
[bitnami/rabbitmq].tlsSslOptionsPassword #16042

Open
HubertPe opened this issue Apr 13, 2023 · 9 comments
Labels
on-hold Issues or Pull Requests with this label will never be considered stale rabbitmq tech-issues The user has a technical issue about an application

Comments

@HubertPe

HubertPe commented Apr 13, 2023

Name and Version

bitnami/rabbitmq

What architecture are you using?

None

What steps will reproduce the bug?

I try to read a secret value from Kubernetes as an SSL password. I make the following call in the values.yaml file:

{{- if .Values.auth.tls.sslOptionsPassword.enabled }}
  management.ssl.password = {{ template "rabbitmq.tlsSslOptionsPassword" . }}
{{- end }}

The configuration in auth.tls.sslOptionsPassword is this:

sslOptionsPassword:
  enabled: true
  existingSecret: "{{ .Release.Name }}-rabbitmq-certificates"
  key: keypass
  password: ""

The secret yaml looks like this:

apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  keypass: Vkp6bmpZSWUVK1YUpiM0gzd1Y5NEM=

Are you using any custom parameters or values?

No response

What is the expected behavior?

No response

What do you see instead?

So when I have a look at the rabbitmq.conf after helm install, the password is not the expected password. It looks like there is a bug in _helpers.tpl, because it always returns the random password. For the other secrets it works well.

Additional information

No response

@HubertPe HubertPe added the tech-issues The user has a technical issue about an application label Apr 13, 2023
@github-actions github-actions bot added the triage Triage is needed label Apr 13, 2023
@javsalgar javsalgar changed the title rabbitmq.tlsSslOptionsPassword Apr 13, 2023
@github-actions github-actions bot added in-progress and removed triage Triage is needed labels Apr 13, 2023
@aoterolorenzo
Contributor

Hi @HubertPe ,

Could you provide the result manifest for the StatefulSet and Secret?

@HubertPe
Author

HubertPe commented Apr 18, 2023

Hi @aoterolorenzo

This is the StatefulSet after a helm install:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    meta.helm.sh/release-name: xxxx
    meta.helm.sh/release-namespace: xxxx-voting-system
  creationTimestamp: "2023-04-18T07:29:12Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: xxxx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: messagebroker
    helm.sh/chart: rabbitmq-11.12.0
  name: xxxx-messagebroker
  namespace: xxxx-voting-system
  resourceVersion: "143290256"
  uid: cf9b379f-124e-451c-aa2b-86851dc5e
spec:
  podManagementPolicy: OrderedReady
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: xxxx
      app.kubernetes.io/name: messagebroker
  serviceName: xxxx-messagebroker-headless
  template:
    metadata:
      annotations:
        checksum/config: 1570af64be8b0a4d8a78a3e64ab8fd8de6379b10ce4a7c2bd53681f33e99c3a1
        checksum/secret: fcdb81f555a55cf93f35a14e2b86941591ac9fae3d6ff76838dff59b4e0bf697
        prometheus.io/port: "9419"
        prometheus.io/scrape: "true"
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: xxxx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: messagebroker
        helm.sh/chart: rabbitmq-11.12.0
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/instance: xxxx
                    app.kubernetes.io/name: messagebroker
                topologyKey: kubernetes.io/hostname
              weight: 1
      containers:
        - env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: K8S_SERVICE_NAME
              value: xxxx-messagebroker-headless
            - name: K8S_ADDRESS_TYPE
              value: hostname
            - name: RABBITMQ_FEATURE_FLAGS
            - name: RABBITMQ_FORCE_BOOT
              value: "yes"
            - name: RABBITMQ_NODE_NAME
              value: rabbit@$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local
            - name: K8S_HOSTNAME_SUFFIX
              value: .$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.cluster.local
            - name: RABBITMQ_MNESIA_DIR
              value: /bitnami/rabbitmq/mnesia/$(RABBITMQ_NODE_NAME)
            - name: RABBITMQ_LDAP_ENABLE
              value: "no"
            - name: RABBITMQ_LOGS
              value: '-'
            - name: RABBITMQ_ULIMIT_NOFILES
              value: "65536"
            - name: RABBITMQ_USE_LONGNAME
              value: "true"
            - name: RABBITMQ_ERL_COOKIE
              valueFrom:
                secretKeyRef:
                  key: rabbitmq-erlang-cookie
                  name: xxxx-rabbitmq-certificates
            - name: RABBITMQ_LOAD_DEFINITIONS
              value: "yes"
            - name: RABBITMQ_DEFINITIONS_FILE
              value: /app/messagebroker-load_definition.json
            - name: RABBITMQ_SECURE_PASSWORD
              value: "no"
            - name: RABBITMQ_USERNAME
              value: user
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: rabbitmq-password
                  name: xxxx-messagebroker
            - name: RABBITMQ_PLUGINS
              value: rabbitmq_management, rabbitmq_management_agent, rabbitmq_peer_discovery_k8s,
                rabbitmq_federation, rabbitmq_federation_management, rabbitmq_prometheus
            - name: RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS
              value: +stbt nnts +sbwt none +sbwtdcpu none +sbwtdio none
          image: docker.io/bitnami/rabbitmq:3.11.11-debian-11-r0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/bash
                  - -ec
                  - |
                    if [[ -f /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh ]]; then
                        /opt/bitnami/scripts/rabbitmq/nodeshutdown.sh -t "120" -d "false"
                    else
                        rabbitmqctl stop_app
                    fi
          livenessProbe:
            exec:
              command:
                - /bin/bash
                - -ec
                - rabbitmq-diagnostics -q ping
            failureThreshold: 4
            initialDelaySeconds: 60
            periodSeconds: 20
            successThreshold: 1
            timeoutSeconds: 10
          name: rabbitmq
          ports:
            - containerPort: 5672
              name: amqp
              protocol: TCP
            - containerPort: 25672
              name: dist
              protocol: TCP
            - containerPort: 15672
              name: stats
              protocol: TCP
            - containerPort: 4369
              name: epmd
              protocol: TCP
            - containerPort: 9419
              name: metrics
              protocol: TCP
            - containerPort: 5671
              name: amqp-ssl
              protocol: TCP
          readinessProbe:
            exec:
              command:
                - /bin/bash
                - -ec
                - rabbitmq-diagnostics -q check_running && rabbitmq-diagnostics -q check_local_alarms
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 15
            successThreshold: 1
            timeoutSeconds: 10
          resources:
            limits:
              memory: 6Gi
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /bitnami/rabbitmq/conf
              name: configuration
            - mountPath: /bitnami/rabbitmq/mnesia
              name: data
            - mountPath: /opt/bitnami/rabbitmq/certs
              name: certs
            - mountPath: /app
              name: load-definition-volume
              readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1001
      serviceAccount: xxxx-messagebroker
      serviceAccountName: xxxx-messagebroker
      terminationGracePeriodSeconds: 120
      volumes:
        - name: certs
          projected:
            defaultMode: 420
            sources:
              - secret:
                  items:
                    - key: ca.crt
                      path: ca_certificate.pem
                    - key: tls.crt
                      path: server_certificate.pem
                    - key: tls.key
                      path: server_key.pem
                  name: xxxx-rabbitmq-certificates
        - name: configuration
          projected:
            defaultMode: 420
            sources:
              - secret:
                  name: xxxx-messagebroker-config
        - name: load-definition-volume
          secret:
            defaultMode: 420
            secretName: xxxx-rabbitmq-definitions
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        creationTimestamp: null
        labels:
          app.kubernetes.io/instance: xxxx
          app.kubernetes.io/name: messagebroker
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 20Gi
        storageClassName: longhorn
        volumeMode: Filesystem
      status:
        phase: Pending
status:
  collisionCount: 0
  currentReplicas: 1
  currentRevision: xxxx-messagebroker-775fff7cc7
  observedGeneration: 1
  replicas: 1
  updateRevision: xxxx-messagebroker-775fff7cc7
  updatedReplicas: 1

**And the Secret:**

apiVersion: v1
data:
  ca.crt:
  keypass: VGhpc0lzTXlTZWNyZXQ=
  rabbitmq-erlang-cookie:
  tls.crt:
  tls.key:
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"ca.crt":"","tls.crt":"","tls.key":"","keypass":"VGhpc0lzTXlTZWNyZXQ="},"kind":"Secret","metadata":{"annotations":{},"name":"ittest-rabbitmq-certificates","namespace":"ittest-voting-system"},"type":"Opaque"}
  creationTimestamp: "2023-04-18T08:23:10Z"
  managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:keypass: {}
          f:rabbitmq-erlang-cookie: {}
          f:tls.crt: {}
          f:tls.key: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:type: {}
      manager: agent
      operation: Update
      time: "2023-04-18T08:23:10Z"
  name: xxxx-rabbitmq-certificates
  namespace: xxxx-voting-system
  resourceVersion: "143305559"
  uid: 5bf5bcd1-32d9-40e5-a215-89d4a9c7b354
type: Opaque
@aoterolorenzo
Contributor

From what I see:

The configuration in auth.tls.sslOptionsPassword is this:

sslOptionsPassword:
  enabled: true
  existingSecret: "{{ .Release.Name }}-rabbitmq-certificates"
  key: keypass
  password: ""

The secret yaml looks like this:

apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  keypass: Vkp6bmpZSWUVK1YUpiM0gzd1Y5NEM=

The configuration should match your secret, I mean, it should point to your secret (it's pointing to "{{ .Release.Name }}-rabbitmq-certificates"). How about trying:

sslOptionsPassword:
  enabled: true
  existingSecret: "test-secret"
  key: keypass
  password: ""
@HubertPe
Author

HubertPe commented Apr 26, 2023

Oh sorry, my mistake in the first post; please have a look at the second one, there the names are the same ("{{ .Release.Name }}-rabbitmq-certificates"). What I sent you was a test with a different secret and name, but I get the same result.

In the Helm documentation I found an example of using the line of code that the
_helpers.tpl shows ( {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} ).
The difference here, however, was that items were accessed instead of data directly:

{{- $obj := (lookup "v1" "Secret" .Namespace .Name).items -}}

@aoterolorenzo
Contributor

aoterolorenzo commented May 8, 2023

Hi @HubertPe,

Sorry for the delay, I completely missed this case.

In the Helm documentation I found an example of using the line of code that the
_helpers.tpl shows ( {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} ).
The difference here, however, was that items were accessed instead of data directly:

{{- $obj := (lookup "v1" "Secret" .Namespace .Name).items -}}

I'm afraid I don't follow you here. Could you explain a little further?

@HubertPe
Author

Hi @aoterolorenzo

No problem.

What I mean is that the function does not work properly. It doesn't matter how I configure the secret, the call never finds it. The $obj is always empty. So I took a look at the Helm documentation and the example there is different from the one in the functions. They work with the .items property and not the .data property.

Please see here: https://helm.sh/docs/chart_template_guide/functions_and_pipelines/#using-the-lookup-function
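
The two lookup shapes discussed in this thread, as an added example that is not part of the issue and not the Bitnami chart's own code. It re-implements Helm's lookup function on top of Go's text/template (the engine Helm renders with) over a constructed in-memory "cluster", with stand-ins for Sprig's hasKey and b64dec; the namespace, secret name, keypass value and the RANDOM-FALLBACK marker are all made up, and the fallback branch stands where the chart would generate a random password. It shows that a helper reading `.data` of a single Secret returns the decoded value when the name resolves, falls back when the name does not exist, and always falls back under `helm template` or `helm install --dry-run`, because lookup returns an empty map there without querying the cluster; and that `.items` exists only on the list form of lookup (empty name), so swapping `.data` for `.items` on a single-object lookup does not help.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"text/template"
)

// Object is a map-shaped Kubernetes resource, the shape Helm's lookup hands to a
// template (nested map[string]interface{} / []interface{}).
type Object = map[string]interface{}

// fakeCluster stands in for the API server; keys are "namespace/name".
// Constructed sample data: the keypass value is a placeholder, not a real credential.
var fakeCluster = map[string]Object{
	"voting-system/myrelease-rabbitmq-certificates": {
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata":   Object{"name": "myrelease-rabbitmq-certificates", "namespace": "voting-system"},
		"data": Object{
			"keypass": base64.StdEncoding.EncodeToString([]byte("example-keypass")),
		},
	},
}

// makeLookup imitates Helm's lookup as documented at helm.sh (a re-implementation
// for this example, not Helm's code):
//   - non-empty name: the single object, or an empty map when it does not exist
//   - empty name:     a list object whose ".items" holds every match
//   - dry run:        always an empty map, since `helm template` and
//     `helm install --dry-run` never query the cluster
func makeLookup(dryRun bool) func(apiVersion, kind, ns, name string) Object {
	return func(apiVersion, kind, ns, name string) Object {
		if dryRun {
			return Object{}
		}
		if name == "" {
			items := []interface{}{}
			for key, obj := range fakeCluster {
				if strings.HasPrefix(key, ns+"/") && obj["kind"] == kind {
					items = append(items, obj)
				}
			}
			return Object{"apiVersion": apiVersion, "kind": kind + "List", "items": items}
		}
		if obj, ok := fakeCluster[ns+"/"+name]; ok && obj["kind"] == kind {
			return obj
		}
		return Object{}
	}
}

// helperTpl follows the shape of the _helpers.tpl line quoted in the thread: read
// ".data" of one Secret and use the key when present, else fall back.
const helperTpl = `{{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}}
{{- if and $obj (hasKey $obj .Key) -}}
{{ index $obj .Key | b64dec }}
{{- else -}}
{{ .Fallback }}
{{- end -}}`

// listTpl shows where ".items" belongs: only the list form of lookup (empty name) has it.
const listTpl = `{{- range (lookup "v1" "Secret" .Namespace "").items }}{{ .metadata.name }};{{ end -}}`

// render executes tpl with Helm-like settings: missingkey=zero (Helm's default, so a
// missing ".data" yields nil instead of an error) and stand-ins for Sprig's hasKey/b64dec.
func render(tpl string, dryRun bool, vals map[string]string) (string, error) {
	funcs := template.FuncMap{
		"lookup": makeLookup(dryRun),
		"hasKey": func(m interface{}, k string) bool {
			mm, ok := m.(Object)
			if !ok {
				return false // nil or not a map: nothing to look up
			}
			_, ok = mm[k]
			return ok
		},
		"b64dec": func(s string) (string, error) {
			b, err := base64.StdEncoding.DecodeString(s)
			return string(b), err
		},
	}
	t, err := template.New("helper").Funcs(funcs).Option("missingkey=zero").Parse(tpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, vals); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// SslPassword resolves the TLS key passphrase the way the helper would.
func SslPassword(dryRun bool, secretName string) (string, error) {
	return render(helperTpl, dryRun, map[string]string{
		"Namespace": "voting-system", "Name": secretName, "Key": "keypass",
		"Fallback": "RANDOM-FALLBACK",
	})
}

// SecretNames lists Secret names through the list form of lookup.
func SecretNames() (string, error) {
	return render(listTpl, false, map[string]string{"Namespace": "voting-system"})
}

func main() {
	cases := []struct {
		dry  bool
		name string
	}{
		{false, "myrelease-rabbitmq-certificates"}, // secret exists: decoded value
		{false, "test-secret"},                     // name not in the cluster: fallback
		{true, "myrelease-rabbitmq-certificates"},  // helm template / --dry-run: fallback
	}
	for _, c := range cases {
		out, err := SslPassword(c.dry, c.name)
		fmt.Printf("dryRun=%v name=%s -> %q err=%v\n", c.dry, c.name, out, err)
	}
	names, err := SecretNames()
	fmt.Println("list form .items:", names, err)
}
```

Run it with `go run`; the third case prints the fallback even though the secret exists, which is the same symptom as a rendered rabbitmq.conf carrying a random password. Because lookup reads the live cluster with the credentials Helm runs under, the identity performing the install also needs permission to read Secrets in the release namespace, so checking how the release was rendered (dry run or not) and under which identity is a cheap first check before suspecting the helper.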

@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label May 26, 2023
@aoterolorenzo
Contributor

Hi @HubertPe,

Sorry for the late response, I completely missed this one.

I will take a deeper look during the day and reach you back.

@aoterolorenzo
Contributor

Seems indeed a logic error there, but I cannot see it. I will create an internal task for the team to dig around the issue. We will reach you back here as soon as the team backlog allows us to work on it.

@aoterolorenzo aoterolorenzo added the on-hold Issues or Pull Requests with this label will never be considered stale label May 29, 2023
@github-actions github-actions bot removed the stale 15 days without activity label May 30, 2023