Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RabbitMQ - default-user-credential-updater using Doppler Secrets #48

Open
sky29 opened this issue Sep 1, 2023 · 3 comments
Open

RabbitMQ - default-user-credential-updater using Doppler Secrets #48

sky29 opened this issue Sep 1, 2023 · 3 comments

Comments

@sky29
Copy link

sky29 commented Sep 1, 2023

Hello,

RabbitMQ has a repository "default-user-credential-updater" which works against Hashicorp Vault: https://github.com/rabbitmq/default-user-credential-updater

Is there any way we can achieve the same through Dopppler ?

I created an enhancement ticket (or query) on their repository, which describes the problem in detail: rabbitmq/default-user-credential-updater#66

Let me know, If anyone has any suggestion.

@nmanoogian
Copy link
Member

Hi @sky29, thanks for writing in!

Could you share a bit more about what you're trying to achieve with Doppler and RabbitMQ?

@sky29
Copy link
Author

sky29 commented Sep 2, 2023

@nmanoogian

I want to change RabbitMQ default User's password, when I change it in Doppler.

Step by Step Process/Scenario:

  • I use Doppler to hold secrets (rabbitmq: default_user and default_password)

  • I am having my own helm chart to deploy rabbitmq in HA mode (with external pvc mounted at: /var/lib/rabbitmq/mnesia : to keep data safe while pod restart). IT is DIY kind of helm chart: https://github.com/rabbitmq/diy-kubernetes-examples

  • I have configmap that disables guest user (loopback_users.guest = false). I am injecting secrets in rabbitmq statefulset as environment variable (default_user, default_pass) ..... this all are working fine and I am able to login to rabbitmq management UI using doppler secrets.

  • Now I change the password in Doppler, which reloads rabbitmq deployment, but it doesn't change the password in rabbitmq database. It might be because I am using external PVC, which keeps old passwords. I didn't find any way to implement this step.

This issue is more on RabbitMQ side then Doppler.
They seems to have a solution for this using Hashicorp Vault: https://github.com/rabbitmq/default-user-credential-updater
but I don't think, it will work with other secret managers like doppler.

@nmanoogian
Copy link
Member

Ah, I see! Thanks for walking me through that. Doppler doesn't support this kind of thing out-of-the-box today but there's almost certainly a way to make it work.

I haven't checked out this sidecar before but it looks like it's watching /etc/rabbitmq/conf.d/11-default_user.conf for changes. If that's the case, you might be able to mount that file using volumeMounts or write your own service which copies the username/password from Doppler into that volume.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

2 participants