WolfiG

Reputation: 1163

ActiveMQ running in Kubernetes minikube: how to configure admin password

I am setting up a minikube which contains an ActiveMQ message queue together with InfluxDB and Grafana.

For Grafana, I was able to set the admin password via the deployment:

  containers:
  - env:
    - name: GF_INSTALL_PLUGINS
      value: grafana-piechart-panel, blackmirror1-singlestat-math-panel
    - name: GF_SECURITY_ADMIN_USER
      value: <grafanaadminusername>
    - name: GF_SECURITY_ADMIN_PASSWORD
      value: <grafanaadminpassword>
    image: grafana/grafana:6.6.0
    name: grafana
    volumeMounts:
    - mountPath: /etc/grafana/provisioning
      name: grafana-volume
      subPath: provisioning/
    - mountPath: /var/lib/grafana/dashboards
      name: grafana-volume
      subPath: dashboards/
    - mountPath: /etc/grafana/grafana.ini
      name: grafana-volume
      subPath: grafana.ini
      readOnly: true
  restartPolicy: Always
  volumes:
  - name: grafana-volume
    hostPath:
      path: /grafana

For influxdb I set the user/passwd via a secret:

apiVersion: v1
kind: Secret
metadata:  
  name: influxdb
  namespace: default
type: Opaque  
stringData:  
  INFLUXDB_CONFIG_PATH: /etc/influxdb/influxdb.conf  
  INFLUXDB_ADMIN_USER: <influxdbadminuser>
  INFLUXDB_ADMIN_PASSWORD: <influxdbbadminpassword>
  INFLUXDB_DB: <mydb>

Currently, my ActiveMQ deployment looks like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: activemq
spec:
  replicas: 1
  selector:
    matchLabels:
      app: activemq
  template:
    metadata:
      labels:
        app: activemq
    spec:
      containers:
      - name: web
        image: rmohr/activemq:5.15.9
        imagePullPolicy: IfNotPresent
        ports:
          - containerPort: 61616
          - containerPort: 8161
        resources:
          limits:
            memory: 512Mi

How do I achieve a similar result (password and admin user via config file) for ActiveMQ? Even better if this is achieved via an encrypted secret, which I didn't manage yet in the case of InfluxDB and Grafana.

Upvotes: 1

Views: 1214

Answers (2)

mario

Reputation: 11098

I would do this the following way:

Here you have nicely described encrypted passwords in ActiveMQ.

First you need to prepare such an encrypted password. ActiveMQ has a built-in utility for that:

As of ActiveMQ 5.4.1 you can encrypt your passwords and safely store them in configuration files. To encrypt the password, you can use the newly added encrypt command like:

$ bin/activemq encrypt --password activemq --input mypassword
...
Encrypted text: eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp

Where the password you want to encrypt is passed with the input argument, while the password argument is a secret used by the encryptor. In a similar fashion you can test-out your passwords like:

$ bin/activemq decrypt  --password activemq --input eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp
...
Decrypted text: mypassword

Note: It is recommended that you use only alphanumeric characters for the password. Special characters, such as $/^&, are not supported.

The next step is to add the password to the appropriate configuration file, $ACTIVEMQ_HOME/conf/credentials-enc.properties by default.

activemq.username=system
activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)
...
jdbc.password=ENC(eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp)

You probably don't even have to rebuild your image so it contains the appropriate configuration file with the encrypted password. You can add it as ConfigMap data to a volume. You can read how to do that here so I'll rather avoid another copy-pasting from documentation. Alternatively you may want to use a secret volume. It's not the most important point here as it is just a way of substituting your original ActiveMQ configuration file in your Pod by your custom configuration file and you probably already know how to do that.

There is one more step on the ActiveMQ side to configure. This config file can also be passed via ConfigMap like in the previous example.

Finally, you need to instruct your property loader to encrypt variables when it loads properties to the memory. Instead of standard property loader we’ll use the special one (see $ACTIVEMQ_HOME/conf/activemq-security.xml) to achieve this.

<bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
  <property name="algorithm" value="PBEWithMD5AndDES" />
  <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" />
</bean>

<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  <property name="config" ref="environmentVariablesConfiguration" />
</bean>

<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
  <constructor-arg ref="configurationEncryptor" />
  <property name="location" value="file:${activemq.base}/conf/credentials-enc.properties"/>
</bean>

This way we instructed our ActiveMQ to load our encryptor password from the ACTIVEMQ_ENCRYPTION_PASSWORD environment variable and then use it to decrypt passwords from credential-enc.properties file.

Now let's take care of the content of the ACTIVEMQ_ENCRYPTION_PASSWORD env var.

We can set such environment variable in our Pod via Secret. First we need to create one. Then we need to use it as environment variable.

I hope it helps.

Upvotes: 2
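
The steps in the answer above, put together as one set of manifests. This is an added example, not part of the original answer: the object names `activemq-encryption` and `activemq-credentials` and the placeholder values are assumptions, the `/opt/activemq/conf` path is taken from the image's `docker run` example quoted on this page, and it assumes the broker configuration that is loaded contains the `propertyConfigurer` bean shown in the answer.

```yaml
# Added example; object names and <placeholders> are assumptions, not from the answer.
apiVersion: v1
kind: Secret
metadata:
  name: activemq-encryption
stringData:
  # The secret that was passed to `bin/activemq encrypt --password ...`
  ACTIVEMQ_ENCRYPTION_PASSWORD: <encryptorsecret>
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: activemq-credentials
data:
  credentials-enc.properties: |
    activemq.username=system
    activemq.password=ENC(<output of bin/activemq encrypt>)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: activemq
spec:
  selector:
    matchLabels:
      app: activemq
  template:
    metadata:
      labels:
        app: activemq
    spec:
      containers:
      - name: web
        image: rmohr/activemq:5.15.9
        env:
        - name: ACTIVEMQ_ENCRYPTION_PASSWORD   # read by EnvironmentStringPBEConfig
          valueFrom:
            secretKeyRef:
              name: activemq-encryption
              key: ACTIVEMQ_ENCRYPTION_PASSWORD
        volumeMounts:
        - name: credentials
          mountPath: /opt/activemq/conf/credentials-enc.properties
          subPath: credentials-enc.properties   # replace one file, keep the rest of conf/
          readOnly: true
      volumes:
      - name: credentials
        configMap:
          name: activemq-credentials
```

A Kubernetes Secret is only base64-encoded in the API, so the protection of `ACTIVEMQ_ENCRYPTION_PASSWORD` comes from RBAC on the Secret and from encryption at rest for etcd. Anyone who can read both the Secret and the ConfigMap can recover the broker password, so restrict read access to the Secret more tightly than to the ConfigMap.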

Benjamin Peter

Reputation: 4038

It seems like this active mq dockerfile does not provide much in this regard. But it notes that you can specify the location of configuration files on the host system. You would have to prepare these files:

By default data and configuration is stored inside the container and will be lost after the container has been shut down and removed. To persist these files you can mount these directories to directories on your host system:

docker run -p 61616:61616 -p 8161:8161 \
           -v /your/persistent/dir/conf:/opt/activemq/conf \
           -v /your/persistent/dir/data:/opt/activemq/data \
           rmohr/activemq

But maybe you can use a different active mq container implementation? This one seems to provide the credentials configuration via environment variables just like you are using for the other containers: https://hub.docker.com/r/webcenter/activemq

Upvotes: 1
