AMQ Broker
ENTMQBR-7862

[LTS] Allow using the same secret in multiple spec configurations


Details

    Description

      It is common to use a single certificate for all endpoints exposed by the broker.

      For example, when applying a new Custom Resource that exposes the console over SSL, if you want to use the same certificate for both an acceptor and the console, you currently have to create separate secrets.

      The following configuration fails:

      apiVersion: broker.amq.io/v2alpha3
      kind: ActiveMQArtemis
      metadata:
        name: my-cluster
        application: my-cluster-app
      spec:
        version: 7.7.0
        adminUser: adminuser
        adminPassword: adminpass
        deploymentPlan:
          size: 1
          image: registry.redhat.io/amq7/amq-broker:7.7
          requireLogin: true
          persistenceEnabled: true
          storage:
            size: "1Gi"
          journalType: nio
          messageMigration: true
        console:
          expose: true
          sslEnabled: true
          sslSecret: my-tls-secret
        acceptors:
          - name: amqp-ssl
            protocols: amqp
            port: 5671
            sslEnabled: true
            sslSecret: my-tls-secret
            enabledProtocols: TLSv1,TLSv1.1,TLSv1.2
            needClientAuth: false
            wantClientAuth: false
            expose: true
            anycastPrefix: jms.queue.
            multicastPrefix: /topic/
            connectionsAllowed: 5
        upgrades:
          enabled: false
          minor: false

      Applying the above CR produces the following event:

      Warning   FailedCreate        statefulset/my-cluster-ss                   create Pod my-cluster-ss-0 in StatefulSet my-cluster-ss failed error: Pod "my-cluster-ss-0" is invalid: [spec.volumes[2].name: Duplicate value: "my-tls-secret-volume", spec.containers[0].volumeMounts[2].mountPath: Invalid value: "/etc/my-tls-secret-volume": must be unique]

      The same problem occurs if you use the same certificate secret in more than one acceptor. For example, when configuring one AMQP-SSL acceptor and one CORE-SSL acceptor, you have to set a different secret name in each acceptor configuration; if you don't, the same event shown above is raised.

      With the current operator, if you want to expose the five protocols (core, amqp, openwire, mqtt, stomp) and also the web console, all SSL-enabled with the same certificate, you need to create six secrets that each contain that single certificate.
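      The event above shows why a shared secret fails: the operator names the mounted volume and mount path after the secret, so two endpoints referencing the same secret yield a duplicate volume name in the StatefulSet. The following Python is an added example, not part of this issue or of the AMQ Broker Operator; it walks a CR (embedded inline as a dict built from the YAML above, so no YAML parser is needed) and flags any sslSecret shared by the console and acceptors before the CR is applied, reporting the duplicate volume name and mount path the operator would generate. The naming pattern `<secret>-volume` and `/etc/<secret>-volume` is inferred from the event text and is an assumption. It also produces the workaround the issue describes, renaming each shared reference to a per-endpoint secret so that the conflict disappears (the renamed secrets must of course then be created with the same certificate material).

```python
"""Pre-apply check for an ActiveMQArtemis CR: detect sslSecret values shared
between the console and acceptors (added example; not operator code)."""
import copy
from collections import defaultdict

# Constructed sample: the CR from this issue, reduced to the SSL-relevant keys.
SAMPLE_CR = {
    "apiVersion": "broker.amq.io/v2alpha3",
    "kind": "ActiveMQArtemis",
    "metadata": {"name": "my-cluster"},
    "spec": {
        "console": {"expose": True, "sslEnabled": True,
                    "sslSecret": "my-tls-secret"},
        "acceptors": [
            {"name": "amqp-ssl", "protocols": "amqp", "port": 5671,
             "sslEnabled": True, "sslSecret": "my-tls-secret", "expose": True},
        ],
    },
}


def volume_name(secret: str) -> str:
    # Assumption: inferred from the event text "my-tls-secret-volume".
    return f"{secret}-volume"


def mount_path(secret: str) -> str:
    # Assumption: inferred from the event text "/etc/my-tls-secret-volume".
    return f"/etc/{volume_name(secret)}"


def ssl_secret_users(cr: dict) -> dict:
    """Map each sslSecret name to the SSL-enabled endpoints that reference it."""
    users = defaultdict(list)
    spec = cr.get("spec", {})
    console = spec.get("console", {})
    if console.get("sslEnabled") and console.get("sslSecret"):
        users[console["sslSecret"]].append("console")
    for acc in spec.get("acceptors") or []:
        if acc.get("sslEnabled") and acc.get("sslSecret"):
            users[acc["sslSecret"]].append(f"acceptor/{acc.get('name', '?')}")
    return dict(users)


def find_conflicts(cr: dict) -> list:
    """Return every secret referenced by more than one SSL endpoint, together
    with the duplicate volume name and mount path the StatefulSet would get."""
    return [
        {"secret": secret, "used_by": who,
         "volume": volume_name(secret), "mountPath": mount_path(secret)}
        for secret, who in ssl_secret_users(cr).items()
        if len(who) > 1
    ]


def rename_shared_secrets(cr: dict) -> dict:
    """Workaround from the issue: give each endpoint its own secret name
    (<secret>-console, <secret>-<acceptor name>). Returns a new CR; the
    caller still has to create those secrets with the same certificate."""
    fixed = copy.deepcopy(cr)
    shared = {c["secret"] for c in find_conflicts(cr)}
    spec = fixed["spec"]
    console = spec.get("console", {})
    if console.get("sslSecret") in shared:
        console["sslSecret"] = f"{console['sslSecret']}-console"
    for acc in spec.get("acceptors") or []:
        if acc.get("sslSecret") in shared:
            acc["sslSecret"] = f"{acc['sslSecret']}-{acc['name']}"
    return fixed


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_CR):
        print(f"secret {c['secret']!r} shared by {', '.join(c['used_by'])}: "
              f"duplicate volume {c['volume']!r} at {c['mountPath']!r}")
    fixed_cr = rename_shared_secrets(SAMPLE_CR)
    print("after renaming, conflicts:", find_conflicts(fixed_cr))
```

      Run it against the CR before `kubectl apply`; a non-empty result from `find_conflicts` means the StatefulSet will fail with the `Duplicate value` event quoted above. Only the console and acceptors are inspected, because those are the two places the issue identifies.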

            People

              gaohoward Howard Gao
              ryanezil Rafael Yáñez Illescas
              Tiago Bueno Tiago Bueno
              Votes: 0
              Watchers: 3