[rabbitmq] Add credential-updater sidecar

sapcc · Feb 11, 2025 · 734fc8b · 734fc8b
1 parent 1496795
commit 734fc8b
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 10 deletions.
diff --git a/common/rabbitmq/CHANGELOG.md b/common/rabbitmq/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 This file is used to list changes made in each version of the common chart rabbitmq.
 
+## 0.15.0
+
+- Add [user-credential-updater](https://github.com/sapcc/default-user-credential-updater) sidecar container
+- Use sidecar container for runtime password updates
+- Remove `metrics` user, because it's not needed with native prometheus metrics
+
 ## 0.14.0
 
 [@businessbean](https://github.com/businessbean)
@@ -33,6 +39,7 @@ The default is a `ClusterIssuer`, but it can be changed with the respective valu
 It is imporant there, that all names entered are accepted by the certificate-issuer.
 
 ## 0.12.1
+
 - `app` selector label returned, because deployment selector is immutable
 - chart version bumped
 

diff --git a/common/rabbitmq/Chart.yaml b/common/rabbitmq/Chart.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: rabbitmq
-version: 0.14.0
+version: 0.15.0
 appVersion: 4.0.5
 description: A Helm chart for RabbitMQ
 sources:

diff --git a/common/rabbitmq/ci/test-values.yaml b/common/rabbitmq/ci/test-values.yaml
@@ -1,9 +1,12 @@
+---
 # Test values for rabbitmq.
-
 global:
   user_suffix: ""
   master_password: ""
-  dockerHubMirrorAlternateRegion: "other.dockerhub.mirror"
+  registry: my.docker.registry
+  registryAlternateRegion: other.docker.registry
+  dockerHubMirror: my.dockerhub.mirror
+  dockerHubMirrorAlternateRegion: other.dockerhub.mirro
   region: "region"
   tld: "tld"
 

diff --git a/common/rabbitmq/templates/_helpers.tpl b/common/rabbitmq/templates/_helpers.tpl
@@ -70,6 +70,14 @@ rabbit://{{- $_prefix -}}{{- $_username -}}:{{- $_password -}}@{{- $_rhost -}}:{
 {{- end -}}
 {{- end -}}
 
+{{- define "dockerRegistry" -}}
+{{- if .Values.use_alternate_registry -}}
+{{- .Values.global.registryAlternateRegion -}}
+{{- else -}}
+{{- .Values.global.registry -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "rabbitmq_maintenance_affinity" }}
           - weight: 1
             preference:

diff --git a/common/rabbitmq/templates/deployment.yaml b/common/rabbitmq/templates/deployment.yaml
@@ -25,7 +25,6 @@ spec:
       annotations:
         kubectl.kubernetes.io/default-container: rabbitmq
         checksum/container.init: {{ include (print $.Template.BasePath "/bin-configmap.yaml") . | sha256sum }}
-        checksum/users: {{ include (print $.Template.BasePath "/users-secret.yaml") . | sha256sum }}
 {{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.enabled }}
         linkerd.io/inject: enabled
         config.linkerd.io/opaque-ports: "{{ default 5672 .Values.ports.public }}"
@@ -136,6 +135,14 @@ spec:
           - mountPath: /etc/rabbitmq/ssl
             name: ssl
         {{- end }}
+      - name: user-credential-updater
+        image: "{{ include "dockerRegistry" . }}/{{ .Values.credentialUpdater.image }}:{{.Values.credentialUpdater.imageTag }}"
+        imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
+        volumeMounts:
+          - mountPath: /etc/rabbitmq/secrets
+            name: rabbitmq-users-config
+          - mountPath: /var/lib/rabbitmq
+            name: rabbitmq-persistent-storage
       priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
       volumes:
         - name: rabbitmq-persistent-storage

diff --git a/common/rabbitmq/templates/statefulset.yaml b/common/rabbitmq/templates/statefulset.yaml
@@ -23,7 +23,6 @@ spec:
         config.linkerd.io/opaque-ports: "{{ default 5672 .Values.ports.public }}"
 {{- end }}
         checksum/container.init: {{ include (print $.Template.BasePath "/bin-configmap.yaml") . | sha256sum }}
-        checksum/users: {{ include (print $.Template.BasePath "/users-secret.yaml") . | sha256sum }}
 {{- if .Values.customConfig }}
         checksum/custom.conf: {{ include (print .Template.BasePath "/etc/_rabbitmq-custom-config.tpl") . | sha256sum }}
 {{- end }}
@@ -128,6 +127,14 @@ spec:
           - mountPath: /etc/rabbitmq/ssl
             name: ssl
         {{- end }}
+      - name: user-credential-updater
+        image: "{{ include "dockerRegistry" . }}/{{ .Values.credentialUpdater.image }}:{{.Values.credentialUpdater.imageTag }}"
+        imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
+        volumeMounts:
+          - mountPath: /etc/rabbitmq/secrets
+            name: rabbitmq-users-config
+          - mountPath: /var/lib/rabbitmq
+            name: rabbitmq-persistent-storage
       priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
       volumes:
       {{- if not .Values.persistence.enabled }}

diff --git a/common/rabbitmq/templates/users-secret.yaml b/common/rabbitmq/templates/users-secret.yaml
@@ -11,11 +11,6 @@ data:
   user_{{ $key }}_password: {{ $user.password | b64enc }}
   user_{{ $key }}_tag: {{ $user.tag | default "" | b64enc }}
 {{- end }}
-{{- if and .Values.metrics.enabled (not .Values.users.metrics) }}
-  user_metrics_username: {{ .Values.metrics.user | b64enc }}
-  user_metrics_password: {{ .Values.metrics.password | b64enc }}
-  user_metrics_tag: {{ "monitoring" | b64enc }}
-{{- end }}
 {{- if .Values.addDevUser }}
   user_dev_username: {{ "dev" | b64enc }}
   user_dev_password: {{ "dev" | b64enc }}

diff --git a/common/rabbitmq/values.yaml b/common/rabbitmq/values.yaml
@@ -123,6 +123,11 @@ customConfig: {}
   # if not set default value of 50MB will be used
   # disk_free_limit.absolute: 500MB
 
+credentialUpdater:
+  enabled: true
+  image: rabbitmq-user-credential-updater
+  imageTag: '20250211130035'
+
 enableSsl: false
 certificate:
   issuerRef: