test fix ports

Author: lmiccini

internal/controller/rabbitmq/proxy.go

@@ -109,6 +109,37 @@ func (r *Reconciler) addProxySidecar(
 	// Add proxy sidecar container
 	podSpec.Containers = append(podSpec.Containers, r.buildProxySidecarContainer(instance))
 
+	// Update RabbitMQ container's readiness probe and ports to match backend configuration
+	// The RabbitMQ cluster operator sets a probe on port 5671 and exposes ports by default,
+	// but with the proxy enabled, RabbitMQ only listens on localhost:5673
+	for i, container := range podSpec.Containers {
+		if container.Name == "rabbitmq" {
+			// Override the readiness probe to check the backend port
+			podSpec.Containers[i].ReadinessProbe = &corev1.Probe{
+				ProbeHandler: corev1.ProbeHandler{
+					TCPSocket: &corev1.TCPSocketAction{
+						Host: "127.0.0.1",
+						Port: intstr.FromInt32(int32(rabbitmqBackendPort)),
+					},
+				},
+				InitialDelaySeconds: 10,
+				TimeoutSeconds:      5,
+				PeriodSeconds:       10,
+				SuccessThreshold:    1,
+				FailureThreshold:    3,
+			}
+
+			// Note: We don't override container ports here because:
+			// 1. Ports are just metadata declarations, not actual network configuration
+			// 2. What RabbitMQ actually listens on is controlled by our listener config
+			// 3. Overriding ports can cause conflicts with cluster operator defaults
+
+			Log.Info("Updated RabbitMQ container readiness probe for proxy mode",
+				"readinessProbePort", rabbitmqBackendPort)
+			break
+		}
+	}
+
 	// Add volume for proxy script
 	if podSpec.Volumes == nil {
 		podSpec.Volumes = []corev1.Volume{}
@@ -137,6 +168,55 @@ func (r *Reconciler) addProxySidecar(
 		})
 	}
 
+	// Add rabbitmq-tls volume for TLS certificates (used by both RabbitMQ inter-node and proxy)
+	// When proxy is enabled, we clear cluster.Spec.TLS to prevent RabbitMQ from configuring
+	// SSL listeners, but we still need the TLS volumes mounted for:
+	// 1. RabbitMQ inter-node encryption
+	// 2. Proxy TLS termination
+	if instance.Spec.TLS.SecretName != "" {
+		// Check if rabbitmq-tls volume already exists
+		tlsVolumeExists := false
+		for _, vol := range podSpec.Volumes {
+			if vol.Name == "rabbitmq-tls" {
+				tlsVolumeExists = true
+				break
+			}
+		}
+
+		if !tlsVolumeExists {
+			podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
+				Name: "rabbitmq-tls",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName:  instance.Spec.TLS.SecretName,
+						DefaultMode: ptr.To[int32](0400), // Read-only
+					},
+				},
+			})
+		}
+
+		// Ensure RabbitMQ container has the TLS volume mounted (for inter-node TLS)
+		for i, container := range podSpec.Containers {
+			if container.Name == "rabbitmq" {
+				hasTLSMount := false
+				for _, mount := range container.VolumeMounts {
+					if mount.Name == "rabbitmq-tls" {
+						hasTLSMount = true
+						break
+					}
+				}
+				if !hasTLSMount {
+					podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, corev1.VolumeMount{
+						Name:      "rabbitmq-tls",
+						MountPath: "/etc/rabbitmq-tls",
+						ReadOnly:  true,
+					})
+				}
+				break
+			}
+		}
+	}
+
 	// Add rabbitmq-tls-ca volume if CA is in a separate secret
 	if instance.Spec.TLS.CaSecretName != "" && instance.Spec.TLS.CaSecretName != instance.Spec.TLS.SecretName {
 		caVolumeExists := false
@@ -317,10 +397,23 @@ func (r *Reconciler) removeProxySidecar(cluster *rabbitmqv2.RabbitmqCluster) {
 	}
 	podSpec.Containers = newContainers
 
-	// Remove proxy-script volume
+	// Restore RabbitMQ container's readiness probe to default
+	// When proxy is removed, RabbitMQ listens on standard ports again
+	// Setting probe to nil allows the cluster operator to restore its default
+	if removed {
+		for i, container := range podSpec.Containers {
+			if container.Name == "rabbitmq" {
+				podSpec.Containers[i].ReadinessProbe = nil
+				Log.Info("Restored RabbitMQ container readiness probe to default")
+				break
+			}
+		}
+	}
+
+	// Remove proxy-script and rabbitmq-tls-ca volumes
 	newVolumes := []corev1.Volume{}
 	for _, vol := range podSpec.Volumes {
-		if vol.Name != "proxy-script" {
+		if vol.Name != "proxy-script" && vol.Name != "rabbitmq-tls-ca" {
 			newVolumes = append(newVolumes, vol)
 		}
 	}

internal/controller/rabbitmq/rabbitmq_controller.go

@@ -535,6 +535,17 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 		return ctrl.Result{}, fmt.Errorf("error creating RabbitmqCluster Spec: %w", err)
 	}
 
+	// IMPORTANT: If proxy will be enabled, clear TLS from cluster spec NOW
+	// before any configuration is generated. The proxy will handle TLS termination.
+	// This must happen immediately after MarshalInto to prevent the cluster operator
+	// from generating conflicting SSL listener configuration.
+	if r.shouldEnableProxy(instance) {
+		rabbitmqCluster.Spec.TLS.SecretName = ""
+		rabbitmqCluster.Spec.TLS.CaSecretName = ""
+		rabbitmqCluster.Spec.TLS.DisableNonTLSListeners = false
+		Log.Info("Proxy will be enabled - cleared TLS from RabbitMQ cluster spec (proxy will handle TLS)")
+	}
+
 	instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)
 
 	//