fix(infra): rabbitmq-tls-unify-insecure-skip-verify

apps/backend/libs/amqp/src/amqp.module.ts

@@ -1,7 +1,6 @@
 import { Module } from '@nestjs/common'
 import { ConfigModule, ConfigService } from '@nestjs/config'
 import { RabbitMQModule } from '@golevelup/nestjs-rabbitmq'
-import { readFileSync } from 'fs'
 import { CONSUME_CHANNEL, PUBLISH_CHANNEL } from '@libs/constants'
 import { CheckAMQPService, JudgeAMQPService } from './amqp.service'
 
@@ -40,7 +39,7 @@ import { CheckAMQPService, JudgeAMQPService } from './amqp.service'
           ...(config.get('RABBITMQ_SSL') === 'true' && {
             connectionManagerOptions: {
               connectionOptions: {
-                ca: [readFileSync('/etc/ssl/rabbitmq/ca.crt')]
+                rejectUnauthorized: false
               }
             }
           })

apps/iris/src/connector/rabbitmq/consumer.go

@@ -2,7 +2,6 @@ package rabbitmq
 
 import (
 	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"os"
 
@@ -40,13 +39,7 @@ func NewConsumer(config ConsumerConfig, logger logger.Logger) (*consumer, error)
 		Properties: amqp.NewConnectionProperties(),
 	}
 	if os.Getenv("RABBITMQ_SSL") == "true" {
-		caCert, err := os.ReadFile("/etc/ssl/rabbitmq/ca.crt")
-		if err != nil {
-			return nil, fmt.Errorf("consumer: failed to read RabbitMQ CA cert: %w", err)
-		}
-		caCertPool := x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM(caCert)
-		amqpConfig.TLSClientConfig = &tls.Config{RootCAs: caCertPool}
+		amqpConfig.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	amqpConfig.Properties.SetClientConnectionName(config.ConnectionName)
 	connection, err := amqp.DialConfig(config.AmqpURI, amqpConfig)

apps/iris/src/connector/rabbitmq/producer.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"os"
 
 	amqp "github.com/rabbitmq/amqp091-go"
 	instrumentation "github.com/skkuding/codedang/apps/iris/src"
@@ -41,8 +42,10 @@ func NewProducer(config ProducerConfig, logger logger.Logger) (*producer, error)
 
 	// Create New RabbitMQ Connection (go <-> RabbitMQ)
 	amqpConfig := amqp.Config{
-		Properties:      amqp.NewConnectionProperties(),
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		Properties: amqp.NewConnectionProperties(),
+	}
+	if os.Getenv("RABBITMQ_SSL") == "true" {
+		amqpConfig.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	amqpConfig.Properties.SetClientConnectionName(config.ConnectionName)
 	connection, err := amqp.DialConfig(config.AmqpURI, amqpConfig)

apps/plag/src/connector/rabbitmq/consumer.go

@@ -3,6 +3,7 @@ package rabbitmq
 import (
 	"crypto/tls"
 	"fmt"
+	"os"
 
 	amqp "github.com/rabbitmq/amqp091-go"
 	"github.com/skkuding/codedang/apps/plag/src/service/logger"
@@ -35,8 +36,10 @@ func NewConsumer(config ConsumerConfig, logger logger.Logger) (*consumer, error)
 
 	// Create New RabbitMQ Connection (go <-> RabbitMQ)
 	amqpConfig := amqp.Config{
-		Properties:      amqp.NewConnectionProperties(),
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		Properties: amqp.NewConnectionProperties(),
+	}
+	if os.Getenv("RABBITMQ_SSL") == "true" {
+		amqpConfig.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	amqpConfig.Properties.SetClientConnectionName(config.ConnectionName)
 	connection, err := amqp.DialConfig(config.AmqpURI, amqpConfig)

apps/plag/src/connector/rabbitmq/producer.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"os"
 
 	amqp "github.com/rabbitmq/amqp091-go"
 	instrumentation "github.com/skkuding/codedang/apps/plag/src"
@@ -41,8 +42,10 @@ func NewProducer(config ProducerConfig, logger logger.Logger) (*producer, error)
 
