diff --git a/content/blog/expose_mgmt_console.md b/content/blog/expose_mgmt_console.md new file mode 100644 index 0000000..dcd0014 --- /dev/null +++ b/content/blog/expose_mgmt_console.md @@ -0,0 +1,214 @@ +--- +title: "Accessing Broker Management Console from outside Kubernetes" +type: "regular" +description: "A demo case of exposing broker console via K8s ingress with ArtemisCloud Operator" +draft: false +--- +With ArtemisCloud operator you can choose to expose the management console of a deployed broker so that it can be connected from outside the kubernetes cluster. + +### About the Management Console +Apache ActiveMQ Artemis broker comes with a web-based management console powered by [Hawt.io](http://hawt.io). The broker hosts the management console in an embedded jetty server and listening on HTTP port 8161 (default port). + +When the broker runs in a pod, however, it can't be accessed directly from outside the cluster unless we configure properly. + +With the operator the broker management console can be secured with HTTPS and login accounts. We'll demonstrate how. + +### Prerequisite +Before you start you need have access to a running Kubernetes cluster environment(or an Openshift cluster). A [Minikube](https://minikube.sigs.k8s.io/docs/start/) running on your laptop will just do fine. The ArtemisCloud operator also runs in a Openshift cluster environment like [CodeReady Container](https://developers.redhat.com/products/codeready-containers/overview). In this blog we introduce ways to expose the broker management console in both Kubernetes cluster and openshift environment. + +### Enable Ingress Controller in Minikube +If you are using Minikube you need first to enable the ingress controller before +deploying the CR if you haven't done so already. To enable ingress run the following +command: +```shell script +minikube addons enable ingress +``` +To verify that the ingress controller is active, run the command and check the output: +```shell script +kubectl get pods -n kube-system +NAME READY STATUS RESTARTS AGE +... +ingress-nginx-controller-558664778f-8prxb 1/1 Running 2 32h +... +``` + +### Deploy the ArtemisCloud Operator +First you need to deploy the ArtemisCloud operator. +If you are not sure how to deploy the operator take a look at [this blog]({{< relref "/blog/using_operator.md" >}}). + +Assume you deployed the operator to a namespace called **myproject**. + +Make sure the operator is in "Running" status before going to the next step. +You can run this command and observe the output: + +```shell script +$ kubectl get pod -n myproject +NAME READY STATUS RESTARTS AGE +activemq-artemis-operator-6657d9859f-k2zrd 1/1 Running 0 25m +``` + +### Preparing the Broker Custome Resource (CR) +Create a file named "broker-console.yaml" with the following contents: + +```yaml +apiVersion: broker.amq.io/v2alpha4 +kind: ActiveMQArtemis +metadata: + name: ex-aao +spec: + deploymentPlan: + size: 1 + image: quay.io/artemiscloud/activemq-artemis-broker-kubernetes:0.2.1 + console: + expose: true +``` +Notice in the yaml file we define **expose: true** under **console** property. It means to expose the management console via ingress. + +### Deploy Broker Custom resource +Run the following command to deploy the CR just created: +```shell script +$ kubectl create -f broker-console.yaml -n myproject +activemqartemis.broker.amq.io/ex-aao created +``` +and checking that the broker pod is up and running: +```shell script +$ kubectl get pod -n myproject +NAME READY STATUS RESTARTS AGE +activemq-artemis-operator-6657d9859f-k2zrd 1/1 Running 0 3h18m +ex-aao-ss-0 1/1 Running 0 4m11s +``` +Now you can check out details about the ingress: +```shell script +$ kubectl get ingress -n myproject +NAME CLASS HOSTS ADDRESS PORTS AGE +ex-aao-wconsj-0-svc-ing * 192.168.99.116 80 12h +``` +Notice the **ADDRESS** and **PORTS** fields. They tell that the ingress is +listening on 192.168.99.116:80. For Minikube the IP address is only meaningful +within the host where it is installed. + +On the minikube host open a browser and go to **http://192.168.99.116** (port omitted as it's default http port) and you'll see the management console's front page: + +![The management console](/website/images/blog/mgmt-console/console-http.png) + +Click "Management Console" and the login page is shown. As in this deployment anonymous login is allowed, just arbitrary username/password will do. + +Explore the various links after you log in. + +### Secure the Management console +It is recommended that the broker management console should be accessed with a valid account and the communication should be secured with SSL (https) in a production environment. + +Ingress supports HTTPS communications over port 443. The TLS termination at ingress point so the communication between ingress and the backend services (e.g. the management console) are plain HTTP. + +A few more options are needed in the broker CR to make a secured management console. + +First undeploy the previous broker CR. + +```shell script +$ kubectl delete -f broker-console.yaml -n myproject +activemqartemis.broker.amq.io "ex-aao" deleted +``` + +Create another custom resource file "broker-console-secured.yaml" with the following content: + +```yaml +apiVersion: broker.amq.io/v2alpha4 +kind: ActiveMQArtemis +metadata: + name: ex-aao +spec: + deploymentPlan: + size: 1 + image: quay.io/artemiscloud/activemq-artemis-broker-kubernetes:0.2.1 + requireLogin: true + console: + expose: true + sslEnabled: true + sslSecret: console-secret + adminUser: consoleadmin + adminPassword: consolepassword +``` +In the above broker CR file we explicitly configure a **adminUser** and a **adminPassword** which will be used to log in the console. Also there are two more new parameters that are used for secure the ingress point: + +- **sslEanbled** Setting it to true to let operator to configure a https ingress. +- **sslSecret** This is the name of the secret that the ingress is used for its certificate and key files. + +As you see that the above **sslSecret** is set to **console-secret** which must exist before deployment. Now let's create it. + +First let's generate a self-signed certificate file and a key file. +```shell script +$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout consolekey -out consolecert -subj "/CN=www.mgmtconsole.com/O=www.mgmtconsole.com" +Generating a RSA private key +..........+++++ +..................................................................+++++ +writing new private key to 'consolekey' +----- +``` +The above command generates a cert file **consolecert** and a key file **consolekey** under the current dir. Note that the value of CN is **www.mgmtconsole.com** which later we take as the management console's host name in its url. + +Now with the cert file and key file generated let's create the needed secret **console-secret**: +```shell script +$ kubectl create secret tls console-secret --key consolekey --cert consolecert -n myproject +secret/console-secret created +``` +Verify the secret is created: +```shell script +$ kubectl get secret -n myproject +NAME TYPE DATA AGE +activemq-artemis-operator-token-6zmg9 kubernetes.io/service-account-token 3 3d19h +console-secret kubernetes.io/tls 2 5m18s +default-token-2mrq9 kubernetes.io/service-account-token 3 3d22h +``` +Then deploy the broker: +```shell script +$ kubectl create -f broker-console-secured.yaml -n myproject +activemqartemis.broker.amq.io/ex-aao created +``` +Wait for the pod to be in **RUNNING** status. To check the status you can run the following command: + +```shell script +$ kubectl get pod -n myproject +NAME READY STATUS RESTARTS AGE +activemq-artemis-operator-6fcbbb75f8-vs4hg 1/1 Running 0 51m +ex-aao-ss-0 1/1 Running 0 95s +``` +At this moment there will be an ingress object created for us. To check it out use the following command and see the ouput: +```shell script +$ kubectl get ingress -n myproject +NAME CLASS HOSTS ADDRESS PORTS AGE +ex-aao-wconsj-0-svc-ing www.mgmtconsole.com 192.168.99.116 80, 443 3m51s + +``` +The above output shows the ingress is ready and available through HTTPS port 443. + +You may have noticed that the http default port 80 is also available. If you try visit the management console using http rather https the ingress will redirect you to https. + +Before we can open up the browser and visit the management console, there is one more thing to do with minikube. As in the certificate we set up the host to be **www.mgmtconsole.com** which is a 'fake' DNS name. When you input that 'fake' host name in the browser it should be resolved properly. To do that we can add the host name to the /etc/hosts file on the local machine which runs the Minikube. + +Open the **/etc/hosts** with root permissions (e.g. using sudo) and append the following record to the file. +``` +192.168.99.116 www.mgmtconsole.com +``` +where **192.168.99.116** being the Minikube's IP. + +Now at the Minikube local machine open up your browser and go "https://www.mgmtconsole.com". Because our ingress has a self-signed certificate the browser often prompts to you a message saying that the site is not trusted. Ignore the message and choose the option to go ahead. + +You will see the front page of the management console. + +![The management console](/website/images/blog/mgmt-console/console-front-ssl.png) + +When