A service to manage Pulse credentials for anything using Taskcluster credentials. This allows us self-service and greater control within the Taskcluster project.
Services using Pulse credentials call this service's `claimNamespace` endpoint to claim a "namespace" in Pulse, allowing access to exchanges and queues based on that namespace.
The calling service must call the endpoint periodically, each time getting a fresh username and password to access Pulse. Access is checked each time using Taskcluster credentials.
The service monitors the existing credentials:
- rotating the password on unclaimed credentials
- notifying owners of, and eventually deleting, queues which grow too large
- deleting queues and exchanges when the corresponding namespace expires
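The three monitoring rules above, sketched as a single decision function. This is an added example, not taskcluster-pulse code: the `queue/<namespace>/...` and `exchange/<namespace>/...` naming, the `lastClaimed` field as the meaning of "unclaimed", and every threshold are assumptions made for illustration.

```javascript
// Added illustration, not taskcluster-pulse code. Assumed: objects are named
// "queue/<namespace>/..." or "exchange/<namespace>/...", "unclaimed" means no
// claim within rotateAfterMs, and every limit below is a made-up value.
const HOUR = 60 * 60 * 1000;
const LIMITS = {warnMessages: 5000, deleteMessages: 10000, rotateAfterMs: HOUR};
// Namespace that owns a queue or exchange name, or null if it has none.
function ownerOf(name, kind) {
  const m = new RegExp(`^${kind}/([^/]+)/`).exec(name);
  return m ? m[1] : null;
}

// One monitoring pass: returns the actions to take, in a stable order.
function planMaintenance({namespaces, queues, exchanges, now}, limits = LIMITS) {
  const actions = [];
  const byName = new Map(namespaces.map(ns => [ns.namespace, ns]));
  const expired = ns => ns.expires <= now;
  for (const ns of namespaces) {
    const stale = now - ns.lastClaimed >= limits.rotateAfterMs;
    if (stale && !expired(ns)) actions.push({action: 'rotate-password', target: ns.namespace});
  }
  for (const q of queues) {
    const ns = byName.get(ownerOf(q.name, 'queue'));
    if (!ns) continue; // not a namespace we manage: never touch it
    if (expired(ns)) {
      actions.push({action: 'delete-queue', target: q.name, reason: 'expired'});
    } else if (q.messages >= limits.deleteMessages) {
      actions.push({action: 'delete-queue', target: q.name, reason: 'too-large'});
    } else if (q.messages >= limits.warnMessages) {
      actions.push({action: 'notify-owner', target: q.name, contact: ns.contact});
    }
  }
  for (const x of exchanges) {
    const ns = byName.get(ownerOf(x.name, 'exchange'));
    if (ns && expired(ns)) actions.push({action: 'delete-exchange', target: x.name});
  }
  return actions;
}
// Constructed sample state; times are milliseconds since the epoch.
const SAMPLE = {
  now: 100 * HOUR,
  namespaces: [
    {namespace: 'svc-a', expires: 200 * HOUR, lastClaimed: 99.5 * HOUR, contact: 'a@example.com'},
    {namespace: 'svc-b', expires: 200 * HOUR, lastClaimed: 90 * HOUR, contact: 'b@example.com'},
    {namespace: 'svc-old', expires: 50 * HOUR, lastClaimed: 40 * HOUR, contact: 'c@example.com'},
  ],
  queues: [{name: 'queue/svc-a/backlog', messages: 6000}, {name: 'queue/svc-b/stuck', messages: 20000},
    {name: 'queue/svc-old/left', messages: 0}, {name: 'queue/unmanaged/x', messages: 999999}],
  exchanges: [{name: 'exchange/svc-a/v1/events'}, {name: 'exchange/svc-old/v1/events'}],
};
console.log(planMaintenance(SAMPLE));
```

Objects whose name does not map to a known namespace are skipped rather than deleted, so a monitoring pass cannot remove queues it does not own.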
This service works with RabbitMQ 3.6.x. Later versions come with changes to the management interface that are not yet supported.
Steps before running the test:
- Run RabbitMQ: `docker run -ti --rm --env RABBITMQ_DEFAULT_VHOST=/test -p 15672:15672 -p 5672:5672 rabbitmq:3.6-management-alpine`. You can do this another way if you'd like, but installation, configuration and so on are up to you!
- Copy `user-config-example.yml` to `user-config.yml` unmodified
- `yarn install`
To run the test, use `yarn test`. You can set `DEBUG=taskcluster-pulse,test` if you want to see what's going on.
Note that you can run the tests with no `user-config.yml`, but most are skipped because they require a RabbitMQ instance.
After each test, flush the RabbitMQ database with `rabbitmqctl reset` or by stopping and re-starting the docker container. (The test suite adds and removes users during the test. Flushing the database ensures nothing is leaked between tests.)
The `rotateNamespaces` app should run more often than once an hour. The `expireNamespaces` app need only run daily. `monitorRabbit` is a long-running daemon, one of which should be running at all times.
Access the `listNamespaces` endpoint using `curl`, and examine logs for any issues with rotation or monitoring.
Service Owner: [email protected]