 	// Create New RabbitMQ Connection (go <-> RabbitMQ)
 	amqpConfig := amqp.Config{
-		Properties:      amqp.NewConnectionProperties(),
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		Properties: amqp.NewConnectionProperties(),
+	}
+	if os.Getenv("RABBITMQ_SSL") == "true" {
+		amqpConfig.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	amqpConfig.Properties.SetClientConnectionName(config.ConnectionName)
 	connection, err := amqp.DialConfig(config.AmqpURI, amqpConfig)

infra/k8s/admin-api/base/deployment.yaml

@@ -32,10 +32,6 @@ spec:
                 name: database-credentials
             - secretRef:
                 name: security-keys
-          volumeMounts:
-            - name: rabbitmq-ca-cert
-              mountPath: /etc/ssl/rabbitmq
-              readOnly: true
           env:
             - name: RABBITMQ_DEFAULT_USER
               valueFrom:
@@ -52,10 +48,3 @@ spec:
                 secretKeyRef:
                   name: redis-credentials
                   key: password
-      volumes:
-        - name: rabbitmq-ca-cert
-          secret:
-            secretName: rabbitmq-ca-cert
-            items:
-              - key: ca.crt
-                path: ca.crt

infra/k8s/admin-api/base/kustomization.yaml

@@ -7,7 +7,6 @@ resources:
   - deployment.yaml
   - ingress.yaml
   - namespace.yaml
-  - rabbitmq-ca-cert.yaml
   - rabbitmq-credentials.yaml
   - redis-credentials.yaml
   - service.yaml

infra/k8s/client-api/base/deployment.yaml

@@ -34,10 +34,6 @@ spec:
                 name: oauth-credentials
             - secretRef:
                 name: security-keys
-          volumeMounts:
-            - name: rabbitmq-ca-cert
-              mountPath: /etc/ssl/rabbitmq
-              readOnly: true
           env:
             - name: RABBITMQ_DEFAULT_USER
               valueFrom:
@@ -54,10 +50,3 @@ spec:
                 secretKeyRef:
                   name: redis-credentials
                   key: password
-      volumes:
-        - name: rabbitmq-ca-cert
-          secret:
-            secretName: rabbitmq-ca-cert
-            items:
-              - key: ca.crt
-                path: ca.crt

infra/k8s/client-api/base/kustomization.yaml

@@ -7,7 +7,6 @@ resources:
   - deployment.yaml
   - ingress.yaml
   - namespace.yaml
-  - rabbitmq-ca-cert.yaml
   - rabbitmq-credentials.yaml
   - redis-credentials.yaml
   - service.yaml

infra/k8s/iris/base/deployment.yaml

@@ -27,9 +27,6 @@ spec:
             - name: cgroup
               mountPath: /sys/fs/cgroup
               readOnly: false
-            - name: rabbitmq-ca-cert
-              mountPath: /etc/ssl/rabbitmq
-              readOnly: true
           securityContext:
             privileged: true
           envFrom:
@@ -55,9 +52,3 @@ spec:
           hostPath:
             path: /sys/fs/cgroup
             type: Directory
-        - name: rabbitmq-ca-cert
-          secret:
-            secretName: rabbitmq-ca-cert
-            items:
-              - key: ca.crt
-                path: ca.crt

infra/k8s/iris/base/kustomization.yaml

@@ -6,7 +6,6 @@ resources:
   - configmap.yaml
   - deployment.yaml
   - namespace.yaml
-  - rabbitmq-ca-cert.yaml
   - rabbitmq-credentials.yaml
 
 commonAnnotations:

infra/k8s/plag/base/deployment.yaml

@@ -32,10 +32,6 @@ spec:
                 name: aws-credentials
             - secretRef:
                 name: database-credentials
-          volumeMounts:
-            - name: rabbitmq-ca-cert
-              mountPath: /etc/ssl/rabbitmq
-              readOnly: true
           env:
             - name: RABBITMQ_DEFAULT_USER
               valueFrom:
@@ -47,10 +43,3 @@ spec:
                 secretKeyRef:
                   name: rabbitmq-credentials
                   key: password
-      volumes:
-        - name: rabbitmq-ca-cert
-          secret:
-            secretName: rabbitmq-ca-cert
-            items:
-              - key: ca.crt
-                path: ca.crt

infra/k8s/plag/base/kustomization.yaml

@@ -6,7 +6,6 @@ resources:
   - configmap.yaml
   - deployment.yaml
   - namespace.yaml
-  - rabbitmq-ca-cert.yaml
   - rabbitmq-credentials.yaml
 
 commonAnnotations: