Add support for RabbitMQ Users and Vhosts and implement credentials rotation #511
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: lmiccini
| }, | ||
| Spec: rabbitmqv1.RabbitMQVhostSpec{RabbitmqClusterName: instance.Spec.RabbitmqClusterName, Name: vhostName}, | ||
| } | ||
| if err := controllerutil.SetControllerReference(instance, vhost, r.Scheme); err == nil { |
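Review bot: the error from `SetControllerReference` is silently dropped on the last line of this hunk; when it fails, the RabbitMQVhost is created without an owner reference, so it is never garbage-collected with its TransportURL and nothing records why. Handle the `err != nil` branch by returning the error to the caller so the reconcile is requeued, rather than only acting when `err == nil`.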
what if err != nil?
| if !controllerutil.ContainsFinalizer(user, rabbitmqv1.UserFinalizer) { | ||
| controllerutil.AddFinalizer(user, rabbitmqv1.UserFinalizer) | ||
| } |
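Review bot: the `ContainsFinalizer` guard is redundant; `controllerutil.AddFinalizer` is idempotent and reports whether it actually added the finalizer, so the three lines collapse to a single `controllerutil.AddFinalizer(user, rabbitmqv1.UserFinalizer)` call whose return value can drive the decision to update the object.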
same, could just call AddFinalizer, it returns true if it got added.
| }, | ||
| Spec: rabbitmqv1.RabbitMQUserSpec{RabbitmqClusterName: instance.Spec.RabbitmqClusterName, Username: instance.Spec.Username, VhostRef: vhostRef}, | ||
| } | ||
| if err := controllerutil.SetControllerReference(instance, user, r.Scheme); err == nil { |
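Review bot: same issue as the vhost hunk: a failing `SetControllerReference` leaves the RabbitMQUser without an owner reference and the error is never returned, so the user object outlives the TransportURL that created it. Return the error in the `err != nil` case so the reconcile retries.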
same, what if err != nil?
| if vhostName != "/" { | ||
| if err := apiClient.DeleteVhost(vhostName); err != nil { | ||
| // Log error but don't fail deletion - the vhost may already be gone | ||
| log.FromContext(ctx).Error(err, "Failed to delete vhost from RabbitMQ", "vhost", vhostName) |
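Review bot: the comment "the vhost may already be gone" does not describe what this branch catches: the client's Delete methods already treat 404 as success (see the note in the DeletePermissions hunk below), so any error that reaches this log line is a real failure such as bad admin credentials or an unreachable management API. Logging and continuing removes the finalizer while the vhost stays on the cluster. Return non-404 errors so the delete is retried, or at least record the failure in the CR's status.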
is it ok to just log?
Merge Failed. This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
…otation

This commit:
- adds RabbitMQUser and RabbitMQVhost CRDs
- adds a basic client using the rabbitmq management api
- modifies TransportURL to be able to reference users and vhosts
- adds functional tests for RabbitMQUser and RabbitMQVhost
- adds a RabbitMqConfig shared struct that can be used by other operators to configure the respective user and vhost

In addition:
- reworks how the Mirrored queues policy is applied to use the management api instead of a direct pod rsh

Operators can now perform rabbitmq credentials rotation by:
- editing the openstackcontrolplane to point each service at a new user
- waiting for the pods' reconciliation
- triggering the edpm deployment to apply the change to the data plane
- finally deleting the previous RabbitMQUser when desired

Rollback is possible by switching the service to use the previous RabbitMQUser.

Credential rotation happens without downtime since both the old and new credentials are valid at the same time.

Assisted-by: Claude (Anthropic AI)
| // Log non-NotFound errors but continue with deletion | ||
| log.FromContext(ctx).Error(err, "Failed to get admin secret") | ||
| } | ||
| // Skip policy deletion if credentials are not accessible - finalizer will still be removed |
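Review bot: after a non-NotFound error from reading the admin secret ("Failed to get admin secret"), the code goes on to skip the policy deletion and remove the finalizer, so a transient failure (API server briefly unavailable) leaves the mirrored-queues policy on the cluster with nothing recording it. Return such errors so the delete is requeued and retried; only NotFound, where the credentials are genuinely gone, warrants skipping the cleanup.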
Do I get it right that we proceed with deletion and say it's ok that the policy remains on the cluster?
My idea with this was not to block the cluster deletion in case we can't delete the policy for whatever reason.
| // Note: Delete methods already treat 404 as success | ||
| if err := apiClient.DeletePermissions(vhostName, username); err != nil { | ||
| // Log error but don't fail deletion - the permissions may already be gone | ||
| // Log error but don't fail deletion - finalizer will still be removed to prevent CR from being stuck |
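Review bot: the two consecutive "Log error but don't fail deletion" comments say different things; keep one. The larger concern is that the commit message describes rotation as ending with the deletion of the previous RabbitMQUser, so a DeletePermissions failure that is only logged means the old user keeps its permissions on the vhost while the CR disappears, and revocation silently does not happen. Since 404 is already treated as success, return the remaining errors so the finalizer is kept and the delete is retried, and surface the failure in the CR's status so the CR and the cluster state do not diverge.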
Couldn't there be a side effect that permissions remain on the cluster? In case of debugging, you could not rely on the CR status mapping to what is configured on the cluster?
Same as the previous comment, not sure if it's better to have the cluster stuck deleting if we can't delete the user?