- Bug
- Resolution: Done
- Critical
- AMQ 7.9.1.GA
It's a common case to use only one certificate for all endpoints exposed by the broker.
For example, when applying a new Custom Resource and exposing the console using SSL, if you want to use the same certificate for both acceptor and the console, you need to create different secrets.
The following configuration fails:
```yaml
apiVersion: broker.amq.io/v2alpha3
kind: ActiveMQArtemis
metadata:
  name: my-cluster
  application: my-cluster-app
spec:
  version: 7.7.0
  adminUser: adminuser
  adminPassword: adminpass
  deploymentPlan:
    size: 1
    image: registry.redhat.io/amq7/amq-broker:7.7
    requireLogin: true
    persistenceEnabled: true
    storage:
      size: "1Gi"
    journalType: nio
    messageMigration: true
  console:
    expose: true
    sslEnabled: true
    # First reference to the secret
    sslSecret: my-tls-secret
  acceptors:
    - name: amqp-ssl
      protocols: amqp
      port: 5671
      sslEnabled: true
      # Second reference to the same secret
      sslSecret: my-tls-secret
      enabledProtocols: TLSv1,TLSv1.1,TLSv1.2
      needClientAuth: false
      wantClientAuth: false
      expose: true
      anycastPrefix: jms.queue.
      multicastPrefix: /topic/
      connectionsAllowed: 5
  upgrades:
    enabled: false
    minor: false
```
The above CR will throw the event:
```
Warning FailedCreate statefulset/my-cluster-ss create Pod my-cluster-ss-0 in StatefulSet my-cluster-ss failed error: Pod "my-cluster-ss-0" is invalid: [spec.volumes[2].name: Duplicate value: "my-tls-secret-volume", spec.containers[0].volumeMounts[2].mountPath: Invalid value: "/etc/my-tls-secret-volume": must be unique]
```
The same problem occurs if you are using the same certificate-secret in more than one acceptor. Example: when configuring one AMQP-SSL and one CORE-SSL acceptor, you have to set different secret names in every acceptor configuration. If you don't do it, the same event shown above is raised.
With the current operator, if you want to expose the five protocols (core, amqp, openwire, mqtt, stomp) and also the web-console, everything using SSL with the same certificate, you'll need to create six secrets containing that single certificate.
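A pre-apply check for the collision described above, as an added example that is not part of the original report or the operator's own code. It assumes the volume is named `<sslSecret>-volume` and mounted at `/etc/<sslSecret>-volume`, as the event shows, and that only SSL-enabled endpoints with an explicit `sslSecret` mount one; the secret names in the workaround spec are hypothetical.

```python
from collections import defaultdict

def ssl_secret_users(spec):
    """Map each sslSecret name to the SSL-enabled endpoints that reference it."""
    users = defaultdict(list)
    console = spec.get("console") or {}
    if console.get("sslEnabled") and console.get("sslSecret"):
        users[console["sslSecret"]].append("console")
    for acc in spec.get("acceptors") or []:
        if acc.get("sslEnabled") and acc.get("sslSecret"):
            users[acc["sslSecret"]].append("acceptor/" + acc.get("name", "?"))
    return dict(users)

def predicted_collisions(spec):
    """Return {volume_name: (mount_path, endpoints)} for secrets referenced twice or more.

    Naming is an assumption taken from the event text: <secret>-volume, /etc/<secret>-volume.
    """
    collisions = {}
    for secret, endpoints in ssl_secret_users(spec).items():
        if len(endpoints) > 1:
            volume = f"{secret}-volume"
            collisions[volume] = (f"/etc/{volume}", endpoints)
    return collisions

# Constructed sample: the SSL-relevant part of the failing CR from the report.
FAILING_SPEC = {
    "console": {"expose": True, "sslEnabled": True, "sslSecret": "my-tls-secret"},
    "acceptors": [
        {"name": "amqp-ssl", "port": 5671, "sslEnabled": True,
         "sslSecret": "my-tls-secret"},
    ],
}

# Constructed sample: the workaround, one secret per endpoint (hypothetical names),
# each holding the same certificate.
WORKAROUND_SPEC = {
    "console": {"expose": True, "sslEnabled": True, "sslSecret": "my-tls-secret-console"},
    "acceptors": [
        {"name": "amqp-ssl", "port": 5671, "sslEnabled": True,
         "sslSecret": "my-tls-secret-amqp"},
    ],
}

if __name__ == "__main__":
    for label, spec in (("failing", FAILING_SPEC), ("workaround", WORKAROUND_SPEC)):
        hits = predicted_collisions(spec)
        print(label, "->", hits if hits else "no duplicate volumes predicted")
```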
- clones: ENTMQBR-4268 Allow to use the same secret in multiple spec configurations (Closed)