Skip to content

Instantly share code, notes, and snippets.

@headconnect

headconnect/rabbitmq.ts Secret

Last active April 9, 2021 19:09
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save headconnect/f9e1ce508c253eda9dc0dadebaa9d807 to your computer and use it in GitHub Desktop.
Save headconnect/f9e1ce508c253eda9dc0dadebaa9d807 to your computer and use it in GitHub Desktop.
Download ZIP
Crazy wabbit.
Raw
rabbitmq.ts
const fs = require('fs');
const yaml = require('js-yaml');
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";
import * as k8s from "@pulumi/kubernetes";
import * as crd from "../crds/nodejs";
import * as random from "@pulumi/random";
import {createHash, randomBytes} from 'crypto'
export const createRabbit = async (cluster : k8s.Provider, environment: any, helmRepos : { [index: string]: any }) => {
const rabbitPassHasher = (pass2hash : string, salt?: Buffer) => {
//let salt = Buffer.from([0x90,0x8D,0xC6,0x0A])
if (salt) {
} else {
salt = randomBytes(32)
}
//console.log(salt)
//let concated = Buffer.concat([salt, Buffer.from("test12")])
let pass = Buffer.from(pass2hash)
let concated : Buffer = Buffer.concat([salt, pass])
let hash = createHash('sha256')
hash.write(concated)
let hashDigest = hash.digest()
return Buffer.concat([salt, hashDigest]).toString('base64')
}
const salt = Buffer.from([0xDE,0xAD,0xCA,0xFE])
const rabbitUsers : { [index: string]: random.RandomPassword } = {
orchestratorclient: new random.RandomPassword("orchestratorclient", {length:32}),
orchestratoruser: new random.RandomPassword("orchestratoruser", {length:32}),
subscriptionuser: new random.RandomPassword("subscriptionuser", {length:32}),
orchestrator: new random.RandomPassword("orchestrator", {length:32}),
admin: new random.RandomPassword("admin", {length:32}),
producer: new random.RandomPassword("producer", {length:32}),
testreader: new random.RandomPassword("testreader", {length:32})
}
/***
* Just the first user password + the rest of the object so I don't have to repeat myself
*/
let orchestratorclientLoadFile = rabbitUsers.orchestratorclient.result.apply(pass => {
return {
"rabbit_version": "3.8.14",
"users": [{
"name": "orchestratorclient",
"password_hash": rabbitPassHasher(pass, salt),
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
}],
"vhosts": [{"name": "xyz"}, {"name": "/"}],
"permissions": [{
"user": "admin",
"vhost": "/",
"configure": ".*",
"write": ".*",
"read": ".*"
}, {
"user": "admin",
"vhost": "xyz",
"configure": ".*",
"write": ".*",
"read": ".*"
}, {
"user": "subscriptionuser",
"vhost": "/",
"configure": ".*",
"write": ".*",
"read": ".*"
}, {
"user": "orchestratorclient",
"vhost": "xyz",
"configure": ".*",
"write": ".*",
"read": ".*"
}, {
"user": "testreader",
"vhost": "/",
"configure": "subscription|amq.*",
"write": "subscription",
"read": ".*"
}, {
"user": "orchestratoruser",
"vhost": "xyz",
"configure": ".*",
"write": ".*",
"read": ".*"
}, {
"user": "producer",
"vhost": "/",
"configure": ".*",
"write": ".*",
"read": ".*"
}, {
"user": "orchestrator",
"vhost": "xyz",
"configure": ".*",
"write": ".*",
"read": ".*"
}],
"topic_permissions": [{
"user": "admin",
"vhost": "/",
"exchange": "",
"write": ".*",
"read": ".*"
}, {
"user": "producer",
"vhost": "/",
"exchange": "",
"write": ".*",
"read": ".*"
}]
}
})
/**
* Now for the rest of the users
*/
const orchestratoruserLoadfile = pulumi.all([orchestratorclientLoadFile, rabbitUsers.orchestratoruser.result]).apply(([loadfile, pass]) => {
loadfile.users.push({
"name": "orchestratoruser",
"password_hash": rabbitPassHasher(pass, salt),
