rabbitmq: Deploy RabbitMQ Server
RabbitMQ is an AMQP message broker. It will be used by `xactmon` to pass messages between the components. Although RabbitMQ can be deployed in a high-availability cluster, we don't really need that level of robustness for `xactmon`, so we will just run a single instance. Deploying a single-host RabbitMQ server is pretty straightforward. We're using mTLS authentication; clients need to have a certificate issued by the *RabbitMQ CA* in order to connect to the message broker. The `rabbitmq-ca` _cert-manager_ ClusterIssuer issues these certificates for in-cluster services like `xactmon`.etcd
parent
a04a2b5334
commit
1a1d8ff27d
|
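--- /dev/null
+++ b/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+  - pairs:
+      app.kubernetes.io/component: rabbitmq-ca
+      app.kubernetes.io/instance: rabbitmq-ca
+      app.kubernetes.io/part-of: rabbitmq
+
+resources:
+  - rabbitmq-ca.yaml
+  - secrets.yaml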
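--- /dev/null
+++ b/ca/rabbitmq-ca.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICazCCAc2gAwIBAgIUHOLoRkpqTumPczT4haPTrDR+NWYwCgYIKoZIzj0EAwQw
+UDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDERMA8GA1UE
+CwwIUmFiYml0TVExFDASBgNVBAMMC1JhYmJpdE1RIENBMB4XDTI0MDcyMTE1MzQ1
+NloXDTM0MDcyMjE1MzQ1NlowUDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3Rp
+biBDLiBIYXRjaDERMA8GA1UECwwIUmFiYml0TVExFDASBgNVBAMMC1JhYmJpdE1R
+IENBMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBUciaWKnxGTNnfkeTBFm4O8Qx
+byOua3LYDBVvP04U6xxpm3k/f6m8PVpj8k57lXFtSAi4xpAgVy9gCzTnoud1YZEA
+e4qSR4FG7M7mTygYLXkS6IheeRadWjRrjKvdtWr74gdsughnQ9dZjvE0lzqpFg0l
+ncYN6FVsW4jo4tj+rayp1tajQjBAMB0GA1UdDgQWBBTTZi3xHWChlywYYs+QIlRh
+96pcdDASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQD
+BAOBiwAwgYcCQgDf4KpCADduVqdgeXp/eUoQEznKplgiZF8fdM+fVSEd+4t+IQZw
+wi58uu2Ib5sPop0//iPT3AogIqmr+E1eu/EmAgJBY7naClR/IINeTTzUAqNjDxJa
+GkQ7jJjpnGHNbnwLJ7e7VCP2rqDRtgw7z2QCxk3gIZSThXGicHPqxyiK9T9rjZI=
+-----END CERTIFICATE-----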
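--- /dev/null
+++ b/rabbitmq-ca.yaml
@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: rabbitmq-ca
+spec:
+  ca:
+    secretName: rabbitmq-ca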
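Review bot: `rabbitmq-ca` is a ClusterIssuer, so a Certificate in any namespace of the cluster can be issued from it, and because rabbitmq.conf maps the client certificate's CN straight to the RabbitMQ user (`ssl_cert_login_from = common_name`), anyone who can create Certificate objects anywhere in the cluster can mint a cert with CN `xactmon` and authenticate as that user. If only the xactmon namespace needs client certificates, a namespaced `kind: Issuer` next to the consumer (with the CA secret in that namespace) confines who can request from this CA; otherwise restrict Certificate creation with RBAC or a cert-manager approval policy such as approver-policy. Either way the scope deserves a comment on the resource, e.g. `# Cluster-wide issuer: any namespace may request a cert; the CN becomes the RabbitMQ user name`.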
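--- /dev/null
+++ b/secrets.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: rabbitmq-ca
+  namespace: cert-manager
+  labels:
+    app.kubernetes.io/name: rabbitmq-ca
+spec:
+  encryptedData:
+    tls.crt: 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
+    tls.key: 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
+  template:
+    metadata:
+      name: rabbitmq-ca
+      namespace: cert-manager
+      labels:
+        app.kubernetes.io/name: rabbitmq-ca
+    type: kubernetes.io/tls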
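--- /dev/null
+++ b/certificate.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rabbitmq
+spec:
+  secretName: rabbitmq-cert
+  dnsNames:
+    - rabbitmq.pyrocufflink.blue
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: dch-ca
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always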
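Review bot: `dnsNames` lists only `rabbitmq.pyrocufflink.blue`, but the Service this commit creates is a ClusterIP named `rabbitmq` in the `rabbitmq` namespace, so an in-cluster client that connects to `rabbitmq.rabbitmq.svc.cluster.local` (or `rabbitmq.rabbitmq.svc`) and verifies the server name will reject this certificate. If in-cluster clients are meant to use the external name, say so in a comment; otherwise add the Service names: `- rabbitmq.rabbitmq.svc` and `- rabbitmq.rabbitmq.svc.cluster.local`. I cannot see how xactmon addresses the broker from here, so confirm which name it actually dials before choosing.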
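--- /dev/null
+++ b/definitions.json
@@ -0,0 +1,26 @@
+{
+  "rabbit_version": "3.13.4",
+  "vhosts": [
+    {
+      "name": "/",
+      "metadata": {
+        "description": "Default virtual host"
+      }
+    }
+  ],
+  "users": [
+    {
+      "name": "xactmon",
+      "tags": []
+    }
+  ],
+  "permissions": [
+    {
+      "user": "xactmon",
+      "vhost": "/",
+      "configure": "^xactmon\\..*",
+      "read": "^xactmon\\..*",
+      "write": "^xactmon\\..*"
+    }
+  ]
+}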
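--- /dev/null
+++ b/enabled_plugins
@@ -0,0 +1 @@
+[rabbitmq_auth_mechanism_ssl,rabbitmq_prometheus].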
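--- /dev/null
+++ b/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: rabbitmq
+
+labels:
+  - pairs:
+      app.kubernetes.io/instance: rabbitmq
+      app.kubernetes.io/part-of: rabbitmq
+
+resources:
+  - namespace.yaml
+  - certificate.yaml
+  - rabbitmq.yaml
+
+configMapGenerator:
+  - name: rabbitmq
+    files:
+      - ca.crt=ca/rabbitmq-ca.crt
+      - definitions.json
+      - enabled_plugins
+      - rabbitmq.conf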
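Review bot: The CA certificate is now committed in two unrelated places — as `ca/rabbitmq-ca.crt` feeding the `ca.crt` ConfigMap key here, and as `tls.crt` inside the SealedSecret backing the `rabbitmq-ca` ClusterIssuer — and nothing ties the copies together, so a CA rotation that updates one but not the other leaves the broker trusting a CA that cert-manager no longer issues from (or the reverse) with no error until clients fail to connect. A comment next to the `ca.crt=` entry such as `# Must match tls.crt in the rabbitmq-ca SealedSecret (cert-manager namespace); update both on rotation` would at least make the coupling visible. Note also that this ConfigMap is the only trust anchor the broker checks, so any certificate chaining to that CA is accepted regardless of how it was issued.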
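--- /dev/null
+++ b/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rabbitmq
+  labels:
+    app.kubernetes.io/component: rabbitmq
+    app.kubernetes.io/name: rabbitmq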
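Review bot: The namespace carries only informational labels; the broker pod already runs as non-root with a read-only root filesystem, so it is close to satisfying the `restricted` Pod Security Standard, and enforcing it at the namespace would stop a later edit from silently dropping those settings. Add `pod-security.kubernetes.io/enforce: restricted` (and `pod-security.kubernetes.io/enforce-version: latest`) under `labels`; the StatefulSet would then also need `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and a `seccompProfile` to be admitted. Start with `warn`/`audit` instead of `enforce` if the cluster version or the image's behaviour under those constraints has not been checked.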
@ -0,0 +1,17 @@
|
|||
[req]
|
||||
distinguished_name = root_ca_dn
|
||||
prompt = no
|
||||
default_md = sha512
|
||||
x509_extensions = root_ca
|
||||
string_mask = utf8only
|
||||
|
||||
[root_ca_dn]
|
||||
countryName = US
|
||||
organizationName = Dustin C. Hatch
|
||||
organizationalUnitName = RabbitMQ
|
||||
commonName = RabbitMQ CA
|
||||
|
||||
[root_ca]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true,pathlen:0
|
||||
keyUsage = cRLSign, keyCertSign
|
|
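Review bot: `keyUsage` in `[root_ca]` is not marked critical; RFC 5280 says the key usage extension SHOULD be critical when present, and a verifier that ignores non-critical extensions could accept this certificate for purposes beyond signing — change it to `keyUsage = critical, cRLSign, keyCertSign`. There is no validity period in this file either, so the lifetime was supplied on the command line: the committed certificate runs from 2024-07-21 to 2034-07-22, and with no CRL distribution point or OCSP URL the only way to revoke anything it issued is to replace the CA in both places it is committed (the ConfigMap and the SealedSecret). Recording the generation command (key type, curve, days) in a comment at the top of this file would let the next person reproduce a rotation.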
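--- /dev/null
+++ b/rabbitmq.conf
@@ -0,0 +1,24 @@
+# Send logs to container engine via stderr
+log.console = true
+log.console.level = info
+log.file = false
+
+# Disable default (non-TLS) listener
+listeners.tcp = none
+
+# Activate TLS listener on AMQPS port
+listeners.ssl.default = 5671
+ssl_options.certfile = /run/secrets/rabbitmq/cert/tls.crt
+ssl_options.keyfile = /run/secrets/rabbitmq/cert/tls.key
+
+# Require mTLS authentication (client certificate)
+ssl_options.cacertfile = /etc/rabbitmq/ca.crt
+ssl_options.verify = verify_peer
+ssl_options.fail_if_no_peer_cert = true
+auth_mechanisms.1 = EXTERNAL
+ssl_cert_login_from = common_name
+
+## Import user/permission definitions from JSON file
+definitions.import_backend = local_filesystem
+definitions.local.path = /etc/rabbitmq/definitions.json
+definitions.skip_if_unchanged = true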
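Review bot: The TLS listener block pins neither protocol versions nor cipher suites, so what the broker accepts depends on the Erlang/OTP release in whatever image tag resolves at pull time; add `ssl_options.versions.1 = tlsv1.3` and `ssl_options.versions.2 = tlsv1.2` beneath `listeners.ssl.default` so a base-image change cannot quietly re-enable older TLS. Separately, `verify_peer` only validates the chain against `ca.crt`; no CRL check is configured (if the `rabbitmq.conf` schema does not expose one it would have to go in `advanced.config`), so a leaked client key stays usable until its certificate expires — a comment next to `ssl_options.verify` such as `# No revocation: a compromised client cert can only be invalidated by rotating the CA` would set expectations. Finally, `rabbitmq_prometheus` is enabled and its default endpoint on 15692 is plain HTTP with no authentication; if every pod in the cluster should not be able to scrape it, either serve it over TLS with `prometheus.ssl.port` and the same cert/key, or restrict the port with a NetworkPolicy.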
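--- /dev/null
+++ b/rabbitmq.yaml
@@ -0,0 +1,107 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rabbitmq
+  labels:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+  name: rabbitmq
+spec:
+  ports:
+    - name: amqps
+      port: 5671
+  selector:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: rabbitmq
+  labels:
+    app.kubernetes.io/name: rabbitmq
+    app.kubernetes.io/component: rabbitmq
+spec:
+  serviceName: rabbitmq
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: rabbitmq
+      app.kubernetes.io/component: rabbitmq
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: rabbitmq
+        app.kubernetes.io/component: rabbitmq
+    spec:
+      containers:
+        - name: rabbitmq
+          image: docker.io/library/rabbitmq:3.13-alpine
+          ports:
+            - name: amqps
+              containerPort: 5671
+            - name: metrics
+              containerPort: 15692
+          readinessProbe: &probe
+            tcpSocket:
+              port: amqps
+            periodSeconds: 60
+            successThreshold: 1
+            failureThreshold: 2
+          startupProbe:
+            <<: *probe
+            initialDelaySeconds: 5
+            periodSeconds: 1
+            timeoutSeconds: 1
+            failureThreshold: 10
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /etc/rabbitmq
+              name: rabbitmq-config
+              readOnly: true
+            - mountPath: /run/secrets/rabbitmq/cert
+              name: rabbitmq-cert
+              readOnly: true
+            - mountPath: /tmp
+              name: tmp
+              subPath: tmp
+            - mountPath: /var/lib/rabbitmq
+              name: rabbitmq-data
+              subPath: data
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 5672
+        runAsGroup: 5762
+        fsGroup: 5672
+        fsGroupChangePolicy: OnRootMismatch
+      volumes:
+        - name: rabbitmq-cert
+          secret:
+            secretName: rabbitmq-cert
+            defaultMode: 0440
+        - name: rabbitmq-config
+          configMap:
+            name: rabbitmq
+        - name: rabbitmq-data
+          persistentVolumeClaim:
+            claimName: rabbitmq
+        - name: tmp
+          emptyDir:
+            medium: Memory
+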
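Review bot: `runAsGroup: 5762` in the pod `securityContext` looks like a transposition of the `5672` used for `runAsUser` and `fsGroup`; it only works because `fsGroup` is added as a supplementary group, so the PVC contents and the `0440` secret mount are readable through that group rather than the primary one — set it to `5672` so all three agree. Beyond that, the container `securityContext` stops at `readOnlyRootFilesystem`; it should also drop all capabilities and forbid privilege escalation, and the pod should set a seccomp profile, which is what the `restricted` Pod Security Standard expects. The image is pulled by the floating tag `rabbitmq:3.13-alpine`, so the broker binary can change under you on any pod restart; pin it by digest (`image: docker.io/library/rabbitmq:3.13-alpine@sha256:…`) and bump deliberately. Lastly, the metrics port 15692 is declared on the container but there is neither a Service nor a NetworkPolicy for it, so any pod that can reach the pod IP can scrape it over plain HTTP; add a NetworkPolicy admitting only the scraper, or drop it from `ports:` until something needs it.
```yaml
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: volumeMounts …
      securityContext:
        runAsNonRoot: true
        runAsUser: 5672
        runAsGroup: 5672
        fsGroup: 5672
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: volumes …
```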