[rabbitmq] Add credential-updater sidecar

- Add [user-credential-updater](https://github.com/sapcc/rabbitmq-user-credential-updater) sidecar container
- Use sidecar container for runtime password updates
- Chart version bumped

Author: s10

Diff for: common/rabbitmq/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 This file is used to list changes made in each version of the common chart rabbitmq.
 
+## 0.16.0
+
+- Add [user-credential-updater](https://github.com/sapcc/rabbitmq-user-credential-updater) sidecar container
+- Use sidecar container for runtime password updates
+- Chart version bumped
+
 ## 0.15.0
 
 - Remove the following helm template helper functions:
@@ -49,6 +55,7 @@ The default is a `ClusterIssuer`, but it can be changed with the respective valu
 It is imporant there, that all names entered are accepted by the certificate-issuer.
 
 ## 0.12.1
+
 - `app` selector label returned, because deployment selector is immutable
 - chart version bumped
 

Diff for: common/rabbitmq/Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v1
 name: rabbitmq
-version: 0.15.0
+version: 0.16.0
 appVersion: 4.0.6
 description: A Helm chart for RabbitMQ
 sources:

Diff for: common/rabbitmq/ci/test-values.yaml

@@ -1,9 +1,12 @@
+---
 # Test values for rabbitmq.
-
 global:
   user_suffix: ""
   master_password: ""
-  dockerHubMirrorAlternateRegion: "other.dockerhub.mirror"
+  registry: my.docker.registry
+  registryAlternateRegion: other.docker.registry
+  dockerHubMirror: my.dockerhub.mirror
+  dockerHubMirrorAlternateRegion: other.dockerhub.mirro
   region: "region"
   tld: "tld"
 

Diff for: common/rabbitmq/templates/_helpers.tpl

@@ -47,6 +47,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+{{- define "dockerRegistry" -}}
+{{- if .Values.use_alternate_registry -}}
+{{- .Values.global.registryAlternateRegion -}}
+{{- else -}}
+{{- .Values.global.registry -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "rabbitmq_maintenance_affinity" }}
           - weight: 1
             preference:

Diff for: common/rabbitmq/templates/deployment.yaml

@@ -25,7 +25,6 @@ spec:
       annotations:
         kubectl.kubernetes.io/default-container: rabbitmq
         checksum/container.init: {{ include (print $.Template.BasePath "/bin-configmap.yaml") . | sha256sum }}
-        checksum/users: {{ include (print $.Template.BasePath "/users-secret.yaml") . | sha256sum }}
 {{- if and (and $.Values.global.linkerd_enabled $.Values.global.linkerd_requested) $.Values.linkerd.enabled }}
         linkerd.io/inject: enabled
         config.linkerd.io/opaque-ports: "{{ default 5672 .Values.ports.public }}"
@@ -136,6 +135,14 @@ spec:
           - mountPath: /etc/rabbitmq/ssl
             name: ssl
         {{- end }}
+      - name: user-credential-updater
+        image: "{{ include "dockerRegistry" . }}/{{ .Values.credentialUpdater.image }}:{{.Values.credentialUpdater.imageTag }}"
+        imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
+        volumeMounts:
+          - mountPath: /etc/rabbitmq/secrets
+            name: rabbitmq-users-config
+          - mountPath: /var/lib/rabbitmq
+            name: rabbitmq-persistent-storage
       priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
       volumes:
         - name: rabbitmq-persistent-storage

Diff for: common/rabbitmq/templates/statefulset.yaml

@@ -23,7 +23,6 @@ spec:
         config.linkerd.io/opaque-ports: "{{ default 5672 .Values.ports.public }}"
 {{- end }}
         checksum/container.init: {{ include (print $.Template.BasePath "/bin-configmap.yaml") . | sha256sum }}
-        checksum/users: {{ include (print $.Template.BasePath "/users-secret.yaml") . | sha256sum }}
 {{- if .Values.customConfig }}
         checksum/custom.conf: {{ include (print .Template.BasePath "/etc/_rabbitmq-custom-config.tpl") . | sha256sum }}
 {{- end }}
@@ -128,6 +127,14 @@ spec:
           - mountPath: /etc/rabbitmq/ssl
             name: ssl
         {{- end }}
+      - name: user-credential-updater
+        image: "{{ include "dockerRegistry" . }}/{{ .Values.credentialUpdater.image }}:{{.Values.credentialUpdater.imageTag }}"
+        imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy | quote }}
+        volumeMounts:
+          - mountPath: /etc/rabbitmq/secrets
+            name: rabbitmq-users-config
+          - mountPath: /var/lib/rabbitmq
+            name: rabbitmq-persistent-storage
       priorityClassName: {{ .Values.priority_class | default "critical-infrastructure" | quote }}
       volumes:
       {{- if not .Values.persistence.enabled }}

Diff for: common/rabbitmq/values.yaml

@@ -123,6 +123,11 @@ customConfig: {}
   # if not set default value of 50MB will be used
   # disk_free_limit.absolute: 500MB
 
+credentialUpdater:
+  enabled: true
+  image: rabbitmq-user-credential-updater
+  imageTag: '20250218131234'
+
 enableSsl: false
 certificate:
   issuerRef: