bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/rabbitmq].tlsSslOptionsPassword #16042

Open HubertPe opened 1 year ago

HubertPe commented 1 year ago

Name and Version

bitnami/rabbitmq

What architecture are you using?

None

What steps will reproduce the bug?

I try to read a secret value from Kubernetes as an SSL password. I'll do the following call in the values.yaml file:

```gotemplate
{{- if .Values.auth.tls.sslOptionsPassword.enabled }}
  management.ssl.password = {{ template "rabbitmq.tlsSslOptionsPassword" . }}
{{- end }}
```

The configuration in auth.tls.sslOptionsPassword is this:

```yaml
sslOptionsPassword:
  enabled: true
  existingSecret: "{{ .Release.Name }}-rabbitmq-certificates"
  key: keypass
  password: ""
```

The secret yaml looks like this:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  keypass: Vkp6bmpZSWUVK1YUpiM0gzd1Y5NEM=
```

Are you using any custom parameters or values?

No response

What is the expected behavior?

No response

What do you see instead?

So when I have a look at the rabbitmq.conf after helm install, the password is not the expected password. It looks like there is a bug in _helpers.tpl, because it always returns the random password. For the other secrets it works well.

Additional information

No response

aoterolorenzo commented 1 year ago

Hi @HubertPe ,

Could you provide the result manifest for the StatefulSet and Secret?

HubertPe commented 1 year ago

Hi @aoterolorenzo

This is the Statefulset after a helm install:

  apiVersion: apps/v1
  kind: StatefulSet
  metadata:
    annotations:
      meta.helm.sh/release-name: xxxx
      meta.helm.sh/release-namespace: xxxx-voting-system
    creationTimestamp: "2023-04-18T07:29:12Z"
    generation: 1
    labels:
      app.kubernetes.io/instance: xxxx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: messagebroker
      helm.sh/chart: rabbitmq-11.12.0
    name: xxxx-messagebroker
    namespace: xxxx-voting-system
    resourceVersion: "143290256"
    uid: cf9b379f-124e-451c-aa2b-86851dc5e
  spec:
    podManagementPolicy: OrderedReady
    replicas: 3
    revisionHistoryLimit: 10
    selector:
      matchLabels:
        app.kubernetes.io/instance: xxxx
        app.kubernetes.io/name: messagebroker
    serviceName: xxxx-messagebroker-headless
    template:
      metadata:
        annotations:
          checksum/config: 1570af64be8b0a4d8a78a3e64ab8fd8de6379b10ce4a7c2bd53681f33e99c3a1
          checksum/secret: fcdb81f555a55cf93f35a14e2b86941591ac9fae3d6ff76838dff59b4e0bf697
          prometheus.io/port: "9419"
          prometheus.io/scrape: "true"
        creationTimestamp: null
        labels:
          app.kubernetes.io/instance: xxxx
          app.kubernetes.io/managed-by: Helm
          app.kubernetes.io/name: messagebroker
          helm.sh/chart: rabbitmq-11.12.0
      spec:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - podAffinityTerm:
                  labelSelector:
                    matchLabels:
                      app.kubernetes.io/instance: xxxx
                      app.kubernetes.io/name: messagebroker
                  topologyKey: kubernetes.io/hostname
                weight: 1
        containers:
          - env:
              - name: BITNAMI_DEBUG
                value: "false"
              - name: MY_POD_IP
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: status.podIP
              - name: MY_POD_NAME
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.name
              - name: MY_POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
              - name: K8S_SERVICE_NAME
                value: xxxx-messagebroker-headless
              - name: K8S_ADDRESS_TYPE
                value: hostname
              - name: RABBITMQ_FEATURE_FLAGS
              - name: RABBITMQ_FORCE_BOOT
                value: "yes"
              - name: RABBITMQ_NODE_NAME
                value: rabbit@$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local
              - name: K8S_HOSTNAME_SUFFIX
                value: .$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local
              - name: RABBITMQ_MNESIA_DIR
                value: /bitnami/rabbitmq/mnesia/$(RABBITMQ_NODE_NAME)
              - name: RABBITMQ_LDAP_ENABLE
                value: "no"
              - name: RABBITMQ_LOGS
                value: '-'
              - name: RABBITMQ_ULIMIT_NOFILES
                value: "65536"
              - name: RABBITMQ_USE_LONGNAME
                value: "true"
              - name: RABBITMQ_ERL_COOKIE
                valueFrom:
                  secretKeyRef:
                    key: rabbitmq-erlang-cookie
                    name: xxxx-rabbitmq-certificates
              - name: RABBITMQ_LOAD_DEFINITIONS
                value: "yes"
              - name: RABBITMQ_DEFINITIONS_FILE
                value: /app/messagebroker-load_definition.json
              - name: RABBITMQ_SECURE_PASSWORD
                value: "no"
              - name: RABBITMQ_USERNAME
                value: user
              - name: RABBITMQ_PASSWORD
                valueFrom:
                  secretKeyRef:
                    key: rabbitmq-password
                    name: xxxx-messagebroker
              - name: RABBITMQ_PLUGINS
                value: rabbitmq_management, rabbitmq_management_agent, rabbitmq_peer_discovery_k8s,
                  rabbitmq_federation, rabbitmq_federation_management, rabbitmq_prometheus
              - name: RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS
                value: +stbt nnts +sbwt none +sbwtdcpu none +sbwtdio none
            image: docker.io/bitnami/rabbitmq:3.11.11-debian-11-r0
            imagePullPolicy: IfNotPresent
            lifecycle:
              preStop:
                exec:
                  command:
                    - /bin/bash
                    - -ec
                    - |
                      if [[ -f /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh ]]; then
                          /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh -t "120" -d "false"
                      else
                          rabbitmqctl stop_app
                      fi
            livenessProbe:
              exec:
                command:
                  - /bin/bash
                  - -ec
                  - rabbitmq-diagnostics -q ping
              failureThreshold: 4
              initialDelaySeconds: 60
              periodSeconds: 20
              successThreshold: 1
              timeoutSeconds: 10
            name: rabbitmq
            ports:
              - containerPort: 5672
                name: amqp
                protocol: TCP
              - containerPort: 25672
                name: dist
                protocol: TCP
              - containerPort: 15672
                name: stats
                protocol: TCP
              - containerPort: 4369
                name: epmd
                protocol: TCP
              - containerPort: 9419
                name: metrics
                protocol: TCP
              - containerPort: 5671
                name: amqp-ssl
                protocol: TCP
            readinessProbe:
              exec:
                command:
                  - /bin/bash
                  - -ec
                  - rabbitmq-diagnostics -q check_running && rabbitmq-diagnostics -q check_local_alarms
              failureThreshold: 3
              initialDelaySeconds: 30
              periodSeconds: 15
              successThreshold: 1
              timeoutSeconds: 10
            resources:
              limits:
                memory: 6Gi
            securityContext:
              runAsNonRoot: true
              runAsUser: 1001
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
            volumeMounts:
              - mountPath: /bitnami/rabbitmq/conf
                name: configuration
              - mountPath: /bitnami/rabbitmq/mnesia
                name: data
              - mountPath: /opt/bitnami/rabbitmq/certs
                name: certs
              - mountPath: /app
                name: load-definition-volume
                readOnly: true
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext:
          fsGroup: 1001
        serviceAccount: xxxx-messagebroker
        serviceAccountName: xxxx-messagebroker
        terminationGracePeriodSeconds: 120
        volumes:
          - name: certs
            projected:
              defaultMode: 420
              sources:
                - secret:
                    items:
                      - key: ca.crt
                        path: ca_certificate.pem
                      - key: tls.crt
                        path: server_certificate.pem
                      - key: tls.key
                        path: server_key.pem
                    name: xxxx-rabbitmq-certificates
          - name: configuration
            projected:
              defaultMode: 420
              sources:
                - secret:
                    name: xxxx-messagebroker-config
          - name: load-definition-volume
            secret:
              defaultMode: 420
              secretName: xxxx-rabbitmq-definitions
    updateStrategy:
      type: RollingUpdate
    volumeClaimTemplates:
      - apiVersion: v1
        kind: PersistentVolumeClaim
        metadata:
          creationTimestamp: null
          labels:
            app.kubernetes.io/instance: xxxx
            app.kubernetes.io/name: messagebroker
          name: data
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 20Gi
          storageClassName: longhorn
          volumeMode: Filesystem
        status:
          phase: Pending
  status:
    collisionCount: 0
    currentReplicas: 1
    currentRevision: xxxx-messagebroker-775fff7cc7
    observedGeneration: 1
    replicas: 1
    updateRevision: xxxx-messagebroker-775fff7cc7
    updatedReplicas: 1

**And the Secret:**

  apiVersion: v1
  data:
    ca.crt:
    keypass: VGhpc0lzTXlTZWNyZXQ=
    rabbitmq-erlang-cookie:
    tls.crt:
    tls.key:
  kind: Secret
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"v1","data":{"ca.crt":"","tls.crt":"","tls.key":"","keypass":"VGhpc0lzTXlTZWNyZXQ="},"kind":"Secret","metadata":{"annotations":{},"name":"ittest-rabbitmq-certificates","namespace":"ittest-voting-system"},"type":"Opaque"}
    creationTimestamp: "2023-04-18T08:23:10Z"
    managedFields:
      - apiVersion: v1
        fieldsType: FieldsV1
        fieldsV1:
          f:data:
            .: {}
            f:ca.crt: {}
            f:keypass: {}
            f:rabbitmq-erlang-cookie: {}
            f:tls.crt: {}
            f:tls.key: {}
          f:metadata:
            f:annotations:
              .: {}
              f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:type: {}
        manager: agent
        operation: Update
        time: "2023-04-18T08:23:10Z"
    name: xxxx-rabbitmq-certificates
    namespace: xxxx-voting-system
    resourceVersion: "143305559"
    uid: 5bf5bcd1-32d9-40e5-a215-89d4a9c7b354
  type: Opaque

aoterolorenzo commented 1 year ago

For what I see:

> The configuration in auth.tls.sslOptionsPassword is this:
>
> ```yaml
> sslOptionsPassword:
>   enabled: true
>   existingSecret: "{{ .Release.Name }}-rabbitmq-certificates"
>   key: keypass
>   password: ""
> ```
>
> The secret yaml looks like this:
>
> ```yaml
> apiVersion: v1
> kind: Secret
> metadata:
>   name: test-secret
> data:
>   keypass: Vkp6bmpZSWUVK1YUpiM0gzd1Y5NEM=
> ```

The configuration should match your secret, I mean, it should point to your secret (it's pointing at "{{ .Release.Name }}-rabbitmq-certificates"). How about trying:

```yaml
sslOptionsPassword:
  enabled: true
  existingSecret: "test-secret"
  key: keypass
  password: ""
```

HubertPe commented 1 year ago

Oh sorry, my mistake in the first post; please have a look at the second one, where the names are the same ("{{ .Release.Name }}-rabbitmq-certificates"). What I sent you was a test with a different secret and name, but I get the same result.

In the Helm documentation I found an example using the same line of code that _helpers.tpl contains ( {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} ). The difference there, however, was that .items was accessed instead of .data directly:

```gotemplate
{{- $obj := (lookup "v1" "Secret" .Namespace .Name).items -}}
```

aoterolorenzo commented 1 year ago

Hi @HubertPe,

Sorry for the delay, I completely missed this case.

> In the Helm documentation I found an example using the same line of code that _helpers.tpl contains ( {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} ). The difference there, however, was that .items was accessed instead of .data directly:
>
> ```gotemplate
> {{- $obj := (lookup "v1" "Secret" .Namespace .Name).items -}}
> ```

I'm afraid I don't follow you here. Could you explain a little further?

HubertPe commented 1 year ago

Hi @aoterolorenzo

No problem.

What I mean is that the function does not work properly. It doesn't matter how I configure the secret, the call never finds it. The $obj is always empty. So I took a look at the Helm documentation and the example there is different from the one in the functions. They work with the .items property and not the .data property.

Please see here: https://helm.sh/docs/chart_template_guide/functions_and_pipelines/#using-the-lookup-function
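With a name argument, Helm's `lookup` returns the single object (so `.data` is the right field; `.items` applies only to the list returned for an empty name), and it returns an empty map when rendering offline (`helm template`, client-side `--dry-run`) or when the Secret does not exist yet, which is exactly the case in which a helper silently falls back to a random password. The helper below is an added example, not the chart's own `_helpers.tpl`, that fails the render in that case instead. It assumes the `auth.tls.sslOptionsPassword` values shown in this issue and that `existingSecret` may contain template markup resolved with `tpl`.

```gotemplate
{{/*
Added example helper (not the bitnami/rabbitmq chart's own code).
Assumes .Values.auth.tls.sslOptionsPassword has the keys used in this issue:
enabled, existingSecret, key, password.
*/}}
{{- define "example.tlsSslOptionsPassword" -}}
{{- $cfg := .Values.auth.tls.sslOptionsPassword -}}
{{- if $cfg.password -}}
  {{- /* An inline password wins when set. */ -}}
  {{- $cfg.password -}}
{{- else if $cfg.existingSecret -}}
  {{- /* Resolve markup such as "{{ .Release.Name }}-rabbitmq-certificates" (assumption: tpl is applied). */ -}}
  {{- $name := tpl $cfg.existingSecret . -}}
  {{- /* A name argument makes lookup return one object (.data); an empty name returns a list (.items). */ -}}
  {{- $secret := lookup "v1" "Secret" .Release.Namespace $name -}}
  {{- if not $secret -}}
    {{- /* Empty on helm template / client-side dry-run, or when the Secret is missing: fail closed. */ -}}
    {{- fail (printf "Secret %s/%s not found (lookup returns nothing offline; create it before install)" .Release.Namespace $name) -}}
  {{- end -}}
  {{- $value := index $secret.data $cfg.key -}}
  {{- if not $value -}}
    {{- fail (printf "key %q missing in Secret %s/%s" $cfg.key .Release.Namespace $name) -}}
  {{- end -}}
  {{- /* Secret data is base64; rabbitmq.conf needs the clear-text password. */ -}}
  {{- $value | b64dec -}}
{{- else -}}
  {{- /* Only generate a random password when no secret was asked for. */ -}}
  {{- randAlphaNum 16 -}}
{{- end -}}
{{- end -}}
```

Rendering with `helm install --dry-run=server` (Helm 3.13 or later) performs the lookup against the cluster, so the failure shows up before anything is installed.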

github-actions[bot] commented 1 year ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

aoterolorenzo commented 1 year ago

Hi @HubertPe,

Sorry for the late response, I completely missed this one.

I will take a deeper look during the day and reach you back.

aoterolorenzo commented 1 year ago

Seems indeed a logic error there, but I cannot see it. I will create an internal task for the team to dig around the issue. We will reach you back here as soon as the team backlog allows us to work on it.