Configure RabbitMQ to require mutual TLS (ssl_options.fail_if_no_peer_cert
= true) so every service must present a client certificate, the messaging
analog of the MariaDB REQUIRE X509 change.
Instead of rendering separate MariaDB and RabbitMQ client certificates, each
chart now renders a single per-chart client certificate (<chart>-client) used
for all mTLS backend connections. The MariaDB client certificate secret is
renamed from <chart>-mariadb-client to <chart>-client and the
secrets.tls.oslo_db.<chart> value moves to secrets.tls.client.<chart>.
The RabbitMQ client certificate mount is gated on tls.oslo_messaging so
messaging TLS can be toggled independently of API and DB TLS, and uses the
shared client certificate. A distinct pod volume name (rabbitmq-certs) lets
the same secret be mounted alongside the MariaDB certificate without a
duplicate volume.
The helm-toolkit rabbit-init job manifest gates its client certificate mount
and the REQUIRE X509 environment on the presence of a TLS secret instead of
manifests.certificates.
Add values_overrides/<chart>/messaging-tls.yaml, the server-side
values_overrides/rabbitmq/messaging-tls.yaml with mTLS enforced, and
tools/deployment/common/verify-rabbitmq-tls.sh wired into the compute-kit-tls
gate.
Applied to keystone, nova, neutron, glance, cinder, heat, barbican, manila and
blazar (messaging) and freezer, horizon, placement and zaqar (cert rename).
Signed-off-by: Vladimir Kozhukalov <kozhukalov@gmail.com>
Change-Id: I8067412384008d27345763c11c8c011594d8f718
Vladimir Kozhukalov
9d891d3e67