changes

Author: Avinash Dongre

modules/securing-amq-broker-on-openshift/pages/enabling-rbac-role-based-access-control.adoc

@@ -32,15 +32,15 @@ metadata:
 spec:
   # ... other broker configurations ...
   brokerProperties:
-    - 'securityRoles.group2.send=#' // <1>
-    - 'securityRoles.group1.consume=#' // <2>
-    - 'securityRoles.group1.createAddress=#'
-    - 'securityRoles.group1.createNonDurableQueue=#'
-    - 'securityRoles.group1.browse=#'
+    - 'securityRoles.#.group1.send=true' // <1>
+    - 'securityRoles.#.group2.consume=true' // <2>
+    - 'securityRoles.#.group2.createAddress=true'
+    - 'securityRoles.#.group2.createNonDurableQueue=true'
+    - 'securityRoles.#.group2.browse=true'
   # ...
 ----
-<1> The `group2` role is granted `send` permissions to all addresses (`#`).
-<2> The `group1` role is granted `consume`, `createAddress`, `createNonDurableQueue`, and `browse` permissions to all addresses (`#`).
+<1> The `group1` role is granted `send` permissions to all addresses (`#`).
+<2> The `group2` role is granted `consume`, `createAddress`, `createNonDurableQueue`, and `browse` permissions to all addresses (`#`).
 
 [NOTE]
 In a Java properties file (which `brokerProperties` effectively translates into), a colon (`:`) is a reserved character used to separate a key and a value. If you need to grant permissions to a Fully Qualified Queue Name (FQQN) that contains a colon, ensure it is properly escaped or handled according to the broker's configuration parsing rules.
@@ -89,13 +89,13 @@ metadata:
 spec:
   # ... existing configurations ...
   brokerProperties:
-    - 'securityRoles.order-producers.send=orders.queue' // <1>
-    - 'securityRoles.order-consumers.consume=orders.queue' // <2>
-    - 'securityRoles.system-admin.createAddress=#' // <3>
-    - 'securityRoles.system-admin.createNonDurableQueue=#'
-    - 'securityRoles.system-admin.send=#'
-    - 'securityRoles.system-admin.consume=#'
-    - 'securityRoles.system-admin.browse=#'
+    - 'securityRoles."orders\.queue".order-producers.send=true' // <1>
+    - 'securityRoles."orders\.queue".order-consumers.consume=true' // <2>
+    - 'securityRoles.#.system-admin.createAddress=true' // <3>
+    - 'securityRoles.#.system-admin.createNonDurableQueue=true'
+    - 'securityRoles.#.system-admin.send=true'
+    - 'securityRoles.#.system-admin.consume=true'
+    - 'securityRoles.#.system-admin.browse=true'
   # ...
 ----
 <1> The `order-producers` role is allowed to send messages only to `orders.queue`.
@@ -157,14 +157,19 @@ spec:
   deploymentPlan:
     size: 1 # Example size, adjust as needed
     image: placeholder # Ensure this matches your broker image version
-    resourceTemplates:
-      initContainers:
-        - name: remove-default-rbac-config
-          image: busybox:latest # Use a lightweight image like busybox for init containers
-          command: ["sh", "-c", "rm -f /amq/init/config/amq-broker/etc/management.xml"]
-          volumeMounts:
-            - name: my-broker-instance-instance-volume # <1>
-              mountPath: /amq/init/config/amq-broker/etc/
+  resourceTemplates:
+    - patch:
+        kind: StatefulSet
+        spec:
+          template:
+            spec:
+              initContainers:
+                - args:
+                    - '-c'
+                    - '/opt/amq/bin/launch.sh && /opt/amq-broker/script/default.sh; echo "Empty management.xml";echo "<management-context xmlns=\"http://activemq.apache.org/schema\" />" > /amq/init/config/amq-broker/etc/management.xml'
+                  name: my-broker-instance-container-init
+      selector:
+        kind: StatefulSet      
   # ...
 ----
 <1> Replace `my-broker-instance-instance-volume` with the actual volume name used by your broker deployment. This name typically follows the pattern `<BROKER_NAME>-instance-volume`. You can verify the exact volume name by inspecting an existing broker pod's YAML (`oc get pod <broker_pod_name> -o yaml`) and looking under `spec.volumes`.
@@ -210,24 +215,25 @@ spec:
   - name: JAVA_ARGS_APPEND
     value: "-Dhawtio.roles=* -Djavax.management.builder.initial=org.apache.activemq.artemis.core.server.management.ArtemisRbacMBeanServerBuilder"
   resourceTemplates:
-  - selector:
-      kind: "StatefulSet"
-    patch:
-      kind: "StatefulSet"
-      spec:
-      template:
-       spec:
-        initContainers:
-        - name: "<BROKER_NAME>-container-init"
-          args:
-          -  '-c'
-          -  '/opt/amq/bin/launch.sh && /opt/amq-broker/script/default.sh; echo "Empty management.xml";echo "<management-context xmlns=\"http://activemq.apache.org/schema\" />" > /amq/init/config/amq-broker/etc/management.xml'
+    - patch:
+        kind: StatefulSet
+        spec:
+          template:
+            spec:
+              initContainers:
+                - args:
+                    - '-c'
+                    - '/opt/amq/bin/launch.sh && /opt/amq-broker/script/default.sh; echo "Empty management.xml";echo "<management-context xmlns=\"http://activemq.apache.org/schema\" />" > /amq/init/config/amq-broker/etc/management.xml'
+                  name: my-broker-instance-container-init
+      selector:
+        kind: StatefulSet
 
