From 734fc8b8f8c7bbbb32034180c57f949354be15ec Mon Sep 17 00:00:00 2001 From: Vlad Gusev Date: Fri, 7 Feb 2025 16:37:22 +0200 Subject: [PATCH] [rabbitmq] Add credential-updater sidecar --- common/rabbitmq/CHANGELOG.md | 7 +++++++ common/rabbitmq/Chart.yaml | 2 +- common/rabbitmq/ci/test-values.yaml | 7 +++++-- common/rabbitmq/templates/_helpers.tpl | 8 ++++++++ common/rabbitmq/templates/deployment.yaml | 9 ++++++++- common/rabbitmq/templates/statefulset.yaml | 9 ++++++++- common/rabbitmq/templates/users-secret.yaml | 5 ----- common/rabbitmq/values.yaml | 5 +++++ 8 files changed, 42 insertions(+), 10 deletions(-) diff --git a/common/rabbitmq/CHANGELOG.md b/common/rabbitmq/CHANGELOG.md index 00956736f5b..8cd3d269166 100644 --- a/common/rabbitmq/CHANGELOG.md +++ b/common/rabbitmq/CHANGELOG.md @@ -2,6 +2,12 @@ This file is used to list changes made in each version of the common chart rabbitmq. +## 0.15.0 + +- Add [user-credential-updater](https://github.com/sapcc/default-user-credential-updater) sidecar container +- Use sidecar container for runtime password updates +- Remove `metrics` user, because it's not needed with native prometheus metrics + ## 0.14.0 [@businessbean](https://github.com/businessbean) @@ -33,6 +39,7 @@ The default is a `ClusterIssuer`, but it can be changed with the respective valu It is imporant there, that all names entered are accepted by the certificate-issuer. ## 0.12.1 + - `app` selector label returned, because deployment selector is immutable - chart version bumped diff --git a/common/rabbitmq/Chart.yaml b/common/rabbitmq/Chart.yaml index 4f0d5fb2147..e06f5e6a8b8 100644 --- a/common/rabbitmq/Chart.yaml +++ b/common/rabbitmq/Chart.yaml @@ -1,7 +1,7 @@ --- apiVersion: v1 name: rabbitmq -version: 0.14.0 +version: 0.15.0 appVersion: 4.0.5 description: A Helm chart for RabbitMQ sources: diff --git a/common/rabbitmq/ci/test-values.yaml b/common/rabbitmq/ci/test-values.yaml index 3dc26ab704d..2cb1c71a156 100644 
--- a/common/rabbitmq/ci/test-values.yaml +++ b/common/rabbitmq/ci/test-values.yaml @@ -1,9 +1,12 @@ +--- # Test values for rabbitmq. - global: user_suffix: "" master_password: "" - dockerHubMirrorAlternateRegion: "other.dockerhub.mirror" + registry: my.docker.registry + registryAlternateRegion: other.docker.registry + dockerHubMirror: my.dockerhub.mirror + dockerHubMirrorAlternateRegion: other.dockerhub.mirro region: "region" tld: "tld" diff --git a/common/rabbitmq/templates/_helpers.tpl b/common/rabbitmq/templates/_helpers.tpl index 1dfd3938300..0a7acd16440 100644 --- a/common/rabbitmq/templates/_helpers.tpl +++ b/common/rabbitmq/templates/_helpers.tpl @@ -70,6 +70,14 @@ rabbit://{{- $_prefix -}}{{- $_username -}}:{{- $_password -}}@{{- $_rhost -}}:{ {{- end -}} {{- end -}} +{{- define "dockerRegistry" -}} +{{- if .Values.use_alternate_registry -}} +{{- .Values.global.registryAlternateRegion -}} +{{- else -}} +{{- .Values.global.registry -}} +{{- end -}} +{{- end -}} + {{- define "rabbitmq_maintenance_affinity" }} - weight: 1 preference: diff --git a/common/rabbitmq/templates/deployment.yaml b/common/rabbitmq/templates/deployment.yaml index 41de0e51901..fff9fec69ed 100644 --- a/common/rabbitmq/templates/deployment.yaml +++ b/common/rabbitmq/templates/deployment.yaml @@ -25,7 +25,6 @@ spec: annotations: kubectl.kubernetes.io/default-container: rabbitmq checksum/container.init: {{ include (print $.Template.BasePath "/bin-configmap.yaml") . | sha256sum }} - checksum/users: {{ include (print $.Template.BasePath "/users-secret.yaml") . | sha256sum }} {{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.enabled }} linkerd.io/inject: enabled config.linkerd.io/opaque-ports: "{{ default 5672 .Values.ports.public }}" 
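Review bot: The new value `dockerHubMirrorAlternateRegion: other.dockerhub.mirro` has lost its final `r`; the line it replaces read `"other.dockerhub.mirror"`. This looks like an accidental truncation made while dropping the quotes, so restore it as `dockerHubMirrorAlternateRegion: other.dockerhub.mirror`. The CI render still succeeds with the typo, which is why it would go unnoticed.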
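Review bot: The helper is registered under the bare name `dockerRegistry`, but Helm keeps named templates in one namespace shared by a parent chart and all its subcharts, so another chart in the same release defining that name would silently win or lose against this one. The neighbouring `rabbitmq_maintenance_affinity` already carries a chart prefix; following it, e.g. `{{- define "rabbitmq_docker_registry" -}}`, and updating the two `include` calls avoids the collision. Neither branch checks that the value is set, so with `global.registry` missing the sidecar image would presumably render with an empty registry part. Wrapping the lookups as `{{- required "global.registry must be set" .Values.global.registry -}}` (and likewise for `registryAlternateRegion`) fails at template time instead of at image pull.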
@@ -136,6 +135,14 @@ spec: - mountPath: /etc/rabbitmq/ssl name: ssl {{- end }} + - name: user-credential-updater + image: "{{ include "dockerRegistry" . }}/{{ .Values.credentialUpdater.image }}:{{.Values.credentialUpdater.imageTag }}" + imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }} + volumeMounts: + - mountPath: /etc/rabbitmq/secrets + name: rabbitmq-users-config + - mountPath: /var/lib/rabbitmq + name: rabbitmq-persistent-storage priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }} volumes: - name: rabbitmq-persistent-storage diff --git a/common/rabbitmq/templates/statefulset.yaml b/common/rabbitmq/templates/statefulset.yaml index 0c806910c9e..f7a1b249295 100644 --- a/common/rabbitmq/templates/statefulset.yaml +++ b/common/rabbitmq/templates/statefulset.yaml @@ -23,7 +23,6 @@ spec: config.linkerd.io/opaque-ports: "{{ default 5672 .Values.ports.public }}" {{- end }} checksum/container.init: {{ include (print $.Template.BasePath "/bin-configmap.yaml") . | sha256sum }} - checksum/users: {{ include (print $.Template.BasePath "/users-secret.yaml") . | sha256sum }} {{- if .Values.customConfig }} checksum/custom.conf: {{ include (print .Template.BasePath "/etc/_rabbitmq-custom-config.tpl") . | sha256sum }} {{- end }} @@ -128,6 +127,14 @@ spec: - mountPath: /etc/rabbitmq/ssl name: ssl {{- end }} + - name: user-credential-updater + image: "{{ include "dockerRegistry" . }}/{{ .Values.credentialUpdater.image }}:{{.Values.credentialUpdater.imageTag }}" + imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }} + volumeMounts: + - mountPath: /etc/rabbitmq/secrets + name: rabbitmq-users-config + - mountPath: /var/lib/rabbitmq + name: rabbitmq-persistent-storage priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }} volumes: {{- if not .Values.persistence.enabled }} 
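Review bot: The `user-credential-updater` container is added unconditionally after the ssl mount's `{{- end }}`, yet this patch also introduces `credentialUpdater.enabled` in values.yaml and nothing visible reads it, so setting it to `false` would not remove the sidecar. Gate the container on that flag, and since the `checksum/users` annotation is removed in the same patch, decide what should trigger a password update when the sidecar is off. The container also has no `securityContext` or `resources`, although it mounts the users secret and the whole `/var/lib/rabbitmq` data volume. The sketch below assumes the updater needs no extra capabilities and only reads the secret files. The same points apply to the identical hunk in statefulset.yaml; the container list starts outside both hunks.

```yaml
{{- if .Values.credentialUpdater.enabled }}
- name: user-credential-updater
  # … unchanged: image, imagePullPolicy …
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
  volumeMounts:
    - mountPath: /etc/rabbitmq/secrets
      name: rabbitmq-users-config
      readOnly: true
    # … unchanged: /var/lib/rabbitmq mount …
{{- end }}
```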
diff --git a/common/rabbitmq/templates/users-secret.yaml b/common/rabbitmq/templates/users-secret.yaml index a096092c9a6..975f21211bb 100644 --- a/common/rabbitmq/templates/users-secret.yaml +++ b/common/rabbitmq/templates/users-secret.yaml @@ -11,11 +11,6 @@ data: user_{{ $key }}_password: {{ $user.password | b64enc }} user_{{ $key }}_tag: {{ $user.tag | default "" | b64enc }} {{- end }} -{{- if and .Values.metrics.enabled (not .Values.users.metrics) }} - user_metrics_username: {{ .Values.metrics.user | b64enc }} - user_metrics_password: {{ .Values.metrics.password | b64enc }} - user_metrics_tag: {{ "monitoring" | b64enc }} -{{- end }} {{- if .Values.addDevUser }} user_dev_username: {{ "dev" | b64enc }} user_dev_password: {{ "dev" | b64enc }} diff --git a/common/rabbitmq/values.yaml b/common/rabbitmq/values.yaml index 3291df51a07..a4e602ef732 100644 --- a/common/rabbitmq/values.yaml +++ b/common/rabbitmq/values.yaml @@ -123,6 +123,11 @@ customConfig: {} # if not set default value of 50MB will be used # disk_free_limit.absolute: 500MB +credentialUpdater: + enabled: true + image: rabbitmq-user-credential-updater + imageTag: '20250211130035' + enableSsl: false certificate: issuerRef:
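Review bot: The new `credentialUpdater` block in values.yaml identifies the sidecar image only by the mutable tag `'20250211130035'`, and the templates pull it with the `IfNotPresent` default. If that tag were re-pushed, nodes could run different images for a container that handles the broker's user passwords. Consider allowing a digest to be set next to the tag and rendered as `image@sha256:<digest>`, which needs a small change to the `image:` line in both workload templates. The block is also undocumented; a comment such as `# sidecar that applies changed user passwords from the mounted users secret at runtime` would fit the commented style of the keys above it.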