[bitnami/rabbitmq] Set usePasswordFiles=true by default (#32768)

* [bitnami/rabbitmq] Set `usePasswordFiles=true` by default

Signed-off-by: Miguel Ruiz <[email protected]>

* Update CHANGELOG.md

Signed-off-by: Bitnami Bot <[email protected]>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Bot <[email protected]>

* Update CHANGELOG.md

Signed-off-by: Bitnami Bot <[email protected]>

* Fix probes

Signed-off-by: Miguel Ruiz <[email protected]>

* Use ternary

Signed-off-by: Miguel Ruiz <[email protected]>

---------

Signed-off-by: Miguel Ruiz <[email protected]>
Signed-off-by: Bitnami Bot <[email protected]>
Co-authored-by: Bitnami Bot <[email protected]>

Author: migruiz4

bitnami/rabbitmq/CHANGELOG.md

@@ -1,8 +1,12 @@
 # Changelog
 
-## 15.4.2 (2025-04-03)
+## 15.5.0 (2025-04-04)
 
-* [bitnami/rabbitmq] Release 15.4.2 ([#32793](https://github.com/bitnami/charts/pull/32793))
+* [bitnami/rabbitmq] Set `usePasswordFiles=true` by default ([#32768](https://github.com/bitnami/charts/pull/32768))
+
+## <small>15.4.2 (2025-04-03)</small>
+
+* [bitnami/rabbitmq] Release 15.4.2 (#32793) ([b6e252b](https://github.com/bitnami/charts/commit/b6e252bd85d43b7686ff0c9b525b91563e557af8)), closes [#32793](https://github.com/bitnami/charts/issues/32793)
 
 ## <small>15.4.1 (2025-03-28)</small>
 

bitnami/rabbitmq/Chart.yaml

@@ -31,4 +31,4 @@ maintainers:
 name: rabbitmq
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
-version: 15.4.2
+version: 15.5.0

bitnami/rabbitmq/README.md

@@ -413,6 +413,7 @@ Because they expose different sets of data, a valid use case is to scrape metric
 | `commonLabels`                               | Labels to add to all deployed objects                                                                                                                                   | `{}`                                              |
 | `serviceBindings.enabled`                    | Create secret for service binding (Experimental)                                                                                                                        | `false`                                           |
 | `enableServiceLinks`                         | Whether information about services should be injected into pod's environment variable                                                                                   | `true`                                            |
+| `usePasswordFiles`                           | Mount credentials as files instead of using environment variables                                                                                                       | `true`                                            |
 | `diagnosticMode.enabled`                     | Enable diagnostic mode (all probes will be disabled and the command will be overridden)                                                                                 | `false`                                           |
 | `diagnosticMode.command`                     | Command to override all containers in the deployment                                                                                                                    | `["sleep"]`                                       |
 | `diagnosticMode.args`                        | Args to override all containers in the deployment                                                                                                                       | `["infinity"]`                                    |

