Add initial version of Vault integration example

George Harley · George Harley · commit 09e63602953d · 2022-01-11T18:47:18.000Z
* setup.sh installs Vault to current cluster and configures it
  for the work carried out in the test.sh script
* test.sh goes through a series of steps to demonstrate how the
  operator can use Vault for accessing admin credentials for a
  RabbitMQ cluster
* README.md describes the basic flow of the example as well as
  stating that the RabbitMQ Cluster operator and Messaging Topology
  operators are pre-requisites for this example
diff --git a/docs/examples/vault-support/README.md b/docs/examples/vault-support/README.md
@@ -0,0 +1,71 @@
+# HashiCorp Vault Support Example
+
+The RabbitMQ Cluster Operator supports storing RabbitMQ default user (admin)
+credentials and RabbitMQ server certificates in
+[HashiCorp Vault](https://www.vaultproject.io/) and in K8 Secrets. And
+accordingly, the RabbitMQ Messaging Topology operator can operate on clusters
+which are vault-enabled or k8s-secrets enabled.
+
+As explained in [this KubeCon talk](https://youtu.be/w0k7MI6sCJg?t=177) there
+are four different approaches in Kubernetes to consume external secrets:
+
+1. Direct API
+2. Controller to mirrors secrets in K8s
+3. Sidecar + MutatingWebhookConfiguration
+4. Secrets Store CSI Driver
+
+The RabbitMQ Cluster Operator integrates with Vault using the third approach
+(Sidecar + MutatingWebhookConfiguration) whereas the RabbitMQ Messaging
+Topology Operator uses the first approach (Direct API).
+
+## Vault-related configuration required
+
+The Vault server must have the version 2 key value secret engine and the 
+[Vault Kubernetes auth method](https://www.vaultproject.io/docs/auth/kubernetes)
+enabled.
+
+```bash
+$ vault secrets enable -path=secret kv-v2
+```
+
+```bash
+$ vault auth enable kubernetes
+```
+
+In order for the RabbitMQ Messaging Topology operator to authenticate with
+a Vault server and access RabbitMQ cluster default user credentials it is
+necessary for the operator container to have one or more environment variables
+set. 
+
+- `VAULT_ADDR` should be set to the URL of the Vault server API
+- `OPERATOR_VAULT_ROLE` should be set to the name of the Vault role that is used when accessing credentials. This defaults to "messaging-topology-operator"
+- `OPERATOR_VAULT_NAMESPACE` may be set to the Vault namespace to use when the Messaging Topology operator is authenticating. If not set then the default Vault namespace is assumed
+- `OPERATOR_VAULT_AUTH_PATH` may be set to the auth path that the operator ought to use when authenticating to Vault. If not set then it is assumed that the “auth/kubernetes” path should be used
+
+In this example the Vault configuration is carried out automatically using
+the  [setup.sh](./setup.sh) script.
+
+## Usage
+
+This example requires:
+1. RabbitMQ Cluster operator is installed
+2. RabbitMQ Messaging Topology operator is installed
+
+Run the [setup.sh](./setup.sh) script to install Vault to the current
+Kubernetes cluster. This will also create the necessary credentials, 
+policy, and configuration in preparation for running the example.
+
+Next, run the [test.sh](./test.sh) script. This automates the execution of the
+following steps:
+1. Update the existing Messaging Topology operator deployment to set the `VAULT_ADDR` and `OPERATOR_VAULT_ROLE` environment variables. This triggers a redeployment. 
+2. Create two RabbitMQ clusters: `cluster-vault-a` which uses Vault to store its admin credentials and `cluster-b` which uses the Kubernetes secret alternative.
+3. Creates a queue in each of the RabbitMQ clusters. This demonstrates that the Messaging Topology operator is able to use both access methods to interact with the clusters.
+4. Deletes both queues from the RabbitMQ clusters.
+5. Updates the Messaging Topology operator configuration to set an incorrect value of `OPERATOR_VAULT_ROLE`. Doing this intentionally breaks the operator authentication with Vault. This triggers a redeployment.
+6. Repeats the creation of a queue in each of the RabbitMQ clusters. This will succeed for the `cluster-b` but not for `cluster-vault-a` which will no longer be able to connect to Vault. 
+7. Updates the Messaging Topology operator configuration a further time to restore the correct Vault configuration. This triggers a redeployment.
+8. Deletes both queues.
+9. Deletes both RabbitMQ clusters.
