test fix ports

Author: lmiccini

internal/controller/rabbitmq/proxy.go

@@ -109,6 +109,37 @@ func (r *Reconciler) addProxySidecar(
 	// Add proxy sidecar container
 	podSpec.Containers = append(podSpec.Containers, r.buildProxySidecarContainer(instance))
 
+	// Update RabbitMQ container's readiness probe and ports to match backend configuration
+	// The RabbitMQ cluster operator sets a probe on port 5671 and exposes ports by default,
+	// but with the proxy enabled, RabbitMQ only listens on localhost:5673
+	for i, container := range podSpec.Containers {
+		if container.Name == "rabbitmq" {
+			// Override the readiness probe to check the backend port
+			podSpec.Containers[i].ReadinessProbe = &corev1.Probe{
+				ProbeHandler: corev1.ProbeHandler{
+					TCPSocket: &corev1.TCPSocketAction{
+						Host: "127.0.0.1",
+						Port: intstr.FromInt32(int32(rabbitmqBackendPort)),
+					},
+				},
+				InitialDelaySeconds: 10,
+				TimeoutSeconds:      5,
+				PeriodSeconds:       10,
+				SuccessThreshold:    1,
+				FailureThreshold:    3,
+			}
+
+			// Note: We don't override container ports here because:
+			// 1. Ports are just metadata declarations, not actual network configuration
+			// 2. What RabbitMQ actually listens on is controlled by our listener config
+			// 3. Overriding ports can cause conflicts with cluster operator defaults
+
+			Log.Info("Updated RabbitMQ container readiness probe for proxy mode",
+				"readinessProbePort", rabbitmqBackendPort)
+			break
+		}
+	}
+
 	// Add volume for proxy script
 	if podSpec.Volumes == nil {
 		podSpec.Volumes = []corev1.Volume{}
@@ -137,6 +168,10 @@ func (r *Reconciler) addProxySidecar(
 		})
 	}
 
+	// Note: rabbitmq-tls volume is automatically added by the cluster operator when
+	// cluster.Spec.TLS.SecretName is set (which we keep for inter-node TLS).
+	// The proxy container will mount this volume via buildProxySidecarContainer().
+
 	// Add rabbitmq-tls-ca volume if CA is in a separate secret
 	if instance.Spec.TLS.CaSecretName != "" && instance.Spec.TLS.CaSecretName != instance.Spec.TLS.SecretName {
 		caVolumeExists := false
@@ -317,10 +352,23 @@ func (r *Reconciler) removeProxySidecar(cluster *rabbitmqv2.RabbitmqCluster) {
 	}
 	podSpec.Containers = newContainers
 
-	// Remove proxy-script volume
+	// Restore RabbitMQ container's readiness probe to default
+	// When proxy is removed, RabbitMQ listens on standard ports again
+	// Setting probe to nil allows the cluster operator to restore its default
+	if removed {
+		for i, container := range podSpec.Containers {
+			if container.Name == "rabbitmq" {
+				podSpec.Containers[i].ReadinessProbe = nil
+				Log.Info("Restored RabbitMQ container readiness probe to default")
+				break
+			}
+		}
+	}
+
+	// Remove proxy-script and rabbitmq-tls-ca volumes
 	newVolumes := []corev1.Volume{}
 	for _, vol := range podSpec.Volumes {
-		if vol.Name != "proxy-script" {
+		if vol.Name != "proxy-script" && vol.Name != "rabbitmq-tls-ca" {
 			newVolumes = append(newVolumes, vol)
 		}
 	}
@@ -404,15 +452,18 @@ func (r *Reconciler) configureRabbitMQBackendPort(
 		tlsStatus = "with TLS"
 	}
 
-	// Configure RabbitMQ to listen on localhost:5673 without TLS
+	// Configure RabbitMQ to listen on localhost:5673 without TLS for AMQP
 	// The proxy will handle TLS termination (if enabled) on 0.0.0.0:5671 or 0.0.0.0:5672
+	// Override the default listeners set by the cluster operator
 	additionalConfig := fmt.Sprintf(`
 # Proxy sidecar configuration
-# RabbitMQ listens on localhost:%d without TLS (proxy handles encryption)
+# RabbitMQ listens on localhost:%d without TLS for AMQP (proxy handles client encryption)
 # External clients connect to proxy on port %d %s
-# Disable all default listeners to prevent bypassing the proxy and port conflicts
-listeners.tcp = none
-listeners.ssl = none
+# Override default AMQP listeners set by cluster operator
+# Management and Prometheus SSL listeners remain active
+listeners.ssl.default = none
+listeners.tcp.default = none
+# Configure AMQP to listen on localhost only (proxy forwards to this)
 listeners.tcp.1 = 127.0.0.1:%d
 `, rabbitmqBackendPort, listenPort, tlsStatus, rabbitmqBackendPort)
 

internal/controller/rabbitmq/rabbitmq_controller.go

@@ -535,6 +535,15 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 		return ctrl.Result{}, fmt.Errorf("error creating RabbitmqCluster Spec: %w", err)
 	}
 
+	// IMPORTANT: If proxy will be enabled, configure TLS for inter-node only
+	// We keep TLS enabled for secure inter-node communication, but disable client-facing
+	// SSL listeners. The proxy will handle client TLS termination instead.
+	// Set DisableNonTLSListeners=false so the operator doesn't force SSL listeners.
+	if r.shouldEnableProxy(instance) {
+		rabbitmqCluster.Spec.TLS.DisableNonTLSListeners = false
+		Log.Info("Proxy will be enabled - configured TLS for inter-node only (proxy will handle client TLS)")
+	}
+
 	instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)
 
 	//