Drop rabbitmq-cluster-operator dependency and manage RabbitMQ directly

Remove the dependency on the external rabbitmq-cluster-operator and have
the infra-operator manage RabbitMQ StatefulSets, Services, ConfigMaps,
and Secrets directly.

Core controller changes:
- Direct StatefulSet management with volume mounts, config generation,
  and TLS support (client and inter-node)
- Service creation for client (AMQP/AMQPS) and headless node discovery
- ConfigMap generation for server config, plugins, and config-data
- Secret management for default-user credentials and Erlang cookie
- PodDisruptionBudget for multi-replica deployments
- Fix stale ownerReferences in volumeClaimTemplates from adopted
  StatefulSets (orphan-delete + recreate with annotation-based storage
  class preservation)
- Label pods with skipPreStopChecks before StatefulSet deletion so the
  Downward API volume is populated when cascade deletion triggers the
  PreStop hook, preventing 7-day termination hangs
- Set ObservedGeneration at end of reconciliation so consumers only see
  it after the spec has been fully processed
- Add nil-safe DefaultUser checks in checkClusterReadiness and all
  reconcile-delete paths to prevent nil dereference during startup
- Handle error from helper.NewHelper in sub-resource controllers

Version upgrade workflow (3.x to 4.x):
- State machine with phases: None -> DeletingResources -> WaitingForCluster -> None
- Detect targetVersion changes and trigger storage wipe when crossing
  major versions (required by RabbitMQ for 3.x -> 4.x upgrades)
- Set wipeReason=VersionUpgrade in status to track upgrade progress
- Delete StatefulSet to stop all pods atomically, then recreate with
  a wipe-data init container that clears /var/lib/rabbitmq on the
  existing PVs (marker files prevent re-wipes across pod restarts)
- Track currentVersion in status after successful upgrade
- Reject version downgrades in validation webhook
- Reject scale-down in validation webhook (both RabbitMq and SpecCore)

Queue type migration (Mirrored to Quorum):
- Support migrating from classic mirrored (ha-all policy) queues to
  quorum queues via spec.queueType change
- Trigger storage wipe with wipeReason=QueueTypeMigration
- Manage ha-all policy lifecycle: apply for Mirrored (replicas > 1),
  remove when transitioning away from Mirrored
- Force queueType from Mirrored to Quorum in defaulting webhook when
  targetVersion is 4.x+, since mirrored queues are not supported in
  RabbitMQ 4.x. This enables the openstack-operator to upgrade from
  3.x (Mirrored) to 4.x and have the migration handled automatically
- Reject Mirrored+4.x in validation webhook as a safety net after
  defaulting

AMQP proxy sidecar:
- Python-based TCP proxy injected as a sidecar container when
  status.proxyRequired is true (after version upgrade or queue migration)
- Rewrite AMQP queue.declare frames to force durable=True and
  x-queue-type=quorum, and exchange.declare frames to force durable=True
- Listen on port 5672 (plain) or 5671 (TLS) depending on TLS config
- Forward connections to RabbitMQ backend on port 5673
- Remove via clients-reconfigured annotation once consumers reconnect
- RabbitMQProxyActive condition provides visibility into proxy state
  with actionable message explaining how to clear it
- Include liveness/readiness probes and TLS certificate mounting

Migration from rabbitmq-cluster-operator:
- Detect migration by checking for an existing RabbitmqCluster CR with
  the same name; if none is found (or the CRD is not installed), the
  controller skips all migration logic and sets OldCRCleaned=True,
  allowing both operators to run side-by-side managing their own
  independent resources without conflict
- Reparent existing StatefulSets, Services, and Secrets from old
  RabbitmqCluster owner to new RabbitMq CR
- Strip old ownerReferences from PVCs before deleting old CR to prevent
  cascade garbage collection
- Clean up old RabbitmqCluster CR after successful adoption
- Fix stale volumeClaimTemplate ownerReferences that cause new PVCs
  to be garbage-collected when scaling up adopted StatefulSets
- Migrate deprecated fields (persistence, rabbitmq, override.service)
  to new fields in webhook; remove CRD-level default from storage to
  avoid double-defaulting during migration

Transport URL:
- URL-encode username and password in transport URL to handle special
  characters in user-provided credentials

