvQCg8eDGrzSZK +K0agq3ZDnwgdZSIpi91o4fdEp0u+WXFyEO9WpqG5BWP4Th/0WrNZPS8k6Ntl+qhF +idTtPsaTBElP22SQkKrnCoq2evFbTDKsAQ6CqmA5Ut2LPyc6U5e0FTeRMNsfNaC1 +e+60J5yjxYWfZQdU5F+uiycWWiqabOafJfbN0gdLeuIICG+Z8AuWoUjLg2v55itw +X9T3AWZ2+/kdUY8j5FXFoK2MfuzW7Ys+Y1JeLMHrquy2hicSMbJE7vnxNsv1VMPc +IZzlgS+N/Lqre0S0NQAKqTGxe4PcUw+Mp5ZqXHtBwQKBgQDEViEeOAAtfvpK4pFv +drXmv2KacieEtUeEVfgbzMY4tL2q7RfFGxC4iiLklvwhQSGyfRamtut+t+eR4eFx +XKHaZxobwwfW5sMi6Ye/iyuL3YXvtWiaOz6XNImFTeWUPLnrX5qtMuVbx4UGiKa7 +kjg/214A8Zf/qoVJxzAJwp1E6QKBgQDEMOM+dnUlUc8FrllXmlsGYMxwWdQ+vvvw +BdKrm6Q61z3+C5189VwQQ1+ruIcmfVqCm1BKa0J76evgdqHo/pgiAaGEhItVt8cN +3IVnpQu9Fhphgd/iFYxyTOCW2d1Nze30H1oqwpgmZsw2vE/6WrU8e1j279+SUevS +2+rx7i1T5wKBgE6rhFGrdsbEHl5rMoNLOc/f2A6ytwsB6EoqeGQLRVHreiRHJEMi +eSy4jQqzRQu+IVZ3sN/UY8A+yFc3/zGBQIlWzqtZFocRqBcRJAeoKCa++K/4LJXA +L3A+6Ou1LsybGJQrlrrXrfd8ltzrXIPELy3HJH+UTqdvGEFbwu/mP0YhAoGBAINX +Pyp33yDmzbM97y3Idhuk/fhRCtgev0cGfuzHu4BwzF2gpQQctk9k601osYHA9bDu +DShk+hM+nNyeTvJOTsalVN4EZcsyxx2ufdjPEza471xLt/gA+Q8kDE6w94i4zg5a +VuC9eWJr+1bBZsFxrFcbNInMOF4aXcfB1l20V8ANAoGAXZcAv5zU5Cj4ktoe0uqi +7p9zR8mgW2oXU0orgdQ3Ce2Z2qy4yFU5AfHPmn1RuRFsQCxX8RpUqLDHOvpn6gyt +/u9GBqlCqYG4KAbGKGVjodEIXilbIVNEbCIi4kGcRO038fzZJawwhrXg3FuMd6EV +G92A1vtGnTZYkatPK4LRnBk= -----END PRIVATE KEY----- diff --git a/deploy/dockerephemeral/rabbitmq-config/enabled_plugins b/deploy/dockerephemeral/rabbitmq-config/enabled_plugins deleted file mode 100644 index cc972a47a45..00000000000 --- a/deploy/dockerephemeral/rabbitmq-config/enabled_plugins +++ /dev/null @@ -1 +0,0 @@ -[rabbitmq_management,rabbitmq_prometheus]. diff --git a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf index edb5b355ef2..83486e4f8cd 100644 --- a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf 
+++ b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf @@ -1,16 +1,14 @@ default_user = $(RABBITMQ_USERNAME) default_pass = $(RABBITMQ_PASSWORD) -log.console = true -log.console.level = debug - -loopback_users.guest = false - +# listeners.tcp = none listeners.ssl.default = 5671 - ssl_options.cacertfile = /etc/rabbitmq/certificates/ca.pem -ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem -ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem - -# ssl_options.verify = verify_peer -# ssl_options.fail_if_no_peer_cert = true +ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem +ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem + +management.tcp.port = 15672 +management.ssl.port = 15671 +management.ssl.cacertfile = /etc/rabbitmq/certificates/ca.pem +management.ssl.certfile = /etc/rabbitmq/certificates/cert.pem +management.ssl.keyfile = /etc/rabbitmq/certificates/key.pem diff --git a/hack/bin/gen-certs.sh b/hack/bin/gen-certs.sh index 1fd3e5750f3..a2a33a26253 100755 --- a/hack/bin/gen-certs.sh +++ b/hack/bin/gen-certs.sh @@ -82,5 +82,5 @@ done # rabbitmq RABBITMQ="$ROOT_DIR/deploy/dockerephemeral/rabbitmq-config/certificates" gen_ca "$RABBITMQ" rabbitmq.ca.example.com -gen_cert "$RABBITMQ" "DNS:localhost" localhost +gen_cert "$RABBITMQ" "DNS:localhost, DNS:rabbitmq, IP:127.0.0.1" localhost chmod a+r "$RABBITMQ/key.pem" diff --git a/libs/extended/src/Network/AMQP/Extended.hs b/libs/extended/src/Network/AMQP/Extended.hs index 5b50ab6cff2..42c1492be80 100644 --- a/libs/extended/src/Network/AMQP/Extended.hs +++ b/libs/extended/src/Network/AMQP/Extended.hs 
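Review bot: `# listeners.tcp = none` is added commented out, so after this hunk the broker still serves plaintext AMQP on the default port alongside the new `listeners.ssl.default = 5671`, and a client that keeps `port: 5672` connects without TLS and without any error; if that is a deliberate transition step it should be said, e.g. `# plaintext listener kept until every service is moved to 5671; then set listeners.tcp = none`, otherwise the line should be active. The removed `# ssl_options.verify = verify_peer` / `# ssl_options.fail_if_no_peer_cert = true` hints were the only record that clients are authenticated by credentials rather than client certificates; a one-line comment above `ssl_options.cacertfile` keeping that decision visible would be worthwhile. The same cacertfile/certfile/keyfile triple is repeated under `management.ssl.*`, which is fine but deserves a note that the management plugin does not inherit `ssl_options`.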
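Review bot: The `# rabbitmq` stanza generates a CA and server key that, judging by the ca-key.pem and key.pem hunks earlier in this patch, are committed to the repository, and the existing `chmod a+r "$RABBITMQ/key.pem"` makes the server key world-readable; nothing in the script records that these are throwaway development credentials. A comment above `RABBITMQ="$ROOT_DIR/..."` such as `# dev-only CA and server key for dockerephemeral: committed and world-readable on purpose, not for reuse elsewhere` would capture that intent for the next person who greps for private keys. The new SAN list `"DNS:localhost, DNS:rabbitmq, IP:127.0.0.1"` is consistent with the `host: 127.0.0.1` used by the integration configs in this commit.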
@@ -196,10 +196,15 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do path <- maybe mzero pure opts.caCert store <- MaybeT $ X509.readCertificateStore path pure $ \shared -> shared {sharedCAStore = store} + let setHooks = + if opts.insecureSkipVerifyTls + then \h -> h {onServerCertificate = \_ _ _ _ -> pure []} + else id pure $ TLSSettings (defaultParamsClient host "rabbitmq") { clientShared = fromMaybe id setCAStore def, + clientHooks = setHooks def, clientSupported = def { supportedVersions = [TLS13, TLS12], diff --git a/services/background-worker/background-worker.integration.yaml b/services/background-worker/background-worker.integration.yaml index 32ff94e37ef..70559cd74b6 100644 --- a/services/background-worker/background-worker.integration.yaml +++ b/services/background-worker/background-worker.integration.yaml @@ -10,11 +10,14 @@ federatorInternal: rabbitmq: host: 127.0.0.1 - port: 5672 + port: 5671 vHost: / adminPort: 15672 + enableTls: true + caCert: test/resources/rabbitmq-ca.pem + insecureSkipVerifyTls: false backendNotificationPusher: pushBackoffMinWait: 1000 # 1ms pushBackoffMaxWait: 1000000 # 1s - remotesRefreshInterval: 10000 # 10ms \ No newline at end of file + remotesRefreshInterval: 10000 # 10ms diff --git a/services/background-worker/src/Wire/BackendNotificationPusher.hs b/services/background-worker/src/Wire/BackendNotificationPusher.hs index 913bf246f70..f7cfe209ad6 100644 --- a/services/background-worker/src/Wire/BackendNotificationPusher.hs +++ b/services/background-worker/src/Wire/BackendNotificationPusher.hs @@ -268,7 +268,7 @@ getRemoteDomains = do let policy = limitRetriesByCumulativeDelay 60_000_000 $ fullJitterBackoff 10000 logErrr willRetry (SomeException e) rs = Log.err $ - Log.msg (Log.val "Exception occurred while refreshig domains") + Log.msg (Log.val "Exception occurred while refreshing domains") . Log.field "error" (displayException e) . Log.field "willRetry" willRetry . Log.field "retryCount" rs.rsIterNumber 
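Review bot: The hook installed when `opts.insecureSkipVerifyTls` is set, `onServerCertificate = \_ _ _ _ -> pure []`, returns no validation failures at all, which disables chain, expiry and hostname checks together, and nothing at runtime records that a connection was made in that mode. A comment above `let setHooks =` such as `-- Empty failure list: skip chain, expiry and hostname validation entirely (test setups only)` plus a `Log.warn l` message when that branch is taken (the logger `l` is a parameter of openConnectionWithRetries) would make the degraded mode visible in logs. openConnectionWithRetries starts and ends outside this hunk.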
diff --git a/services/background-worker/test/resources/rabbitmq-ca.pem b/services/background-worker/test/resources/rabbitmq-ca.pem new file mode 120000 index 00000000000..ca91c2c31bd --- /dev/null +++ b/services/background-worker/test/resources/rabbitmq-ca.pem @@ -0,0 +1 @@ +../../../../deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem \ No newline at end of file diff --git a/services/brig/brig.integration.yaml b/services/brig/brig.integration.yaml index 5d7d07e7b5b..b3837d1c66c 100644 --- a/services/brig/brig.integration.yaml +++ b/services/brig/brig.integration.yaml @@ -20,7 +20,7 @@ elasticsearch: additionalInsecureSkipVerifyTls: false rabbitmq: - host: localhost + host: 127.0.0.1 port: 5671 vHost: / enableTls: true diff --git a/services/galley/galley.integration.yaml b/services/galley/galley.integration.yaml index acf9326915f..465d807cec3 100644 --- a/services/galley/galley.integration.yaml +++ b/services/galley/galley.integration.yaml @@ -27,8 +27,11 @@ federator: rabbitmq: host: 127.0.0.1 - port: 5672 + port: 5671 vHost: / + enableTls: true + caCert: test/resources/rabbitmq-ca.pem + insecureSkipVerifyTls: false settings: httpPoolSize: 128 diff --git a/services/galley/test/resources/rabbitmq-ca.pem b/services/galley/test/resources/rabbitmq-ca.pem new file mode 120000 index 00000000000..ca91c2c31bd --- /dev/null +++ b/services/galley/test/resources/rabbitmq-ca.pem @@ -0,0 +1 @@ +../../../../deploy/dockerephemeral/rabbitmq-config/certificates/ca.pem \ No newline at end of file From 7a4f9a6a67f0eac02cfb36a5a0ed718ab4a092fb Mon Sep 17 00:00:00 2001 
From: Paolo Capriotti Date: Mon, 17 Jun 2024 16:40:28 +0200 Subject: [PATCH 07/19] Access rabbitmq admin interface via TLS --- deploy/dockerephemeral/docker-compose.yaml | 3 +- .../rabbitmq-config/rabbitmq.conf | 7 +-- libs/extended/extended.cabal | 1 + libs/extended/src/Network/AMQP/Extended.hs | 55 ++++++++++--------- .../background-worker.integration.yaml | 2 +- 5 files changed, 36 insertions(+), 32 deletions(-) diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index 2d6ef0aec5a..0b223eeb144 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml @@ -268,8 +268,7 @@ services: - RABBITMQ_PASSWORD ports: - '127.0.0.1:5671:5671' - - '127.0.0.1:5672:5672' - - '127.0.0.1:15672:15672' + - '127.0.0.1:15671:15671' volumes: - ./rabbitmq-config/rabbitmq.conf:/etc/rabbitmq/conf.d/20-wire.conf - ./rabbitmq-config/certificates:/etc/rabbitmq/certificates diff --git a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf index 83486e4f8cd..f6c473f2499 100644 --- a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf +++ b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf @@ -1,13 +1,12 @@ default_user = $(RABBITMQ_USERNAME) default_pass = $(RABBITMQ_PASSWORD) -# listeners.tcp = none +listeners.tcp = none listeners.ssl.default = 5671 ssl_options.cacertfile = /etc/rabbitmq/certificates/ca.pem -ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem -ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem +ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem +ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem -management.tcp.port = 15672 management.ssl.port = 15671 management.ssl.cacertfile = /etc/rabbitmq/certificates/ca.pem management.ssl.certfile = /etc/rabbitmq/certificates/cert.pem diff --git a/libs/extended/extended.cabal b/libs/extended/extended.cabal index f27a3930341..03d180a004a 100644 
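Review bot: The `ssl_options.certfile` and `ssl_options.keyfile` lines are removed and re-added with identical visible text, presumably a trailing-whitespace change; if so it is worth saying in the commit message, since it reads as a content change in the diff. With `listeners.tcp = none` now active and `management.tcp.port = 15672` gone the broker is TLS-only on both AMQP and management, which is the point of the series, so a header comment such as `# TLS only: no plaintext AMQP or management listener` at the top of the file would state the invariant the other configs depend on.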
--- a/libs/extended/extended.cabal +++ b/libs/extended/extended.cabal @@ -92,6 +92,7 @@ library , exceptions , extra , http-client + , http-client-tls , http-types , imports , metrics-wai diff --git a/libs/extended/src/Network/AMQP/Extended.hs b/libs/extended/src/Network/AMQP/Extended.hs index 42c1492be80..43bdec456b9 100644 --- a/libs/extended/src/Network/AMQP/Extended.hs +++ b/libs/extended/src/Network/AMQP/Extended.hs @@ -27,6 +27,7 @@ import Imports import Network.AMQP qualified as Q import Network.Connection as Conn import Network.HTTP.Client qualified as HTTP +import Network.HTTP.Client.TLS qualified as HTTP import Network.RabbitMqAdmin import Network.TLS import Network.TLS.Extra.Cipher @@ -88,9 +89,13 @@ instance FromJSON RabbitMqAdminOpts where mkRabbitMqAdminClientEnv :: RabbitMqAdminOpts -> IO (AdminAPI (AsClientT IO)) mkRabbitMqAdminClientEnv opts = do (username, password) <- readCredsFromEnv - manager <- HTTP.newManager HTTP.defaultManagerSettings + mTlsSettings <- traverse (mkTLSSettings opts.host) opts.tls + let (protocol, managerSettings) = case mTlsSettings of + Nothing -> (Servant.Http, HTTP.defaultManagerSettings) + Just tlsSettings -> (Servant.Https, HTTP.mkManagerSettings tlsSettings Nothing) + manager <- HTTP.newManager managerSettings let basicAuthData = Servant.BasicAuthData (Text.encodeUtf8 username) (Text.encodeUtf8 password) - clientEnv = Servant.mkClientEnv manager (Servant.BaseUrl Servant.Http opts.host opts.adminPort "") + clientEnv = Servant.mkClientEnv manager (Servant.BaseUrl protocol opts.host opts.adminPort "") pure . fromServant $ hoistClient (Proxy @(ToServant AdminAPI AsApi)) @@ -172,7 +177,7 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do ) ( const $ do Log.info l $ Log.msg (Log.val "Trying to connect to RabbitMQ") - mTlsSettings <- traverse (liftIO . mkTLSSettings) tls + mTlsSettings <- traverse (liftIO . (mkTLSSettings host)) tls liftIO $ Q.openConnection'' $ Q.defaultConnectionOpts 
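Review bot: mkRabbitMqAdminClientEnv now chooses between `Servant.Http` with `HTTP.defaultManagerSettings` and `Servant.Https` with `HTTP.mkManagerSettings tlsSettings Nothing` solely on whether `opts.tls` is present, so the same `caCert` and `insecureSkipVerifyTls` values govern the management API as the AMQP connection, and with `tls` absent the basic-auth credentials travel over plain HTTP as before; that coupling is not stated anywhere. A comment above `mTlsSettings <- traverse (mkTLSSettings opts.host) opts.tls` such as `-- The admin API reuses the AMQP TLS options (CA, skip-verify); without them it is plain HTTP with basic auth` would document it.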
@@ -190,28 +195,6 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do connectWithRetries username password openChan conn - mkTLSSettings :: RabbitMqTlsOpts -> IO TLSSettings - mkTLSSettings opts = do - setCAStore <- runMaybeT $ do - path <- maybe mzero pure opts.caCert - store <- MaybeT $ X509.readCertificateStore path - pure $ \shared -> shared {sharedCAStore = store} - let setHooks = - if opts.insecureSkipVerifyTls - then \h -> h {onServerCertificate = \_ _ _ _ -> pure []} - else id - pure $ - TLSSettings - (defaultParamsClient host "rabbitmq") - { clientShared = fromMaybe id setCAStore def, - clientHooks = setHooks def, - clientSupported = - def - { supportedVersions = [TLS13, TLS12], - supportedCiphers = ciphersuite_strong - } - } - openChan :: Q.Connection -> m () openChan conn = do Log.info l $ Log.msg (Log.val "Opening channel with RabbitMQ") @@ -235,6 +218,28 @@ openConnectionWithRetries l RabbitMqOpts {..} hooks = do logException l "RabbitMQ channel closed" e openChan conn +mkTLSSettings :: HostName -> RabbitMqTlsOpts -> IO TLSSettings +mkTLSSettings host opts = do + setCAStore <- runMaybeT $ do + path <- maybe mzero pure opts.caCert + store <- MaybeT $ X509.readCertificateStore path + pure $ \shared -> shared {sharedCAStore = store} + let setHooks = + if opts.insecureSkipVerifyTls + then \h -> h {onServerCertificate = \_ _ _ _ -> pure []} + else id + pure $ + TLSSettings + (defaultParamsClient host "rabbitmq") + { clientShared = fromMaybe id setCAStore def, + clientHooks = setHooks def, + clientSupported = + def + { supportedVersions = [TLS13, TLS12], + supportedCiphers = ciphersuite_strong + } + } + logException :: (MonadIO m) => Logger -> String -> SomeException -> m () logException l m (SomeException e) = do Log.err l $ diff --git a/services/background-worker/background-worker.integration.yaml b/services/background-worker/background-worker.integration.yaml index 70559cd74b6..c23798e63ed 100644 
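Review bot: In the newly top-level `mkTLSSettings`, `store <- MaybeT $ X509.readCertificateStore path` turns an unreadable or misspelled `caCert` path into `setCAStore = Nothing`, so `clientShared = fromMaybe id setCAStore def` silently keeps the default `Shared` and the configuration error only surfaces as a generic certificate validation failure at connect time; returning an error (or at least logging) when a configured path does not load would be clearer. The function also has no Haddock, and its behaviour without `caCert` is easy to misread: as far as I recall `def :: Shared` in the `tls` library carries an empty CA store rather than the system trust store, so `enableTls: true` with no `caCert` and `insecureSkipVerifyTls: false` would reject every server — worth confirming and stating. A two-line Haddock would cover it: `-- | Client TLS settings shared by the AMQP and admin-API connections.` / `-- 'caCert' replaces (not extends) the trust store; 'insecureSkipVerifyTls' disables all server certificate checks.`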
--- a/services/background-worker/background-worker.integration.yaml +++ b/services/background-worker/background-worker.integration.yaml @@ -12,7 +12,7 @@ rabbitmq: host: 127.0.0.1 port: 5671 vHost: / - adminPort: 15672 + adminPort: 15671 enableTls: true caCert: test/resources/rabbitmq-ca.pem insecureSkipVerifyTls: false From f0f736db86413c7a0da726910c075d11e2330dea Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Tue, 18 Jun 2024 09:17:48 +0200 Subject: [PATCH 08/19] Update nix packages --- libs/extended/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libs/extended/default.nix b/libs/extended/default.nix index 66687c40075..b47de8057a2 100644 --- a/libs/extended/default.nix +++ b/libs/extended/default.nix @@ -9,6 +9,9 @@ , bytestring , cassandra-util , containers +, crypton-connection +, crypton-x509-store +, data-default , errors , exceptions , extra @@ -16,6 +19,7 @@ , hspec , hspec-discover , http-client +, http-client-tls , http-types , imports , lib @@ -34,6 +38,8 @@ , text , time , tinylog +, tls +, transformers , unliftio , wai }: @@ -48,10 +54,14 @@ mkDerivation { bytestring cassandra-util containers + crypton-connection + crypton-x509-store + data-default errors exceptions extra http-client + http-client-tls http-types imports metrics-wai @@ -67,6 +77,8 @@ mkDerivation { text time tinylog + tls + transformers unliftio wai ]; From c8c3c00ee293997d80e02e2fc842be8f71649cbd Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Tue, 18 Jun 2024 10:31:47 +0200 Subject: [PATCH 09/19] Configure rabbitmq TLS in helm_vars --- hack/helm_vars/certs/values.yaml.gotmpl | 55 ++++++++++++++++++++++ hack/helm_vars/rabbitmq/values.yaml.gotmpl | 10 ++++ 2 files changed, 65 insertions(+) diff --git a/hack/helm_vars/certs/values.yaml.gotmpl b/hack/helm_vars/certs/values.yaml.gotmpl index 875a4a17124..170a54c2121 100644 --- a/hack/helm_vars/certs/values.yaml.gotmpl +++ b/hack/helm_vars/certs/values.yaml.gotmpl 
@@ -15,6 +15,8 @@ resources: spec: ca: secretName: elasticsearch-ca + + # redis CA and certificate - apiVersion: cert-manager.io/v1 kind: Issuer metadata: @@ -66,3 +68,56 @@ resources: issuerRef: name: redis-issuer kind: Issuer + + # RabbitMQ CA and certificate + - apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: rabbitmq-ca-issuer + namespace: '{{ .Release.Namespace }}' + spec: + selfSigned: {} + - apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: rabbitmq-ca + namespace: '{{ .Release.Namespace }}' + spec: + secretName: rabbitmq-ca-certificate + isCA: true + duration: 2160h # 90d + renewBefore: 360h # 15d + commonName: rabbitmq.example.com + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + issuerRef: + name: rabbitmq-ca-issuer + kind: Issuer + - apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: rabbitmq-issuer + namespace: '{{ .Release.Namespace }}' + spec: + ca: + secretName: rabbitmq-ca-certificate + - apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: rabbitmq + namespace: '{{ .Release.Namespace }}' + spec: + secretName: rabbitmq-certificate + isCA: false + duration: 2160h # 90d + renewBefore: 360h # 15d + commonName: rabbitmq-ephemeral-master + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + issuerRef: + name: rabbitmq-issuer + kind: Issuer diff --git a/hack/helm_vars/rabbitmq/values.yaml.gotmpl b/hack/helm_vars/rabbitmq/values.yaml.gotmpl index a8a4a81dee2..464a6529d4f 100644 --- a/hack/helm_vars/rabbitmq/values.yaml.gotmpl +++ b/hack/helm_vars/rabbitmq/values.yaml.gotmpl 
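Review bot: The `rabbitmq` Certificate sets `commonName: rabbitmq-ephemeral-master` but no `dnsNames`; as far as I know cert-manager does not copy the CN into the SAN extension, and the client side validates `defaultParamsClient host "rabbitmq"` against the presented certificate, so a SAN-less certificate is accepted only through the CN fallback of the validation library, if at all. Adding `dnsNames:` / `  - rabbitmq-ephemeral-master` under `spec` makes the hostname binding explicit; the CN is renamed to `rabbitmq` in PATCH 12 (L37) and the same applies there. `duration: 2160h # 90d` and `renewBefore: 360h # 15d` mirror the redis block above, which is adequate for ephemeral CI.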
@@ -4,3 +4,13 @@ rabbitmq: auth: username: {{ .Values.rabbitmqUsername }} password: {{ .Values.rabbitmqPassword }} + tls: + enabled: true + failIfNoPeerCert: false + existingSecret: rabbitmq-certificate + extraConfiguration: |- + listeners.tcp = none + management.ssl.port = 15671 + management.ssl.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem + management.ssl.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem + management.ssl.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem From 4e97dd21621c7bdc21d0d8892f573560cf64e318 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Tue, 18 Jun 2024 10:43:58 +0200 Subject: [PATCH 10/19] Hi CI From a6c7fbfedf0b7d1dc5cea632b4a65e21773b548b Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Tue, 18 Jun 2024 10:47:19 +0200 Subject: [PATCH 11/19] Add CHANGELOG entry --- changelog.d/2-features/rabbit-tls | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/2-features/rabbit-tls diff --git a/changelog.d/2-features/rabbit-tls b/changelog.d/2-features/rabbit-tls new file mode 100644 index 00000000000..21114d011dd --- /dev/null +++ b/changelog.d/2-features/rabbit-tls @@ -0,0 +1 @@ +Support connecting to RabbitMQ over TLS. See "Configure RabbitMQ" section in the documentation for details. From 3c3ae527b344c5203e702a658465449bd6255a1e Mon Sep 17 00:00:00 2001 
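Review bot: `failIfNoPeerCert: false` and the hard-coded `/opt/bitnami/rabbitmq/certs/*.pem` paths in `extraConfiguration` encode two decisions that are not explained: clients authenticate with credentials rather than client certificates, and the management listener has to be pointed at the files the chart presumably mounts from `existingSecret` for the AMQP listener. Two comments inside the block, `# clients authenticate with username/password; no client certificate is requested` above `failIfNoPeerCert` and `# management plugin does not inherit ssl_options; reuse the files mounted from existingSecret` at the top of `extraConfiguration`, would record both.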
From: Paolo Capriotti Date: Tue, 18 Jun 2024 15:24:16 +0200 Subject: [PATCH 12/19] Configure services for rabbitmq TLS on CI --- .../templates/configmap.yaml | 13 ++++++++++- .../templates/deployment.yaml | 9 ++++++++ charts/background-worker/values.yaml | 6 +++++ charts/brig/templates/configmap.yaml | 12 +++++++++- charts/brig/templates/deployment.yaml | 9 ++++++++ charts/brig/values.yaml | 5 +++++ charts/galley/templates/configmap.yaml | 12 +++++++++- charts/galley/templates/deployment.yaml | 9 ++++++++ charts/galley/values.yaml | 5 +++++ hack/helm_vars/certs/values.yaml.gotmpl | 2 +- hack/helm_vars/wire-server/values.yaml.gotmpl | 22 +++++++++++++++++++ 11 files changed, 100 insertions(+), 4 deletions(-) diff --git a/charts/background-worker/templates/configmap.yaml b/charts/background-worker/templates/configmap.yaml index 1a03ad0d5e4..fea77ab59d5 100644 --- a/charts/background-worker/templates/configmap.yaml +++ b/charts/background-worker/templates/configmap.yaml @@ -21,8 +21,19 @@ data: host: federator port: 8080 + {{- with .rabbitmq }} rabbitmq: -{{toYaml .rabbitmq | indent 6 }} + host: {{ .host }} + port: {{ .port }} + vHost: {{ .vHost }} + adminPort: {{ .adminPort }} + enableTls: {{ .enableTls }} + insecureSkipVerifyTls: {{ .insecureSkipVerifyTls }} + {{- if .tlsCaSecretRef }} + caCert: /etc/wire/background-worker/rabbitmq-ca/{{ .tlsCaSecretRef.key }} + {{- end }} + {{- end }} + backendNotificationPusher: {{toYaml .backendNotificationPusher | indent 6 }} {{- end }} diff --git a/charts/background-worker/templates/deployment.yaml b/charts/background-worker/templates/deployment.yaml index 2f556f6fc5d..bbc0b6f71f4 100644 --- a/charts/background-worker/templates/deployment.yaml +++ b/charts/background-worker/templates/deployment.yaml 
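Review bot: Replacing `{{toYaml .rabbitmq | indent 6 }}` with an explicit field list means any key under `config.rabbitmq` other than host/port/vHost/adminPort/enableTls/insecureSkipVerifyTls is now dropped from the rendered config instead of passed through, and a `tlsCaSecretRef` given without `key` renders `caCert: /etc/wire/background-worker/rabbitmq-ca/`, a directory, which the service will presumably fail to open; the brig configmap hunk (L35) and the galley one (L36) have the same shape. Using `{{ required "config.rabbitmq.tlsCaSecretRef.key is required" .tlsCaSecretRef.key }}` in the `caCert` line, and a values.yaml comment that only the listed keys are rendered, would turn both into template-time errors.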
@@ -36,6 +36,11 @@ spec: - name: "background-worker-secrets" secret: secretName: "background-worker" + {{- if .Values.config.rabbitmq.tlsCaSecretRef }} + - name: "rabbitmq-ca" + secret: + secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }} + {{- end }} containers: - name: background-worker image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -47,6 +52,10 @@ spec: volumeMounts: - name: "background-worker-config" mountPath: "/etc/wire/background-worker/conf" + {{- if .Values.config.rabbitmq.tlsCaSecretRef }} + - name: "rabbitmq-ca" + mountPath: "/etc/wire/background-worker/rabbitmq-ca/" + {{- end }} env: - name: RABBITMQ_USERNAME valueFrom: diff --git a/charts/background-worker/values.yaml b/charts/background-worker/values.yaml index a7a552a4536..e38cd9c8225 100644 --- a/charts/background-worker/values.yaml +++ b/charts/background-worker/values.yaml @@ -23,6 +23,12 @@ config: port: 5672 vHost: / adminPort: 15672 + enableTls: false + insecureSkipVerifyTls: false + # tlsCaSecretRef: + # name: + # key: + backendNotificationPusher: pushBackoffMinWait: 10000 # in microseconds, so 10ms pushBackoffMaxWait: 300000000 # microseconds, so 300s diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 8e002aa35a7..bf7881db81c 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml @@ -80,8 +80,18 @@ data: federatorInternal: host: federator port: 8080 + + {{- with .rabbitmq }} rabbitmq: -{{ toYaml .rabbitmq | indent 6}} + host: {{ .host }} + port: {{ .port }} + vHost: {{ .vHost }} + enableTls: {{ .enableTls }} + insecureSkipVerifyTls: {{ .insecureSkipVerifyTls }} + {{- if .tlsCaSecretRef }} + caCert: /etc/wire/brig/rabbitmq-ca/{{ .tlsCaSecretRef.key }} + {{- end }} + {{- end }} {{- end }} {{- with .aws }} diff --git a/charts/brig/templates/deployment.yaml b/charts/brig/templates/deployment.yaml index dea3c0dacba..cff8bffd9bb 100644 --- a/charts/brig/templates/deployment.yaml 
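Review bot: The new `rabbitmq-ca` volume projects the whole Secret named by `tlsCaSecretRef.name` into the pod although only `tlsCaSecretRef.key` is consumed; in the CI values (L38) that name is `rabbitmq-certificate`, the cert-manager secret for the broker's own certificate, which normally also holds `tls.key`, so the broker's private key would land in the background-worker container under `/etc/wire/background-worker/rabbitmq-ca/`. Restricting the volume to the one key keeps the mount to the CA certificate: after `secretName:` add `items:` / `- key: {{ .Values.config.rabbitmq.tlsCaSecretRef.key }}` / `path: {{ .Values.config.rabbitmq.tlsCaSecretRef.key }}`. The brig (L36), galley (L37) and integration (L39) deployment hunks add the same volume and need the same restriction; the second hunk in this file only adds the matching `volumeMounts` entry.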
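Review bot: The three keys added to charts/background-worker/values.yaml are undocumented, and the commented `# tlsCaSecretRef:` stub gives no hint what `name` and `key` refer to; charts/brig/values.yaml (L36) and charts/galley/values.yaml (L37) add the same block. Suggested comments above each key: `# enableTls: connect to RabbitMQ over TLS (port must then be the broker's TLS listener, 5671 in this setup)`, `# insecureSkipVerifyTls: accept any server certificate; only for test environments without a trusted CA`, `# tlsCaSecretRef: Secret (name) and key holding the PEM CA certificate used to verify the broker`.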
+++ b/charts/brig/templates/deployment.yaml @@ -57,6 +57,11 @@ spec: secret: secretName: {{ include "additionalElasticsearchTlsSecretName" .Values.config }} {{- end }} + {{- if .Values.config.rabbitmq.tlsCaSecretRef }} + - name: "rabbitmq-ca" + secret: + secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }} + {{- end }} containers: - name: brig @@ -87,6 +92,10 @@ spec: - name: "additional-elasticsearch-ca" mountPath: "/etc/wire/brig/additional-elasticsearch-ca/" {{- end }} + {{- if .Values.config.rabbitmq.tlsCaSecretRef }} + - name: "rabbitmq-ca" + mountPath: "/etc/wire/brig/rabbitmq-ca/" + {{- end }} env: - name: LOG_LEVEL value: {{ .Values.config.logLevel }} diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml index e11aa931a5a..7dcedbce2dc 100644 --- a/charts/brig/values.yaml +++ b/charts/brig/values.yaml @@ -69,6 +69,11 @@ config: host: rabbitmq port: 5672 vHost: / + enableTls: false + insecureSkipVerifyTls: false + # tlsCaSecretRef: + # name: + # key: emailSMS: general: templateBranding: diff --git a/charts/galley/templates/configmap.yaml b/charts/galley/templates/configmap.yaml index 1043cc17416..ea0cd15354c 100644 --- a/charts/galley/templates/configmap.yaml +++ b/charts/galley/templates/configmap.yaml @@ -41,8 +41,18 @@ data: federator: host: federator port: 8080 + + {{- with .rabbitmq }} rabbitmq: -{{ toYaml .rabbitmq | indent 6}} + host: {{ .host }} + port: {{ .port }} + vHost: {{ .vHost }} + enableTls: {{ .enableTls }} + insecureSkipVerifyTls: {{ .insecureSkipVerifyTls }} + {{- if .tlsCaSecretRef }} + caCert: /etc/wire/galley/rabbitmq-ca/{{ .tlsCaSecretRef.key }} + {{- end }} + {{- end }} {{- end }} {{- if (.journal) }} diff --git a/charts/galley/templates/deployment.yaml b/charts/galley/templates/deployment.yaml index df9eee0c206..ebfb5582abd 100644 --- a/charts/galley/templates/deployment.yaml +++ b/charts/galley/templates/deployment.yaml 
@@ -41,6 +41,11 @@ spec: secret: secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} {{- end }} + {{- if .Values.config.rabbitmq.tlsCaSecretRef }} + - name: "rabbitmq-ca" + secret: + secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }} + {{- end }} containers: - name: galley image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -58,6 +63,10 @@ spec: - name: "galley-cassandra" mountPath: "/etc/wire/galley/cassandra" {{- end }} + {{- if .Values.config.rabbitmq.tlsCaSecretRef }} + - name: "rabbitmq-ca" + mountPath: "/etc/wire/galley/rabbitmq-ca/" + {{- end }} env: {{- if hasKey .Values.secrets "awsKeyId" }} - name: AWS_ACCESS_KEY_ID diff --git a/charts/galley/values.yaml b/charts/galley/values.yaml index 8239f4019e8..1d170d39883 100644 --- a/charts/galley/values.yaml +++ b/charts/galley/values.yaml @@ -35,6 +35,11 @@ config: host: rabbitmq port: 5672 vHost: / + enableTls: false + insecureSkipVerifyTls: false + # tlsCaSecretRef: + # name: + # key: settings: httpPoolSize: 128 maxTeamSize: 10000 diff --git a/hack/helm_vars/certs/values.yaml.gotmpl b/hack/helm_vars/certs/values.yaml.gotmpl index 170a54c2121..2d771907e65 100644 --- a/hack/helm_vars/certs/values.yaml.gotmpl +++ b/hack/helm_vars/certs/values.yaml.gotmpl @@ -113,7 +113,7 @@ resources: isCA: false duration: 2160h # 90d renewBefore: 360h # 15d - commonName: rabbitmq-ephemeral-master + commonName: rabbitmq privateKey: algorithm: RSA encoding: PKCS1 diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl index 66a7e300915..6eaaf3249af 100644 --- a/hack/helm_vars/wire-server/values.yaml.gotmpl +++ b/hack/helm_vars/wire-server/values.yaml.gotmpl 
@@ -75,6 +75,13 @@ brig: additionalTlsCaSecretRef: name: "elasticsearch-ephemeral-certificate" key: "ca.crt" + rabbitmq: + port: 5671 + enableTls: true + insecureSkipVerifyTls: false + tlsCaSecretRef: + name: rabbitmq-certificate + key: "ca.crt" authSettings: userTokenTimeout: 120 sessionTokenTimeout: 20 @@ -233,6 +240,13 @@ galley: name: "cassandra-jks-keystore" key: "ca.crt" {{- end }} + rabbitmq: + port: 5671 + enableTls: true + insecureSkipVerifyTls: false + tlsCaSecretRef: + name: rabbitmq-certificate + key: "ca.crt" enableFederation: true # keep in sync with brig.config.enableFederation, cargohold.config.enableFederation and tags.federator! settings: maxConvAndTeamSize: 16 @@ -471,6 +485,14 @@ background-worker: pushBackoffMinWait: 1000 # 1ms pushBackoffMaxWait: 500000 # 0.5s remotesRefreshInterval: 1000000 # 1s + rabbitmq: + port: 5671 + adminPort: 15671 + enableTls: true + insecureSkipVerifyTls: false + tlsCaSecretRef: + name: rabbitmq-certificate + key: "ca.crt" secrets: rabbitmq: username: {{ .Values.rabbitmqUsername }} From 71b9f19af6b51e68d1eb8ae472e9e3b588e2edc6 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 19 Jun 2024 09:21:55 +0200 Subject: [PATCH 13/19] Document new configuration options --- .../src/developer/reference/config-options.md | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/docs/src/developer/reference/config-options.md b/docs/src/developer/reference/config-options.md index a46ad32fe5a..1c90bdfcc57 100644 --- a/docs/src/developer/reference/config-options.md +++ b/docs/src/developer/reference/config-options.md @@ -1085,7 +1085,7 @@ gundeck: **WARNING:** Please do this only if you know what you're doing. -In case it is not possible to verify TLS certificate of the elasticsearch +In case it is not possible to verify TLS certificate of the redis server, it can be turned off without tuning off TLS like this: ```yaml 
@@ -1096,3 +1096,32 @@ gundeck: redisAdditionalWrite: insecureSkipVerifyTls: true ``` + +## Configure RabbitMQ + +RabbitMQ authentication must be configured on brig, galley and background-worker. For example: + +```yaml +rabbitmq: + host: localhost + port: 5672 + vHost: / + adminPort: 15672 # for background-worker +``` + +the `adminPort` setting is only needed by background-worker. + +In order to enable TLS when connecting to RabbitMQ, the following settings need to be added: + +```yaml +rabbitmq: + enableTls: true + caCert: test/resources/rabbitmq-ca.pem + insecureSkipVerifyTls: false +``` + +**WARNING:** Please do this only if you know what you're doing. + +In case it is not possible to verify the TLS certificate of the RabbitMQ +server, verification can be turned off by settings `insecureSkipVerifyTls` to +`true`. From fd7b9aff802326cda24deea2edbfaaa4e77b1241 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 19 Jun 2024 09:25:59 +0200 Subject: [PATCH 14/19] Add rabbitmq-ca to integration-integration --- .../templates/integration-integration.yaml | 13 +++++++++++++ hack/helm_vars/wire-server/values.yaml.gotmpl | 4 ++++ 2 files changed, 17 insertions(+) diff --git a/charts/integration/templates/integration-integration.yaml b/charts/integration/templates/integration-integration.yaml index 324f6ebe609..55b3e74cac7 100644 --- a/charts/integration/templates/integration-integration.yaml +++ b/charts/integration/templates/integration-integration.yaml @@ -84,6 +84,10 @@ spec: secret: secretName: {{ .Values.config.redis.tlsCaSecretRef.name }} + - name: rabbitmq-ca + secret: + secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }} + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: integration-cassandra secret: 
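Review bot: The new `rabbitmq-ca` volume in charts/integration/templates/integration-integration.yaml dereferences `.Values.config.rabbitmq.tlsCaSecretRef.name` unconditionally, whereas the brig and galley deployment templates guard the same lookup with `{{- if .Values.config.rabbitmq.tlsCaSecretRef }}`. With the default chart values (`tlsCaSecretRef` commented out) Helm either fails with a nil-pointer evaluation error or renders an empty `secretName`, leaving the pod pending on a missing secret with no hint why. Either wrap the volume and its mounts in the same `if`, or fail loudly: `secretName: {{ required "config.rabbitmq.tlsCaSecretRef.name is required" .Values.config.rabbitmq.tlsCaSecretRef.name }}`.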
@@ -246,6 +250,15 @@ spec: - name: redis-ca mountPath: /etc/wire/gundeck/redis-ca + - name: rabbitmq-ca + mountPath: /etc/wire/brig/rabbitmq-ca + + - name: rabbitmq-ca + mountPath: /etc/wire/galley/rabbitmq-ca + + - name: rabbitmq-ca + mountPath: /etc/wire/background-worker/rabbitmq-ca + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: "integration-cassandra" mountPath: "/certs" diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl index 6eaaf3249af..e57f8a4b1cc 100644 --- a/hack/helm_vars/wire-server/values.yaml.gotmpl +++ b/hack/helm_vars/wire-server/values.yaml.gotmpl @@ -519,6 +519,10 @@ integration: tlsCaSecretRef: name: "redis-certificate" key: "ca.crt" + rabbitmq: + tlsCaSecretRef: + name: "rabbitmq-certificate" + key: "ca.crt" {{- if .Values.uploadXml }} uploadXml: baseUrl: {{ .Values.uploadXml.baseUrl }} From 985541b12f15ea20328399f64aa733f376ec9dff Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 19 Jun 2024 15:53:51 +0200 Subject: [PATCH 15/19] Enable plain-text rabbitmq on the local test setup We can't disable it because it is needed by federation-v0. --- deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf index f6c473f2499..fe1756e9285 100644 --- a/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf +++ b/deploy/dockerephemeral/rabbitmq-config/rabbitmq.conf 
@@ -1,12 +1,13 @@ default_user = $(RABBITMQ_USERNAME) default_pass = $(RABBITMQ_PASSWORD) -listeners.tcp = none +listeners.tcp.default = 5672 listeners.ssl.default = 5671 ssl_options.cacertfile = /etc/rabbitmq/certificates/ca.pem ssl_options.certfile = /etc/rabbitmq/certificates/cert.pem ssl_options.keyfile = /etc/rabbitmq/certificates/key.pem +management.tcp.port = 15672 management.ssl.port = 15671 management.ssl.cacertfile = /etc/rabbitmq/certificates/ca.pem management.ssl.certfile = /etc/rabbitmq/certificates/cert.pem From a2f7035e3cb97466a9d12cbd17fbe933917dcc24 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Wed, 19 Jun 2024 16:25:53 +0200 Subject: [PATCH 16/19] Fix kube-ci integration vhost setup --- charts/integration/templates/integration-integration.yaml | 2 ++ integration/scripts/integration-dynamic-backends-vhosts.sh | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/integration/templates/integration-integration.yaml b/charts/integration/templates/integration-integration.yaml index 55b3e74cac7..56dbf2bf8e7 100644 --- a/charts/integration/templates/integration-integration.yaml +++ b/charts/integration/templates/integration-integration.yaml @@ -109,6 +109,8 @@ spec: - name: "integration-cassandra" mountPath: "/certs/cassandra" {{- end }} + - name: rabbitmq-ca + mountPath: /certs/rabbitmq-ca env: - name: INTEGRATION_DYNAMIC_BACKENDS_POOLSIZE value: "{{ .Values.config.dynamicBackendsPoolsize }}" diff --git a/integration/scripts/integration-dynamic-backends-vhosts.sh b/integration/scripts/integration-dynamic-backends-vhosts.sh index f919f6b9121..5478a68b03a 100755 --- a/integration/scripts/integration-dynamic-backends-vhosts.sh +++ b/integration/scripts/integration-dynamic-backends-vhosts.sh 
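Review bot: Re-enabling `listeners.tcp.default = 5672` and `management.tcp.port = 15672` in the local rabbitmq.conf means the broker credentials (`default_user`/`default_pass`, and the same credentials as HTTP basic auth on the management API) are accepted over plaintext again, yet nothing in the file records that this is a deliberate test-only accommodation; the rationale lives only in the commit message. Add a comment above each of the two lines, e.g. `# Plain-text listener kept only for the local federation-v0 test setup; use the TLS ports (5671/15671) for everything else.`, so these ports are not copied into other configurations. Whether the compose file also publishes 5672/15672 on the host is outside this hunk and worth checking.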
@@ -7,7 +7,6 @@ DOMAIN=$2 echo 'Creating RabbitMQ resources' -curl -u "$RABBITMQ_USERNAME":"$RABBITMQ_PASSWORD" -X PUT "$ENDPOINT_URL/$DOMAIN" +curl --cacert /certs/rabbitmq-ca/ca.pem -u "$RABBITMQ_USERNAME:$RABBITMQ_PASSWORD" -X PUT "$ENDPOINT_URL/$DOMAIN" echo "RabbitMQ vhost created successfully for $DOMAIN" - From 3be345d24f09e6463f00f05aeaf7f89ed49567ca Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Thu, 20 Jun 2024 09:46:04 +0200 Subject: [PATCH 17/19] Enable plain-text management interface in CI --- hack/helm_vars/rabbitmq/values.yaml.gotmpl | 1 + 1 file changed, 1 insertion(+) diff --git a/hack/helm_vars/rabbitmq/values.yaml.gotmpl b/hack/helm_vars/rabbitmq/values.yaml.gotmpl index 464a6529d4f..747cfab23b1 100644 --- a/hack/helm_vars/rabbitmq/values.yaml.gotmpl +++ b/hack/helm_vars/rabbitmq/values.yaml.gotmpl @@ -10,6 +10,7 @@ rabbitmq: existingSecret: rabbitmq-certificate extraConfiguration: |- listeners.tcp = none + management.tcp.port = 15672 management.ssl.port = 15671 management.ssl.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem management.ssl.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem From c91b5627e1602b8631c4bac76d2faf02f378b64c Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Thu, 20 Jun 2024 14:46:32 +0200 Subject: [PATCH 18/19] Expose Rabbit MQ management interface port --- hack/helm_vars/rabbitmq/values.yaml.gotmpl | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hack/helm_vars/rabbitmq/values.yaml.gotmpl b/hack/helm_vars/rabbitmq/values.yaml.gotmpl index 747cfab23b1..710e9b0d338 100644 --- a/hack/helm_vars/rabbitmq/values.yaml.gotmpl +++ b/hack/helm_vars/rabbitmq/values.yaml.gotmpl @@ -8,6 +8,12 @@ rabbitmq: enabled: true failIfNoPeerCert: false existingSecret: rabbitmq-certificate + service: + extraPorts: + - name: http-stats-ssl + port: 15671 + protocol: TCP + targetPort: 15671 extraConfiguration: |- listeners.tcp = none management.tcp.port = 15672 
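Review bot: The rewritten `curl` in integration-dynamic-backends-vhosts.sh still exits 0 on an HTTP 401/403/5xx, since curl only turns transport errors into a non-zero status unless `--fail` is given, so a rejected credential or a bad CA prints `RabbitMQ vhost created successfully` exactly as before; change it to `curl --fail --silent --show-error --cacert /certs/rabbitmq-ca/ca.pem -u "$RABBITMQ_USERNAME:$RABBITMQ_PASSWORD" -X PUT "$ENDPOINT_URL/$DOMAIN"`. Separately, the CA path should be checked against the secret's key names: a secret volume exposes one file per key, and the same `rabbitmq-certificate` secret is referenced elsewhere in this series with `key: "ca.crt"`, so unless the secret also has a `ca.pem` entry curl will fail to open the CA file. The script continues outside the hunk, so whether `set -e` is in effect is not visible here.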
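Review bot: `management.tcp.port = 15672` in hack/helm_vars/rabbitmq/values.yaml.gotmpl opens the management API, which authenticates with the broker credentials over HTTP basic auth, on a plaintext port while `listeners.tcp = none` keeps AMQP itself TLS-only; the commit title scopes this to CI, but the `extraConfiguration` block carries no such note. Add `# CI only: plaintext management API; outside CI expose only management.ssl.port (15671).` directly above the line so the setting is not carried into non-test value files.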
From 3541599827ecbc974e3fd883951f692fbc9ba593 Mon Sep 17 00:00:00 2001 From: Paolo Capriotti Date: Fri, 21 Jun 2024 09:27:01 +0200 Subject: [PATCH 19/19] Add rabbitmq CA to integration pods --- charts/brig/templates/tests/brig-integration.yaml | 5 +++++ charts/galley/templates/tests/galley-integration.yaml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/charts/brig/templates/tests/brig-integration.yaml b/charts/brig/templates/tests/brig-integration.yaml index 62bea731895..2acf25d6fbc 100644 --- a/charts/brig/templates/tests/brig-integration.yaml +++ b/charts/brig/templates/tests/brig-integration.yaml @@ -54,6 +54,9 @@ spec: secret: secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} {{- end}} + - name: "rabbitmq-ca" + secret: + secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }} containers: - name: integration image: "{{ .Values.image.repository }}-integration:{{ .Values.image.tag }}" @@ -119,6 +122,8 @@ spec: - name: "brig-cassandra" mountPath: "/etc/wire/brig/cassandra" {{- end }} + - name: "rabbitmq-ca" + mountPath: "/etc/wire/brig/rabbitmq-ca/" env: # these dummy values are necessary for Amazonka's "Discover" diff --git a/charts/galley/templates/tests/galley-integration.yaml b/charts/galley/templates/tests/galley-integration.yaml index 1fdd9e206ac..879af2e5225 100644 --- a/charts/galley/templates/tests/galley-integration.yaml +++ b/charts/galley/templates/tests/galley-integration.yaml @@ -45,6 +45,9 @@ spec: secret: secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} {{- end }} + - name: "rabbitmq-ca" + secret: + secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }} containers: - name: integration image: "{{ .Values.image.repository }}-integration:{{ .Values.image.tag }}" 
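Review bot: The `rabbitmq-ca` volume added to charts/brig/templates/tests/brig-integration.yaml reads `.Values.config.rabbitmq.tlsCaSecretRef.name` without the `{{- if .Values.config.rabbitmq.tlsCaSecretRef }}` guard that the brig deployment template uses for the same volume, so with the chart's default values (`tlsCaSecretRef` commented out) rendering the test pod fails with a nil-pointer error or produces an empty `secretName`. Wrap the volume and its mount in the same `if`, or make the requirement explicit: `secretName: {{ required "config.rabbitmq.tlsCaSecretRef.name is required" .Values.config.rabbitmq.tlsCaSecretRef.name }}`.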
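Review bot: The `rabbitmq-ca` volume in charts/galley/templates/tests/galley-integration.yaml dereferences `.Values.config.rabbitmq.tlsCaSecretRef.name` unconditionally, unlike the galley deployment template, which wraps the identical volume in `{{- if .Values.config.rabbitmq.tlsCaSecretRef }}`; with the chart's default values this either aborts rendering with a nil-pointer error or yields an empty `secretName`. Use the same guard around the volume and its mount, or `secretName: {{ required "config.rabbitmq.tlsCaSecretRef.name is required" .Values.config.rabbitmq.tlsCaSecretRef.name }}` so the failure is explicit.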
@@ -93,6 +96,8 @@ spec: - name: "galley-cassandra" mountPath: "/etc/wire/galley/cassandra" {{- end }} + - name: "rabbitmq-ca" + mountPath: "/etc/wire/galley/rabbitmq-ca/" env: # these dummy values are necessary for Amazonka's "Discover" - name: AWS_ACCESS_KEY_ID