Enable SSL for connection to RabbitMQ by default and make RabbitMQ po…

…rt configurable (#1012)

* feat: make port configurable

* feat: enable SSL by default and add possibility to disable it

* fix: remove `*` from ingress path

* chore: add values to helm chart

* chore: disable ssl in case of usage of builtin eventbus

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

.ci/appsettings.override.postgres.docker.json

@@ -10,6 +10,7 @@
         "EventBus": {
             "Vendor": "RabbitMQ",
             "ConnectionInfo": "rabbitmq",
+            "RabbitMQEnableSsl": false,
             "RabbitMQUsername": "guest",
             "RabbitMQPassword": "guest"
         },

.ci/appsettings.override.postgres.local.json

@@ -10,6 +10,7 @@
         "EventBus": {
             "Vendor": "RabbitMQ",
             "ConnectionInfo": "localhost",
+            "RabbitMQEnableSsl": false,
             "RabbitMQUsername": "guest",
             "RabbitMQPassword": "guest"
         },

.ci/appsettings.override.sqlserver.docker.json

@@ -10,6 +10,7 @@
         "EventBus": {
             "Vendor": "RabbitMQ",
             "ConnectionInfo": "rabbitmq",
+            "RabbitMQEnableSsl": false,
             "RabbitMQUsername": "guest",
             "RabbitMQPassword": "guest"
         },

.ci/appsettings.override.sqlserver.local.json

@@ -10,6 +10,7 @@
         "EventBus": {
             "Vendor": "RabbitMQ",
             "ConnectionInfo": "localhost",
+            "RabbitMQEnableSsl": false,
             "RabbitMQUsername": "guest",
             "RabbitMQPassword": "guest"
         },

BuildingBlocks/src/BuildingBlocks.Infrastructure/EventBus/RabbitMQ/RabbitMQServiceCollectionExtensions.cs

@@ -21,12 +21,24 @@ public static void AddRabbitMq(this IServiceCollection services, Action<RabbitMq
 
             var factory = new ConnectionFactory
             {
-                HostName = options.HostName
+                HostName = options.HostName,
+                Port = options.Port,
             };
 
-            if (!string.IsNullOrEmpty(options.Username)) factory.UserName = options.Username;
+            if (options.EnableSsl)
+            {
+                factory.Ssl = new SslOption
+                {
+                    Enabled = true,
+                    ServerName = options.HostName
+                };
+            }
+
+            if (!string.IsNullOrEmpty(options.Username))
+                factory.UserName = options.Username;
 
-            if (!string.IsNullOrEmpty(options.Password)) factory.Password = options.Password;
+            if (!string.IsNullOrEmpty(options.Password))
+                factory.Password = options.Password;
 
             return new DefaultRabbitMqPersistentConnection(factory, logger, options.ConnectionRetryCount);
         });
@@ -48,9 +60,11 @@ public static void AddRabbitMq(this IServiceCollection services, Action<RabbitMq
 
 public class RabbitMqOptions : BasicBusOptions
 {
+    public bool EnableSsl { get; set; } = true;
     public string ExchangeName { get; set; } = null!;
     public string QueueName { get; set; } = null!;
     public string HostName { get; set; } = null!;
+    public int Port { get; set; } = 5672;
     public string Username { get; set; } = null!;
     public string Password { get; set; } = null!;
     public int ConnectionRetryCount { get; set; } = 5;

Infrastructure/EventBus/EventBusConfiguration.cs

@@ -14,6 +14,8 @@ public class EventBusConfiguration
     [Required]
     public string SubscriptionClientName { get; set; } = null!;
 
+    public bool RabbitMqEnableSsl { get; set; } = true;
+    public int RabbitMqPort { get; set; } = 5672;
     public string RabbitMqUsername { get; set; } = null!;
     public string RabbitMqPassword { get; set; } = null!;
     public string RabbitMqExchangeName { get; set; } = "enmeshed";

Infrastructure/EventBus/EventBusServiceCollectionExtensions.cs

@@ -36,7 +36,9 @@ public static void AddEventBus(this IServiceCollection services, EventBusConfigu
                 services.AddRabbitMq(options =>
                 {
                     LoadBasicBusOptions(configuration, options);
+                    options.EnableSsl = configuration.RabbitMqEnableSsl;
                     options.HostName = configuration.ConnectionInfo;
+                    options.Port = configuration.RabbitMqPort;
                     options.Username = configuration.RabbitMqUsername;
                     options.Password = configuration.RabbitMqPassword;
                     options.ExchangeName = configuration.RabbitMqExchangeName;

