Implemented logic for optional postStart script#1439
Implemented logic for optional postStart script#1439groundhog2k wants to merge 2 commits intomasterfrom
Conversation
groundhog2k
changed the title
groundhog2k
changed the title
DiamondJoseph
left a comment
DiamondJoseph
left a comment
There was a problem hiding this comment.
The Secret change is the only one I am blocking on, as we are potentially allowing exposing credentials we should do it in a safer way.
| if [ -f /extrascripts/poststart.sh ]; then | ||
| /extrascripts/poststart.sh & | ||
| else | ||
| echo "PostStart: /extrascripts/poststart.sh not found!" >/proc/1/fd/1 |
There was a problem hiding this comment.
Can we exit with a non-zero code here? We're configured to use a post-start script, which may include authentication/authorization configuration but it is not present, rather than starting insecurely.
There was a problem hiding this comment.
I think for single instance mode that would be no problem, but in case of a real HA cluster it could potentially harm/disturb the cluster because of rebalance or forced reboot, if these options were enabled. My personal focus lays on the HA cluster. So every change I do must be stable for the cluster mode, not only for single instance developer mode. I'm not 100% sure if this is a good idea.
If the code inside the script fails it will be ignored anyway, because it is running in background.
I would like to think another minute about it - the whole feature is experimental. :-)
| ## A name of a K8s configMap containing a script file named `poststart.sh` that will be executed in background at the end of the postStart phase | ||
| postStartScriptConfig: | ||
|
|
There was a problem hiding this comment.
Could we make this a configMap OR secret? Means we can have authentication information mounted slightly more securely.
e.g.
postStartScript:
configMap:
name: RMQPostStart
key: poststart.sh
# or
secret:
name: RMQUserImport
key: poststart.sh
# or maybe even
script: >
sleep 30
rabbitmqctl add_user test test
rabbitmqctl set_permissions test ".*" ".*" ".*"There was a problem hiding this comment.
I would prefer a solution that clearly separates code from sensitive data (logins etc.). The configMap can take the script code logic and extraSecrets: mounted into the container can transport the sensitive data. The script will take the data from mounted secret to process it. A clear separation of concerns.
But I will take the suggested solution of configMap vs. inline script.
2 participants
Closes #1400