Commit
Merge pull request #98 from tylerstanczak/main
Set Passwords for Default Users: Admin & App
callumpjackson authored Sep 10, 2024
2 parents 6681a4c + 6e73ee2 commit 8725d66
Showing 6 changed files with 35 additions and 5 deletions.
2 changes: 1 addition & 1 deletion charts/ibm-mq/Chart.yaml
Expand Up @@ -14,7 +14,7 @@
apiVersion: v2
name: ibm-mq
description: IBM MQ queue manager
version: 10.0.0
version: 10.1.0
type: application
appVersion: 9.4.0.0
kubeVersion: ">=1.18.0-0"
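Review bot: The minor bump to `10.1.0` fits an additive, opt-in feature (`credentials.enable` defaults to `false`), but the README in this same change states that MQ no longer sets a default password for the `admin` and `app` users, so anyone upgrading without creating the Secret will find those users unusable; record that behaviour change next to the version bump (release notes or an upgrade note in the README) rather than leaving it to be discovered after a rollout.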
11 changes: 10 additions & 1 deletion charts/ibm-mq/README.md
Expand Up @@ -106,9 +106,11 @@ Alternatively, each parameter can be specified by using the `--set key=value[,ke
| ------------------------------- | --------------------------------------------------------------- | ------------------------------------------ |
| `license` | Set to `accept` to accept the terms of the IBM license | `"not accepted"` |
| `image.repository` | Image full name including repository | `ibmcom/mq` |
| `image.tag` | Image tag | `9.4.0.0-r1` |
| `image.tag` | Image tag | `9.4.0.0-r3` |
| `image.pullPolicy` | Setting that controls when the kubelet attempts to pull the specified image. | `IfNotPresent` |
| `image.pullSecret` | An optional list of references to secrets in the same namespace to use for pulling any of the images used by this QueueManager. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honoured. For more information, see [here](https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod) | `nil` |
| `credentials.enable` | Enable MQ to utilize credentials from a Secret for the default "app" and "admin" users. MQ no longer sets a default password for these users, so it is highly recommended to set your own by creating a Secret. | `false` |
| `credentials.secret` | Provide the name of a Secret that contains keys "mqAdminPassword" and "mqAppPassword" with passwords as their respective values. This Secret will be mounted into MQ. | `mq-credentials` |
| `metadata.labels` | The labels field serves as a pass-through for Pod labels. Users can add any label to this field and have it apply to the Pod. | `{}` |
| `metadata.annotations` | Additional annotations to be added to the Pod annotations. This is required for licensing. Please consult [here](#Supplying-licensing-annotations) |`{}` |
| `persistence.dataPVC.enable` | By default all data and recovery logs are persisted to a Pod's qmPVC. dataPVC is an optional PersistentVolume which can be enabled using this field. This PersistentVolume is used for MQ persisted data, including configuration, queues and messages. If Multi-instance is enabled this value is set to true. | `false` |
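Review bot: The `credentials.enable` row says MQ no longer sets a default password and that setting one is "highly recommended", yet the default stays `false`; either default it to `true` or state plainly in that row what an operator gets with `false` (no password for `admin` and `app`). The `credentials.secret` row should also say that the key names `mqAdminPassword` and `mqAppPassword` must match exactly: a Secret volume exposes each key as a file under the mount path, so the key names are what the container sees. Minor: "utilize" reads better as "use".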
Expand Down Expand Up @@ -208,6 +210,13 @@ By default, the MQ container output is in a basic human-readable format. You ca

The MQ image includes the MQ web server. The web server runs the web console, and the MQ REST APIs. By default, the MQ server deployed by this chart is accessible via a `ClusterIP` [Service](https://kubernetes.io/docs/concepts/services-networking/service/), which is only accessible from within the Kubernetes cluster. Optionally an OpenShift Route, Load balancer or Kubernetes NodePort can be configured to connect to the web console from outside of the Kubernetes cluster.

## Setting default passwords

MQ requires a Secret to set passwords for the "admin" and "app" default users. If one would like to set these passwords, create a secret using the below example command.
```
kubectl create secret generic mq-credentials --from-literal=mqAdminPassword=YOUR_ADMIN_PASSWORD --from-literal=mqAppPassword=YOUR-APP-PASSWORD
```

## Considerations when upgrading the Kubernetes cluster

During a Kubernetes cluster upgrade the worker nodes are made unschedulable, to avoid new pods from being deployed, and drained to move the current workload to other worker nodes. Once all pods are removed, the worker node can be safely upgraded. Often additional worker nodes are created during the upgrade process to provide capacity for these drained pods. To preserve an applications availability pod disruption budget (PDB) allows you to declare the number of pods that should be available. This acts as a break in the upgrade process assuring a balance between the speed of the upgrade and application availability. The exact semantics of the upgrade process differs from one Kubernetes distribution to another but the high level process remains similar.
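Review bot: This section omits the step that actually turns the feature on: creating the Secret does nothing unless the chart is installed with `credentials.enable=true` (the volume and mount in `stateful-set.yaml` are both gated on `.Values.credentials.enable`), and `credentials.secret` must be set if the Secret is not named `mq-credentials`. The two placeholders are also inconsistent (`YOUR_ADMIN_PASSWORD` versus `YOUR-APP-PASSWORD`), and the fence has no language tag. Consider showing `--from-file` rather than `--from-literal`, since literals leave the passwords in shell history and in the process listing while the command runs.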
14 changes: 14 additions & 0 deletions charts/ibm-mq/templates/stateful-set.yaml
Expand Up @@ -131,6 +131,8 @@ spec:
volumes:
{{- else if .Values.security.readOnlyRootFilesystem }}
volumes:
{{- else if .Values.credentials.enable }}
volumes:
{{- end}}
{{- if .Values.queueManager.multiinstance.enable }}
- name: {{ $dataVolumeClaimName }}
Expand Down Expand Up @@ -260,6 +262,12 @@ spec:
- name: tmp-volume
emptyDir: {}
{{- end }}
{{- if .Values.credentials.enable }}
- name: mq-credentials
secret:
defaultMode: 420
secretName: {{ .Values.credentials.secret }}
{{- end }}
terminationGracePeriodSeconds: {{.Values.queueManager.terminationGracePeriodSeconds}}
containers:
- name: qmgr
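Review bot: `defaultMode: 420` is decimal for octal `0644`, which makes the password files readable by every user in the container; only the MQ process needs them, so tighten to `0400` (decimal `256`) or `0440` (decimal `288`) and then check the effective mode in a running Pod, since `fsGroup` handling can widen it. It is also worth documenting that the Pod will not start if `credentials.secret` names a Secret that does not exist, because Secret volumes are required unless `optional: true` is set.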
Expand Down Expand Up @@ -352,6 +360,8 @@ spec:
volumeMounts:
{{- else if .Values.security.readOnlyRootFilesystem }}
volumeMounts:
{{- else if .Values.credentials.enable }}
volumeMounts:
{{- end}}
{{- if .Values.queueManager.nativeha.tls }}
{{- if .Values.queueManager.nativeha.tls.secretName }}
Expand Down Expand Up @@ -443,6 +453,10 @@ spec:
- mountPath: "/tmp"
name: tmp-volume
{{- end }}
{{- if .Values.credentials.enable }}
- name: mq-credentials
mountPath: "/var/run/secrets"
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: {{ .Values.security.readOnlyRootFilesystem }}
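Review bot: The mount should declare `readOnly: true` so the intent is explicit and a later edit cannot come to depend on writing into it. More importantly, `/var/run/secrets` is the parent of `/var/run/secrets/kubernetes.io/serviceaccount`, where the kubelet projects the service-account token; nested mounts are supported, but a volume at that exact path hides anything the image ships under `/var/run/secrets`, and the `values.yaml` comment in this change refers to `/run/secrets` instead. Confirm in a running container that the image resolves `/var/run` to `/run`, that the token directory still appears, and that the MQ password files are where the image expects them.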
9 changes: 8 additions & 1 deletion charts/ibm-mq/values.yaml
Expand Up @@ -19,12 +19,19 @@ image:
# repository is the container repository to use
repository: icr.io/ibm-messaging/mq
# tag is the tag to use for the container repository
tag: 9.4.0.0-r1
tag: 9.4.0.0-r3
# pullSecret is the secret to use when pulling the image from a private registry
pullSecret:
# pullPolicy is either IfNotPresent or Always (https://kubernetes.io/docs/concepts/containers/images/)
pullPolicy: IfNotPresent

# set passwords for users: "admin" and "app"
credentials:
# enabled is whether to configure user credentials via secret or not. (in MQ /run/secrets directory)
enable: false
# If enabled, provide the name of the secret that contains your user passwords. See adjacent README.md for instructions on how to create this Secret.
secret: "mq-credentials"

# metadata allows setting of additional labels and annottations to be added to all resources. Set on helm install using --set metadata.labels.KEY=VALUE,metadata.labels.=VALUE,...
metadata:
labels: {}
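Review bot: The comment above `enable: false` refers to the key as `enabled`, which does not match the key name `enable` used here and in the templates (`.Values.credentials.enable`); fix the comment, otherwise a copy-pasted `--set credentials.enabled=true` is accepted by Helm as an unknown value and silently leaves the feature off. The comment also names the location as `/run/secrets` while the StatefulSet mounts at `/var/run/secrets`; use one path in both places. Pre-existing in the context lines: `annottations` in the `metadata` comment.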
2 changes: 1 addition & 1 deletion samples/OpenShiftIBMPower/deploy/ibmpower.yaml
Expand Up @@ -14,7 +14,7 @@
license: accept
image:
repository: cp.icr.io/cp/ibm-mqadvanced-server
tag: 9.4.0.0-r1-ppc64le
tag: 9.4.0.0-r3-ppc64le
pullSecret: ibm-entitlement-key
queueManager:
mqscConfigMaps:
Expand Up @@ -13,7 +13,7 @@
# limitations under the License.
image:
repository: cp.icr.io/cp/ibm-mqadvanced-server
tag: 9.4.0.0-r1-amd64
tag: 9.4.0.0-r3-amd64
pullSecret: ibm-entitlement-key
license: accept
queueManager:

0 comments on commit 8725d66