+10. Removes the `VAULT_ADDR` and `OPERATOR_VAULT_ROLE` environment variables from the Messaging Topology operator.
+11. Removes Vault.
+
diff --git a/docs/examples/vault-support/rabbitmq-clusters.yaml b/docs/examples/vault-support/rabbitmq-clusters.yaml
@@ -0,0 +1,39 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+  name: cluster-vault-a
+  namespace: default
+  annotations:
+    rabbitmq.com/topology-allowed-namespaces: "*"
+spec:
+  image: rabbitmq:3.9.7-management
+  replicas: 1
+  service:
+    type: NodePort
+  rabbitmq:
+    additionalConfig: |
+      loopback_users = none
+  secretBackend:
+    vault:
+      role: messaging-topology-operator
+      defaultUserPath: secret/data/rabbitmq/cluster-vault-a/creds
+
+---
+
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+  name: cluster-b
+  namespace: default
+  annotations:
+    rabbitmq.com/topology-allowed-namespaces: "*"
+spec:
+  image: rabbitmq:3.9.7-management
+  replicas: 1
+  service:
+    type: NodePort
+  rabbitmq:
+    additionalConfig: |
+      loopback_users = none
+
+
diff --git a/docs/examples/vault-support/rabbitmq-queue-a.yaml b/docs/examples/vault-support/rabbitmq-queue-a.yaml
@@ -0,0 +1,12 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: queue-a
+spec:
+  name: queue-a # name of the queue
+  type: quorum # without providing a queue type, rabbitmq creates a classic queue
+  autoDelete: false
+  durable: true # seting 'durable' to false means this queue won't survive a server restart
+  rabbitmqClusterReference:
+    name: cluster-vault-a  # rabbitmqCluster must exist in the same namespace as this resource
+
diff --git a/docs/examples/vault-support/rabbitmq-queue-b.yaml b/docs/examples/vault-support/rabbitmq-queue-b.yaml
@@ -0,0 +1,12 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: queue-b
+spec:
+  name: queue-b # name of the queue
+  type: quorum # without providing a queue type, rabbitmq creates a classic queue
+  autoDelete: false
+  durable: true # seting 'durable' to false means this queue won't survive a server restart
+  rabbitmqClusterReference:
+    name: cluster-b  # rabbitmqCluster must exist in the same namespace as this resource
+
diff --git a/docs/examples/vault-support/rabbitmq-queue-c.yaml b/docs/examples/vault-support/rabbitmq-queue-c.yaml
@@ -0,0 +1,12 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: queue-c
+spec:
+  name: queue-c # name of the queue
+  type: quorum # without providing a queue type, rabbitmq creates a classic queue
+  autoDelete: false
+  durable: true # seting 'durable' to false means this queue won't survive a server restart
+  rabbitmqClusterReference:
+    name: cluster-vault-a  # rabbitmqCluster must exist in the same namespace as this resource
+
diff --git a/docs/examples/vault-support/rabbitmq-queue-d.yaml b/docs/examples/vault-support/rabbitmq-queue-d.yaml
@@ -0,0 +1,12 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: Queue
+metadata:
+  name: queue-d
+spec:
+  name: queue-d # name of the queue
+  type: quorum # without providing a queue type, rabbitmq creates a classic queue
+  autoDelete: false
+  durable: true # seting 'durable' to false means this queue won't survive a server restart
+  rabbitmqClusterReference:
+    name: cluster-b  # rabbitmqCluster must exist in the same namespace as this resource
+
diff --git a/docs/examples/vault-support/setup.sh b/docs/examples/vault-support/setup.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -euo pipefail
+
+RABBITMQ_NAMESPACE=${RABBITMQ_NAMESPACE:-'default'}
+
+vault_exec () {
+    kubectl exec vault-0 -c vault -- /bin/sh -c "$*"
+}
+
+echo "Installing Vault server and Vault agent injector..."
+helm repo add hashicorp https://helm.releases.hashicorp.com
+helm repo update
+# For OpenShift deployments, also set the following:
+# --set "global.openshift=true"
+helm install vault hashicorp/vault \
+    --set='server.dev.enabled=true' \
+    --set='server.logLevel=debug' \
+    --set='injector.logLevel=debug' \
+    --wait
+sleep 5
+kubectl wait --for=condition=Ready pod/vault-0
+
+echo "Configuring K8s authentication..."