the front page shows up click on **Management Console** and it brings you to the login page. + +![The management console](/website/images/blog/mgmt-console/console-login-ssl.png) + +You need to use the username/password defined in the CR to log in. +Input **consoleadmin** as Username and **consolepassword** as Password and then click login. The main management web page will show up. Try click on different links and tabs in it to explore. + +![The management console](/website/images/blog/mgmt-console/console-main-ssl.png) + +Now you have successfully secured your management console. + +### Further information + +* [ArtemisCloud Github Repo](https://github.com/artemiscloud) +* For more information on ActiveMQ Artemis please read the [Artemis Documentation](https://activemq.apache.org/components/artemis/documentation/) diff --git a/content/blog/expose_mgmt_console_route.md b/content/blog/expose_mgmt_console_route.md new file mode 100644 index 0000000..d9121c0 --- /dev/null +++ b/content/blog/expose_mgmt_console_route.md @@ -0,0 +1,203 @@ +--- +title: "Accessing Broker Management Console from outside Openshift" +type: "regular" +description: "A demo case of exposing broker console via Openshift route object with ArtemisCloud Operator" +draft: false +--- +With ArtemisCloud operator you can choose to expose the management console of a deployed broker so that it can be connected from outside the Openshift cluster. + +In [another article]({{< relref "/blog/expose_mgmt_console.md" >}}). we described how to expose the management console from a Kubernetes cluster using ingress. +In an Openshift environment it still use the same configuration. Similarly we can expose the management console via plain HTTP protocol with anonymous log in and via HTTPS protocol with a credential. However under the hood the management console is exposed by [Route](https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html). We'll explain more details later on. + +### Prerequisite +Before you start you need have access to a running Openshift cluster environment. For this article we will use [CodeReady Container](https://developers.redhat.com/products/codeready-containers/overview). If you don't have an Openshift cluster already you can follow the instructions on the website to install CodeReady. + +### Deploy the ArtemisCloud Operator +Assume you deployed the operator to a project called **myproject**. Use the following command to create it in Openshift: + +```shell script +$ oc new-project myproject +Now using project "myproject" on server "https://api.crc.testing:6443". + +You can add applications to this project with the 'new-app' command. For example, try: + + oc new-app rails-postgresql-example + +to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application: + + kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname +``` +Deploy an ArtemiCloud operator into your project. + +If you are not sure how to deploy the operator take a look at [this blog]({{< relref "/blog/using_operator.md" >}}). + +Make sure the operator is in "Running" status before going to the next step. +You can run this command and observe the output: + +```shell script +$ oc get pod -n myproject +NAME READY STATUS RESTARTS AGE +activemq-artemis-operator-5c86c49f88-fvnjm 1/1 Running 0 10m +``` + +### Preparing the Broker Custome Resource (CR) +Create a file named "broker-console.yaml" with the following contents: + +```yaml +apiVersion: broker.amq.io/v2alpha4 +kind: ActiveMQArtemis +metadata: + name: ex-aao +spec: + deploymentPlan: + size: 1 + image: quay.io/artemiscloud/activemq-artemis-broker-kubernetes:0.2.1 + console: + expose: true +``` +Notice in the yaml file we define **expose: true** under **console** property. It means to expose the management console via route in Openshift. + +### Deploy Broker Custom resource +Run the following command to deploy the CR just created: +```shell script +$ oc create -f broker-console.yaml -n myproject +activemqartemis.broker.amq.io/ex-aao created +``` +and checking that the broker pod is up and running: +```shell script +$ oc get pod -n myproject +NAME READY STATUS RESTARTS AGE +activemq-artemis-operator-6657d9859f-k2zrd 1/1 Running 0 3h18m +ex-aao-ss-0 1/1 Running 0 4m11s +``` +Now you can check out details about the route: +```shell script +$ oc get route -n myproject +NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD +ex-aao-wconsj-0-svc-rte ex-aao-wconsj-0-svc-rte-myproject.apps-crc.testing ex-aao-wconsj-0-svc wconsj-0 None + +``` +Notice the **HOST/PORT** field. It tells that the route is +listening on host **ex-aao-wconsj-0-svc-rte-myproject.apps-crc.testing** and port is default 80. + +On the Openshift host open a browser and go to **http://ex-aao-wconsj-0-svc-rte-myproject.apps-crc.testing** (port omitted as it's default http port) and you'll see the management console's front page: + +![The management console](/website/images/blog/mgmt-console/console-route-http-front.png) + +Different from Minikube, CodeReady modifies the DNS service properly for you so that the host **ex-aao-wconsj-0-svc-rte-myproject.apps-crc.testing** is automatically resolvable on the host machine. + +Click "**Management Console**" and the login page is shown. As in this deployment anonymous login is allowed, just arbitrary username/password will do. + +Explore the various links after you log in. + +### Secure the Management console +It is recommended that the broker management console should be accessed with a valid account and the communication should be secured with SSL (https) in a production environment. + +Openshift route supports HTTPS communications like ingress. Unlike ingress however the ArtemisCloud operator sets up a route with [Passthrough Termination](https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html#passthrough-termination). It means that the TLS termination does not happen at the route, instead the route passes the encrypted traffic directly to the endpoint. In this case it is the broker that handles the TLS processing. This will affects how the certificate is prepared in next steps. + +To make the management console secure a few more options are needed. But First undeploy the previous broker CR. + +```shell script +$ oc delete -f broker-console.yaml -n myproject +activemqartemis.broker.amq.io "ex-aao" deleted +``` + +Create another custom resource file "broker-console-secured.yaml" with the following content: + +```yaml +apiVersion: broker.amq.io/v2alpha4 +kind: ActiveMQArtemis +metadata: + name: ex-aao +spec: + deploymentPlan: + size: 1 + image: quay.io/artemiscloud/activemq-artemis-broker-kubernetes:0.2.1 + requireLogin: true + console: + expose: true + sslEnabled: true + sslSecret: console-secret + adminUser: consoleadmin + adminPassword: consolepassword +``` +In the above broker CR file we explicitly configure a **adminUser** and a **adminPassword** which will be used to log in the console. Also there are two more new parameters that are used for secure the route point: + +- **sslEanbled** Setting it to true to let operator to configure a https transport via route. +- **sslSecret** This is the name of the secret that the broker is used for the management console. + +As you see that the above **sslSecret** is set to **console-secret** which must exist before deployment. Now let's create it. + +The secret must contain a keystore and the keystore's password. Here we use the [keytool](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html) that comes with Java Development Kit(JDK). + +```shell script +$ keytool -genkeypair -alias amq7 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore broker.ks -validity 3000 +Enter keystore password: +Re-enter new password: +What is your first and last name? + [Unknown]: Howard Gao +What is the name of your organizational unit? + [Unknown]: Red Hat +What is the name of your organization? + [Unknown]: Red Hat +What is the name of your City or Locality? + [Unknown]: Beijing +What is the name of your State or Province? + [Unknown]: Beijing +What is the two-letter country code for this unit? + [Unknown]: CN +Is CN=Howard Gao, OU=Red Hat, O=Red Hat, L=Beijing, ST=Beijing, C=CN correct? + [no]: yes +``` +As shown above the **keytool** will ask you some questions in order to generate the keystore file. The first question is the password for the keystore. Assume the password is **password**. + +When the above command completed it generates a keystore file called "**broker.ks**" in the current directory. + +Now we create the needed secret **console-secret** with the generated keystore and keystore password: +```shell script +$ oc create secret generic console-secret --from-file=broker.ks --from-literal=keyStorePassword='password' -n myproject +secret/console-secret created +``` + +Then deploy the broker: +```shell script +$ oc create -f broker-console-secured.yaml -n myproject +activemqartemis.broker.amq.io/ex-aao created +``` +Wait for the pod to be in **RUNNING** status. To check the status you can run the following command: + +```shell script +$ oc get pod -n myproject +NAME READY STATUS RESTARTS AGE +activemq-artemis-operator-5c86c49f88-fvnjm 1/1 Running 0 6h23m +ex-aao-ss-0 1/1 Running 0 115s +``` +At this moment there should be a route object created for us. To check it out use the following command and