Skip to content

Commit

Permalink
Merge pull request #60 from ibm-messaging/Release7.1
Browse files Browse the repository at this point in the history
Updates for trust store and web console
  • Loading branch information
callumpjackson authored Oct 10, 2023
2 parents 024f930 + dfc9037 commit 6e87aa9
Show file tree
Hide file tree
Showing 4 changed files with 57 additions and 9 deletions.
2 changes: 1 addition & 1 deletion charts/ibm-mq/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
apiVersion: v2
name: ibm-mq
description: IBM MQ queue manager
version: 7.0.1
version: 7.1.0
type: application
appVersion: 9.3.3.0
kubeVersion: ">=1.18.0-0"
Expand Down
38 changes: 30 additions & 8 deletions charts/ibm-mq/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -127,11 +127,6 @@ Alternatively, each parameter can be specified by using the `--set key=value[,ke
| `resources.limits.memory` | Kubernetes memory limit for each Pod of the Queue Manager container | `0124Mi` |
| `resources.requests.cpu` | Kubernetes CPU request for each Pod of the Queue Manager container | `100m` |
| `resources.requests.memory` | Kubernetes memory request for each Pod of the Queue Manager container | `512Mi` |
| `security.context.fsGroup` | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. | `nil` |
| `security.context.seccompProfile.type` | Seccomp stands for secure computing mode and when enabled restricts the calls that can be made to the kernel. For more information, see https://kubernetes.io/docs/tutorials/security/seccomp/ | `nil` |
| `security.context.supplementalGroups` | A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. | `nil` |
| `security.initVolumeAsRoot` | This affects the securityContext used by the container which initializes the PersistentVolume. Set this to true if you are using a storage provider which requires you to be the root user to access newly provisioned volumes. Setting this to true affects which Security Context Constraints (SCC) object you can use, and the Queue Manager may fail to start if you are not authorized to use an SCC which allows the root user. Defaults to false. For more information, see https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html. | `false` |
| `security.runAsUser` | Controls which user ID the containers are run with. | `nil` |
| `queueManager.multiinstance.enable` | Whether to run in Multi-instance mode, with two Pods (one active and one passive Pods). | `false` |
| `queueManager.name` | By default the Queue Manager will match the Helm release name. Use this field to change the Queue Manager name, for example if the Helm release name does not conform to the rules for naming a Queue Manager name (for example, a name longer than 48 characters). | Helm release name |
| `queueManager.nativeha.enable` | Whether to run in Native HA mode, with three Pods (one active and two replica Pods). Native HA is available on x86, Linux on IBM Power and Linux on IBM Z. | `false` |
Expand All @@ -144,8 +139,14 @@ Alternatively, each parameter can be specified by using the `--set key=value[,ke
| `queueManager.envVariables` | An array of YAML objects (name / value pairs) that detail the environment variables that should be associated with the Queue Manager container | `[]` |
| `queueManager.terminationGracePeriodSeconds` | Optional duration in seconds the Pod needs to terminate gracefully. Value must be non-negative integer. The value zero indicates delete immediately. The target time in which ending the queue manager is attempted, escalating the phases of application disconnection. Essential queue manager maintenance tasks are interrupted and applications disconnected if necessary. Defaults to 30 seconds. | 30 |
| `queueManager.updateStrategy` | Specify the update strategy for the StatefulSet. In the case of Native HA and Multi-instance this should always be onDelete, and therefore this parameter has no affect. For further details regarding Native HA and Multi-instance update process consult the [Updating Native HA and Multi-instance section](#Updating-the-Chart). In the case of a single instance queue manager the default is RollingUpdate. | `RollingUpdate` - single instance, `onDelete` - Native HA and Multi-instance |
| `web.enable` | Whether or not to enable the web server. Default is empty string, which causes the default behaviour of the container. Set to `true` to enable the web console, and `false` to disable. | ``
| `pki.keys` | An array of YAML objects that detail Kubernetes secrets containing TLS Certificates with private keys. For further details regarding how this is specified consult [Supplying certificates to be used for TLS](#Supplying-certificates-to-be-used-for-TLS) | `[]` |
| `pki.trust` | An array of YAML objects that detail Kubernetes secrets containing TLS Certificates. For further details regarding how this is specified consult [Supplying certificates to be used for TLS](#Supplying-certificates-to-be-used-for-TLS) | `[]` |
| `pki.trust` | An array of YAML objects that detail Kubernetes secrets or configMaps containing TLS Certificates. For further details regarding how this is specified consult [Supplying certificates using secrets to be used for TLS](#Supplying-certificates-to-be-used-for-TLS) and [Supplying certificates using a configMap](#Supplying-certificates-using-a-configMap) | `[]` |
| `security.context.fsGroup` | A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. | `nil` |
| `security.context.seccompProfile.type` | Seccomp stands for secure computing mode and when enabled restricts the calls that can be made to the kernel. For more information, see https://kubernetes.io/docs/tutorials/security/seccomp/ | `nil` |
| `security.context.supplementalGroups` | A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. | `nil` |
| `security.initVolumeAsRoot` | This affects the securityContext used by the container which initializes the PersistentVolume. Set this to true if you are using a storage provider which requires you to be the root user to access newly provisioned volumes. Setting this to true affects which Security Context Constraints (SCC) object you can use, and the Queue Manager may fail to start if you are not authorized to use an SCC which allows the root user. Defaults to false. For more information, see https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html. | `false` |
| `security.runAsUser` | Controls which user ID the containers are run with. | `nil` |
| `livenessProbe.initialDelaySeconds` | Number of seconds after the container has started before the probe is initiated. Defaults to 90 seconds for SingleInstance. Defaults to 0 seconds for a Native HA and Multi-instance deployments. | `90` - single instance, `0` - Native HA and Multi-instance |
| `livenessProbe.periodSeconds` | How often (in seconds) to perform the probe. | 10 |
| `livenessProbe.timeoutSeconds` | Number of seconds after which the probe times out | 5 |
Expand Down Expand Up @@ -222,9 +223,9 @@ The [drainMQContainer](../../samples/genericresources/kubernetesupgrade/drainMQC

## Supplying certificates to be used for TLS

The `pki.trust` and `pki.keys` allow you to supply details of Kubernetes secrets that contain TLS certificates. By doing so the TLS certificates will be imported into the container at runtime and MQ will be configured to use them.
The `pki.trust` and `pki.keys` allow you to supply details of Kubernetes secrets and configMaps that contain TLS certificates. Supplying certificates using configMaps is only permitted for `pki.trust`. By doing so the TLS certificates will be imported into the container at runtime and MQ will be configured to use them.

If you supply invalid configuration then the container will terminate with an appropriate termination message. The next 2 sections will detail the requirements for supplying each type of certificate.
If you supply invalid configuration then the container will terminate with an appropriate termination message. The next 3 sections will detail the requirements for how this is specified.

### Supplying certificates which contain the public and private keys

Expand Down Expand Up @@ -273,6 +274,27 @@ pki:

If you supply multiple YAML objects then all of the certificates specified will be added into the queue manager trust store.

## Supplying certificates using a configMap
When supplying a Kubernetes configMap that contains a certificate file with only the public key you must ensure that the configMap contains files that have the extension `.crt`. For example: `ca.crt`.

The format of the YAML objects for `pki.trust` value is as follows:

```YAML
pki:
trust:
- name: default
configMap:
configMapName: helmsecure
items:
- ca.crt
```

`configMap.configMapName` must match the name of a Kubernetes configMap that contains the TLS certificates you wish to add.

`configMap.items` must list the TLS certificate files contained in `configMap.configMapName` you want to add.

If you supply multiple YAML objects then all of the certificates specified will be added into the queue manager trust store.

## Supplying custom mqsc using a ConfigMap
Configuration of Queue Manager resources can be applied at Queue Manager creation and start time by providing mqsc ConfigMaps.

Expand Down
23 changes: 23 additions & 0 deletions charts/ibm-mq/templates/stateful-set.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,17 @@ spec:
path: {{ . }}
{{- end }}
{{- end }}
{{- if $source.configMap }}
- name: trust{{- $index }}
configMap:
name: {{ $source.configMap.configMapName }}
defaultMode: 420
items:
{{- range $source.configMap.items }}
- key: {{ . }}
path: {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- range $index, $source := .Values.pki.keys }}
{{- if $source.secret }}
Expand Down Expand Up @@ -245,6 +256,18 @@ spec:
- name: MQ_MULTI_INSTANCE
value: "{{ .Values.queueManager.multiinstance.enable | default false }}"
{{- end }}
{{- /*
The following IF statement for the MQ_ENABLE_EMBEDDED_WEB_SERVER may initially look confusing.
Originally the helm chart did not set the environment variable. To protect backwards
compatibility as much as possible we wanted to maintain this behaviour.
The first condition checks it is set to a non-false value, excludes both unset and false.
In our case we want to explicitly set if it is NOT unset, hence the reason for the complex IF
statement.
*/}}
{{- if or .Values.web.enable (eq .Values.web.enable false)}}
- name: MQ_ENABLE_EMBEDDED_WEB_SERVER
value: "{{ .Values.web.enable | default false }}"
{{- end }}
{{- if .Values.queueManager.nativeha.enable }}
- name: MQ_NATIVE_HA_INSTANCE_0_NAME
value: {{ include "ibm-mq.pod0.name" . }}
Expand Down
3 changes: 3 additions & 0 deletions charts/ibm-mq/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -187,3 +187,6 @@ affinity:
matchExpressions: []

tolerations: []

web:
enabled:

0 comments on commit 6e87aa9

Please sign in to comment.