bitnami/rabbitmq/templates/statefulset.yaml

@@ -250,11 +250,16 @@ spec:
             {{- end }}
             - name: RABBITMQ_USE_LONGNAME
               value: "true"
+            {{- if .Values.usePasswordFiles }}
+            - name: RABBITMQ_ERL_COOKIE_FILE
+              value: {{ printf "/opt/bitnami/rabbitmq/secrets/%s" (include "rabbitmq.secretErlangKey" .) }}
+            {{- else }}
             - name: RABBITMQ_ERL_COOKIE
               valueFrom:
                 secretKeyRef:
                   name: {{ template "rabbitmq.secretErlangName" . }}
                   key: {{ template "rabbitmq.secretErlangKey" . }}
+            {{- end }}
             {{- if and .Values.clustering.rebalance (gt (.Values.replicaCount | int) 1) }}
             - name: RABBITMQ_CLUSTER_REBALANCE
               value: "true"
@@ -267,11 +272,16 @@ spec:
               value: {{ ternary "yes" "no" (or .Values.auth.securePassword (not .Values.auth.password)) | quote }}
             - name: RABBITMQ_USERNAME
               value: {{ .Values.auth.username | quote }}
+            {{- if .Values.usePasswordFiles }}
+            - name: RABBITMQ_PASSWORD_FILE
+              value: {{ printf "/opt/bitnami/rabbitmq/secrets/%s" (include "rabbitmq.secretPasswordKey" .) }}
+            {{- else }}
             - name: RABBITMQ_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ template "rabbitmq.secretPasswordName" . }}
                   key: {{ template "rabbitmq.secretPasswordKey" . }}
+            {{- end }}
             - name: RABBITMQ_PLUGINS
               value: {{ include "rabbitmq.plugins" . | quote }}
             {{- if .Values.communityPlugins }}
@@ -327,12 +337,12 @@ spec:
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
             exec:
               command:
-                - sh
+                - /bin/bash
                 - -ec
                 {{- if or (.Values.loadDefinition.enabled) (not (contains "rabbitmq_management" .Values.plugins )) }}
                 - rabbitmq-diagnostics -q ping
                 {{- else }}
-                - curl -f --user {{ .Values.auth.username }}:$RABBITMQ_PASSWORD 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/virtual-hosts
+                - curl -f --user {{ .Values.auth.username }}:{{ ternary "$(< $RABBITMQ_PASSWORD_FILE)" "$RABBITMQ_PASSWORD"  .Values.usePasswordFiles }} 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/virtual-hosts
                 {{- end }}
           {{- end }}
           {{- if .Values.customReadinessProbe }}
@@ -341,12 +351,12 @@ spec:
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
             exec:
               command:
-                - sh
+                - /bin/bash
                 - -ec
                 {{- if or (.Values.loadDefinition.enabled) (not (contains "rabbitmq_management" .Values.plugins )) }}
                 - rabbitmq-diagnostics -q check_running && rabbitmq-diagnostics -q check_local_alarms
                 {{- else }}
-                - curl -f --user {{ .Values.auth.username }}:$RABBITMQ_PASSWORD 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/local-alarms
+                - curl -f --user {{ .Values.auth.username }}:{{ ternary "$(< $RABBITMQ_PASSWORD_FILE)" "$RABBITMQ_PASSWORD"  .Values.usePasswordFiles }} 127.0.0.1:{{ .Values.containerPorts.manager }}/api/health/checks/local-alarms
                 {{- end }}
           {{- end }}
           {{- if .Values.customStartupProbe }}
@@ -388,6 +398,10 @@ spec:
               {{- if .Values.persistence.subPath }}
               subPath: {{ .Values.persistence.subPath }}
               {{- end }}
+            {{- if  .Values.usePasswordFiles }}
+            - name: rabbitmq-secrets
+              mountPath: /opt/bitnami/rabbitmq/secrets
+            {{- end }}
             {{- if .Values.auth.tls.enabled }}
             - name: certs
               mountPath: /opt/bitnami/rabbitmq/certs
@@ -429,10 +443,10 @@ spec:
               - secret:
                   name: {{ template "rabbitmq.tlsSecretName" . }}
                   items:
-                    {{- if not .Values.auth.tls.overrideCaCertificate }}                  
+                    {{- if not .Values.auth.tls.overrideCaCertificate }}
                     - key: {{ ternary "tls.crt" "ca.crt" .Values.auth.tls.existingSecretFullChain }}
                       path: ca_certificate.pem
-                    {{- end }}                      
+                    {{- end }}
                     - key: tls.crt
                       path: server_certificate.pem
                     - key: tls.key
@@ -456,7 +470,7 @@ spec:
               {{- if or (and (empty .Values.configurationExistingSecret) .Values.configuration) (and (not .Values.advancedConfigurationExistingSecret) .Values.advancedConfiguration) }}
               - secret:
                   name: {{ printf "%s-config" (include "common.names.fullname" .) }}
-              {{- end }}    
+              {{- end }}
               {{- if and .Values.advancedConfigurationExistingSecret (not .Values.advancedConfiguration) }}
               - secret:
                   name: {{ tpl .Values.advancedConfigurationExistingSecret . | quote }}
@@ -465,6 +479,15 @@ spec:
               - secret:
                   name: {{ tpl .Values.configurationExistingSecret . | quote }}
               {{- end }}
+        {{- if .Values.usePasswordFiles }}
+        - name: rabbitmq-secrets
+          projected:
+            sources:
+              - secret:
+                  name: {{ template "rabbitmq.secretPasswordName" . }}
+              - secret:
+                  name: {{ template "rabbitmq.secretErlangName" . }}
+        {{- end }}
         {{- if .Values.loadDefinition.enabled }}
         - name: load-definition-volume
           secret:
@@ -498,7 +521,7 @@ spec:
             {{- with .Values.persistence.existingClaim }}
             claimName: {{ tpl . $ }}
             {{- end }}
-  {{- else }} 
+  {{- else }}
   {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }}
   persistentVolumeClaimRetentionPolicy:
     whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }}

bitnami/rabbitmq/values.yaml

@@ -107,6 +107,9 @@ serviceBindings:
 ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
 ##
 enableServiceLinks: true
+## @param usePasswordFiles Mount credentials as files instead of using environment variables
+##
+usePasswordFiles: true
 ## Enable diagnostic mode in the deployment
 ##
 diagnosticMode: