Using cert manager with RabbitMQ


Anjitha M

Jun 16, 2021, 11:01:42 AM
to rabbitmq-users
Hi all,
I have a requirement to set up RabbitMQ with CA and TLS certificates. I have cert-manager installed in my GKE cluster, so I want to leverage that, meaning control the Issuer and Certificate resources getting created, their validity, etc.

So, I made the following YAML, which would be applied to the namespace where the RabbitMQ cluster will be deployed.

I need help to check:
1. whether a similar YAML as given below would spin up the required certificates
2. what DNS names I should mention in the YAML to create the certificate
3. what organization name should be mentioned
4. in rabbitmq.yaml, under the spec.tls section, what details need to be mentioned?

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: rabbitmq-ca-issuer
spec:
  selfSigned: {}                  # bootstraps the root CA certificate below
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: rabbitmq-ca-cert
spec:
  duration: <duration>            # Go duration string, e.g. 8760h
  renewBefore: <renew before>     # must be shorter than duration
  secretName: rabbitmq-ca-secret  # Secret holding the CA key pair
  commonName: "rabbitmq-root-ca"
  isCA: true
  issuerRef:
    name: rabbitmq-ca-issuer
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: rabbitmq-issuer
spec:
  ca:
    secretName: rabbitmq-ca-secret  # must match the CA Certificate's secretName above (was rabbitmq-ca-cert)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <rabbitmqcluster-name>-tls
spec:
  commonName: {{ .Values.clusterName }}-rabbitmq   # Helm template value; clients verify dnsNames (SANs), not commonName
  dnsNames:
  - 'localhost'
  - <other dns names to be added>   # the names clients will use to reach the service
  isCA: false
  issuerRef:
    kind: Issuer
    name: rabbitmq-issuer
  duration: <duration>
  renewBefore: <renew before>
  secretName: rabbitmqtls-secret    # referenced from the RabbitmqCluster spec.tls.secretName
  subject:
    organizations:
    - <organization here>

Would really appreciate some insight over here.

Thanks,
Anjitha M.

Michal Kuratczyk

Jun 16, 2021, 11:30:04 AM
to rabbitm...@googlegroups.com

--
Michał
RabbitMQ team

Anjitha M

Jun 17, 2021, 4:28:11 AM
to rabbitmq-users
Hi,
Thank you for the reference. Actually, I was looking for a better configuration, as mentioned above, in which I can control the validity and renewal time of the certs.
Can you confirm whether the DNS name should be given as in https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples/tls ?
Could you also tell me how I can create CA and TLS certs, and whether I need separate Issuer resources for both? Also, what is the difference between using an Issuer and a ClusterIssuer?


Michal Kuratczyk

Jun 17, 2021, 5:03:06 AM
to rabbitm...@googlegroups.com
These are all TLS and/or cert-manager questions, not RabbitMQ questions. We just need a secret to exist and be mentioned in spec.tls.secretName. How this secret is created/managed is up to you.

Names in the certificate need to match the names used by client applications; this is always true for any TLS connection (not RabbitMQ specific). The goal of the SANs in the certificate is for the client to compare what it was trying to connect to (server DNS name/IP) with what it actually connected to (whether the server presents a valid, trusted certificate for that DNS name/IP).



--
Michał
RabbitMQ team
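To check a proposed Certificate spec against the two points raised in this thread (the first post wants to control duration and renewal; this reply explains that SANs must match what clients dial), here is an added example in Python, not code from the thread, from cert-manager or from the RabbitMQ operator. It assumes cert-manager parses duration/renewBefore like Go's time.ParseDuration with a 1h minimum, and the namespace and per-pod hostnames below are constructed for illustration.

```python
import re
from datetime import timedelta

# Go time.ParseDuration units: cert-manager parses duration/renewBefore this way.
_UNITS = {"h": 3600, "m": 60, "s": 1, "ms": 1e-3, "us": 1e-6, "ns": 1e-9}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ms|us|ns|h|m|s)")

def parse_go_duration(text: str) -> timedelta:
    """Parse '1h', '1h30m', '2160h'; rejects non-Go spellings such as '1hr'."""
    pos, seconds = 0, 0.0
    for tok in _TOKEN.finditer(text):
        if tok.start() != pos:
            break                           # junk between tokens, e.g. "1 h"
        seconds += float(tok.group(1)) * _UNITS[tok.group(2)]
        pos = tok.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"invalid Go duration: {text!r}")
    return timedelta(seconds=seconds)

def spec_problems(duration: str, renew_before: str) -> list:
    """Assumed cert-manager rules: duration >= 1h and renewBefore < duration."""
    try:
        d, r = parse_go_duration(duration), parse_go_duration(renew_before)
    except ValueError as err:
        return [str(err)]
    problems = []
    if d < timedelta(hours=1):
        problems.append("duration below cert-manager's 1h minimum")
    if r >= d:
        problems.append("renewBefore must be shorter than duration")
    return problems

def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*.' covering exactly one leftmost label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                        # ".rabbitmqcluster.<ns>.svc.cluster.local"
    leftmost = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return bool(leftmost) and "." not in leftmost

def unmatched_clients(dns_names: list, client_hosts: list) -> list:
    """Hostnames a client might dial that no entry in dnsNames would cover."""
    return [h for h in client_hosts if not any(san_matches(s, h) for s in dns_names)]
# Constructed sample: the dnsNames posted later in this thread, namespace "rabbitmq-system".
NS = "rabbitmq-system"
DNS_NAMES = [f"rabbitmqcluster.{NS}.svc.cluster.local", f"*.rabbitmqcluster.{NS}.svc.cluster.local"]
CLIENT_HOSTS = [f"rabbitmqcluster.{NS}.svc.cluster.local",      # service FQDN: covered
                f"rabbitmqcluster.{NS}.svc",                    # short form: not covered
                f"rabbitmqcluster-server-0.rabbitmqcluster-nodes.{NS}.svc.cluster.local"]  # assumed per-pod name: not covered
```

Running unmatched_clients(DNS_NAMES, CLIENT_HOSTS) shows that the wildcard entry covers only names with exactly one extra label, so any short service name or per-node hostname a client actually dials has to be listed explicitly.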

Anjitha M

Jun 18, 2021, 9:24:05 AM
to rabbitmq-users
Hi Michal,
Made a note of your previous reply. Could you clarify one thing for me? Say I have a certificate I have created using cert-manager. It has a validity of 1 hr (for testing purposes), after which the cert is automatically renewed, which means the connected Secret is also updated.
However, I noticed that the RabbitMQ pods are not picking up this updated Secret. Is it because the Secret name is the same as before, so the pod doesn't recognize that the data inside the Secret has been updated? If so, how can I make sure my pods use the latest certs?

Right now, my TLS certificate, Issuer and Secret are created with the YAML given below:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: rabbitmq-ca-issuer
spec:
  selfSigned: {}                 # bootstraps the root CA below
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: rabbitmqcluster-ca-cert
spec:
  duration: 1h                   # Go duration string; cert-manager does not accept "1hr"
  renewBefore: 30m               # renew halfway through the 1h validity
  secretName: rabbitmq-ca-cert   # Secret holding the CA key pair
  commonName: "rabbitmq-root-ca"
  isCA: true
  revisionHistoryLimit: 1
  issuerRef:
    name: rabbitmq-ca-issuer
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: rabbitmqcluster-tls-issuer
spec:
  ca:
    secretName: rabbitmq-ca-cert # same Secret the CA Certificate above writes to
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: rabbitmqcluster-tls
spec:
  commonName: rabbitmqcluster
  dnsNames:
  - 'rabbitmqcluster.<namespace>.svc.cluster.local'    # no whitespace inside the quotes
  - '*.rabbitmqcluster.<namespace>.svc.cluster.local'  # wildcard covers exactly one extra label
  isCA: false
  revisionHistoryLimit: 1
  issuerRef:
    kind: Issuer
    name: rabbitmqcluster-tls-issuer
  duration: 1h                   # Go duration string; cert-manager does not accept "1hr"
  renewBefore: 30m
  secretName: rabbitmqcluster-tls-secret   # referenced from the RabbitmqCluster spec.tls.secretName
  subject:
    organizations:
    - rabbitmqcluster

Michal Kuratczyk

Jun 18, 2021, 9:44:16 AM
to rabbitm...@googlegroups.com
From https://www.rabbitmq.com/kubernetes/operator/using-operator.html#tls-conf:

-------------------------------

RabbitMQ nodes can reload TLS certificates without a node restart. To rotate the TLS certificate, update the TLS Secret object with the new certificate directly and this change will be picked up by the RabbitMQ pods within several minutes. If you need to speed up the process, you can force RabbitMQ to reload the certificate immediately by running:

kubectl exec -it INSTANCE-server-0 -- rabbitmqctl eval "ssl:clear_pem_cache()."

or directly from within the node pod:

rabbitmqctl eval "ssl:clear_pem_cache()."

Since each node has its own cache, if you decide to run this command, you should execute it on all cluster nodes.

-------------------------------


There is no special functionality for this in the Operator. This behaviour depends on:

1. Kubernetes secrets getting updated in the pod immediately (you can check if that happens in your case)

2. RabbitMQ reloading certificates when the files change





--
Michał
RabbitMQ team