Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-4268

Allow to use the same secret in multiple spec configurations

XMLWordPrintable

      It's a common case to use only one certificate for all exposed endpoints by the broker.

      For example, when applying a new Custom Resource and exposing the console using SSL, if you want to use the same certificate for both acceptor and the console, you need to create different secrets.

       

      The following configuration fails:

      apiVersion: broker.amq.io/v2alpha3
      kind: ActiveMQArtemis
      metadata:
        name: my-cluster
        application: my-cluster-app
      spec:
        version: 7.7.0
        adminUser: adminuser
        adminPassword: adminpass
        deploymentPlan:
          size: 1
          image: registry.redhat.io/amq7/amq-broker:7.7
          requireLogin: true
          persistenceEnabled: true
          storage:
            size: "1Gi"
          journalType: nio
          messageMigration: true
        console:
          expose: true
          sslEnabled: true
          sslSecret: my-tls-secret
        acceptors:
          - name: amqp-ssl
            protocols: amqp
            port: 5671
            sslEnabled: true
            sslSecret: my-tls-secret
            enabledProtocols: TLSv1,TLSv1.1,TLSv1.2
            needClientAuth: false
            wantClientAuth: false
            expose: true
            anycastPrefix: jms.queue.
            multicastPrefix: /topic/
            connectionsAllowed: 5
        upgrades:
          enabled: false
          minor: false
      
      

      The above CR will throw the event:

      Warning   FailedCreate        statefulset/my-cluster-ss                   create Pod my-cluster-ss-0 in StatefulSet my-cluster-ss failed error: Pod "my-cluster-ss-0" is invalid: [spec.volumes[2].name: Duplicate value: "my-tls-secret-volume", spec.containers[0].volumeMounts[2].mountPath: Invalid value: "/etc/my-tls-secret-volume": must be unique]
      

      The same problem occurs if you are using the same certificate-secret in more than one acceptor. Example: when configuring one AMQP-SSL and one CORE-SSL acceptors, you have to set different secret names in every acceptor configuration. If you don't do it, the same event shown above is raised.

       

      With the current operator, if you want to expose the five protocols (core, amqp, openwire, mqtt, stomp) and also the web-console, everything using SSL with the same certificate, you'll need to create six secrets containing that single certificate.

       

       

        1. broker_cr.yml
          1 kB
        2. operator.log
          72 kB

              gaohoward Howard Gao
              ryanezil Rafael Yáñez Illescas
              Michal Toth Michal Toth
              Votes:
              3 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: