enaml-ops / omg-product-bundle

a bundle of supported omg compatible product plugins
Apache License 2.0

[p-rabbitmq] nats password is autogenerated #24

Closed allomov closed 7 years ago

allomov commented 7 years ago

Hey, all.

After I failed to provide a number of parameters through Vault, I got RabbitMQ deployed, but not working properly. I had the following error in broker-route-registrar:

```
{"timestamp":"1485027118.331179857","source":"Route Registrar","message":"Route Registrar.Exiting with error","log_level":3,"data":{"error":"nats:  'Authorization Violation'\r\n","trace":"goroutine 1 [running]:\ngithub.com/cloudfoundry-incubator/route-registrar/Godeps/_workspace/src/github.com/pivotal-golang/lager.(*logger).Fatal(0xc82004e240, 0x7e0d30, 0x12, 0x7f403cb54028, 0xc8200f0290, 0x0, 0x0, 0x0)\n\t/var/vcap/data/compile/route-registrar/route-registrar/src/github.com/cloudfoundry-incubator/route-registrar/Godeps/_workspace/src/github.com/pivotal-golang/lager/logger.go:131 +0xc5\nmain.main()\n\t/var/vcap/data/compile/route-registrar/route-registrar/src/github.com/cloudfoundry-incubator/route-registrar/main.go:85 +0x129b\n"}}
```

The problem was that the CF NATS password (used to connect to the existing CF) was auto-generated by omg-plugin. In my opinion, the omg command should exit with an error status when it can't find the NATS password.

This issue is relevant for other products.

zmb3 commented 7 years ago

The NATS password (and most of the other passwords in the manifest) is only auto-generated if you don't provide it via one of the following:

Generally, when you deploy rabbitmq (or other services) on top of ERT, you pass the same Vault hash(es) you used when deploying ERT; this way omg will be able to look up the values.

For example, if you used --vault-hash-password secret/pcf-np-1-password when deploying ERT, then you include that when you deploy rabbit with --vault-hash secret/pcf-np-1-password.
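The fail-closed behaviour requested in the first comment, as an added example that is not part of the thread and not omg's own code: a credential that must match an existing system (such as the CF NATS password) is never generated, while internal ones still are. The `Secret` type, the `Resolve` function, the key names and the flags-before-Vault lookup order are all assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Secret is one manifest credential (hypothetical type, not omg's own).
// External means it must match an already-deployed system, e.g. CF NATS.
type Secret struct {
	Key      string
	External bool
}

// Resolve takes each value from flags, then from the Vault data (order is an
// assumption). Only internal secrets are generated; missing external ones fail.
func Resolve(specs []Secret, flags, vault map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(specs))
	var missing []string
	for _, s := range specs {
		if v := flags[s.Key]; v != "" {
			out[s.Key] = v
		} else if v := vault[s.Key]; v != "" {
			out[s.Key] = v
		} else if s.External {
			missing = append(missing, s.Key)
		} else {
			buf := make([]byte, 16)
			if _, err := rand.Read(buf); err != nil {
				return nil, err
			}
			out[s.Key] = hex.EncodeToString(buf)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("refusing to autogenerate external credentials: %v", missing)
	}
	return out, nil
}

func main() {
	// Constructed input: key names are made up and no Vault data is supplied.
	specs := []Secret{{"nats-pass", true}, {"rabbit-admin-pass", false}}
	_, err := Resolve(specs, nil, nil)
	fmt.Println("error:", err)
}
```

With a check like this the deploy stops before a manifest is produced, instead of surfacing later as an `Authorization Violation` in a dependent job.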

allomov commented 7 years ago

That's a nice idea, I'm updating the pipeline in order to use --vault-hash (it looks like different products have different values for --vault-hash, for instance --vault-hash-ert).

Still, when I got it running for the first time, I was confused by the fact that it created a NATS password for me. Thank you for the answer.

allomov commented 7 years ago

@zmb3 @sushiandbeer I have several small questions, but they may be very important and hard; these questions are about naming.

  1. First, why do you call the parameter --vault-hash? Because Vault docs call the same things "paths".

  2. Second, you reference your PCF deployments as np-1 or nonprod in your Vault hashes (or "Vault paths"). What is the best way to call a PCF deployment here (since it can also be an open-source CF) - FOUNDATION_NAME, ENVIRONMENT_NAME, RUNTIME_NAME?

zmb3 commented 7 years ago

I don't know where the term hash came from. You're right that path would have been a better choice, but changing it now would cause more harm than good.

As for how you want to name things in Vault, that's totally up to you. Naming things is indeed hard :-)