see the ouput: +```shell script +$ oc get route -n myproject +NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD +ex-aao-wconsj-0-svc-rte ex-aao-wconsj-0-svc-rte-myproject.apps-crc.testing ex-aao-wconsj-0-svc wconsj-0 passthrough/None None +``` +As with the plain HTTP case the route provides us with a host name **ex-aao-wconsj-0-svc-rte-myproject.apps-crc.testing**. What's different is that the **TERMINATION** field now has value **passthrough/None**. It means when we visit the management console through the route it passes the request directly to the broker's embedded web server which will eventually handles all the TLS operations. + +Now at the CodeReady hosting machine open up your browser and go to "https://ex-aao-wconsj-0-svc-rte-myproject.apps-crc.testing". Because we use a self-signed certificate the browser often prompts to you a message saying that the site is not trusted. Ignore the message and choose the option to go ahead. + +You will see the front page of the management console. + +![The management console](/website/images/blog/mgmt-console/console-route-front-ssl.png) + +When the front page shows up click on **Management Console** and it brings you to the login page. + +![The management console](/website/images/blog/mgmt-console/console-route-login-ssl.png) + +You need to use the username/password defined in the CR to log in. +Input **consoleadmin** as Username and **consolepassword** as Password and then click login. The main management web page will show up. Try click on different links and tabs in it to explore. + +![The management console](/website/images/blog/mgmt-console/console-route-main-ssl.png) + +Now you have successfully secured your management console in Openshift. + +### Further information + +* [ArtemisCloud Github Repo](https://github.com/artemiscloud) +* For more information on ActiveMQ Artemis please read the [Artemis Documentation](https://activemq.apache.org/components/artemis/documentation/) diff --git a/content/blog/ssl_broker_setup.md b/content/blog/ssl_broker_setup.md index 1ee9b25..ee257c4 100644 --- a/content/blog/ssl_broker_setup.md +++ b/content/blog/ssl_broker_setup.md @@ -20,7 +20,7 @@ If you are not sure how to deploy the operator take a look at [this blog]({{< re In this blog post we assume you deployed the operator to a namespace called **myproject**. -Make sure the operator is in "Runing" status before going to the next step. +Make sure the operator is in "Running" status before going to the next step. You can run this command and observe the output: ```shell script diff --git a/static/images/blog/mgmt-console/console-front-ssl.png b/static/images/blog/mgmt-console/console-front-ssl.png new file mode 100755 index 0000000..79779ec Binary files /dev/null and b/static/images/blog/mgmt-console/console-front-ssl.png differ diff --git a/static/images/blog/mgmt-console/console-http.png b/static/images/blog/mgmt-console/console-http.png new file mode 100755 index 0000000..06b3574 Binary files /dev/null and b/static/images/blog/mgmt-console/console-http.png differ diff --git a/static/images/blog/mgmt-console/console-login-ssl.png b/static/images/blog/mgmt-console/console-login-ssl.png new file mode 100755 index 0000000..e166647 Binary files /dev/null and b/static/images/blog/mgmt-console/console-login-ssl.png differ diff --git a/static/images/blog/mgmt-console/console-main-ssl.png b/static/images/blog/mgmt-console/console-main-ssl.png new file mode 100755 index 0000000..f0d82cc Binary files /dev/null and b/static/images/blog/mgmt-console/console-main-ssl.png differ diff --git a/static/images/blog/mgmt-console/console-route-front-ssl.png b/static/images/blog/mgmt-console/console-route-front-ssl.png new file mode 100755 index 0000000..ccf974a Binary files /dev/null and b/static/images/blog/mgmt-console/console-route-front-ssl.png differ diff --git a/static/images/blog/mgmt-console/console-route-http-front.png b/static/images/blog/mgmt-console/console-route-http-front.png new file mode 100755 index 0000000..bd37f9d Binary files /dev/null and b/static/images/blog/mgmt-console/console-route-http-front.png differ diff --git a/static/images/blog/mgmt-console/console-route-login-ssl.png b/static/images/blog/mgmt-console/console-route-login-ssl.png new file mode 100755 index 0000000..9828579 Binary files /dev/null and b/static/images/blog/mgmt-console/console-route-login-ssl.png differ diff --git a/static/images/blog/mgmt-console/console-route-main-ssl.png b/static/images/blog/mgmt-console/console-route-main-ssl.png new file mode 100755 index 0000000..261a55a Binary files /dev/null and b/static/images/blog/mgmt-console/console-route-main-ssl.png differ