Merge pull request #1747 from rabbitmq/fix/cluster-operator-1616

Fix CA certs overriding server certs

Author: Zerpet

api/v1beta1/rabbitmqcluster_types.go

@@ -350,15 +350,15 @@ type PersistentVolumeClaim struct {
 	Spec corev1.PersistentVolumeClaimSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
 }
 
-// Allows for the configuration of TLS certificates to be used by RabbitMQ. Also allows for non-TLS traffic to be disabled.
+// TLSSpec allows for the configuration of TLS certificates to be used by RabbitMQ. Also allows for non-TLS traffic to be disabled.
 type TLSSpec struct {
 	// Name of a Secret in the same Namespace as the RabbitmqCluster, containing the server's private key & public certificate for TLS.
 	// The Secret must store these as tls.key and tls.crt, respectively.
-	// This Secret can be created by running `kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key`
+	// This Secret can be created by running `kubectl create secret tls tls-secret --cert=path/to/tls.crt --key=path/to/tls.key`
 	SecretName string `json:"secretName,omitempty"`
 	// Name of a Secret in the same Namespace as the RabbitmqCluster, containing the Certificate Authority's public certificate for TLS.
 	// The Secret must store this as ca.crt.
-	// This Secret can be created by running `kubectl create secret generic ca-secret --from-file=ca.crt=path/to/ca.cert`
+	// This Secret can be created by running `kubectl create secret generic ca-secret --from-file=ca.crt=path/to/ca.crt`
 	// Used for mTLS, and TLS for rabbitmq_web_stomp and rabbitmq_web_mqtt.
 	CaSecretName string `json:"caSecretName,omitempty"`
 	// When set to true, the RabbitmqCluster disables non-TLS listeners for RabbitMQ, management plugin and for any enabled plugins in the following list: stomp, mqtt, web_stomp, web_mqtt.

controllers/reconcile_tls.go

@@ -60,6 +60,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 
 	// Mutual TLS: check if CA certificate is stored in a separate secret
 	if rabbitmqCluster.MutualTLSEnabled() {
+		// This is an optimisation to avoid reading the same secret twice
 		if !rabbitmqCluster.SingleTLSSecret() {
 			secretName := rabbitmqCluster.Spec.TLS.CaSecretName
 			logger.V(1).Info("mutual TLS enabled, looking for CA certificate secret", "secret", secretName)

controllers/reconcile_tls_test.go

@@ -58,6 +58,19 @@ var _ = Describe("Reconcile TLS", func() {
 											Name: "tls-secret",
 										},
 										Optional: ptr.To(true),
+										Items: []corev1.KeyToPath{
+											{Key: "tls.crt", Path: "tls.crt"},
+											{Key: "tls.key", Path: "tls.key"},
+										},
+									},
+								},
+								{
+									Secret: &corev1.SecretProjection{
+										LocalObjectReference: corev1.LocalObjectReference{
+											Name: "tls-secret",
+										},
+										Optional: ptr.To(true),
+										Items:    []corev1.KeyToPath{{Key: "ca.crt", Path: "ca.crt"}},
 									},
 								},
 							},

docs/api/rabbitmq.com.ref.asciidoc

@@ -539,7 +539,7 @@ created from the StatefulSet VolumeClaimTemplates.
 [id="{anchor_prefix}-github-com-rabbitmq-cluster-operator-v2-api-v1beta1-tlsspec"]
 ==== TLSSpec 
 
-Allows for the configuration of TLS certificates to be used by RabbitMQ. Also allows for non-TLS traffic to be disabled.
+TLSSpec allows for the configuration of TLS certificates to be used by RabbitMQ. Also allows for non-TLS traffic to be disabled.
 
 .Appears In:
 ****
@@ -551,10 +551,10 @@ Allows for the configuration of TLS certificates to be used by RabbitMQ. Also al
 | Field | Description
 | *`secretName`* __string__ | Name of a Secret in the same Namespace as the RabbitmqCluster, containing the server's private key & public certificate for TLS.
 The Secret must store these as tls.key and tls.crt, respectively.
-This Secret can be created by running `kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key`
+This Secret can be created by running `kubectl create secret tls tls-secret --cert=path/to/tls.crt --key=path/to/tls.key`
 | *`caSecretName`* __string__ | Name of a Secret in the same Namespace as the RabbitmqCluster, containing the Certificate Authority's public certificate for TLS.
 The Secret must store this as ca.crt.
-This Secret can be created by running `kubectl create secret generic ca-secret --from-file=ca.crt=path/to/ca.cert`
+This Secret can be created by running `kubectl create secret generic ca-secret --from-file=ca.crt=path/to/ca.crt`
 Used for mTLS, and TLS for rabbitmq_web_stomp and rabbitmq_web_mqtt.
 | *`disableNonTLSListeners`* __boolean__ | When set to true, the RabbitmqCluster disables non-TLS listeners for RabbitMQ, management plugin and for any enabled plugins in the following list: stomp, mqtt, web_stomp, web_mqtt.
 Only TLS-enabled clients will be able to connect.

internal/resource/statefulset.go

@@ -523,6 +523,10 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 									Name: tlsSpec.SecretName,
 								},
 								Optional: &secretEnforced,
+								Items: []corev1.KeyToPath{
+									{Key: "tls.crt", Path: "tls.crt"},
+									{Key: "tls.key", Path: "tls.key"},
+								},
 							},
 						},
 					},
@@ -531,11 +535,14 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 			},
 		}
 
-		if builder.Instance.MutualTLSEnabled() && !builder.Instance.SingleTLSSecret() {
+		if builder.Instance.MutualTLSEnabled() {
 			caSecretProjection := corev1.VolumeProjection{
 				Secret: &corev1.SecretProjection{
 					LocalObjectReference: corev1.LocalObjectReference{Name: tlsSpec.CaSecretName},
 					Optional:             &secretEnforced,
+					Items: []corev1.KeyToPath{
+						{Key: "ca.crt", Path: "ca.crt"},
+					},
 				},
 			}
 			tlsProjectedVolume.VolumeSource.Projected.Sources = append(tlsProjectedVolume.VolumeSource.Projected.Sources, caSecretProjection)

internal/resource/statefulset_test.go

@@ -530,6 +530,10 @@ var _ = Describe("StatefulSet", func() {
 											Name: "tls-secret",
 										},
 										Optional: ptr.To(true),
+										Items: []corev1.KeyToPath{
+											{Key: "tls.crt", Path: "tls.crt"},
+											{Key: "tls.key", Path: "tls.key"},
+										},
 									},
 								},
 							},
@@ -621,28 +625,6 @@ var _ = Describe("StatefulSet", func() {
 				}))
 			})
 
-			When("Mutual TLS (same secret) is enabled", func() {
-				It("opens tls ports when rabbitmq_web_mqtt and rabbitmq_web_stomp are configured", func() {
-					instance.Spec.TLS.SecretName = "tls-secret"
-					instance.Spec.TLS.CaSecretName = "tls-secret"
-					instance.Spec.Rabbitmq.AdditionalPlugins = []rabbitmqv1beta1.Plugin{"rabbitmq_web_mqtt", "rabbitmq_web_stomp"}
-					Expect(stsBuilder.Update(statefulSet)).To(Succeed())
-
-					rabbitmqContainerSpec := extractContainer(statefulSet.Spec.Template.Spec.Containers, "rabbitmq")
-
-					Expect(rabbitmqContainerSpec.Ports).To(ContainElements([]corev1.ContainerPort{
-						{
-							Name:          "web-mqtt-tls",
-							ContainerPort: 15676,
-						},
-						{
-							Name:          "web-stomp-tls",
-							ContainerPort: 15673,
-						},
-					}))
-				})
-			})
-
 			When("Mutual TLS (different secret) is enabled", func() {
 				It("adds the CA cert secret to tls project volume", func() {
 					instance.Spec.TLS.SecretName = "tls-secret"
@@ -660,6 +642,10 @@ var _ = Describe("StatefulSet", func() {
 												Name: "tls-secret",
 											},
 											Optional: ptr.To(true),
+											Items: []corev1.KeyToPath{
+												{Key: "tls.crt", Path: "tls.crt"},
+												{Key: "tls.key", Path: "tls.key"},
+											},
 										},
 									},
 									{
@@ -668,6 +654,9 @@ var _ = Describe("StatefulSet", func() {
 												Name: "mutual-tls-secret",
 											},
 											Optional: ptr.To(true),
+											Items: []corev1.KeyToPath{
+												{Key: "ca.crt", Path: "ca.crt"},
+											},
 										},
 									},
 								},