From 0f523e6baac2e326b2acf5bc5c175674b6569118 Mon Sep 17 00:00:00 2001 From: Robert Grimm Date: Fri, 30 Aug 2024 12:22:33 -0500 Subject: [PATCH] Collapse to single resourceTemplate; other clean-ups --- .../instance/base/activemq-artemis-cr.yaml | 56 ++++++- .../acceptors/mutual-tls/kustomization.yaml | 9 +- .../acceptors/one-way-tls/kustomization.yaml | 9 +- .../addresses/broker-address-security-bp.yaml | 18 ++- .../init-container/patch-broker.yaml | 143 +++++++++--------- .../address-metrics/kustomization.yaml | 7 +- .../jdbc/_copy-driver/kustomization.yaml | 36 ++--- .../jdbc/_download-driver/kustomization.yaml | 38 ++--- .../kustomization.yaml | 26 ++++ .../backup/kustomization.yaml | 0 .../primary/kustomization.yaml | 0 .../follower/kustomization.yaml | 10 ++ .../leader/kustomization.yaml | 10 ++ 13 files changed, 235 insertions(+), 127 deletions(-) create mode 100644 amq-broker-operator/instance/overlays/clustered-ephemeral-mtls-letsencrypt/kustomization.yaml rename amq-broker-operator/instance/overlays/{cross-ocp-postgres-primary-backup-letsencrypt => cross-ocp-postgres-primary-backup-tls-letsencrypt}/backup/kustomization.yaml (100%) rename amq-broker-operator/instance/overlays/{cross-ocp-postgres-primary-backup-letsencrypt => cross-ocp-postgres-primary-backup-tls-letsencrypt}/primary/kustomization.yaml (100%) create mode 100644 amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/follower/kustomization.yaml create mode 100644 amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/leader/kustomization.yaml diff --git a/amq-broker-operator/instance/base/activemq-artemis-cr.yaml b/amq-broker-operator/instance/base/activemq-artemis-cr.yaml index 95482796..c776d543 100644 --- a/amq-broker-operator/instance/base/activemq-artemis-cr.yaml +++ b/amq-broker-operator/instance/base/activemq-artemis-cr.yaml 
@@ -60,12 +60,54 @@ spec: - match: '#' enableMetrics: false + messageCounterHistoryDayLimit: 0 + enableIngressTimestamp: false addressFullPolicy: BLOCK + pageMaxCacheSize: 5 + pageSizeBytes: 10Mb + + retroactiveMessageCount: 0 + maxSizeMessages: -1 + maxSizeBytes: '-1' + maxSizeBytesRejectThreshold: -1 + + redistributionDelay: -1 + + slowConsumerPolicy: NOTIFY + slowConsumerCheckPeriod: 5 + slowConsumerThreshold: -1 + autoCreateAddresses: true autoCreateQueues: true autoCreateDeadLetterResources: true + autoCreateExpiryResources: true + + autoDeleteAddresses: true + # delay is in milliseconds + autoDeleteAddressesDelay: 0 + + autoDeleteQueues: true + # delay is in milliseconds + autoDeleteQueuesDelay: 0 + + deadLetterAddress: DLQ + deadLetterQueuePrefix: DLQ. + #deadLetterQueueSuffix: + + sendToDlaOnNoRoute: false + maxDeliveryAttempts: 10 + # delay in milliseconds + redeliveryDelay: 0 + maxRedeliveryDelay: 0 + + expiryAddress: ExpiryQueue + expiryQueuePrefix: EXP. + #expiryQueueSuffix: + expiryDelay: -1 + minExpiryDelay: -1 + maxExpiryDelay: -1 env: [] brokerProperties: @@ -74,4 +116,16 @@ spec: # Even with persistenceEnabled set to false above, the broker.xml shows peristence-enabled true... override that - persistenceEnabled=false - resourceTemplates: [] + resourceTemplates: + - # Empty template to facilitate patching init containers into broker pods if needed + selector: + apiGroup: apps/v1 + kind: StatefulSet + patch: + apiVersion: apps/v1 + kind: StatefulSet + spec: + template: + spec: + volumes: [] + initContainers: [] diff --git a/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml b/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml index 5647bacc..17390e8b 100644 --- a/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml +++ b/amq-broker-operator/instance/components/acceptors/mutual-tls/kustomization.yaml 
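Review bot: The explanatory comment in `- # Empty template to facilitate patching init containers into broker pods if needed` sits on the sequence-item line itself, which yamllint and Prettier will relocate, and the two commented-out keys `#deadLetterQueueSuffix:` and `#expiryQueueSuffix:` read as dead configuration rather than documentation. Put the comment on its own line above the `- selector:` item, and either drop the commented keys or turn them into a comment saying they are intentionally left unset so the broker default applies. `maxSizeBytes: '-1'` is quoted while `maxSizeMessages: -1` and `maxSizeBytesRejectThreshold: -1` are not; presumably `maxSizeBytes` and `pageSizeBytes` are string-typed in the CRD because they accept size suffixes, and a one-line comment to that effect, `# maxSizeBytes/pageSizeBytes are strings in the CRD (size suffixes allowed); the int fields stay unquoted`, would stop the next editor from "normalizing" it. Both hunks of this file sit inside the `spec:` mapping, whose remaining keys are outside the diff.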
@@ -16,10 +16,13 @@ patches: port: 61617 protocols: all - multicastPrefix: jms.topic. - anycastPrefix: jms.queue. - sslEnabled: true needClientAuth: true + verifyHost: true sslSecret: acceptor-ssl-keystore trustSecret: acceptor-ssl-truststore + + multicastPrefix: jms.topic. + anycastPrefix: jms.queue. + supportAdvisory: true + suppressInternalManagementObjects: false diff --git a/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml b/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml index 7ac6b82d..2a5aab2c 100644 --- a/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml +++ b/amq-broker-operator/instance/components/acceptors/one-way-tls/kustomization.yaml @@ -16,10 +16,13 @@ patches: port: 61617 protocols: all - multicastPrefix: jms.topic. - anycastPrefix: jms.queue. - sslEnabled: true needClientAuth: false + wantClientAuth: false sslSecret: acceptor-ssl-keystore trustSecret: acceptor-ssl-truststore + + multicastPrefix: jms.topic. + anycastPrefix: jms.queue. + supportAdvisory: true + suppressInternalManagementObjects: false diff --git a/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml b/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml index b32fd84e..f0b58130 100644 --- a/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml +++ b/amq-broker-operator/instance/components/addresses/broker-address-security-bp.yaml 
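Review bot: In the one-way-tls hunk, `trustSecret: acceptor-ssl-truststore` is kept although `needClientAuth: false` and `wantClientAuth: false` mean this acceptor never requests a client certificate, so the truststore appears to have no effect on it; if it is still needed (for example because the secret is consumed elsewhere), a comment such as `# truststore kept for <reason>; no client certs are requested on this acceptor` would keep it from being read as an unfinished mTLS setup, otherwise drop the key. The mutual-tls hunk adds `verifyHost: true` without saying what is verified; on an acceptor this presumably matches the client certificate's hostname against the connecting client, which is easy to confuse with server hostname verification on connectors, so a short comment stating the intended check would help. Both acceptor blocks are otherwise identical apart from the client-auth flags; the enclosing `patches:` entry begins above the hunks.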
@@ -4,7 +4,21 @@ metadata: name: broker-address-security-bp type: Opaque stringData: - brokerProperties: | + admin-permissions.broker.properties: | + securityRoles.#.admin.createAddress=true + securityRoles.#.admin.deleteAddress=true + securityRoles.#.admin.createDurableQueue=true + securityRoles.#.admin.deleteDurableQueue=true + securityRoles.#.admin.createNonDurableQueue=true + securityRoles.#.admin.deleteNonDurableQueue=true + securityRoles.#.admin.send=true + securityRoles.#.admin.consume=true + securityRoles.#.admin.manage=true + securityRoles.#.admin.browse=true + securityRoles.#.admin.view=true + securityRoles.#.admin.edit=true + other-permissions.broker.properties: | + # Example to be replaced in an overlay securityRoles.#.group2.send=true securityRoles.#.group1.consume=true securityRoles.#.group1.createAddress=true @@ -12,4 +26,4 @@ stringData: securityRoles.#.group1.browse=true # FQQN example. Colon (:) is a reserved character and must be escaped - 'securityRoles."my-address\:\:my-queue".group2.send=true' + securityRoles."my-address\:\:my-queue".group2.send=true diff --git a/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml b/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml index 9558a228..8ef3db29 100644 --- a/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml +++ b/amq-broker-operator/instance/components/certificates/init-build-keystore/init-container/patch-broker.yaml @@ -2,7 +2,8 @@ path: /spec/deploymentPlan/extraVolumes/- value: name: built-keystore - emptyDir: {} + emptyDir: + sizeLimit: 100Mi # The extraVolumeMounts here is optional, but is included to explicitly set readOnly to true - op: add 
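Review bot: `other-permissions.broker.properties` ships wildcard (`#`) grants for `group1` and `group2` in the base Secret under a comment that merely says they are an example to be replaced; an overlay that forgets to override this key inherits send/consume/createAddress/browse on every address, and Kustomize will not flag the omission. Consider narrowing the example to an obviously fake address (e.g. `securityRoles.example-address.group1.consume=true`) or extending the comment to `# Example to be replaced in an overlay; if left in place these wildcard grants apply to every address`. The `admin` role in `admin-permissions.broker.properties` receives all twelve permissions on `#`, which is reasonable for an administrative role but deserves a one-line comment naming where the user-to-`admin` role mapping is defined, since this file is the only place the grant is visible. Both hunks are inside the `stringData:` mapping of a Secret whose header is outside the diff.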
@@ -13,76 +14,82 @@ readOnly: true - op: add - path: /spec/resourceTemplates/- + path: /spec/resourceTemplates/0/patch/spec/template/spec/volumes/- value: - selector: - apiGroup: apps/v1 - kind: StatefulSet - patch: - apiVersion: apps/v1 - kind: StatefulSet - spec: - template: - spec: - volumes: - - name: keystore-build-input - secret: - secretName: keystore-inputs - defaultMode: 0400 - initContainers: - - name: build-keystore - image: 'image-registry.openshift-image-registry.svc:5000/openshift/java-runtime:latest' - imagePullPolicy: Always - resources: - requests: - cpu: 250m - memory: 250Mi - limits: - memory: 250Mi - volumeMounts: - - name: keystore-build-input - mountPath: /amq/extra/volumes/keystore-build-input - readOnly: true - - name: built-keystore - mountPath: /amq/extra/volumes/built-keystore - env: - - name: SUBJECT_ALTERNATE_NAME - value: default-ssl-0-svc-rte-target-namespace.apps.cluster.example.com + name: keystore-build-input + secret: + secretName: keystore-inputs + defaultMode: 0400 - - name: KEYSTORE_OUTPUT_FILE - value: /amq/extra/volumes/built-keystore/keystore.jks - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: keystore-inputs - key: keyStorePassword +- op: add + path: /spec/resourceTemplates/0/patch/spec/template/spec/initContainers/- + value: + name: build-keystore + image: 'image-registry.openshift-image-registry.svc:5000/openshift/java-runtime:latest' + imagePullPolicy: Always + resources: + requests: + cpu: 250m + memory: 250Mi + limits: + memory: 250Mi + volumeMounts: + - name: keystore-build-input + mountPath: /amq/extra/volumes/keystore-build-input + readOnly: true + - name: built-keystore + mountPath: /amq/extra/volumes/built-keystore + env: + - name: INGRESS_DOMAIN + value: apps.cluster.example.com + + - name: SUBJECT_ALTERNATE_NAME + value: 'dns:${BROKER_NAME}-ssl-${POD_ORDINAL}-svc-rte-${NAMESPACE}.${INGRESS_DOMAIN},dns:${BROKER_NAME}-wconsj-${POD_ORDINAL}-svc-rte-${NAMESPACE}.${INGRESS_DOMAIN}' + + - name: 
KEYSTORE_OUTPUT_FILE + value: /amq/extra/volumes/built-keystore/keystore.jks + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: keystore-inputs + key: keyStorePassword + + - name: TRUSTSTORE_OUTPUT_FILE + value: /amq/extra/volumes/built-keystore/truststore.jks + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: keystore-inputs + key: trustStorePassword + command: + - /bin/bash + - '-e' + - '-c' + args: + - |- + + NAMESPACE="$(< /var/run/secrets/kubernetes.io/serviceaccount/namespace)" + BROKER_NAME="${HOSTNAME%%-ss-*}" + POD_ORDINAL="${HOSTNAME##${BROKER_NAME}-ss-}" + + SUBJECT_ALTERNATE_NAME="$(eval echo "$SUBJECT_ALTERNATE_NAME")" - - name: TRUSTSTORE_OUTPUT_FILE - value: /amq/extra/volumes/built-keystore/truststore.jks - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: keystore-inputs - key: trustStorePassword - command: - - /bin/bash - - '-e' - - '-c' - args: - - |- + echo Constructued SAN: + echo " $SUBJECT_ALTERNATE_NAME" + echo "" - keytool -genkey -keyalg "RSA" -keysize 2048 \ - -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \ - -keypass "$KEYSTORE_PASSWORD" \ - -alias server -dname "CN=AMQ Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" \ - -validity 365 -ext bc=ca:false -ext eku=sA \ - -ext san=dns:"$SUBJECT_ALTERNATE_NAME" + keytool -genkey -keyalg "RSA" -keysize 2048 \ + -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \ + -keypass "$KEYSTORE_PASSWORD" \ + -alias server -dname "CN=AMQ Server #$POD_ORDINAL, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" \ + -validity 365 -ext bc=ca:false -ext eku=sA \ + -ext san="$SUBJECT_ALTERNATE_NAME" - keytool -exportcert \ - -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \ - -keypass "$KEYSTORE_PASSWORD" \ - -alias server -rfc > server.crt + keytool -exportcert \ + -storetype jks -keystore "$KEYSTORE_OUTPUT_FILE" -storepass "$KEYSTORE_PASSWORD" \ + -keypass 
"$KEYSTORE_PASSWORD" \ + -alias server -rfc > server.crt - keytool -importcert \ - -storetype jks -keystore "$TRUSTSTORE_OUTPUT_FILE" -storepass "$TRUSTSTORE_PASSWORD" \ - -alias server -file server.crt -noprompt + keytool -importcert \ + -storetype jks -keystore "$TRUSTSTORE_OUTPUT_FILE" -storepass "$TRUSTSTORE_PASSWORD" \ + -alias server -file server.crt -noprompt diff --git a/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml b/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml index fec77216..2dd682b4 100644 --- a/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml +++ b/amq-broker-operator/instance/components/metrics/address-metrics/kustomization.yaml @@ -1,9 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component -resources: - - address-metrics-bp.yaml - patches: - target: group: broker.amq.io @@ -18,3 +15,7 @@ patches: - op: replace path: /spec/addressSettings/addressSetting/0/enableMetrics value: true + + - op: replace + path: /spec/addressSettings/addressSetting/0/messageCounterHistoryDayLimit + value: 7 diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml index 0f225e90..e6785a07 100644 --- a/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml +++ b/amq-broker-operator/instance/components/persistence/jdbc/_copy-driver/kustomization.yaml 
@@ -26,29 +26,19 @@ patches: name: broker-jdbc-driver key: driver-jar-source-path - # Add the script to copy JDBC driver JAR during init + # Add the script to copy JDBC driver JAR during pod init - op: add - path: /spec/resourceTemplates/- + path: /spec/resourceTemplates/0/patch/spec/template/spec/initContainers/- value: - selector: - apiGroup: apps/v1 - kind: StatefulSet - patch: - apiVersion: apps/v1 - kind: StatefulSet - spec: - template: - spec: - initContainers: - - name: jdbc-driver-init - image: __REPLACE_IMAGE_VALUE__ - volumeMounts: - - name: jdbc-jars - mountPath: /opt/jdbc-jars - command: - - /bin/sh - args: - - '-c' - - | - cp "$DB_DRIVER_SOURCE_PATH"/"$DB_DRIVER_JAR_FILENAME" /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" + name: jdbc-driver-init + image: __REPLACE_IMAGE_VALUE__ + volumeMounts: + - name: jdbc-jars + mountPath: /opt/jdbc-jars + command: + - /bin/sh + args: + - '-c' + - |- + cp "$DB_DRIVER_SOURCE_PATH"/"$DB_DRIVER_JAR_FILENAME" /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" diff --git a/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml b/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml index 29a4199e..88fe9133 100644 --- a/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml +++ b/amq-broker-operator/instance/components/persistence/jdbc/_download-driver/kustomization.yaml 
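Review bot: The relocated `jdbc-driver-init` container carries no `resources` requests or limits, unlike the `build-keystore` init container in the certificates component, so in namespaces with a LimitRange or ResourceQuota the pod can be rejected and elsewhere the container runs unbounded; the same applies to the `_download-driver` hunk. Adding the same `resources:` stanza `build-keystore` uses (cpu/memory requests plus a memory limit) keeps the two init containers consistent. `image: __REPLACE_IMAGE_VALUE__` is a placeholder a consumer must substitute, but nothing says how; a comment above it, `# replaced by the consuming overlay (e.g. via an images transformer or replacements)`, would document the contract. The `patches:` entry this belongs to begins above the hunk.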
@@ -32,28 +32,18 @@ patches: # Add initContainer to automatically download JDBC driver if necessary - op: add - path: /spec/resourceTemplates/- + path: /spec/resourceTemplates/0/patch/spec/template/spec/initContainers/- value: - selector: - apiGroup: apps/v1 - kind: StatefulSet - patch: - apiVersion: apps/v1 - kind: StatefulSet - spec: - template: - spec: - initContainers: - - name: jdbc-driver-init - image: 'curlimages/curl:8.6.0' - volumeMounts: - - name: jdbc-jars - mountPath: /opt/jdbc-jars - command: - - /bin/sh - args: - - '-c' - - | - if ! [ -f /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" ]; then - curl "$DB_DRIVER_URL" --output /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" - fi + name: jdbc-driver-init + image: 'curlimages/curl:8.6.0' + volumeMounts: + - name: jdbc-jars + mountPath: /opt/jdbc-jars + command: + - /bin/sh + args: + - '-c' + - |- + if ! [ -f /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" ]; then + curl "$DB_DRIVER_URL" --output /opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME" + fi diff --git a/amq-broker-operator/instance/overlays/clustered-ephemeral-mtls-letsencrypt/kustomization.yaml b/amq-broker-operator/instance/overlays/clustered-ephemeral-mtls-letsencrypt/kustomization.yaml new file mode 100644 index 00000000..9345926a --- /dev/null +++ b/amq-broker-operator/instance/overlays/clustered-ephemeral-mtls-letsencrypt/kustomization.yaml 
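Review bot: `curl "$DB_DRIVER_URL" --output ...` has no `--fail`, the script runs under `/bin/sh -c` without `set -e`, and the download is written straight to its final name, so an HTTP error page or truncated transfer is saved as the driver, the init container still exits 0, and the `-f` check on the next start treats the bad file as present. The JAR is also placed on the broker's classpath with no integrity check; pinning an expected digest (a proposed `DB_DRIVER_SHA256` variable supplied alongside `DB_DRIVER_URL`) and verifying it before the file is moved into place closes that gap (rewritten script below). `sha256sum` would come from busybox in the curl image — confirm it is present in the pinned tag. The enclosing `patches:` entry begins above the hunk.
```yaml
args:
  - '-c'
  - |-
    set -e
    TARGET=/opt/jdbc-jars/"$DB_DRIVER_JAR_FILENAME"
    if ! [ -f "$TARGET" ]; then
      curl --fail --silent --show-error --location "$DB_DRIVER_URL" --output "$TARGET.tmp"
      # DB_DRIVER_SHA256: proposed new env var holding the expected hex digest of the driver JAR
      echo "$DB_DRIVER_SHA256  $TARGET.tmp" | sha256sum -c -
      mv "$TARGET.tmp" "$TARGET"
    fi
```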
@@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../clustered-ephemeral + +components: + - ../../components/acceptors/mutual-tls + - ../../components/certificates/cert-manager/console-ssl-keystore + - ../../components/certificates/cert-manager/acceptor-ssl-keystore + - ../../components/certificates/public-ca-truststores/letsencrypt-prod + - ../../components/certificates/public-ca-truststores/letsencrypt-prod/console-ssl-keystore + - ../../components/certificates/public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore + +patches: + - target: + group: cert-manager.io + version: v1 + kind: Certificate + patch: |- + - op: replace + path: /spec/issuerRef + value: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod diff --git a/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/backup/kustomization.yaml b/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-tls-letsencrypt/backup/kustomization.yaml similarity index 100% rename from amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/backup/kustomization.yaml rename to amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-tls-letsencrypt/backup/kustomization.yaml diff --git a/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/primary/kustomization.yaml b/amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-tls-letsencrypt/primary/kustomization.yaml similarity index 100% rename from amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-letsencrypt/primary/kustomization.yaml rename to amq-broker-operator/instance/overlays/cross-ocp-postgres-primary-backup-tls-letsencrypt/primary/kustomization.yaml 
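Review bot: This overlay combines `acceptors/mutual-tls` (which sets `needClientAuth: true`) with `public-ca-truststores/letsencrypt-prod/acceptor-ssl-truststore`; if that component places the Let's Encrypt roots in the acceptor truststore, any client presenting any valid Let's Encrypt certificate passes the handshake, so the mTLS here proves possession of a publicly issued certificate rather than a specific identity unless authorization is enforced via `securityRoles` or certificate-to-role mapping (the component contents are outside this diff, so this is inferred from the names). A comment above `components:` stating that intent, e.g. `# mTLS against public LE roots only proves the client holds an LE-issued cert; authorization comes from securityRoles`, would keep a future reader from assuming a private CA is in use. The `patches:` entry replaces `issuerRef` on every `Certificate` in the overlay because the target has no `name:`; that is presumably intended for both keystore certificates and is worth a one-line comment as well.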
diff --git a/amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/follower/kustomization.yaml b/amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/follower/kustomization.yaml new file mode 100644 index 00000000..783545e9 --- /dev/null +++ b/amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/follower/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base + +components: + - ../../../components/clustering/none + - ../../../components/persistence/jdbc/postgresql + - ../../../components/high-availability/ha-leader-follower/follower diff --git a/amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/leader/kustomization.yaml b/amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/leader/kustomization.yaml new file mode 100644 index 00000000..2db88ae3 --- /dev/null +++ b/amq-broker-operator/instance/overlays/non-clustered-postgres-leader-follower/leader/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base + +components: + - ../../../components/clustering/none + - ../../../components/persistence/jdbc/postgresql + - ../../../components/high-availability/ha-leader-follower/leader