appsettings.override.json

@@ -1,4 +1,4 @@
-{
+{
     "RunMigrations": true,
     "Authentication": {
         "JwtSigningCertificate": "MIIJ7wIBAzCCCaUGCSqGSIb3DQEHAaCCCZYEggmSMIIJjjCCBAIGCSqGSIb3DQEHBqCCA/MwggPvAgEAMIID6AYJKoZIhvcNAQcBMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAiIVEGIEnzbyAICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEC1tOaulJJjkAl2W7xeF3G6AggOAm1VdXzAQ6MhHabp6+rzEuaAyBpuMi8zD8OEl8/xMv47UsFUor38aZjQd14qTTLz5MnksI/qgjQHLuMEmN1eWARsUBkeYvLuz0icl2q9A5Rn9CaKHIemQWq9mIobq3XnXhwDFEd+G/WgjNoK65Ndu20pnuc9LDlfq6fx2eXDbHAWLeUTnlQsEY4M/owNKIjlO/VsYJCshvEPlbtCnyzXwkrtQ5i2XufIJsfX0qoK/dXfoMVUjPxa/L8uR40bAWc1LVkvO0Ox4rY9VCtC1eHe3fcS48AaYCGRMpkZ7N+nDOb7lPs7BcxVoIrj/PkqiNI4rMOZVEgz21OWhueIjBv4gxfV+vW7IZ7xWvC1uUYIKEKEl6mk8KJ5zruO3tObX70+4saBiTNd/76+CVR4qCSwYcD7bZjpMOiaVFyxy0ay3dCwoivLK1jWNFJ25tngYpXKGCtOP0/Zi1fyseo4C54Ef5Yoo+BG3bkKR9VHChWzbB+b1p2lOwfBWIWlGjoZ+expyBjnk+FWrFDZeMknpW3PANCtcT/zqzqPKG3g4DAnSx9xDqvR7GBEgUlaUBAsCM3NvbahzevFFNE21aVajmTpSdejqvgNgvHPHA+BHfhMYx3mcMEkZ+phEHrWRSg925Iy64afL9/XvxoB/uFOYta/ir4ZqCbOy+yrc4+ppQlvLEIUnL4BGWcZ7d2NNRHWOHg0UqzxakezWhoGh1DDWfNdEj+eoa8DTvQr9hX0DQljym1I51qYdrv18rSf+MQj9jhBgQ77WBCX4sDkj4W9d7kKah8Fa0v+4bB1CqrETAsCESvBzSNyYEXKpyjdR/m8w/dti13Kz9ptvi8zd70tcqsqjaB3Qaz3gZRzRlPJORrg2cjWm+xLTOIQ+thk+O3U7l5R47h7QT44eSroKmX8Ptt/wkn9HRcI9bjylzrjTFw45/Re61RpHm3+NXUfvTPLaaXYSolldAgYN1gq+yYZJvBViWQB7gE05fpph6t6DYhEr2VtkLljxDclRPF14AKZaQCIndTiUX69eQfIpD4edHyBvFWSkf+fC1whOE/tqKY0vDflhBDrWFsvDwnEo0iYy671nu19RnBnZws0vseJeikQdCWBY6m0Wq7oViCyFCWyJPDukz3E9uCRrckki2i5+V2MM2IMtgImVFvRqaRbi7vF+Qjccs9Ri0+evcsc9dWjsnHkwggWEBgkqhkiG9w0BBwGgggV1BIIFcTCCBW0wggVpBgsqhkiG9w0BDAoBAqCCBTEwggUtMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAj06Hc+Gh2z5wICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEOwPSnf4F479I2AKr8i0TLYEggTQFtwGZHL6BF2++nDi2EAjc7XXIxp0u4qM17eZjafdltFpketf6pQCD/hDry+mVeIapTY9hOPE