Testing:
- Functional tests (envtest): RabbitMQ controller reconciliation,
  RabbitMQPolicy lifecycle, TransportURL (plain, TLS, custom user/vhost,
  credential rotation), VCT fix, combined version+queue migration,
  proxy sidecar, operator coexistence (OldCRCleaned set when no old CR
  exists, unrelated RabbitmqCluster CRs not touched), webhook migration
  (persistence, config, override.service field migration with defaults)
- Transport URL secret unit tests for password URL-encoding with special
  characters
- Kuttl integration tests: basic cluster deployment, cluster resource
  ownership, credential rotation with cleanup-blocked finalizer,
  deletion with dependent resources, plugin enable/disable, policy
  enforcement via rabbitmqctl, queue migration (Mirrored to Quorum)
  with AMQP proxy rewrite verification (classic non-durable -> quorum
  durable), resource management (vhost/user/policy), scale-up with PDB,
  TLS configuration, TLS TransportURL, custom TransportURL, migration
  from old operator, version upgrades (3.9->4.2 with/without TLS,
  Mirrored upgrade), operator coexistence (both operators managing
  independent clusters without interference)
- Kuttl tests use quay.io/openstack-k8s-operators/rabbitmq:3.9 for 3.x
  and quay.io/podified-antelope-centos9/openstack-rabbitmq:current-podified
  for 4.x

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: lmiccini

.gitignore

@@ -45,3 +45,7 @@ go.work.sum
 .coverage
 __pycache__/
 *.pyc
+
+# claude and AI tools
+.claude
+CLAUDE.md

Makefile

@@ -121,11 +121,18 @@ tidy: ## Run go mod tidy on every mod file in the repo
 PROCS?=$(shell expr $(shell nproc --ignore 2) / 2)
 PROC_CMD = --procs ${PROCS}
 
+# Skip instanceha tests if --focus or --skip is used (focused test run)
+ifeq (,$(findstring --focus,$(GINKGO_ARGS))$(findstring --skip,$(GINKGO_ARGS)))
+INSTANCEHA_DEP = test-instanceha
+else
+INSTANCEHA_DEP =
+endif
+
 .PHONY: test
-test: manifests generate gowork fmt vet envtest ginkgo test-instanceha ## Run tests.
+test: manifests generate gowork fmt vet envtest ginkgo $(INSTANCEHA_DEP) ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) -v debug --bin-dir $(LOCALBIN) use $(ENVTEST_K8S_VERSION) -p path)" \
 	OPERATOR_TEMPLATES="$(PWD)/templates" \
-	$(GINKGO) --trace --cover --coverpkg=./pkg/...,./internal/...,./apis/network/v1beta1/...,./apis/rabbitmq/v1beta1/... --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) ./test/... ./apis/network/... ./apis/rabbitmq/... ./internal/webhook/...
+	$(GINKGO) --trace --cover --coverpkg=./pkg/...,./internal/...,./apis/network/v1beta1/...,./apis/rabbitmq/v1beta1/... --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) ./test/... ./apis/network/... ./apis/rabbitmq/... ./internal/webhook/... ./internal/controller/...
 
 .PHONY: test-instanceha
 test-instanceha: ## Run instanceha tests.

apis/bases/rabbitmq.openstack.org_rabbitmqs.yaml

@@ -6,7 +6,6 @@ require (
 	github.com/go-logr/logr v1.4.3
 	github.com/onsi/gomega v1.39.1
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260331122750-ecff41ebb61d
-	github.com/rabbitmq/cluster-operator/v2 v2.16.0
 	k8s.io/api v0.31.14
 	k8s.io/apiextensions-apiserver v0.33.2
 	k8s.io/apimachinery v0.31.14
@@ -19,6 +18,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
@@ -90,9 +90,6 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.14 //allow-merging
 
 replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging
 
-// custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.16.0_patches)
-replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec //allow-merging
-
 replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging

apis/go.mod

@@ -1,4 +1,3 @@
-github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -86,8 +85,6 @@ github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyU
 github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260331122750-ecff41ebb61d h1:qbH09BzypLy1+N133JVgfkRmDZaQKpDLwi/InqqOzGM=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260331122750-ecff41ebb61d/go.mod h1:XUUV+h1nZC4kra5oF+cXPkviWYJ3ELhccHxnVO7CvQQ=
-github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc=
-github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec/go.mod h1:Nh2NEePLjovUQof2krTAg4JaAoLacqtPTZQXK6izNfg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

apis/go.sum

@@ -19,6 +19,14 @@ import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 )
 
+// RabbitMQ Condition Types used by API objects.
+const (
+	// RabbitMQProxyActiveCondition indicates that the AMQP proxy sidecar is running.
+	// Status=True means the proxy is active and must be cleared by setting the
+	// clients-reconfigured annotation. Status=False means no proxy is running.
+	RabbitMQProxyActiveCondition condition.Type = "RabbitMQProxyActive"
+)
+
 // TransportURL Condition Types used by API objects.
 const (
 	// TransportURLReadyCondition Status=True condition which indicates if TransportURL is configured and operational
@@ -39,6 +47,17 @@ const ()
 
 // Common Messages used by API objects.
 const (
+	//
+	// RabbitMQProxyActive condition messages
+	//
+
+	// RabbitMQProxyActiveMessage is the message when the proxy is active
+	RabbitMQProxyActiveMessage = "AMQP proxy sidecar is active for queue migration. " +
+		"To remove it, set annotation '%s: \"true\"' on the RabbitMq CR after all clients have been reconfigured for quorum queues"
+
+	// RabbitMQProxyInactiveMessage is the message when the proxy is not active
+	RabbitMQProxyInactiveMessage = "AMQP proxy sidecar is not active"
+
 	//
 	// TransportURLReady condition messages
 	//

apis/rabbitmq/v1beta1/conditions.go

@@ -0,0 +1,193 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// DEPRECATED TYPES
+// These types are local mirrors of the old rabbitmq-cluster-operator types,
+// kept only for backward compatibility with existing CRs during migration.
+// They will be removed in a future release once all CRs have been migrated
+// to use the new explicit fields in RabbitMqSpecCore.
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// DeprecatedEmbeddedLabelsAnnotations is an embedded subset of the fields included in
+// k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta. Only labels and annotations are included.
+type DeprecatedEmbeddedLabelsAnnotations struct {
+	// Map of string keys and values that can be used to organize and categorize (scope and select) objects.
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations is an unstructured key value map stored with a resource.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// DeprecatedStatefulSetOverride mirrors the old rabbitmq-cluster-operator StatefulSet type.
+// Used for webhook validation of the override.statefulSet JSON field.
+type DeprecatedStatefulSetOverride struct {
+	// +optional
+	*DeprecatedEmbeddedLabelsAnnotations `json:"metadata,omitempty"`
+	// +optional
+	Spec *DeprecatedStatefulSetSpec `json:"spec,omitempty"`
+}
+
+// DeprecatedStatefulSetSpec mirrors a subset of the old rabbitmq-cluster-operator StatefulSetSpec type.
+type DeprecatedStatefulSetSpec struct {
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty"`
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty"`
+	// +optional
+	Template *DeprecatedPodTemplateSpec `json:"template,omitempty"`
+	// +optional
+	VolumeClaimTemplates []corev1.PersistentVolumeClaim `json:"volumeClaimTemplates,omitempty"`
+	// +optional
+	ServiceName string `json:"serviceName,omitempty"`
+	// +optional
+	PodManagementPolicy appsv1.PodManagementPolicyType `json:"podManagementPolicy,omitempty"`
+	// +optional
+	UpdateStrategy *appsv1.StatefulSetUpdateStrategy `json:"updateStrategy,omitempty"`
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty"`
+	// +optional
+	PersistentVolumeClaimRetentionPolicy *appsv1.StatefulSetPersistentVolumeClaimRetentionPolicy `json:"persistentVolumeClaimRetentionPolicy,omitempty"`
+}
+
+// DeprecatedPodTemplateSpec mirrors the old rabbitmq-cluster-operator PodTemplateSpec type.
+type DeprecatedPodTemplateSpec struct {
+	// +optional
+	*DeprecatedEmbeddedObjectMeta `json:"metadata,omitempty"`
+	// +optional
+	Spec *corev1.PodSpec `json:"spec,omitempty"`
+}
+
+// DeprecatedEmbeddedObjectMeta mirrors the old rabbitmq-cluster-operator EmbeddedObjectMeta type.
+type DeprecatedEmbeddedObjectMeta struct {
+	// +optional
+	Name string `json:"name,omitempty"`
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+}
+
+// DeprecatedPersistenceSpec mirrors the old rabbitmq-cluster-operator RabbitmqClusterPersistenceSpec type.
+type DeprecatedPersistenceSpec struct {
+	// The name of the StorageClass to claim a PersistentVolume from.
+	StorageClassName *string `json:"storageClassName,omitempty"`
+	// The requested size of the persistent volume attached to each Pod in the RabbitmqCluster.
+	// The format of this field matches that defined by kubernetes/apimachinery.
+	// See https://pkg.go.dev/k8s.io/apimachinery/pkg/api/resource#Quantity for more info on the format of this field.
+	// +kubebuilder:default:="10Gi"
+	Storage *resource.Quantity `json:"storage,omitempty"`
+}
+
+// DeprecatedRabbitmqConfigSpec mirrors the old rabbitmq-cluster-operator RabbitmqClusterConfigurationSpec type.
+type DeprecatedRabbitmqConfigSpec struct {
+	// List of plugins to enable in addition to essential plugins: rabbitmq_management,
+	// rabbitmq_prometheus, and rabbitmq_peer_discovery_k8s.
+	// +optional
+	// +kubebuilder:validation:MaxItems=100
+	AdditionalPlugins []string `json:"additionalPlugins,omitempty"`
+	// Modify to add to the rabbitmq.conf file in addition to default configurations set by the operator.
+	// Modifying this property on an existing RabbitmqCluster will trigger a StatefulSet rolling restart
+	// and will cause rabbitmq downtime.
+	// For more information on this config, see https://www.rabbitmq.com/configure.html#config-file
+	// +optional
+	// +kubebuilder:validation:MaxLength=100000
+	AdditionalConfig string `json:"additionalConfig,omitempty"`
+	// Specify any rabbitmq advanced.config configurations to apply to the cluster.
+	// For more information on advanced config, see https://www.rabbitmq.com/configure.html#advanced-config-file
+	// +optional
+	// +kubebuilder:validation:MaxLength=100000
+	AdvancedConfig string `json:"advancedConfig,omitempty"`
+	// Modify to add to the rabbitmq-env.conf file. Modifying this property on an existing
+	// RabbitmqCluster will trigger a StatefulSet rolling restart and will cause rabbitmq downtime.
+	// For more information on env config, see https://www.rabbitmq.com/man/rabbitmq-env.conf.5.html
+	// +optional
+	// +kubebuilder:validation:MaxLength=100000
+	EnvConfig string `json:"envConfig,omitempty"`
+	// Erlang Inet configuration to apply to the Erlang VM running rabbit.
+	// See also: https://www.erlang.org/doc/apps/erts/inet_cfg.html
+	// +optional
+	// +kubebuilder:validation:MaxLength=2000
+	ErlangInetConfig string `json:"erlangInetConfig,omitempty"`
+}
+
+// DeprecatedSecretBackendSpec mirrors the old rabbitmq-cluster-operator SecretBackend type.
+type DeprecatedSecretBackendSpec struct {
+	// +optional
+	ExternalSecret *corev1.LocalObjectReference `json:"externalSecret,omitempty"`
+	// +optional
+	Vault *DeprecatedVaultSpec `json:"vault,omitempty"`
+}
+
+// DeprecatedVaultSpec mirrors the old rabbitmq-cluster-operator VaultSpec type.
+// VaultSpec will add Vault annotations (see https://www.vaultproject.io/docs/platform/k8s/injector/annotations)
+// to RabbitMQ Pods. It requires a Vault Agent Sidecar Injector
+// (https://www.vaultproject.io/docs/platform/k8s/injector) to be installed in the K8s cluster.
+type DeprecatedVaultSpec struct {
+	// Role in Vault.
+	// If vault.defaultUserPath is set, this role must have capability to read the pre-created default user
+	// credential in Vault.
+	// If vault.tls is set, this role must have capability to create and update certificates in the Vault PKI
+	// engine for the domains "<namespace>" and "<namespace>.svc".
+	// +optional
+	Role string `json:"role,omitempty"`
+	// Vault annotations that override the Vault annotations set by the cluster-operator.
+	// For a list of valid Vault annotations, see
+	// https://www.vaultproject.io/docs/platform/k8s/injector/annotations
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// Path in Vault to access a KV (Key-Value) secret with the fields username and password
+	// for the default user. For example "secret/data/rabbitmq/config".
+	// +optional
+	DefaultUserPath string `json:"defaultUserPath,omitempty"`
+	// Sidecar container that updates the default user's password in RabbitMQ when it changes in Vault.
+	// Additionally, it updates /var/lib/rabbitmq/.rabbitmqadmin.conf (used by rabbitmqadmin CLI).
+	// Set to empty string to disable the sidecar container.
+	// +optional
+	DefaultUserUpdaterImage string `json:"defaultUserUpdaterImage,omitempty"`
+	// +optional
+	TLS *DeprecatedVaultTLSSpec `json:"tls,omitempty"`
+}
+
+// DeprecatedVaultTLSSpec mirrors the old rabbitmq-cluster-operator VaultSpec TLS fields.
+type DeprecatedVaultTLSSpec struct {
+	// Path in Vault PKI engine. For example "pki/issue/hashicorp-com". Required.
+	// +optional
+	PkiIssuerPath string `json:"pkiIssuerPath,omitempty"`
+	// Specifies an optional path to retrieve the root CA from vault.
+	// Useful if certificates are issued by an intermediate CA.
+	// +optional
+	PkiRootPath string `json:"pkiRootPath,omitempty"`
+	// Specifies the requested Subject Alternative Names (SANs), in a comma-delimited list.
+	// These will be appended to the SANs added by the cluster-operator.
+	// +optional
+	AltNames string `json:"altNames,omitempty"`
+	// Specifies the requested certificate Common Name (CN).
+	// Defaults to <serviceName>.<namespace>.svc if not provided.
+	// +optional
+	CommonName string `json:"commonName,omitempty"`
+	// Specifies the requested IP Subject Alternative Names, in a comma-delimited list.
+	// +optional
+	IpSans string `json:"ipSans,omitempty"`
+}