global: defaultStorageClass: "azure-disk-std-lrs" storageClass: "azure-disk-std-lrs" security: allowInsecureImages: false image: registry: docker.io repository: bitnami/rabbitmq tag: 4.0.6-debian-12-r0 pullPolicy: IfNotPresent debug: true namespaceOverride: "freeleaps-alpha" clusterDomain: freeleaps.cluster automountServiceAccountToken: true resources: requests: cpu: 100m memory: 256Mi limits: cpu: 300m memory: 512Mi auth: username: user password: "" securePassword: true updatePassword: true enableLoopbackUser: false tls: enabled: false logs: "-" ulimitNofiles: "65535" plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s" queue_master_locator: min-masters clustering: ## @param clustering.enabled Enable RabbitMQ clustering ## enabled: true ## @param clustering.name RabbitMQ cluster name ## If not set, a name is generated using the common.names.fullname template ## name: "freeleaps-alpha" addressType: hostname rebalance: false forceBoot: false partitionHandling: autoheal # See: https://github.com/bitnami/charts/issues/25698#issuecomment-2110562416 podManagementPolicy: Parallel terminationGracePeriodSeconds: 120 volumePermissions: enabled: true containerPorts: amqp: 5672 amqpTls: 5671 dist: 25672 manager: 15672 epmd: 4369 metrics: 9419 tcpListenOptions: enabled: true backlog: 128 nodelay: true linger: lingerOn: true timeout: 0 keepalive: false configuration: |- ## Username and password default_user = {{ .Values.auth.username }} {{- if and (not .Values.auth.securePassword) .Values.auth.password }} default_pass = {{ .Values.auth.password }} {{- end }} {{- if .Values.clustering.enabled }} ## Clustering ## cluster_name = {{ default (include "common.names.fullname" .) .Values.clustering.name }} cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s cluster_formation.k8s.host = kubernetes.default cluster_formation.k8s.address_type = {{ .Values.clustering.addressType }} {{- $svcName := printf "%s-%s" (include "common.names.fullname" .) (default "headless" .Values.servicenameOverride) }} cluster_formation.k8s.service_name = {{ $svcName }} cluster_formation.k8s.hostname_suffix = .{{ $svcName }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} cluster_formation.node_cleanup.interval = 10 cluster_formation.node_cleanup.only_log_warning = true cluster_partition_handling = {{ .Values.clustering.partitionHandling }} {{- end }} {{ if and .Values.clustering.enabled .Values.loadDefinition.enabled }} cluster_formation.target_cluster_size_hint = {{ .Values.replicaCount }} {{ end }} {{- if .Values.loadDefinition.enabled }} load_definitions = {{ .Values.loadDefinition.file }} {{- end }} # queue master locator queue_master_locator = {{ .Values.queue_master_locator }} # enable loopback user {{- if not (empty .Values.auth.username) }} loopback_users.{{ .Values.auth.username }} = {{ .Values.auth.enableLoopbackUser }} {{- else}} loopback_users.guest = {{ .Values.auth.enableLoopbackUser }} {{- end }} {{ template "rabbitmq.extraConfiguration" . }} {{- if .Values.auth.tls.enabled }} ssl_options.verify = {{ .Values.auth.tls.sslOptionsVerify }} listeners.ssl.default = {{ .Values.service.ports.amqpTls }} ssl_options.fail_if_no_peer_cert = {{ .Values.auth.tls.failIfNoPeerCert }} ssl_options.cacertfile = /opt/bitnami/rabbitmq/certs/ca_certificate.pem ssl_options.certfile = /opt/bitnami/rabbitmq/certs/server_certificate.pem ssl_options.keyfile = /opt/bitnami/rabbitmq/certs/server_key.pem {{- if .Values.auth.tls.sslOptionsPassword.enabled }} ssl_options.password = {{ include "common.secrets.passwords.manage" (dict "secret" .Values.auth.tls.sslOptionsPassword.existingSecret "key" .Values.auth.tls.sslOptionsPassword.key "providedValues" (list "auth.tls.sslOptionsPassword.password") "skipB64enc" true "failOnNew" false "context" $) }} {{- end }} {{- end }} {{- if .Values.ldap.enabled }} auth_backends.1.authn = ldap auth_backends.1.authz = {{ ternary "ldap" "internal" .Values.ldap.authorisationEnabled }} auth_backends.2 = internal {{- $host := list }} {{- $port := ternary 636 389 .Values.ldap.tls.enabled }} {{- if .Values.ldap.uri }} {{- $hostPort := get (urlParse .Values.ldap.uri) "host" }} {{- $host = list (index (splitList ":" $hostPort) 0) -}} {{- if (contains ":" $hostPort) }} {{- $port = index (splitList ":" $hostPort) 1 -}} {{- end }} {{- end }} {{- range $index, $server := concat $host .Values.ldap.servers }} auth_ldap.servers.{{ add $index 1 }} = {{ $server }} {{- end }} auth_ldap.port = {{ coalesce .Values.ldap.port $port }} {{- if or .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }} auth_ldap.user_dn_pattern = {{ coalesce .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }} {{- end }} {{- if .Values.ldap.basedn }} auth_ldap.dn_lookup_base = {{ .Values.ldap.basedn }} {{- end }} {{- if .Values.ldap.uidField }} auth_ldap.dn_lookup_attribute = {{ .Values.ldap.uidField }} {{- end }} {{- if .Values.ldap.binddn }} auth_ldap.dn_lookup_bind.user_dn = {{ .Values.ldap.binddn }} auth_ldap.dn_lookup_bind.password = {{ required "'ldap.bindpw' is required when 'ldap.binddn' is defined" .Values.ldap.bindpw }} {{- end }} {{- if .Values.ldap.tls.enabled }} auth_ldap.use_ssl = {{ not .Values.ldap.tls.startTls }} auth_ldap.use_starttls = {{ .Values.ldap.tls.startTls }} {{- if .Values.ldap.tls.CAFilename }} auth_ldap.ssl_options.cacertfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.CAFilename }} {{- end }} {{- if .Values.ldap.tls.certFilename }} auth_ldap.ssl_options.certfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.certFilename }} auth_ldap.ssl_options.keyfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ required "'ldap.tls.certKeyFilename' is required when 'ldap.tls.certFilename' is defined" .Values.ldap.tls.certKeyFilename }} {{- end }} {{- if .Values.ldap.tls.skipVerify }} auth_ldap.ssl_options.verify = verify_none auth_ldap.ssl_options.fail_if_no_peer_cert = false {{- else if .Values.ldap.tls.verify }} auth_ldap.ssl_options.verify = {{ .Values.ldap.tls.verify }} {{- end }} {{- end }} {{- end }} ## Prometheus metrics ## prometheus.tcp.port = {{ .Values.containerPorts.metrics }} {{- if .Values.memoryHighWatermark.enabled }} ## Memory Threshold ## {{- if (dig "limits" "memory" "" .Values.resources) }} total_memory_available_override_value = {{ include "rabbitmq.toBytes" (dig "limits" "memory" "" .Values.resources) }} {{- end }} {{- if (eq .Values.memoryHighWatermark.type "absolute") }} vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ include "rabbitmq.toBytes" .Values.memoryHighWatermark.value }} {{- else if (eq .Values.memoryHighWatermark.type "relative") }} vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ .Values.memoryHighWatermark.value }} {{- end }} {{- end }} {{- if .Values.tcpListenOptions.enabled }} ## TCP Listen Options ## tcp_listen_options.backlog = {{ .Values.tcpListenOptions.backlog }} tcp_listen_options.nodelay = {{ .Values.tcpListenOptions.nodelay }} tcp_listen_options.linger.on = {{ .Values.tcpListenOptions.linger.lingerOn }} tcp_listen_options.linger.timeout = {{ .Values.tcpListenOptions.linger.timeout }} tcp_listen_options.keepalive = {{ .Values.tcpListenOptions.keepalive }} {{- end }} extraConfiguration: |- #default_vhost = {{ .Release.Namespace }}-vhost #disk_free_limit.absolute = 50MB replicaCount: 1 updateStrategy: type: RollingUpdate podSecurityContext: enabled: true fsGroupChangePolicy: Always sysctls: [] supplementalGroups: [] fsGroup: 1001 containerSecurityContext: enabled: true seLinuxOptions: {} runAsUser: 1001 runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false readOnlyRootFilesystem: true resourcesPreset: "medium" livenessProbe: enabled: true initialDelaySeconds: 120 timeoutSeconds: 20 periodSeconds: 30 failureThreshold: 6 successThreshold: 1 readinessProbe: enabled: true initialDelaySeconds: 120 timeoutSeconds: 20 periodSeconds: 30 failureThreshold: 3 successThreshold: 1 pdb: create: true minAvailable: "1" persistence: enabled: true accessModes: - ReadWriteOnce mountPath: /opt/bitnami/rabbitmq/.rabbitmq/mnesia size: 5Gi service: type: ClusterIP portEnabled: true distPortEnabled: true managerPortEnabled: true epmdPortEnabled: true ports: amqp: 5672 amqpTls: 5671 dist: 25672 manager: 15672 metrics: 9419 epmd: 4369 portNames: amqp: "amqp" amqpTls: "amqp-tls" dist: "dist" manager: "http-stats" metrics: "metrics" epmd: "epmd" networkPolicy: enabled: true kubeAPIServerPorts: [443, 6443, 8443] allowExternal: true allowExternalEgress: true addExternalClientAccess: true metrics: enabled: true plugins: "rabbitmq_prometheus" podAnnotations: prometheus.io/scrape: "true" prometheus.io/port: "{{ .Values.service.ports.metrics }}" serviceMonitor: namespace: "freeleaps-monitoring-system" default: enabled: true interval: 30s perObject: enabled: true interval: 30s detailed: enabled: true interval: 30s prometheusRule: enabled: true namespace: "freeleaps-monitoring-system" rules: - alert: RabbitmqDown expr: rabbitmq_up{service="{{ template "common.names.fullname" . }}"} == 0 for: 5m labels: severity: error annotations: summary: Rabbitmq down (instance {{ "{{ $labels.instance }}" }}) description: RabbitMQ node down - alert: ClusterDown expr: | sum(rabbitmq_running{service="{{ template "common.names.fullname" . }}"}) < {{ .Values.replicaCount }} for: 5m labels: severity: error annotations: summary: Cluster down (instance {{ "{{ $labels.instance }}" }}) description: | Less than {{ .Values.replicaCount }} nodes running in RabbitMQ cluster VALUE = {{ "{{ $value }}" }} - alert: ClusterPartition expr: rabbitmq_partitions{service="{{ template "common.names.fullname" . }}"} > 0 for: 5m labels: severity: error annotations: summary: Cluster partition (instance {{ "{{ $labels.instance }}" }}) description: | Cluster partition VALUE = {{ "{{ $value }}" }} - alert: OutOfMemory expr: | rabbitmq_node_mem_used{service="{{ template "common.names.fullname" . }}"} / rabbitmq_node_mem_limit{service="{{ template "common.names.fullname" . }}"} * 100 > 90 for: 5m labels: severity: warning annotations: summary: Out of memory (instance {{ "{{ $labels.instance }}" }}) description: | Memory available for RabbmitMQ is low (< 10%)\n VALUE = {{ "{{ $value }}" }} LABELS: {{ "{{ $labels }}" }} - alert: TooManyConnections expr: rabbitmq_connectionsTotal{service="{{ template "common.names.fullname" . }}"} > 1000 for: 5m labels: severity: warning annotations: summary: Too many connections (instance {{ "{{ $labels.instance }}" }}) description: | RabbitMQ instance has too many connections (> 1000) VALUE = {{ "{{ $value }}" }}\n LABELS: {{ "{{ $labels }}" }} ingress: enabled: true path: / pathType: Prefix hostname: alpha.rabbitmq.freeleaps.mathmast.com tls: true existingSecret: "alpha.rabbitmq.freeleaps.mathmast.com-cert" ingressClassName: "nginx"