Unable to create AMQ Statefulset when using the same SSL secret on different acceptors #270

Closed
ammachado opened this issue Jul 19, 2022 · 2 comments
@ammachado

Describe the bug
The StatefulSet created by the operator does not run because the operator creates a duplicate volume mounting the acceptors' SSL secret.

To Reproduce
Steps to reproduce the behavior:

  1. Create an ActiveMQArtemis instance with two acceptors with SSL enabled using the same SSL secret

Platform (please complete the following information):

  • OpenShift 4.10
  • Latest operator version

Expected behavior
Expected to have an AMQ instance running

Screenshots
Optional, add screenshots to help explain your problem.

Additional context
Can be duplicated using this manifest:

apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemis
metadata:
  name: amq-demo
  application: amq-demo-app
  namespace: amq-demo
spec:
  acceptors:
    - name: all-61617
      needClientAuth: false
      port: 61617
      protocols: all
      sslEnabled: true
      sslSecret: amq-demo-ssl-secret
      verifyHost: false
      wantClientAuth: false
    - name: amqp-5671
      needClientAuth: false
      port: 5671
      protocols: all
      sslEnabled: true
      sslSecret: amq-demo-ssl-secret
      verifyHost: false
      wantClientAuth: false
  adminPassword: admin
  adminUser: admin
  console:
    expose: true
  deploymentPlan:
    image: placeholder
    size: 2
    requireLogin: false
    persistenceEnabled: false
    journalType: nio
    messageMigration: false
    jolokiaAgentEnabled: false
    managementRBACEnabled: true
@ammachado ammachado added the bug Something isn't working label Jul 19, 2022
@ammachado
Author

Duplicate of #267

@bergner
bergner commented Mar 31, 2023

This was closed as a duplicate but is still an issue as far as I can tell. In OpenShift 4.10 it fails when the same "sslSecret" is referenced by an acceptor and the console. I looked at the latest in the master branch and activemqartemis_reconciler.go is still only appending volume definitions, without anything that looks like duplicate checks.

I ended up doing the following on OpenShift:

  1. Extract the OpenShift router wildcard certificate and key (for the *.apps.domain), also extract the OpenShift CA certificate
  2. Package the OpenShift router certificate and key as a Java keystore
  3. Similarly package the OpenShift CA cert as a Java truststore
  4. Save 2+3 above in two different OpenShift secrets, one for the acceptor and one for the console, and use the key naming conventions used by the Artemis operator (broker.ks + keyStorePassword and client.ts + trustStorePassword)
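
The failure mode discussed in this thread, sketched as an added example (not the operator's code and not part of any comment above): appending one secret volume per SSL-enabled acceptor produces duplicate volume names when a secret is shared, while keying on the secret name yields one volume per secret. The types, the `volumeName` scheme and the function names are assumptions made for illustration; the same check applies to any other component that references the secret, such as the console.

```go
package main

import "fmt"

// Acceptor and Volume are simplified stand-ins (assumptions), not real API types.
type Acceptor struct {
	Name, SSLSecret string
	SSLEnabled      bool
}
type Volume struct{ Name, SecretName string }

// volumeName is a hypothetical naming scheme: one volume name per secret.
func volumeName(secret string) string { return secret + "-volume" }

// buildVolumes returns the secret volumes for the SSL-enabled acceptors.
// dedupe=false appends once per acceptor (the append-only behaviour reported
// in the issue); dedupe=true emits one volume per distinct secret.
func buildVolumes(acceptors []Acceptor, dedupe bool) []Volume {
	seen := map[string]bool{}
	var vols []Volume
	for _, a := range acceptors {
		if !a.SSLEnabled || a.SSLSecret == "" || (dedupe && seen[a.SSLSecret]) {
			continue
		}
		seen[a.SSLSecret] = true
		vols = append(vols, Volume{volumeName(a.SSLSecret), a.SSLSecret})
	}
	return vols
}

// duplicateNames lists volume names used more than once; Kubernetes rejects
// a pod template whose spec.volumes contains such a name.
func duplicateNames(vols []Volume) []string {
	count := map[string]int{}
	var dups []string
	for _, v := range vols {
		count[v.Name]++
		if count[v.Name] == 2 {
			dups = append(dups, v.Name)
		}
	}
	return dups
}

func main() {
	// Constructed input mirroring the two acceptors in the issue's manifest.
	accs := []Acceptor{{"all-61617", "amq-demo-ssl-secret", true}, {"amqp-5671", "amq-demo-ssl-secret", true}}
	fmt.Println(duplicateNames(buildVolumes(accs, false))) // append-only
	fmt.Println(duplicateNames(buildVolumes(accs, true)))  // deduplicated
}
```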
