rabbitmq: Deploy RabbitMQ Server

RabbitMQ is an AMQP message broker. It will be used by `xactmon` to pass messages between the components. Although RabbitMQ can be deployed in a high-availability cluster, we don't really need that level of robustness for `xactmon`, so we will just run a single instance. Deploying a single-host RabbitMQ server is pretty straightforward. We're using mTLS authentication; clients need to have a certificate issued by the *RabbitMQ CA* in order to connect to the message broker. The `rabbitmq-ca` _cert-manager_ ClusterIssuer issues these certificates for in-cluster services like `xactmon`.
2024-07-26 20:43:39 -05:00
parent a04a2b5334
commit 1a1d8ff27d
12 changed files with 272 additions and 0 deletions
--- a/rabbitmq/rabbitmq.yaml
+++ b/rabbitmq/rabbitmq.yaml
@@ -0,0 +1,107 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rabbitmq
+  labels:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+  name: rabbitmq
+spec:
+  ports:
+  - name: amqps
+    port: 5671
+  selector:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: rabbitmq
+  labels:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+spec:
+  serviceName: rabbitmq
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: rabbitmq
+      app.kubernetes.io/component: rabbitmq
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: rabbitmq
+        app.kubernetes.io/component: rabbitmq
+    spec:
+      containers:
+      - name: rabbitmq
+        image: docker.io/library/rabbitmq:3.13-alpine
+        ports:
+        - name: amqps
+          containerPort: 5671
+        - name: metrics
+          containerPort: 15692
+        readinessProbe: &probe
+          tcpSocket:
+            port: amqps
+          periodSeconds: 60
+          successThreshold: 1
+          failureThreshold: 2
+        startupProbe:
+          <<: *probe
+          initialDelaySeconds: 5
+          periodSeconds: 1
+          timeoutSeconds: 1
+          failureThreshold: 10
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /etc/rabbitmq
+          name: rabbitmq-config
+          readOnly: true
+        - mountPath: /run/secrets/rabbitmq/cert
+          name: rabbitmq-cert
+          readOnly: true
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+        - mountPath: /var/lib/rabbitmq
+          name: rabbitmq-data
+          subPath: data
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 5672
+        runAsGroup: 5762
+        fsGroup: 5672
+        fsGroupChangePolicy: OnRootMismatch
+      volumes:
+      - name: rabbitmq-cert
+        secret:
+          secretName: rabbitmq-cert
+          defaultMode: 0440
+      - name: rabbitmq-config
+        configMap:
+          name: rabbitmq
+      - name: rabbitmq-data
+        persistentVolumeClaim:
+          claimName: rabbitmq
+      - name: tmp
+        emptyDir:
+          medium: Memory
+