+# Required so that Vault init container and sidecar of RabbitmqCluster can authenticate with Vault.
+vault_exec "vault auth enable kubernetes"
+
+# In Kubernetes 1.21+ clusters, issuer may need to be configured as described in https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer
+# Otherwise, vault-agent-init container will output "error authenticating".
+issuer=$(kubectl get --raw=http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)
+vault_exec "vault write auth/kubernetes/config issuer=\"$issuer\" token_reviewer_jwt=\"\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" kubernetes_host=https://\${KUBERNETES_PORT_443_TCP_ADDR}:443 kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+#vault_exec "vault write auth/kubernetes/config token_reviewer_jwt=\"\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" kubernetes_host=https://\${KUBERNETES_PORT_443_TCP_ADDR}:443 kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+# Each RabbitMQ cluster may have its own secret path.
+echo "Creating credentials for rabbitmq default user in cluster-vault-a..."
+vault_exec "vault kv put secret/rabbitmq/cluster-vault-a/creds username='rabbitmq' password='pwda'"
+#echo "Creating credentials for rabbitmq default user in cluster-vault-b..."
+#vault_exec "vault kv put secret/rabbitmq/cluster-vault-b/creds username='rabbitmq' password='pwdb'"
+
+# Create a policy that allows reading of the default user credentials for the RabbitMQ cluster cluster-vault-a
+# The path must be referenced from the RabbitmqCluster cluster-vault-a CRD spec.secretBackend.vault.defaultUserPath
+echo "Creating Vault policy named cluster-vault-a-policy for reading of cluster-vault-a credentials..."
+vault_exec "vault policy write cluster-vault-a-policy - <<EOF
+path \"secret/data/rabbitmq/cluster-vault-a/creds\" {
+    capabilities = [\"read\"]
+}
+EOF
+"
+
+# Create a separate policy that allows reading of the default user credentials for the RabbitMQ cluster cluster-vault-b
+# The path must be referenced from the RabbitmqCluster cluster-vault-b CRD spec.secretBackend.vault.defaultUserPath
+#echo "Creating Vault policy named cluster-vault-b-policy for reading of cluster-vault-b credentials..."
+#vault_exec "vault policy write cluster-vault-b-policy - <<EOF
+#path \"secret/data/rabbitmq/cluster-vault-b/creds\" {
+#    capabilities = [\"read\"]
+#}
+#EOF
+#"
+
+# Define a Vault role that needs to be referenced from the RabbitmqCluster cluster-vault-a and cluster-vault-b CRD spec.secretBackend.vault.role
+# bound_service_account_names values follow the pattern "<RabbitmqCluster name>-server”.
+# bound_service_account_namespaces values must include rabbitmq-system (where the messaging topology operator is deployed) and the namespaces where the RabbitmqClusters are deployed.
+#vault_exec "vault write auth/kubernetes/role/messaging-topology-operator bound_service_account_names=cluster-vault-a-server,cluster-vault-b-server,vault-tls-server,messaging-topology-operator bound_service_account_namespaces=$RABBITMQ_NAMESPACE,rabbitmq-system policies=cluster-vault-a-policy,cluster-vault-b-policy ttl=24h"
+vault_exec "vault write auth/kubernetes/role/messaging-topology-operator bound_service_account_names=cluster-vault-a-server,vault-tls-server,messaging-topology-operator bound_service_account_namespaces=$RABBITMQ_NAMESPACE,rabbitmq-system policies=cluster-vault-a-policy ttl=24h"
+
diff --git a/docs/examples/vault-support/test.sh b/docs/examples/vault-support/test.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Update the Messaging Topology operator deployment, providing it with the Vault related environment variables
+echo "Updating Messaging Topology operator to work with Vault..."
+kubectl set env deployment/messaging-topology-operator -n rabbitmq-system --containers='manager' OPERATOR_VAULT_ROLE=messaging-topology-operator VAULT_ADDR=http://vault.default.svc.cluster.local:8200
+kubectl wait --for=condition=Available deployment/messaging-topology-operator -n rabbitmq-system
+sleep 10
+
+echo
+echo "Creating RabbitMQ clusters..."
+kubectl apply -f rabbitmq-clusters.yaml
+sleep 10
+kubectl wait --for=condition=Ready pod/cluster-b-server-0
+kubectl wait --for=condition=Ready pod/cluster-vault-a-server-0
+
+echo
+echo "Messaging Topology operator attempting to create a queue in each of the RabbitMQ clusters..."
+kubectl apply -f rabbitmq-queue-a.yaml
+kubectl apply -f rabbitmq-queue-b.yaml
+kubectl wait --for=condition=Ready queue.rabbitmq.com/queue-a
+kubectl wait --for=condition=Ready queue.rabbitmq.com/queue-b
+
+# Verify that the expected queues exist (one in each cluster)
+echo
+echo "Listing all queues in RabbitMQ cluster 'cluster-vault-a'..."
+kubectl exec cluster-vault-a-server-0 -c rabbitmq -- rabbitmqadmin list queues
+echo
+echo "Listing all queues in RabbitMQ cluster 'cluster-b'..."
+kubectl exec cluster-b-server-0 -c rabbitmq -- rabbitmqadmin list queues
+
+echo
+echo "Deleting queues from clusters..."
+kubectl delete -f rabbitmq-queue-a.yaml
+kubectl delete -f rabbitmq-queue-b.yaml
+sleep 10
+
+# Update the Messaging Topology operator deployment, providing it with an intentionally incorrect Vault role identifier
+echo
+echo "Updating Messaging Topology operator to intentionally break authentication with Vault..."
+kubectl set env deployment/messaging-topology-operator -n rabbitmq-system --containers='manager' OPERATOR_VAULT_ROLE=no-such-role
+kubectl wait --for=condition=Available deployment/messaging-topology-operator -n rabbitmq-system
+sleep 30
+
+# Attempt to create queues in each cluster (creation in the cluster using Vault should fail)
+echo
+echo "Messaging Topology operator attempting to create a queue in each of the RabbitMQ clusters..."
+kubectl apply -f rabbitmq-queue-c.yaml
+kubectl apply -f rabbitmq-queue-d.yaml
+sleep 10
+kubectl wait --for=condition=Ready queue.rabbitmq.com/queue-d
+
+# Verify that only the expected queue in the cluster not using Vault for admin credentials exists
+echo
+echo "Listing all queues in RabbitMQ cluster 'cluster-vault-a'..."
+kubectl exec cluster-vault-a-server-0 -c rabbitmq -- rabbitmqadmin list queues
+echo
+echo "Listing all queues in RabbitMQ cluster 'cluster-b'..."
+kubectl exec cluster-b-server-0 -c rabbitmq -- rabbitmqadmin list queues
+
+# Update the Messaging Topology operator deployment to restore correct Vault role identifier before continuing
+echo
+echo "Updating Messaging Topology operator to repair Vault authentication configuration..."
+kubectl set env deployment/messaging-topology-operator -n rabbitmq-system --containers='manager' OPERATOR_VAULT_ROLE=messaging-topology-operator
+kubectl wait --for=condition=Available deployment/messaging-topology-operator -n rabbitmq-system
+sleep 30
+
+echo
+echo "Deleting queues from clusters..."
+kubectl delete -f rabbitmq-queue-c.yaml
+kubectl delete -f rabbitmq-queue-d.yaml
+sleep 10
+
+echo
+echo "Deleting RabbitMQ clusters..."
+kubectl delete -f rabbitmq-clusters.yaml
+sleep 10
+kubectl wait --for=delete pod/cluster-vault-a-server-0
+kubectl wait --for=delete pod/cluster-b-server-0
+
+echo
+echo "Removing Vault env vars from Messaging Topology operator deployment..."
+kubectl set env deployment/messaging-topology-operator -n rabbitmq-system --containers='manager' OPERATOR_VAULT_ROLE- VAULT_ADDR-
+kubectl wait --for=condition=Available deployment/messaging-topology-operator -n rabbitmq-system
+sleep 20
+
+echo
+echo "Deleting Vault..."
+helm uninstall vault
+sleep 10
+kubectl wait --for=delete pod/vault-0
diff --git a/go.mod b/go.mod
@@ -46,7 +46,6 @@ require (
 	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
-	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.1 // indirect
 	github.com/cncf/udpa/go v0.0.0-20210322005330-6414d713912e // indirect
 	github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158 // indirect
@@ -179,7 +178,7 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.19.0 // indirect
-	golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf // indirect
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/mod v0.4.2 // indirect
 	golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d // indirect
 	golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a // indirect
@@ -192,7 +191,7 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8 // indirect
-	google.golang.org/grpc v1.40.0 // indirect
+	google.golang.org/grpc v1.41.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
