RabbitMQ - default-user-credential-updater using Doppler Secrets about kubernetes-operator HOT 3 OPEN

Hi @sky29, thanks for writing in!

Could you share a bit more about what you're trying to achieve with Doppler and RabbitMQ?

from kubernetes-operator.

@nmanoogian

I want to change RabbitMQ default User's password, when I change it in Doppler.

Step by Step Process/Scenario:

• I use Doppler to hold secrets (rabbitmq: default_user and default_password)

• I am having my own helm chart to deploy rabbitmq in HA mode (with external pvc mounted at: /var/lib/rabbitmq/mnesia : to keep data safe while pod restart). IT is DIY kind of helm chart: https://github.com/rabbitmq/diy-kubernetes-examples

• I have configmap that disables guest user (loopback_users.guest = false). I am injecting secrets in rabbitmq statefulset as environment variable (default_user, default_pass) ..... this all are working fine and I am able to login to rabbitmq management UI using doppler secrets.

• Now I change the password in Doppler, which reloads rabbitmq deployment, but it doesn't change the password in rabbitmq database. It might be because I am using external PVC, which keeps old passwords. I didn't find any way to implement this step.

This issue is more on RabbitMQ side then Doppler.
They seems to have a solution for this using Hashicorp Vault: https://github.com/rabbitmq/default-user-credential-updater
but I don't think, it will work with other secret managers like doppler.

from kubernetes-operator.

Ah, I see! Thanks for walking me through that. Doppler doesn't support this kind of thing out-of-the-box today but there's almost certainly a way to make it work.

I haven't checked out this sidecar before but it looks like it's watching /etc/rabbitmq/conf.d/11-default_user.conf for changes. If that's the case, you might be able to mount that file using volumeMounts or write your own service which copies the username/password from Doppler into that volume.

from kubernetes-operator.