freeleaps-ops/freeleaps/helm-pkg/3rd/rabbitmq/values.alpha.yaml

global:
  defaultStorageClass: "azure-disk-std-lrs"
  storageClass: "azure-disk-std-lrs"
  security:
    allowInsecureImages: false
image:
  registry: docker.io
  repository: bitnami/rabbitmq
  tag: 4.0.6-debian-12-r0
  pullPolicy: IfNotPresent
  debug: true
namespaceOverride: "freeleaps-alpha"
clusterDomain: freeleaps.cluster
automountServiceAccountToken: true
resources:
  requests:
    cpu: 100m
    memory: 256Mi
  limits:
    cpu: 300m
    memory: 512Mi
auth:
  username: user
  password: "NjlhHFvnDuC7K0ir"
  securePassword: true
  updatePassword: false
  enableLoopbackUser: false
  erlangCookie: "iGF4ZVjeaXgHW2xELZTxJl8a6aFY7nes"
  tls:
    enabled: false
logs: "-"
ulimitNofiles: "65535"
plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s"
queue_master_locator: min-masters
clustering:
  ## @param clustering.enabled Enable RabbitMQ clustering
  ##
  enabled: true
  ## @param clustering.name RabbitMQ cluster name
  ## If not set, a name is generated using the common.names.fullname template
  ##
  name: "freeleaps-alpha"
  addressType: hostname
  rebalance: false
  forceBoot: false
  partitionHandling: autoheal
# See: https://github.com/bitnami/charts/issues/25698#issuecomment-2110562416
podManagementPolicy: Parallel
terminationGracePeriodSeconds: 120
volumePermissions:
  enabled: true
containerPorts:
  amqp: 5672
  amqpTls: 5671
  dist: 25672
  manager: 15672
  epmd: 4369
  metrics: 9419
tcpListenOptions:
  enabled: true
  backlog: 128
  nodelay: true
  linger:
    lingerOn: true
    timeout: 0
  keepalive: false
configuration: |-
  ## Username and password
  default_user = {{ .Values.auth.username }}
  {{- if and (not .Values.auth.securePassword) .Values.auth.password }}
  default_pass = {{ .Values.auth.password }}
  {{- end }}
  {{- if .Values.clustering.enabled }}
  ## Clustering
  ##
  cluster_name = {{ default (include "common.names.fullname" .) .Values.clustering.name }}
  cluster_formation.peer_discovery_backend  = rabbit_peer_discovery_k8s
  cluster_formation.k8s.host = kubernetes.default
  cluster_formation.k8s.address_type = {{ .Values.clustering.addressType }}
  {{- $svcName := printf "%s-%s" (include "common.names.fullname" .) (default "headless" .Values.servicenameOverride) }}
  cluster_formation.k8s.service_name = {{ $svcName }}
  cluster_formation.k8s.hostname_suffix = .{{ $svcName }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}
  cluster_formation.node_cleanup.interval = 10
  cluster_formation.node_cleanup.only_log_warning = true
  cluster_partition_handling = {{ .Values.clustering.partitionHandling }}
  {{- end }}
  {{ if and .Values.clustering.enabled .Values.loadDefinition.enabled }}
  cluster_formation.target_cluster_size_hint = {{ .Values.replicaCount }}
  {{ end }}
  {{- if .Values.loadDefinition.enabled }}
  load_definitions = {{ .Values.loadDefinition.file }}
  {{- end }}
  # queue master locator
  queue_master_locator = {{ .Values.queue_master_locator }}
  # enable loopback user
  {{- if not (empty .Values.auth.username) }}
  loopback_users.{{ .Values.auth.username }} = {{ .Values.auth.enableLoopbackUser }}
  {{- else}}
  loopback_users.guest = {{ .Values.auth.enableLoopbackUser }}
  {{- end }}
  {{ template "rabbitmq.extraConfiguration" . }}
  {{- if .Values.auth.tls.enabled }}
  ssl_options.verify = {{ .Values.auth.tls.sslOptionsVerify }}
  listeners.ssl.default = {{ .Values.service.ports.amqpTls }}
  ssl_options.fail_if_no_peer_cert = {{ .Values.auth.tls.failIfNoPeerCert }}
  ssl_options.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem
  ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem
  ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem
  {{- if .Values.auth.tls.sslOptionsPassword.enabled }}
