Add loadBalancerSourceRanges for RabbitMQ Service

[sdibernardo]

Is your feature request related to a problem? Please describe.
In our current setup we use the rabbitmq cluster operater in order to provision multiple rabbitmq clusters for different clients. I'd like to allow access based on IP whitelists, which generally can be done, but not out of the box with the operator.

Describe the solution you'd like
I'd like to have the additional configuration to specify whitelists for services of type LoadBalancer, based on the implementation of regular Services (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/).

kind: RabbitmqCluster
metadata:
  name: rabbitmq
spec:
  replicas: {{ .Values.replicas }}
  image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
  service:
     type: LoadBalancer
     loadBalancerSourceRanges: []

Describe alternatives you've considered

• Patching the resource directly on the cluster and disable automatic Argo Sync
• Mutating Webhook to alter the creation of rabbitmq services

Additional context
I saw that the requested field exists in the CRD (

cluster-operator/config/crd/bases/rabbitmq.com_rabbitmqclusters.yaml

Line 1031 in d08d570

type: string

) but when I configure the RabbitMQ Cluster with the ranges specified, Argo stays OutOfSync and does not apply the changes. The logs of the operator do not give any hints regarding errors, just emitting logs with regards to the reconciliation of the provisioned resources.

After a quick glance over https://github.com/rabbitmq/cluster-operator/blob/d08d5700721bc332ff5852334dea97d1f63b62e7/internal/resource/service.go it seems to me, that specifying the ranges doesnt do anything codewise.

Any feedback will be appreciated ❤️

[mkuratczyk]

My feedback: if you need this feature - by all means please contribute it.

[Zerpet]

You can achieve this with a service override, see the following example:

example-override.yaml

---
kind: RabbitmqCluster
apiVersion: rabbitmq.com/v1beta1
metadata:
  name: rabbitmq
spec:
  replicas: 3
  resources:
    limits: {}
    requests: {}
  persistence:
    storage: "0"
  service:
    type: LoadBalancer
  override:
    service:
      spec:
        loadBalancerSourceRanges:
          - 192.168.0.0/16
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 100.64.0.0/10
          - 100.96.0.0/10
          - 100.128.0.0/10
          - 100.160.0.0/10
          - 100.192.0.0/10
          - 100.224.0.0/10

We try to leave the rabbitmq cluster spec as minimal as possible, because we can't keep up with native resource updates. We usually add a field to the spec when we observe many reports of its use via overrides, or when the override to achieve something is awfully complicated. For example #1474 introduced support for dual stack IPv4 and IPv6. Prior to the PR, it was required an override to the service and to the STS template, to mount a specific configuration file in the rabbit container, plus an external ConfigMap as source of the config. In summary, awfully complicated 🙂

You use case seems straightforward to achieve with the service override. Hope the example helps.

Edit: feel free to re-open the issue if this example doesn't help

[sdibernardo]

This is exactly what I needed and works just fine.
Thank you for revisting the issue ❤️