[bitnami/rabbitmq] Don't regenerate self-signed certs on upgrade (#14653)

* [bitnami/rabbitmq] Don't regenerate self-signed certs on upgrade Signed-off-by: Miguel Ruiz <miruiz@vmware.com> * Fix deployment Signed-off-by: Miguel Ruiz <miruiz@vmware.com> --------- Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
2026-03-15 06:47:24 +08:00 · 2023-02-02 16:12:03 +01:00
parent 9cb34348e6
commit 1369f8eca6
4 changed files with 20 additions and 26 deletions
--- a/bitnami/rabbitmq/Chart.yaml
+++ b/bitnami/rabbitmq/Chart.yaml
@@ -23,4 +23,4 @@ name: rabbitmq
 sources:
  - https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq
  - https://www.rabbitmq.com
-version: 11.7.0
+version: 11.7.1
--- a/bitnami/rabbitmq/templates/ingress.yaml
+++ b/bitnami/rabbitmq/templates/ingress.yaml
@@ -51,11 +51,7 @@ spec:
    {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }}
    - hosts:
        - {{ .Values.ingress.hostname | quote }}
-      {{- if .Values.ingress.existingSecret }}
-      secretName: {{ .Values.ingress.existingSecret }}
-      {{- else }}
-      secretName: {{ printf "%s-tls" .Values.ingress.hostname | trunc 63 | trimSuffix "-" }}
-      {{- end }}
+      secretName: {{ default (printf "%s-tls" .Values.ingress.hostname | trunc 63 | trimSuffix "-") .Values.ingress.existingSecret }}
    {{- end }}
    {{- if .Values.ingress.extraTls }}
    {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
--- a/bitnami/rabbitmq/templates/tls-secrets.yaml
+++ b/bitnami/rabbitmq/templates/tls-secrets.yaml
@@ -20,17 +20,14 @@ data:
 ---
 {{- end }}
 {{- end }}
-{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+{{- if and .Values.ingress.tls .Values.ingress.selfSigned (not .Values.ingress.existingSecret) }}
+{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
 {{- $ca := genCA "rabbitmq-ca" 365 }}
 {{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
-  {{- if .Values.ingress.existingSecret }}
-  name: {{ .Values.ingress.existingSecret }}
-  {{- else }}
-  name: {{ printf "%s-tls" .Values.ingress.hostname | trunc 63 | trimSuffix "-" }}
-  {{- end }}
+  name: {{ $secretName }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" . | nindent 4 }}
    {{- if .Values.commonLabels }}
@@ -41,17 +38,18 @@ metadata:
  {{- end }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ $cert.Cert | b64enc | quote }}
-  tls.key: {{ $cert.Key | b64enc | quote }}
-  ca.crt: {{ $ca.Cert | b64enc | quote }}
+  tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+  tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+  ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 {{- end }}
 {{- end }}
 {{- if (include "rabbitmq.createTlsSecret" . ) }}
+{{- $secretName := printf "%s-certs" (include "common.names.fullname" .) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "common.names.fullname" . }}-certs
+  name: {{ $secretName }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" . | nindent 4 }}
    {{- if .Values.commonLabels }}
@@ -62,10 +60,10 @@ metadata:
  {{- end }}
 type: kubernetes.io/tls
 data:
-  {{- if or (not .Values.auth.tls.autoGenerated ) (and .Values.auth.tls.caCertificate .Values.auth.tls.serverCertificate .Values.auth.tls.serverKey) }}
-  ca.crt: {{ required "A valid .Values.auth.tls.caCertificate entry required!" .Values.auth.tls.caCertificate | b64enc | quote }}
-  tls.crt: {{ required "A valid .Values.auth.tls.serverCertificate entry required!" .Values.auth.tls.serverCertificate| b64enc | quote }}
+  {{- if not .Values.auth.tls.autoGenerated }}
+  tls.crt: {{ required "A valid .Values.auth.tls.serverCertificate entry required!" .Values.auth.tls.serverCertificate | b64enc | quote }}
  tls.key: {{ required "A valid .Values.auth.tls.serverKey entry required!" .Values.auth.tls.serverKey | b64enc | quote }}
+  ca.crt: {{ required "A valid .Values.auth.tls.caCertificate entry required!" .Values.auth.tls.caCertificate | b64enc | quote }}
  {{- else }}
  {{- $ca := genCA "rabbitmq-internal-ca" 365 }}
  {{- $fullname := include "common.names.fullname" . }}
@@ -73,9 +71,9 @@ data:
  {{- $clusterDomain := .Values.clusterDomain }}
  {{- $serviceName := include "common.names.fullname" . }}
  {{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) $fullname }}
-  {{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
-  ca.crt: {{ $ca.Cert | b64enc | quote }}
-  tls.crt: {{ $crt.Cert | b64enc | quote }}
-  tls.key: {{ $crt.Key | b64enc | quote }}
+  {{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
+  tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+  tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+  ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
  {{- end }}
 {{- end }}
--- a/bitnami/rabbitmq/values.yaml
+++ b/bitnami/rabbitmq/values.yaml
@@ -175,9 +175,9 @@ auth:
      existingSecret: ""
      key: ""
      password: ""
-    caCertificate: |-
-    serverCertificate: |-
-    serverKey: |-
+    caCertificate: ""
+    serverCertificate: ""
+    serverKey: ""
    existingSecret: ""
    existingSecretFullChain: false
    overrideCaCertificate: ""