  ssl_options.password = {{ include "common.secrets.passwords.manage" (dict "secret" .Values.auth.tls.sslOptionsPassword.existingSecret "key" .Values.auth.tls.sslOptionsPassword.key "providedValues" (list "auth.tls.sslOptionsPassword.password") "skipB64enc" true "failOnNew" false "context" $) }}
  {{- end }}
  {{- end }}
  {{- if .Values.ldap.enabled }}
  auth_backends.1.authn = ldap
  auth_backends.1.authz = {{ ternary "ldap" "internal" .Values.ldap.authorisationEnabled }}
  auth_backends.2 = internal
  {{- $host :=  list }}
  {{- $port :=  ternary 636 389 .Values.ldap.tls.enabled }}
  {{- if .Values.ldap.uri }}
  {{- $hostPort := get (urlParse .Values.ldap.uri) "host" }}
  {{- $host = list (index (splitList ":" $hostPort) 0) -}}
  {{- if (contains ":" $hostPort) }}
  {{- $port = index (splitList ":" $hostPort) 1 -}}
  {{- end }}
  {{- end }}
  {{- range $index, $server := concat $host .Values.ldap.servers }}
  auth_ldap.servers.{{ add $index 1 }} = {{ $server }}
  {{- end }}
  auth_ldap.port = {{ coalesce .Values.ldap.port $port }}
  {{- if or .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }}
  auth_ldap.user_dn_pattern = {{ coalesce .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }}
  {{- end }}
  {{- if .Values.ldap.basedn }}
  auth_ldap.dn_lookup_base = {{ .Values.ldap.basedn }}
  {{- end }}
  {{- if .Values.ldap.uidField }}
  auth_ldap.dn_lookup_attribute = {{ .Values.ldap.uidField }}
  {{- end }}
  {{- if .Values.ldap.binddn }}
  auth_ldap.dn_lookup_bind.user_dn = {{ .Values.ldap.binddn }}
  auth_ldap.dn_lookup_bind.password = {{ required "'ldap.bindpw' is required when 'ldap.binddn' is defined" .Values.ldap.bindpw }}
  {{- end }}
  {{- if .Values.ldap.tls.enabled }}
  auth_ldap.use_ssl = {{ not .Values.ldap.tls.startTls }}
  auth_ldap.use_starttls = {{ .Values.ldap.tls.startTls }}
  {{- if .Values.ldap.tls.CAFilename }}
  auth_ldap.ssl_options.cacertfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.CAFilename }}
  {{- end }}
  {{- if .Values.ldap.tls.certFilename }}
  auth_ldap.ssl_options.certfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.certFilename }}
  auth_ldap.ssl_options.keyfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ required "'ldap.tls.certKeyFilename' is required when 'ldap.tls.certFilename' is defined" .Values.ldap.tls.certKeyFilename }}
  {{- end }}
  {{- if .Values.ldap.tls.skipVerify }}
  auth_ldap.ssl_options.verify = verify_none
  auth_ldap.ssl_options.fail_if_no_peer_cert = false
  {{- else if .Values.ldap.tls.verify }}
  auth_ldap.ssl_options.verify = {{ .Values.ldap.tls.verify }}
  {{- end }}
  {{- end }}
  {{- end }}
  ## Prometheus metrics
  ##
  prometheus.tcp.port = {{ .Values.containerPorts.metrics }}
  {{- if .Values.memoryHighWatermark.enabled }}
  ## Memory Threshold
  ##
  {{- if (dig "limits" "memory" "" .Values.resources) }}
  total_memory_available_override_value = {{ include "rabbitmq.toBytes" (dig "limits" "memory" "" .Values.resources) }}
  {{- end }}
  {{- if (eq .Values.memoryHighWatermark.type "absolute") }}
  vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ include "rabbitmq.toBytes" .Values.memoryHighWatermark.value }}
  {{- else if (eq .Values.memoryHighWatermark.type "relative") }}
  vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ .Values.memoryHighWatermark.value }}
  {{- end }}
  {{- end }}
  {{- if .Values.tcpListenOptions.enabled }}
  ## TCP Listen Options
  ##
  tcp_listen_options.backlog = {{ .Values.tcpListenOptions.backlog }}
  tcp_listen_options.nodelay = {{ .Values.tcpListenOptions.nodelay }}
  tcp_listen_options.linger.on      = {{ .Values.tcpListenOptions.linger.lingerOn }}
  tcp_listen_options.linger.timeout = {{ .Values.tcpListenOptions.linger.timeout }}
  tcp_listen_options.keepalive = {{ .Values.tcpListenOptions.keepalive }}
  {{- end }}
extraConfiguration: |-
  #default_vhost = {{ .Release.Namespace }}-vhost
  disk_free_limit.absolute = 50MB
replicaCount: 1
updateStrategy:
  type: RollingUpdate
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
resourcesPreset: "medium"
livenessProbe:
  enabled: true
  initialDelaySeconds: 120
  timeoutSeconds: 20
  periodSeconds: 30
  failureThreshold: 6
  successThreshold: 1
readinessProbe:
  enabled: true
  initialDelaySeconds: 120
  timeoutSeconds: 20
  periodSeconds: 30
  failureThreshold: 3
  successThreshold: 1
pdb:
  create: true
  minAvailable: "1"
persistence:
  enabled: true
  accessModes:
    - ReadWriteOnce
  mountPath: /opt/bitnami/rabbitmq/.rabbitmq/mnesia
  size: 5Gi
service:
  type: ClusterIP
  portEnabled: true
  distPortEnabled: true
  managerPortEnabled: true
  epmdPortEnabled: true
  ports:
    amqp: 5672
    amqpTls: 5671
    dist: 25672
    manager: 15672
    metrics: 9419
    epmd: 4369
  portNames:
    amqp: "amqp"
    amqpTls: "amqp-tls"
    dist: "dist"
    manager: "http-stats"
    metrics: "metrics"
    epmd: "epmd"
networkPolicy:
  enabled: true
  kubeAPIServerPorts: [443, 6443, 8443]
  allowExternal: true
  allowExternalEgress: true
  addExternalClientAccess: true
metrics:
  enabled: true
  plugins: "rabbitmq_prometheus"
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "{{ .Values.service.ports.metrics }}"
  serviceMonitor:
    namespace: "freeleaps-monitoring-system"
    default:
      enabled: true
      interval: 30s
    perObject:
      enabled: true
      interval: 30s
    detailed:
      enabled: true
      interval: 30s
  prometheusRule:
    enabled: true
    namespace: "freeleaps-monitoring-system"
    rules:
      - alert: RabbitmqDown
        expr: rabbitmq_up{service="{{ template "common.names.fullname" . }}"} == 0
        for: 5m
        labels:
          severity: error
        annotations:
          summary: Rabbitmq down (instance {{ "{{ $labels.instance }}" }})
          description: RabbitMQ node down
      - alert: ClusterDown
        expr: |
          sum(rabbitmq_running{service="{{ template "common.names.fullname" . }}"})
          < {{ .Values.replicaCount }}
        for: 5m
        labels:
          severity: error
        annotations:
          summary: Cluster down (instance {{ "{{ $labels.instance }}" }})
          description: |
              Less than {{ .Values.replicaCount }} nodes running in RabbitMQ cluster
              VALUE = {{ "{{ $value }}" }}
      - alert: ClusterPartition
        expr: rabbitmq_partitions{service="{{ template "common.names.fullname" . }}"} > 0
        for: 5m
        labels:
          severity: error
        annotations:
          summary: Cluster partition (instance {{ "{{ $labels.instance }}" }})
          description: |
              Cluster partition
              VALUE = {{ "{{ $value }}" }}
      - alert: OutOfMemory
        expr: |
          rabbitmq_node_mem_used{service="{{ template "common.names.fullname" . }}"}
          / rabbitmq_node_mem_limit{service="{{ template "common.names.fullname" . }}"}
          * 100 > 90
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: Out of memory (instance {{ "{{ $labels.instance }}" }})
          description: |
              Memory available for RabbmitMQ is low (< 10%)\n  VALUE = {{ "{{ $value }}" }}
              LABELS: {{ "{{ $labels }}" }}
      - alert: TooManyConnections
        expr: rabbitmq_connectionsTotal{service="{{ template "common.names.fullname" . }}"} > 1000
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: Too many connections (instance {{ "{{ $labels.instance }}" }})
          description: |
              RabbitMQ instance has too many connections (> 1000)
              VALUE = {{ "{{ $value }}" }}\n  LABELS: {{ "{{ $labels }}" }}
ingress:
  enabled: true
  path: /
  pathType: Prefix
  hostname: alpha.rabbitmq.freeleaps.mathmast.com
  tls: true
  existingSecret: "alpha.rabbitmq.freeleaps.mathmast.com-cert"
  ingressClassName: "nginx"