5XdjdFoJtOZPZHfvrrb0Jn+rgGAPYGBzqGK4NPVWHiDZ3uA4R4Tiwhgqd/ZQIdRshUEPVfu4EzTIAEhmHl+1g8JiD8EcYAXO1IRCLm17IsIYXT6d8cYe3Zy3AgULsF0/OwQIPVqaJCIwPR3qw68GXNA4iWWHuXJhdtrqHrGrkfBRuZZ5+7R838RM9Bk+ljWphidPmIFZmhjACt/c1qorGPhQTil0WT9VU9rN/gJ1rKcu3RQ1TRJDTjZYaPSMu9ycvFLpsP8XBJUpfHnczPS25bclKaJRUvou6aiwtyQsqWCDLGRuwN06Oins28R5/QQNYbcOr77WBlgh28K1TLcnQopE9xp12XBj8iOeUlVMiMVlph02TrGMXOqU0rlRpsYECMSfHw4xdH87GBUxmE4ndE7JI7wu73MsHQ+3kDTTvGG6xzY6rbNg+V6CfOZc102645sJskdCD6ygzUfgDwDcxjyky2u86qBFR/9d3M7Vh+PQpijYxQ/w4FzwgHUPII+JqqY8secPSA64L8qXj4daG74Wc3y+veajJzkFBUiaJnCER1WEJf0b4eBAEG1gaJ/B2hrp+lEd30qbE//iJWna5gYboIzMENfJ4RsqxlW4hZs6aqBuDr8QXL1chc11g0nMY9sI0kZVwF8+13eFh4ypt4H34usOiWHft2eeA/Z2h8agrT8UFkRfy3/1dGoNwqicXgqY3MgoxqlfDQ6hjPkO5JAbRc0cuZQMPu38dO66+qoI/Db4zdo+8G6sXOgZkzduQlARhx6VORq2QFoufsyqXvsUWFWSXEOjWLbLwKK5og8sV4OmWXGRPbTo+Hc3pmmuYcpEwtH6wFCb0vXVeOhSd7GX8Yv2V0yVt19IjgUGtukVWt9DUe6uImzsPm9ZdivWUB3RlKYRGpS16yhG0ZdRwBJweDoitK091ooN6Um74eO17dH0jAQw3XPBxgJ64qEdSzfJ/xybM45BSUPAft2wXXlckLOId9Us56oV7WeszTOkOPDKz9GnKT05xPXNDgAqstVZc0nXEq0eFzTORREBP0w2ijwPu9mfPvRACY8p7YMnNbZzMGBvpa3ILezRIgThMbnzf+YiBP2Ddt9bWoxDsIj7jaqDzxjG2WtI1qGEqFyLCeUkSx2UpkbGViCkx8CsMwXJwLrYdoxqjyOg2Oz09EFF5eI1wkLqEtez8dOTLEn7oFjTyFbRkNoynuwvNqHEG2qzbw02Rb82qyrurKmOnNHog7FXLDe0kGFgKuNXbCw+to2lAhWY0CmEe8qfQLeAiV3TsGHSrGSkoegmfPHsuboCdez/ETJZWoodryUPdY3PFNa0xZOJvbtkiG2Vo55Rjq9wbd+MWAGcxhaCVEmEJ0UWWsn3Oe+h4mn3wT9+P+hkAR9duXT6tq+5DmKB2RD3fR3vIc4H5eLaIzOOmjSdfGFvIaj+06jS7SGicuKqF5ND4HPtXJrQgQUdO/gIHCkE9nn4hXCoz/bGkU4FN2WPz5TTMVsYuxMVp1I2UayoQppltkp3oaDb/S36FeO644d5zb7ARayF68NL5MrM/MRK24jhtx2WV4ZN9HIxJTAjBgkqhkiG9w0BCRUxFgQU/S6zDu6S3P4i1WdDz+j3esGxT4UwQTAxMA0GCWCGSAFlAwQCAQUABCCiOwVWGDHil8dA7XvoQNTLTJDm7EwdfGC4KJUV9smgUgQI4ZRrDNXXl8cCAggA",
@@ -15,6 +15,8 @@
             "Vendor": "RabbitMQ", // possible values: InMemory, RabbitMQ, GoogleCloud, Azure
             "ConnectionInfo": "localhost",
 
+            "RabbitMQEnableSsl": false,
+
             "RabbitMQUsername": "guest", // only available for RabbitMQ
             "RabbitMQPassword": "guest", // only available for RabbitMQ
             "ConnectionRetryCount": 5, // only available for RabbitMQ

docker-compose/adminui.appsettings.override.json

@@ -12,6 +12,7 @@
             "Vendor": "RabbitMQ", // possible values: InMemory, RabbitMQ, GoogleCloud, Azure
             "ConnectionInfo": "rabbitmq",
 
+            "RabbitMQEnableSsl": false,
             "RabbitMQUsername": "guest", // only available for RabbitMQ
             "RabbitMQPassword": "guest", // only available for RabbitMQ
             "ConnectionRetryCount": 5, // only available for RabbitMQ

docker-compose/appsettings.override.json

@@ -14,6 +14,7 @@
             "Vendor": "RabbitMQ", // possible values: InMemory, RabbitMQ, GoogleCloud, Azure
             "ConnectionInfo": "rabbitmq",
 
+            "RabbitMQEnableSsl": false,
             "RabbitMQUsername": "guest", // only available for RabbitMQ
             "RabbitMQPassword": "guest", // only available for RabbitMQ
             "ConnectionRetryCount": 5, // only available for RabbitMQ

helm/templates/actualidentitydeletion/cronjob.yaml

@@ -56,6 +56,8 @@ spec:
                 {{- if .Values.global.useBuiltInEventbus }}
                 - name: infrastructure__eventBus__vendor
                   value: RabbitMQ
+                - name: infrastructure__eventBus__rabbitMqEnableSsl
+                  value: "false"
                 - name: infrastructure__eventBus__connectionInfo
                   value: "rabbitmq"
                 - name: infrastructure__eventBus__rabbitMQUsername

helm/templates/adminui/deployment.yaml

@@ -84,6 +84,8 @@ spec:
             {{- if .Values.global.useBuiltInEventbus }}
             - name: infrastructure__eventBus__vendor
               value: RabbitMQ
+            - name: infrastructure__eventBus__rabbitMqEnableSsl
+              value: "false"
             - name: infrastructure__eventBus__connectionInfo
               value: "rabbitmq"
             - name: infrastructure__eventBus__rabbitMQUsername

helm/templates/cancelstaledeletionprocesses/cronjob.yaml

@@ -56,6 +56,8 @@ spec:
                 {{- if .Values.global.useBuiltInEventbus }}
                 - name: infrastructure__eventBus__vendor
                   value: RabbitMQ
+                - name: infrastructure__eventBus__rabbitMqEnableSsl
+                  value: "false"
                 - name: infrastructure__eventBus__connectionInfo
                   value: "rabbitmq"
                 - name: infrastructure__eventBus__rabbitMQUsername

helm/templates/consumerapi/deployment.yaml

@@ -68,6 +68,8 @@ spec:
             {{- if .Values.global.useBuiltInEventbus }}
             - name: infrastructure__eventBus__vendor
               value: RabbitMQ
+            - name: infrastructure__eventBus__rabbitMqEnableSsl
+              value: "false"
             - name: infrastructure__eventBus__connectionInfo
               value: "rabbitmq"
             - name: infrastructure__eventBus__rabbitMQUsername

helm/templates/consumerapi/ingress.yaml

@@ -14,7 +14,7 @@ spec:
     - host: {{ .Values.consumerapi.ingress.hostnameOverride | default .Values.global.defaultHostname }}
       http:
         paths:
-          - path: "/*"
+          - path: "/"
             pathType: Prefix
             backend:
               service:

helm/templates/eventhandler/deployment.yaml

@@ -58,6 +58,8 @@ spec:
             {{- if .Values.global.useBuiltInEventbus }}
             - name: infrastructure__eventBus__vendor
               value: RabbitMQ
+            - name: infrastructure__eventBus__rabbitMqEnableSsl
+              value: "false"
             - name: infrastructure__eventBus__connectionInfo
               value: "rabbitmq"
             - name: infrastructure__eventBus__rabbitMQUsername

helm/templates/sendidentitydeletionreminders/cronjob.yaml

@@ -56,6 +56,8 @@ spec:
                 {{- if .Values.global.useBuiltInEventbus }}
                 - name: infrastructure__eventBus__vendor
                   value: RabbitMQ
+                - name: infrastructure__eventBus__rabbitMqEnableSsl
+                  value: "false"
                 - name: infrastructure__eventBus__connectionInfo
                   value: "rabbitmq"
                 - name: infrastructure__eventBus__rabbitMQUsername

helm/templates/sseserver/deployment.yaml

@@ -69,6 +69,8 @@ spec:
             {{- if .Values.global.useBuiltInEventbus }}
             - name: infrastructure__eventBus__vendor
               value: RabbitMQ
+            - name: infrastructure__eventBus__rabbitMqEnableSsl
+              value: "false"
             - name: infrastructure__eventBus__connectionInfo
               value: "rabbitmq"
             - name: infrastructure__eventBus__rabbitMQUsername

helm/values.yaml

@@ -579,10 +579,14 @@ global:
         connectionInfo: ""
         # subscriptionClientName - the name of the subscription that should be used to receive events
         subscriptionClientName: "consumerapi"
+        # enableSsl - only applicable if Vendor is "RabbitMQ"; whether to use SSL to connect to the RabbitMQ service
+        rabbitMqEnableSsl: true
+        # rabbitMQPort - only applicable if Vendor is "RabbitMQ"; the port under which the RabbitMQ service is reachable
+        rabbitMqPort: 5672
         # rabbitMQUsername - only applicable if Vendor is "RabbitMQ"; should be set via environment variable
-        rabbitMQUsername: ""
+        rabbitMqUsername: ""
         # rabbitMQPassword - only applicable if Vendor is "RabbitMQ"; should be set via environment variable
-        rabbitMQPassword: ""
+        rabbitMqPassword: ""
         # rabbitMqExchangeName - only applicable if Vendor is "RabbitMQ"; the name of the exchange that should be used
         rabbitMqExchangeName: ""
         # rabbitMqQueueName - only applicable if Vendor is "RabbitMQ"; the name of the queue the Consumer API should listen to