set password default users: admin & app

Author: tylerstanczak

charts/ibm-mq/templates/secret-credentials.yaml

@@ -0,0 +1,29 @@
+# © Copyright IBM Corporation 2022, 2023, 2024
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.secretCredentials.enable }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ include "ibm-mq.fullname" . }}-credentials
+  labels:
+  {{- include "ibm-mq.labels" . | nindent 4 }}
+stringData:
+  {{- if .Values.secretCredentials.admin }}
+  mqAdminPassword: {{ .Values.secretCredentials.admin }}
+  {{- end }}
+  {{- if .Values.secretCredentials.app }}
+  mqAppPassword: {{ .Values.secretCredentials.app }}
+  {{- end}}
+type: Opaque
+{{- end }}

charts/ibm-mq/templates/stateful-set.yaml

@@ -131,6 +131,8 @@ spec:
       volumes:
       {{- else if .Values.security.readOnlyRootFilesystem }}
       volumes:
+      {{- else if .Values.secretCredentials.enable }}
+      volumes:
       {{- end}}
       {{- if .Values.queueManager.multiinstance.enable }}
       - name: {{ $dataVolumeClaimName }}
@@ -260,6 +262,12 @@ spec:
       - name: tmp-volume
         emptyDir: {}
       {{- end }}
+      {{- if or .Values.secretCredentials.enable }}
+      - name: mq-credentials
+        secret:
+          defaultMode: 420
+          secretName: {{ include "ibm-mq.fullname" . }}-credentials
+      {{- end }}
       terminationGracePeriodSeconds: {{.Values.queueManager.terminationGracePeriodSeconds}}
       containers:
         - name: qmgr
@@ -352,6 +360,8 @@ spec:
           volumeMounts:
           {{- else if .Values.security.readOnlyRootFilesystem }}
           volumeMounts:
+          {{- else if .Values.secretCredentials.enable }}
+          volumeMounts:
           {{- end}}
           {{- if .Values.queueManager.nativeha.tls }}
           {{- if .Values.queueManager.nativeha.tls.secretName }}
@@ -443,6 +453,10 @@ spec:
           - mountPath: "/tmp"
             name: tmp-volume
           {{- end }}
+          {{- if .Values.secretCredentials.enable }}
+          - name: mq-credentials
+            mountPath: "/var/run/secrets"
+          {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: {{ .Values.security.readOnlyRootFilesystem }}

charts/ibm-mq/values.yaml

@@ -25,6 +25,15 @@ image:
   # pullPolicy is either IfNotPresent or Always (https://kubernetes.io/docs/concepts/containers/images/)
   pullPolicy: IfNotPresent
 
+# User credentials configuration
+secretCredentials:
+  # enabled is whether to configure user credentials via secret or not. (in MQ /run/secrets directory)
+  enable: false
+  # set the admin user password
+  admin: ""
+  # set the app user password
+  app: ""
+
 # metadata allows setting of additional labels and annottations to be added to all resources. Set on helm install using --set metadata.labels.KEY=VALUE,metadata.labels.=VALUE,...
 metadata:
   labels: {}