Collapse to single resourceTemplate; other clean-ups

redhat-cop · Aug 30, 2024 · 0f523e6 · 0f523e6
1 parent 003bf19
commit 0f523e6
Show file tree

Hide file tree

Showing 13 changed files with 235 additions and 127 deletions.
diff --git a/amq-broker-operator/instance/base/activemq-artemis-cr.yaml b/amq-broker-operator/instance/base/activemq-artemis-cr.yaml
@@ -60,12 +60,54 @@ spec:
       - match: '#'
 
         enableMetrics: false
+        messageCounterHistoryDayLimit: 0
+        enableIngressTimestamp: false
 
         addressFullPolicy: BLOCK
 
+        pageMaxCacheSize: 5
+        pageSizeBytes: 10Mb
+
+        retroactiveMessageCount: 0
+        maxSizeMessages: -1
+        maxSizeBytes: '-1'
+        maxSizeBytesRejectThreshold: -1
+
+        redistributionDelay: -1
+
+        slowConsumerPolicy: NOTIFY
+        slowConsumerCheckPeriod: 5
+        slowConsumerThreshold: -1
+
         autoCreateAddresses: true
         autoCreateQueues: true
         autoCreateDeadLetterResources: true
+        autoCreateExpiryResources: true
+
+        autoDeleteAddresses: true
+        # delay is in milliseconds
+        autoDeleteAddressesDelay: 0
+
+        autoDeleteQueues: true
+        # delay is in milliseconds
+        autoDeleteQueuesDelay: 0
+
+        deadLetterAddress: DLQ
+        deadLetterQueuePrefix: DLQ.
+        #deadLetterQueueSuffix:
+
+        sendToDlaOnNoRoute: false
+        maxDeliveryAttempts: 10
+        # delay in milliseconds
+        redeliveryDelay: 0
+        maxRedeliveryDelay: 0
+
+        expiryAddress: ExpiryQueue
+        expiryQueuePrefix: EXP.
+        #expiryQueueSuffix:
+        expiryDelay: -1
+        minExpiryDelay: -1
+        maxExpiryDelay: -1
 
   env: []
   brokerProperties:
@@ -74,4 +116,16 @@ spec:
 
     # Even with persistenceEnabled set to false above, the broker.xml shows peristence-enabled true... override that
     - persistenceEnabled=false
-  resourceTemplates: []
+  resourceTemplates:
+    - # Empty template to facilitate patching init containers into broker pods if needed
+      selector:
+        apiGroup: apps/v1
+        kind: StatefulSet
+      patch:
+        apiVersion: apps/v1
+        kind: StatefulSet
+        spec:
+          template:
+            spec:
+              volumes: []
+              initContainers: []
diff --git a/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml b/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml
@@ -16,10 +16,13 @@ patches:
           port: 61617
           protocols: all
 
-          multicastPrefix: jms.topic.
-          anycastPrefix: jms.queue.
-
           sslEnabled: true
           needClientAuth: true
+          verifyHost: true
           sslSecret: acceptor-ssl-keystore
           trustSecret: acceptor-ssl-truststore
+
+          multicastPrefix: jms.topic.
+          anycastPrefix: jms.queue.
+          supportAdvisory: true
+          suppressInternalManagementObjects: false
diff --git a/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml b/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml
@@ -16,10 +16,13 @@ patches:
           port: 61617
           protocols: all
 
-          multicastPrefix: jms.topic.
-          anycastPrefix: jms.queue.
-
           sslEnabled: true
           needClientAuth: false
+          wantClientAuth: false
           sslSecret: acceptor-ssl-keystore
           trustSecret: acceptor-ssl-truststore
+
+          multicastPrefix: jms.topic.
+          anycastPrefix: jms.queue.
+          supportAdvisory: true
+          suppressInternalManagementObjects: false
diff --git a/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml b/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml
@@ -4,12 +4,26 @@ metadata:
   name: broker-address-security-bp
 type: Opaque
 stringData:
-  brokerProperties: |
+  admin-permissions.broker.properties: |
+    securityRoles.#.admin.createAddress=true
+    securityRoles.#.admin.deleteAddress=true
+    securityRoles.#.admin.createDurableQueue=true
+    securityRoles.#.admin.deleteDurableQueue=true
+    securityRoles.#.admin.createNonDurableQueue=true
+    securityRoles.#.admin.deleteNonDurableQueue=true
+    securityRoles.#.admin.send=true
+    securityRoles.#.admin.consume=true
+    securityRoles.#.admin.manage=true
+    securityRoles.#.admin.browse=true
+    securityRoles.#.admin.view=true
+    securityRoles.#.admin.edit=true
+  other-permissions.broker.properties: |
+    # Example to be replaced in an overlay
     securityRoles.#.group2.send=true
     securityRoles.#.group1.consume=true
     securityRoles.#.group1.createAddress=true
     securityRoles.#.group1.createNonDurableQueue=true
     securityRoles.#.group1.browse=true
 
     # FQQN example. Colon (:) is a reserved character and must be escaped
-    'securityRoles."my-address\:\:my-queue".group2.send=true'
+    securityRoles."my-address\:\:my-queue".group2.send=true
diff --git a/...tor/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml b/...tor/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml
@@ -2,7 +2,8 @@
   path: /spec/deploymentPlan/extraVolumes/-
   value:
     name: built-keystore
-    emptyDir: {}
+    emptyDir:
+      sizeLimit: 100Mi
 
 # The extraVolumeMounts here is optional, but is included to explicitly set readOnly to true
 - op: add
@@ -13,76 +14,82 @@
     readOnly: true
 
 - op: add
-  path: /spec/resourceTemplates/-
+  path: /spec/resourceTemplates/0/patch/spec/template/spec/volumes/-
   value:
-    selector:
-      apiGroup: apps/v1
-      kind: StatefulSet
-    patch:
-      apiVersion: apps/v1
-      kind: StatefulSet
-      spec:
-        template:
-          spec:
-            volumes:
-              - name: keystore-build-input
-                secret:
-                  secretName: keystore-inputs
-                  defaultMode: 0400
-            initContainers:
-              - name: build-keystore
-                image: 'image-registry.openshift-image-registry.svc:5000/openshift/java-runtime:latest'
-                imagePullPolicy: Always
-                resources:
-                  requests:
-                    cpu: 250m
-                    memory: 250Mi
-                  limits:
-                    memory: 250Mi
-                volumeMounts:
-                  - name: keystore-build-input
-                    mountPath: /amq/extra/volumes/keystore-build-input
-                    readOnly: true
-                  - name: built-keystore
-                    mountPath: /amq/extra/volumes/built-keystore
-                env:
-                  - name: SUBJECT_ALTERNATE_NAME
-                    value: default-ssl-0-svc-rte-target-namespace.apps.cluster.example.com
+    name: keystore-build-input
+    secret:
+      secretName: keystore-inputs
+      defaultMode: 0400
 
-                  - name: KEYSTORE_OUTPUT_FILE
-                    value: /amq/extra/volumes/built-keystore/keystore.jks
-                  - name: KEYSTORE_PASSWORD
-                    valueFrom:
-                      secretKeyRef:
-                        name: keystore-inputs
-                        key: keyStorePassword
+- op: add
+  path: /spec/resourceTemplates/0/patch/spec/template/spec/initContainers/-
+  value:
+    name: build-keystore
+    image: 'image-registry.openshift-image-registry.svc:5000/openshift/java-runtime:latest'
+    imagePullPolicy: Always
+    resources:
+      requests:
+        cpu: 250m
+        memory: 250Mi
+      limits:
+        memory: 250Mi
+    volumeMounts:
+      - name: keystore-build-input
+        mountPath: /amq/extra/volumes/keystore-build-input
+        readOnly: true
+      - name: built-keystore
+        mountPath: /amq/extra/volumes/built-keystore
+    env:
+      - name: INGRESS_DOMAIN
+        value: apps.cluster.example.com
+
+      - name: SUBJECT_ALTERNATE_NAME
+        value: 'dns:${BROKER_NAME}-ssl-${POD_ORDINAL}-svc-rte-${NAMESPACE}.${INGRESS_DOMAIN},dns:${BROKER_NAME}-wconsj-${POD_ORDINAL}-svc-rte-${NAMESPACE}.${INGRESS_DOMAIN}'
+
+      - name: KEYSTORE_OUTPUT_FILE
+        value: /amq/extra/volumes/built-keystore/keystore.jks
+      - name: KEYSTORE_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: keystore-inputs
+            key: keyStorePassword
+
+      - name: TRUSTSTORE_OUTPUT_FILE
+        value: /amq/extra/volumes/built-keystore/truststore.jks
+      - name: TRUSTSTORE_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: keystore-inputs
+            key: trustStorePassword
+    command:
+      - /bin/bash
+      - '-e'
+      - '-c'
+    args:
+      - |-
+
+        NAMESPACE="$(< /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
+        BROKER_NAME="${HOSTNAME%%-ss-*}"
+        POD_ORDINAL="${HOSTNAME##${BROKER_NAME}-ss-}"
+
+        SUBJECT_ALTERNATE_NAME="$(eval echo "$SUBJECT_ALTERNATE_NAME")"
 
-                  - name: TRUSTSTORE_OUTPUT_FILE
-                    value: /amq/extra/volumes/built-keystore/truststore.jks
-                  - name: TRUSTSTORE_PASSWORD
-                    valueFrom:
-                      secretKeyRef:
-                        name: keystore-inputs
-                        key: trustStorePassword
-                command:
-                  - /bin/bash
-                  - '-e'
-                  - '-c'
-                args:
-                  - |-
+        echo Constructued SAN:
+        echo "  $SUBJECT_ALTERNATE_NAME"
+        echo ""
 
-                    keytool -genkey -keyalg "RSA" -keysize 2048 \
-                      -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \
-                      -keypass "$KEYSTORE_PASSWORD" \
-                      -alias server -dname "CN=AMQ Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" \
-                      -validity 365 -ext bc=ca:false -ext eku=sA \
-                      -ext san=dns:"$SUBJECT_ALTERNATE_NAME"
+        keytool -genkey -keyalg "RSA" -keysize 2048 \
+          -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \
+          -keypass "$KEYSTORE_PASSWORD" \
+          -alias server -dname "CN=AMQ Server #$POD_ORDINAL, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" \
+          -validity 365 -ext bc=ca:false -ext eku=sA \
+          -ext san="$SUBJECT_ALTERNATE_NAME"
 
-                    keytool -exportcert \
-                      -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \
-                      -keypass "$KEYSTORE_PASSWORD" \
-                      -alias server -rfc > server.crt
+        keytool -exportcert \
+          -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \
+          -keypass "$KEYSTORE_PASSWORD" \
+          -alias server -rfc > server.crt
 
-                    keytool -importcert \
-                      -storetype jks -keystore "$TRUSTSTORE_OUTPUT_FILE" -storepass "$TRUSTSTORE_PASSWORD" \
-                      -alias server -file server.crt -noprompt
+        keytool -importcert \
+          -storetype jks -keystore "$TRUSTSTORE_OUTPUT_FILE" -storepass "$TRUSTSTORE_PASSWORD" \
+          -alias server -file server.crt -noprompt
diff --git a/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml b/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml
@@ -1,9 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
-resources:
-  - address-metrics-bp.yaml
-
 patches:
   - target:
       group: broker.amq.io
@@ -18,3 +15,7 @@ patches:
       - op: replace
         path: /spec/addressSettings/addressSetting/0/enableMetrics
         value: true
+
+      - op: replace
+        path: /spec/addressSettings/addressSetting/0/messageCounterHistoryDayLimit
+        value: 7
diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml
@@ -26,29 +26,19 @@ patches:
               name: broker-jdbc-driver
               key: driver-jar-source-path
 
-      # Add the script to copy JDBC driver JAR during init
+      # Add the script to copy JDBC driver JAR during pod init
       - op: add
-        path: /spec/resourceTemplates/-
+        path: /spec/resourceTemplates/0/patch/spec/template/spec/initContainers/-
         value:
-          selector:
-            apiGroup: apps/v1
-            kind: StatefulSet
-          patch:
-            apiVersion: apps/v1
-            kind: StatefulSet
-            spec:
-              template:
-                spec:
-                  initContainers:
-                    - name: jdbc-driver-init
-                      image: __REPLACE_IMAGE_VALUE__
-                      volumeMounts:
-                        - name: jdbc-jars
-                          mountPath: /opt/jdbc-jars
-                      command:
-                        - /bin/sh
-                      args:
-                        - '-c'
-                        - |
-                          cp "$DB_DRIVER_SOURCE_PATH"/"$DB_DRIVER_JAR_FILENAME" /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME"
+          name: jdbc-driver-init
+          image: __REPLACE_IMAGE_VALUE__
+          volumeMounts:
+            - name: jdbc-jars
+              mountPath: /opt/jdbc-jars
+          command:
+            - /bin/sh
+          args:
+            - '-c'
+            - |-
+              cp "$DB_DRIVER_SOURCE_PATH"/"$DB_DRIVER_JAR_FILENAME" /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME"
 
diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml
@@ -32,28 +32,18 @@ patches:
 
       # Add initContainer to automatically download JDBC driver if necessary
       - op: add
-        path: /spec/resourceTemplates/-
+        path: /spec/resourceTemplates/0/patch/spec/template/spec/initContainers/-
         value:
-          selector:
-            apiGroup: apps/v1
-            kind: StatefulSet
-          patch:
-            apiVersion: apps/v1
-            kind: StatefulSet
-            spec:
-              template:
-                spec:
-                  initContainers:
-                    - name: jdbc-driver-init
-                      image: 'curlimages/curl:8.6.0'
-                      volumeMounts:
-                        - name: jdbc-jars
-                          mountPath: /opt/jdbc-jars
-                      command:
-                        - /bin/sh
-                      args:
-                        - '-c'
-                        - |
-                          if ! [ -f /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" ]; then
-                            curl "$DB_DRIVER_URL" --output /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME"
-                          fi
+          name: jdbc-driver-init
+          image: 'curlimages/curl:8.6.0'
+          volumeMounts:
+            - name: jdbc-jars
+              mountPath: /opt/jdbc-jars
+          command:
+            - /bin/sh
+          args:
+            - '-c'
+            - |-
+              if ! [ -f /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" ]; then
+                curl "$DB_DRIVER_URL" --output /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME"
+              fi