create pw/creds secret manually

tylerstanczak · tylerstanczak · commit 195ab72f4671 · 2024-09-05T02:34:15.000-05:00
diff --git a/charts/ibm-mq/README.md b/charts/ibm-mq/README.md
@@ -109,6 +109,8 @@ Alternatively, each parameter can be specified by using the `--set key=value[,ke
 | `image.tag`                     | Image tag                                                       | `9.4.0.0-r3`                               |
 | `image.pullPolicy`              | Setting that controls when the kubelet attempts to pull the specified image.                                               | `IfNotPresent`                             |
 | `image.pullSecret`              | An optional list of references to secrets in the same namespace to use for pulling any of the images used by this QueueManager. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honoured. For more information, see [here](https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod)   | `nil`                                      |
+| `credentials.enable`            | Enable MQ to utilize credentials from a Secret for the default "app" and "admin" users. MQ no longer sets a default password for these users, so it is highly recommended to set your own by creating a Secret.    | `false`      |
+| `credentials.secretRef`         | Provide the name of a Secret that contains keys "mqAdminPassword" and "mqAppPassword" with passwords as their respective values. This Secret will be mounted into MQ.    | `mq-credentials`      |
 | `metadata.labels`               | The labels field serves as a pass-through for Pod labels. Users can add any label to this field and have it apply to the Pod.                      | `{}`                                       |
 | `metadata.annotations`          | Additional annotations to be added to the Pod annotations. This is required for licensing. Please consult [here](#Supplying-licensing-annotations)                 |`{}`                                      |
 | `persistence.dataPVC.enable`           | By default all data and recovery logs are persisted to a Pod's qmPVC. dataPVC is an optional PersistentVolume which can be enabled using this field. This PersistentVolume is used for MQ persisted data, including configuration, queues and messages. If Multi-instance is enabled this value is set to true.                  | `false`                                     |
@@ -208,6 +210,13 @@ By default, the MQ container output is in a basic human-readable format.  You ca
 
 The MQ image includes the MQ web server.  The web server runs the web console, and the MQ REST APIs.  By default, the MQ server deployed by this chart is accessible via a `ClusterIP` [Service](https://kubernetes.io/docs/concepts/services-networking/service/), which is only accessible from within the Kubernetes cluster.  Optionally an OpenShift Route, Load balancer or Kubernetes NodePort can be configured to connect to the web console from outside of the Kubernetes cluster.
 
+## Setting default passwords
+
+MQ requires a Secret to set passwords for the "admin" and "app" default users. If one would like to set these passwords, create a secret using the below example command.
+```
+kubectl create secret generic mq-credentials --from-literal=mqAdminPassword=YOUR_ADMIN_PASSWORD --from-literal=mqAppPassword=YOUR-APP-PASSWORD
+```
+
 ## Considerations when upgrading the Kubernetes cluster
 
 During a Kubernetes cluster upgrade the worker nodes are made unschedulable, to avoid new pods from being deployed, and drained to move the current workload to other worker nodes. Once all pods are removed, the worker node can be safely upgraded. Often additional worker nodes are created during the upgrade process to provide capacity for these drained pods. To preserve an applications availability pod disruption budget (PDB) allows you to declare the number of pods that should be available. This acts as a break in the upgrade process assuring a balance between the speed of the upgrade and application availability. The exact semantics of the upgrade process differs from one Kubernetes distribution to another but the high level process remains similar.
diff --git a/charts/ibm-mq/templates/secret-credentials.yaml b/charts/ibm-mq/templates/secret-credentials.yaml
diff --git a/charts/ibm-mq/templates/stateful-set.yaml b/charts/ibm-mq/templates/stateful-set.yaml
@@ -131,7 +131,7 @@ spec:
       volumes:
       {{- else if .Values.security.readOnlyRootFilesystem }}
       volumes:
-      {{- else if .Values.secretCredentials.enable }}
+      {{- else if .Values.credentials.enable }}
       volumes:
       {{- end}}
       {{- if .Values.queueManager.multiinstance.enable }}
@@ -262,11 +262,11 @@ spec:
       - name: tmp-volume
         emptyDir: {}
       {{- end }}
-      {{- if or .Values.secretCredentials.enable }}
+      {{- if .Values.credentials.enable }}
       - name: mq-credentials
         secret:
           defaultMode: 420
-          secretName: {{ include "ibm-mq.fullname" . }}-credentials
+          secretName: {{ .Values.credentials.secretRef }}
       {{- end }}
       terminationGracePeriodSeconds: {{.Values.queueManager.terminationGracePeriodSeconds}}
       containers:
@@ -360,7 +360,7 @@ spec:
           volumeMounts:
           {{- else if .Values.security.readOnlyRootFilesystem }}
           volumeMounts:
-          {{- else if .Values.secretCredentials.enable }}
+          {{- else if .Values.credentials.enable }}
           volumeMounts:
           {{- end}}
           {{- if .Values.queueManager.nativeha.tls }}
@@ -453,7 +453,7 @@ spec:
           - mountPath: "/tmp"
             name: tmp-volume
           {{- end }}
-          {{- if .Values.secretCredentials.enable }}
+          {{- if .Values.credentials.enable }}
           - name: mq-credentials
             mountPath: "/var/run/secrets"
           {{- end }}
diff --git a/charts/ibm-mq/values.yaml b/charts/ibm-mq/values.yaml
@@ -25,14 +25,12 @@ image:
   # pullPolicy is either IfNotPresent or Always (https://kubernetes.io/docs/concepts/containers/images/)
   pullPolicy: IfNotPresent
 
-# User credentials configuration
-secretCredentials:
+# set passwords for users: "admin" and "app"
+credentials:
   # enabled is whether to configure user credentials via secret or not. (in MQ /run/secrets directory)
-  enable: false
-  # set the admin user password
-  admin: ""
-  # set the app user password
-  app: ""
+  enable: true
+  # If enabled, provide the name of the secret that contains your user passwords. See adjacent README.md for instructions on how to create this Secret.
+  secretRef: "mq-credentials"
 
 # metadata allows setting of additional labels and annottations to be added to all resources. Set on helm install using --set metadata.labels.KEY=VALUE,metadata.labels.=VALUE,...
 metadata:
