VIO Configuring external access to RabbitMQ Management Interface

Article ID: 321840


Products

VMware VMware Integrated OpenStack

Issue/Introduction

Symptoms:
  • RabbitMQ cannot be accessed from the outside world because the configured service type is ClusterIP.
  • ClusterIP means it is exposed on an internal IP that is only reachable from within the cluster.


Environment

VMware Integrated OpenStack 6.x
VMware Integrated OpenStack 7.x

Cause

To make RabbitMQ externally available, you need to modify the service definition and change the type to NodePort. With NodePort, the service is exposed on the node, which is the “OpenStack Controller” in our case. It sets up a proxy entry using a particular port on an external address. Since NodePort is a proxy, the service should also still be reachable internally via ClusterIP.

Resolution

  1. To expose RabbitMQ via NodePort, edit the service definition and change type: ClusterIP to type: NodePort.
osctl edit service rabbitmq

..
  sessionAffinity: None
  type: ClusterIP      <<<< change to NodePort
status:
..
  2. Check that the service is exposed:
root@vio7 [ ~ ]# osctl describe service rabbitmq
Name:                     rabbitmq
Namespace:                openstack
Labels:                   <none>
Annotations:              <none>
Selector:                 application=rabbitmq,component=server,release_group=rabbitmq1
Type:                     NodePort
IP:                       172.16.0.222
Port:                     amqp  5672/TCP
TargetPort:               5672/TCP
NodePort:                 amqp  5928/TCP
Endpoints:                180.10.14.60:5672
Port:                     clustering  25672/TCP
TargetPort:               25672/TCP
NodePort:                 clustering  26986/TCP
Endpoints:                180.10.14.60:25672
Port:                     http  15672/TCP
TargetPort:               15672/TCP
NodePort:                 http  18716/TCP
Endpoints:                180.10.14.60:15672
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>


If you set the type field to NodePort, the Kubernetes control plane allocates a port from the range specified by the --service-node-port-range flag (default: 30000-32767).
  3. To check the service node port range in VIO, run:
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep service-node-port-range

- --service-node-port-range=53-35357
  4. To use a specific port in the 53-35357 range, edit the service definition again.
Example: To change the http service node port from 18716 to 30000:

osctl edit service rabbitmq
- name: http
  nodePort: 30000
  port: 15672
  protocol: TCP
  targetPort: 15672

root@vio7 [ ~ ]# osctl get service rabbitmq
NAME       TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                                         AGE
rabbitmq   NodePort   172.16.0.222   <none>        5672:5928/TCP,25672:26986/TCP,15672:30000/TCP   34d
  5. To verify the configuration, use netcat to connect and send a CONNECT message. You should see the AMQP connection close, since CONNECT is not a valid AMQP header:
Example:
toolbox
[root@vioadmin1-vioshim-847ff7cb6f-c7k7n /]# nc -v 192.168.30.90 5928
192-168-30-90.ingress.openstack.svc.cluster.local [192.168.30.90] 5928 open
CONNECT
AMQP read(net): Connection reset by peer

Type CONNECT upon connection.
  6. Check the logs:
root@vio7 [ ~ ]# osctl logs rabbitmq1-rabbitmq-0 | tail -3
2021-06-23 10:27:47.388 [info] <0.3561.12> accepting AMQP connection <0.3561.12> (169.254.169.10:56287 -> 180.10.14.60:5672)
2021-06-23 10:27:47.389 [error] <0.3561.12> closing AMQP connection <0.3561.12> (169.254.169.10:56287 -> 180.10.14.60:5672):
{bad_header,<<"CONNECT\n">>}

  7. Add a RabbitMQ admin user to log in to the UI:
osctl -it exec rabbitmq1-rabbitmq-0 bash
rabbitmqctl add_user <username> <password>
rabbitmqctl set_user_tags <username> administrator
rabbitmqctl set_permissions -p / <username> ".*" ".*" ".*"
  8. Access the RabbitMQ management UI via the external public IP:
Example:
http://192.168.30.90:30000/
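
Changing the service type applies to every port in the service definition, which is why the describe output shown earlier lists node ports for amqp and clustering as well as http. The script below is an added example, not part of the original article: it parses `osctl describe service rabbitmq` text and reports every node port other than the ones you meant to publish. The helper names are hypothetical and the sample input is abridged from the output in this article.

```bash
#!/usr/bin/env bash
# Added example: audit which RabbitMQ ports a NodePort service publishes.

# Sample input, abridged from the describe output shown in this article.
sample_describe() {
cat <<'EOF'
Type:                     NodePort
Port:                     amqp  5672/TCP
TargetPort:               5672/TCP
NodePort:                 amqp  5928/TCP
Endpoints:                180.10.14.60:5672
Port:                     clustering  25672/TCP
TargetPort:               25672/TCP
NodePort:                 clustering  26986/TCP
Endpoints:                180.10.14.60:25672
Port:                     http  15672/TCP
TargetPort:               15672/TCP
NodePort:                 http  18716/TCP
Endpoints:                180.10.14.60:15672
EOF
}

# list_nodeports (hypothetical helper): reads describe text on stdin and
# prints "<name> <servicePort> <nodePort>" for each port published on the node.
list_nodeports() {
  awk '
    $1 == "Type:"     { type = $2 }
    $1 == "Port:"     { split($3, p, "/"); port[$2] = p[1] }
    $1 == "NodePort:" { split($3, n, "/"); node[$2] = n[1]; order[++k] = $2 }
    END {
      if (type != "NodePort") exit 0   # ClusterIP: nothing published on the node
      for (i = 1; i <= k; i++) print order[i], port[order[i]], node[order[i]]
    }'
}

# unintended_nodeports NAME... (hypothetical helper): reports every published
# port whose name is not in the allow list given as arguments.
unintended_nodeports() {
  allowed=" $* "
  list_nodeports | while read -r name port nodeport; do
    case "$allowed" in
      *" $name "*) ;;   # intended exposure, skip
      *) echo "$name: service port $port is reachable on node port $nodeport" ;;
    esac
  done
}

# Only the management UI (http) was meant to be reachable from outside.
sample_describe | unintended_nodeports http
```

On a live system, feed it the real output with `osctl describe service rabbitmq | unintended_nodeports http`; any line it prints is a port that needs a firewall rule or a separate service definition.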

