emqx/emqx-operator

Replacing default API keys

shailesh-bear opened this issue · 3 comments

Describe the bug

Unable to replace the default API keys. Currently, the operator automatically creates an API key bootstrap file and mounts it to the pods. I am not able to override it.
If I set the EMQX_API_KEY__BOOTSTRAP_FILE env variable, then the pod does not start, as it has already been set by the operator, so there is a duplicate entry and it fails. If I set api_key.bootstrap_file in the config, it has no effect, as the env variable will override this setting.

To Reproduce
Steps to reproduce the behavior:

Create secret

apiVersion: v1
kind: Secret
metadata:
  name: api-keys
type: Opaque
# stringData takes the value as plaintext; data would require base64
stringData:
  bootstrap_api_key: "test:qt4o8U1eD132zq5uKf10r9AaEQGwAgdJ9AjUlT0uHYFNA"

Deploy cluster

apiVersion: apps.emqx.io/v2beta1
kind: EMQX
metadata:
  name: emqx-cluster
spec:
  image: emqx:5.3.0
  config:
    data: |
      api_key.bootstrap_file = "/opt/emqx/etc/bootstrap_api_key"
  coreTemplate:
    spec:
      replicas: 1
      extraVolumes:
        - name: api-keys
          secret:
            secretName: api-keys
      extraVolumeMounts:
        - mountPath: "/opt/emqx/etc/bootstrap_api_key"
          name: api-keys
          subPath: bootstrap_api_key
  dashboardServiceTemplate:
    enabled: true
    spec:
      type: LoadBalancer

Check the API keys in the deployed cluster; they are not the ones from the secret above.

Expected behavior
EMQX should use the API key provided as a secret, and it should allow overriding default API keys.

Anything else we need to know?:

Environment details:

  • Kubernetes version: 1.26.6-gke.1700
  • Cloud-provider/provisioner: Google
  • emqx-operator version: v2beta1
  • Install method: Helm

Rory-Z commented

Hi @shailesh-bear, sorry, you can't replace the default API keys, because the EMQX operator controller needs them to request the EMQX API.
If you want to add your own bootstrap API keys, you can set them in .spec.bootstrapAPIKeys. For now, we only support plaintext, but we will support external secrets soon.
In this discussion: #953 (comment), I propose a plan to support external secrets. If you have any ideas, please let me know.
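
The approach described in the reply above, as an added example that is not part of the original thread or the project's own manifests: extra keys are declared in .spec.bootstrapAPIKeys instead of a mounted bootstrap file. The `key` and `secret` field names are an assumption based on the v2beta1 CRD, and both values are constructed placeholders.

```yaml
apiVersion: apps.emqx.io/v2beta1
kind: EMQX
metadata:
  name: emqx-cluster
spec:
  image: emqx:5.3.0
  # Extra bootstrap keys are added alongside the operator's default key,
  # which the controller keeps for its own requests to the EMQX API.
  # No api_key.bootstrap_file in config and no EMQX_API_KEY__BOOTSTRAP_FILE
  # env entry here: per the issue, the operator already sets that variable.
  bootstrapAPIKeys:
    - key: example-key               # constructed placeholder
      secret: REPLACE_WITH_SECRET    # stored as plaintext in the resource
  coreTemplate:
    spec:
      replicas: 1
  dashboardServiceTemplate:
    enabled: true
    spec:
      type: LoadBalancer
```

Because the secret sits in plaintext in the custom resource, anyone who can read EMQX objects in the namespace can read it, so RBAC on that resource should be scoped accordingly.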

@Rory-Z How are the default API keys generated? If they are not predefined, but rather randomly generated for each deployment, then it is not a security concern and those keys can be kept.