Inconsistent MQ tlsSecretName variable logic

[meathead23]

Issue:

When setting variables for MQ as follows:

  mq:
    version: 9.1.3.0
    # Set to True if running MQ in HA mode
    useConnectionNameList: true
    tlsSecretName: 'spm-dev01-mq-secret'

The pods for mqserver-curam and mqserver-rest don't start correctly and throw the following error:

MountVolume.SetUp failed for volume "service-certs" : secret "spm-dev01-spm-dev01-mq-secret" not found

This seems to be caused by inconsistencies between apps/templates/deployment-consumer.yaml, apps/templates/deployment-producer.yaml and mqserver/templates/deployment.yaml

the Apps producer/consumer deployment scripts set the mq-cert secret volume as such:

        {{- if $.Values.global.mq.tlsSecretName }}
        - name: mq-certs
          secret:
            {{- if $.Values.global.mq.useConnectionNameList }}
            secretName: {{ $.Values.global.mq.tlsSecretName }}
            {{- else }}
            secretName: {{ $.Release.Name }}-mq-secret
            {{- end }}
        {{- end}}

Whereas the MQ deployment.yaml sets service-certs as:

        {{- if $.Values.global.mq.tlsSecretName }}
        - name: service-certs
          secret:
            secretName: {{ $.Release.Name }}-{{ $.Values.global.mq.tlsSecretName }}
        {{- end}}

This leads the the namespace, in the this case spm-dev01 been suffixed to service-certs but not to mq-certs

If tlsSecretName is left at the default of mq-secret the opposite occurs and the consumer/producer pods fail to deploy.

Solution:

Changing mqserver/templates/deployment.yaml and mqserver/templates/statefulset.yaml

from:

        {{- if $.Values.global.mq.tlsSecretName }}
        - name: service-certs
          secret:
            secretName: {{ $.Release.Name }}-{{ $.Values.global.mq.tlsSecretName }}
        {{- end}}

to:

        {{- if $.Values.global.mq.tlsSecretName }}
        - name: service-certs
          secret:
            {{- if $.Values.global.mq.useConnectionNameList }}
            secretName: {{ $.Values.global.mq.tlsSecretName }}
            {{- else }}
            secretName: {{ $.Release.Name }}-mq-secret
            {{- end }}
        {{- end}}

Fixes the issue, although i'm a bit unsure on some of the logic here, don't the if statements need to be other other way round e.g

        {{- if $.Values.global.mq.useConnectionNameList }}
        - name: service-certs
          secret:
            {{- if $.Values.global.mq.tlsSecretName }}
            secretName: {{ $.Values.global.mq.tlsSecretName }}
            {{- else }}
            secretName: {{ $.Release.Name }}-mq-secret
            {{- end }}
        {{- end}}

[andreyzher]

Sorry, a couple of issues slipped off the radar.

Whether certificates are used or not was never supposed to be conditional - certificates must always be available, it is a matter of whether they are system-generated, or provided externally, specifically in the case of MQ hosted outside the cluster (on VMs).

We will look at getting the logic cleaned up.