components-contrib
Does dapr support the AMQPS (Secure AMQP) protocol when using rabbitmq for pubsub?
When we specify the following in our dapr pubsub config our setup works:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: pubsub
  namespace: backend
spec:
  type: pubsub.rabbitmq
  version: v1
  metadata:
  - name: host
    value: "amqp://username:[email protected]:5672"
  - name: exchangeKind
    value: topic
  - name: durable
    value: true
  - name: deleteWhenUnused
    value: false
```
When we switch the config as follows it breaks:
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: pubsub
  namespace: backend
spec:
  type: pubsub.rabbitmq
  version: v1
  metadata:
  - name: host
    value: "amqps://username:[email protected]:5671"
  - name: exchangeKind
    value: topic
  - name: durable
    value: true
  - name: deleteWhenUnused
    value: false
```
Note all we've changed is the protocol from amqp to amqps and the port from 5672 to 5671.
We are using our own internal CA when securing rabbitmq so I don't know if there is some way to get the daprd sidecar to trust our internal CA's cert when connecting to rabbitmq?
Thanks, Brad
Moved to correct repository. Thanks for reporting this @bab5470, it's currently not supported it seems.
/assign
According to my findings, currently secure amqp is supported.
Based on the official rabbitmq documentation, you can set the parameters for TLS in the URI, e.g. amqps://localhost:5671?cacertfile=/path/to/ca_cert.pem&keyfile=/path/to/key.pem&certfile=/path/to/cert.pem.
We are currently using the dial method of the amqp library (ref: https://github.com/dapr/components-contrib/blob/bcea284c7b0c1a5a07294021a2bb6cc74909da35/bindings/rabbitmq/rabbitmq.go#L79), which supports the establishment of TLS connections.
I've done tests in my local development env and found nothing wrong.
@yaron2 @bab5470 Could you confirm it, not sure I fully understand the intent of this issue.
@yaron2 Hi, do you have time to confirm this? https://github.com/dapr/components-contrib/issues/2008#issuecomment-1232489072
Maybe #2129 relates to this
How would I load the ca.pem file (or the certs) in the sidecar so this works?
In Kubernetes you need to mount those certs as storage (PVC) or as a secret into the file system of the sidecar itself. The connection string referring to the certs as suggested above would then specify the path to the certs mounted into the sidecar container.
In standalone mode you can use the local file system absolute path.
I haven't verified this for RabbitMQ specifically but it should work.
https://github.com/dapr/components-contrib/issues/2246 this seems related
The comment by anoymouscoder and the comment by berndverst can support AMQPS for sure. But this way requires users to know rabbitmq and kubernetes well.
@anoymouscoder I think you should add cacertfile, certfile, keyfile to metadata, whose values are their PEM content, just as the kafka pubsub does. And then form them into a tlsConfig and use amqp.DialTLS("amqps://localhost:5671/", tlsConf) to connect to the server. This PR may help you know how to add these to metadata.
@Taction Got it, I will start working on this.
Docs issue: https://github.com/dapr/docs/issues/2953 - @SpikeWong is working on it