   # ... existing configurations ...
   brokerProperties:
     # ... existing messaging RBAC if any ...
-    - securityRoles."mops.address.activemq.management.*".manager.view=true
-    - securityRoles."mops.address.activemq.management.*".manager.edit=true
+   - securityRoles."mops.#".amq.view=true
+   - securityRoles."mops.#".amq.edit=true  
+   - securityRoles."mops.#".admin.manage=true  
   deploymentPlan:
     size: 1
     image: placeholder
@@ -265,17 +271,13 @@ kind: ActiveMQArtemis
 metadata:
   name: my-broker-instance
 spec:
-  # ... other broker configurations ...
-  extraMounts:
-    - name: custom-jaas-config // <1>
-      mountPath: /home/amq/broker/etc/custom-jaas-config/ // <2>
-  secrets:
-    - custom-jaas-config // <3>
+  deploymentPlan:
+   extraMounts:
+     secrets:
+        - simple-jaas-config <1>
   # ...
 ----
-<1> `name`: A unique name for the mount, referencing the secret.
-<2> `mountPath`: The path inside the broker container where the secret's contents will be available.
-<3> `secrets`: A list of OpenShift Secrets to be mounted, by name. This Secret (`custom-jaas-config`) would contain your `login.config` file.
+<1> `secrets`: A list of OpenShift Secrets to be mounted, by name. This Secret (`custom-jaas-config`) would contain your `login.config` file.
 
 In this configuration:
 

modules/securing-amq-broker-on-openshift/pages/enabling-secure-listeners.adoc

@@ -138,49 +138,29 @@ spec:
   deploymentPlan:
     size: 1
     image: placeholder
-    journalStorage:
-      size: 2Gi
-    brokerProperties:
-      - "security.enabled=true" # Ensure security is enabled if you plan to configure users later
+    requireLogin: true
   acceptors:
     - name: amqp-secure
       port: 5671
-      protocols: [AMQP]
+      protocols: AMQP
       sslEnabled: true
       sslSecret: amq-broker-tls-secret # Name of the Secret created in Step 2
-      # The keyStorePath refers to the file name *inside* the secret
-      keyStorePath: broker.ks
-      # The keyStorePassword refers to the literal key name *inside* the secret
-      keyStorePassword: keyStorePassword
-      enabledProtocols: [TLSv1.2, TLSv1.3]
-      # Uncomment and configure if you need mutual TLS
-      # trustStorePath: client.ts
-      # trustStorePassword: trustStorePassword
+      enabledProtocols: TLSv1.2,TLSv1.3
     - name: core-secure
       port: 61617
-      protocols: [CORE]
+      protocols: CORE
       sslEnabled: true
       sslSecret: amq-broker-tls-secret
-      keyStorePath: broker.ks
-      keyStorePassword: keyStorePassword
-      enabledProtocols: [TLSv1.2, TLSv1.3]
+      enabledProtocols: TLSv1.2,TLSv1.3
   # Expose the secure AMQP port via an OpenShift Route
   console:
     expose: true
-  addressSettings:
-    - name: "#"
-      redeliveryDelay: 1000
-      maxDeliveryAttempts: 3
-  # Example for external exposure - use a Route for secure external access
-  # routes:
-  #   - name: amqp-secure-external
-  #     host: amqp-broker-secure.apps.<cluster-hostname>
-  #     servicePort: 5671
-  #     termination: passthrough # Important for TLS termination at the broker
+  brokerProperties:
+  - addressSettings."#".redeliveryDelay=1000
+  - addressSettings."#".maxDeliveryAttempts=3
 ----
 *   We've defined two acceptors (`amqp-secure` and `core-secure`) with `sslEnabled: true`.
 *   `sslSecret` points to `amq-broker-tls-secret`, the secret we created.
-*   `keyStorePath` and `keyStorePassword` reference the file and literal key within that secret.
 *   `enabledProtocols` explicitly sets `TLSv1.2` and `TLSv1.3` for stronger security.
 
 .Apply the Custom Resource to deploy the broker:
@@ -207,7 +187,8 @@ Once the broker pod is running, check its logs to confirm that the secure listen
 oc logs $(oc get pod -l activemq-artemis-name=amq-broker-secure-example -o jsonpath='{.items[0].metadata.name}') -n $(oc project -q) | grep "acceptor"
 ----
 You should see log entries indicating that the secure acceptors are starting up on the specified ports (e.g., 5671 and 61617) with SSL enabled. Look for messages similar to:
-`INFO  [org.apache.activemq.artemis.core.server] AMQ221007: Server will be started. AMQP Acceptor 'amqp-secure' is listening on nio://0.0.0.0:5671 for protocols [AMQP] with SSL.`
+`INFO  [org.apache.activemq.artemis.core.server] AMQ221020: Started EPOLL Acceptor at amq-broker-secure-example-ss-0.amq-broker-secure-example-hdls-svc.broker.svc.cluster.local:5671 for protocols [AMQP]
+`
 
 === Step 5: Test Client Connectivity (Overview)