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
})
return loadfile;
})
const subscriptionuserLoadfile = pulumi.all([orchestratoruserLoadfile, rabbitUsers.subscriptionuser.result]).apply(([loadfile, pass]) => {
loadfile.users.push({
"name": "subscriptionuser",
"password_hash": rabbitPassHasher(pass, salt),
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
})
return loadfile;
})
const orchestratorLoadfile = pulumi.all([subscriptionuserLoadfile, rabbitUsers.orchestrator.result]).apply(([loadfile, pass]) => {
loadfile.users.push({
"name": "orchestrator",
"password_hash": rabbitPassHasher(pass, salt),
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
})
return loadfile;
})
const adminLoadfile = pulumi.all([orchestratorLoadfile, rabbitUsers.admin.result]).apply(([loadfile, pass]) => {
loadfile.users.push({
"name": "admin",
"password_hash": rabbitPassHasher(pass, salt),
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
})
return loadfile;
})
const producerLoadfile = pulumi.all([adminLoadfile, rabbitUsers.producer.result]).apply(([loadfile, pass]) => {
loadfile.users.push({
"name": "producer",
"password_hash": rabbitPassHasher(pass, salt),
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
})
return loadfile;
})
const rabbitLoadFile = pulumi.all([producerLoadfile, rabbitUsers.testreader.result]).apply(([loadfile, pass]) => {
loadfile.users.push({
"name": "testreader",
"password_hash": rabbitPassHasher(pass, salt),
"hashing_algorithm": "rabbit_password_hashing_sha256",
"tags": ""
})
return loadfile;
})
/**
* Lets get those passwords into the vault, and propegated back to the cluster
*/
for (const user in rabbitUsers) {
let userSecret = new azure.keyvault.Secret(`rabbit-user-${user}`, {
resourceGroupName: environment.rg,
vaultName: environment.vault.name,
secretName: `rabbit-user-${user}`,
properties: {
value: rabbitUsers[user].result
}
})
new crd.spv.v2beta1.AzureKeyVaultSecret(`akv2k8s-rabbit-user-${user}`, {
metadata: {
name: `rabbit-user-${user}`,
namespace: "default"
},
spec: {
vault: {
name: environment.vault.name,
object: {
name: userSecret.name.apply(name => name),
type: "secret"
}
},
output:{
secret: {
name: userSecret.name.apply(name => name),
dataKey: "password"
}
}
}
},{
provider: cluster,
dependsOn: userSecret
})
}
/**
* LoadFile to the vault, and back to cluster
*/
const rabbitLoadSecret = new azure.keyvault.Secret(`rabbit-load-definition`, {
resourceGroupName: environment.rg,
vaultName: environment.vault.name,
secretName: `rabbit-load-definition`,
properties: {
value: rabbitLoadFile.apply(x => { return JSON.stringify(x)})
}
})
const rabbitLoadSecretReplication = new crd.spv.v2beta1.AzureKeyVaultSecret(`akv2k8s-rabbit-load-definition`, {
metadata: {
name: `rabbitmq-load-definition`,
namespace: "default"
},
spec: {
vault: {
name: environment.vault.name,
object: {
name: rabbitLoadSecret.name,
type: "secret"
}
},
output:{
secret: {
name: "rabbitmq-load-definition",
dataKey: "load_definition.json"
}
}
}
},{
provider: cluster
})
//const rabbitPass = new random.RandomPassword("rabbitpass", {length: 42, special: true})
//rabbitValues.auth.rootPassword = rabbitPass;
let rabbitValues = yaml.load(fs.readFileSync("./components/chart-values/rabbitmq-production.yml"))
rabbitValues.loadDefinition.existingSecret = "rabbitmq-load-definition"
const rabbit = new k8s.helm.v3.Chart("rabbit",{
chart: "rabbitmq",
version: "8.11.5",
fetchOpts: {
repo: helmRepos.bitnami.url
},
values: rabbitValues
},{
provider: cluster,
dependsOn: [rabbitLoadSecretReplication]
})
return true
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment