Update user credentials does not work #571

Closed
anthonyhaussman opened this issue Mar 10, 2023 · 2 comments · Fixed by #589
Labels
bug Something isn't working

Comments

@anthonyhaussman

Describe the bug

Trying to update the credentials of test-user via its secret and updating an annotation on the User object to trigger a Reconcile does not update the password, even if the reconciliation is run by the messaging-topology-operator.

To Reproduce

Steps to reproduce the behavior:
Apply simple user creation:

---
apiVersion: rabbitmq.com/v1beta1
kind: Vhost
metadata:
  name: test-vhost
spec:
  name: test # vhost name
  rabbitmqClusterReference:
    name: rabbitmq-cluster # rabbitmqCluster must exist in the same namespace as this resource
---
apiVersion: v1
kind: Secret
metadata:
  name: test-user-credentials
type: Opaque
stringData:
  username: test-user # Note that Messaging Topology Operator does not watch this secret. Updating this secret object won't update actual user credentials.
  password: verysecurepw # As a workaround, you can add a label or annotation to the User object to trigger a Reconcile loop and credentials will be updated.
---
apiVersion: rabbitmq.com/v1beta1
kind: User
metadata:
  name: test-user
  annotations:
    user-revision: "1"
spec:
  tags:
  - administrator # available tags are 'management', 'policymaker', 'monitoring' and 'administrator'
  rabbitmqClusterReference:
    name: rabbitmq-cluster
  importCredentialsSecret:
    name: test-user-credentials
---
apiVersion: rabbitmq.com/v1beta1
kind: Permission
metadata:
  name: testuser-permission
spec:
  vhost: "test"
  user: "test-user" # name corresponds to the username we provided in "test-user-credentials" secret
  permissions:
    write: ".*"
    configure: ""
    read: ".*"
  rabbitmqClusterReference:
    name: rabbitmq-cluster

Update the secret password and update the annotation in the User object:

---
apiVersion: v1
kind: Secret
metadata:
  name: test-user-credentials
type: Opaque
stringData:
  username: test-user # Note that Messaging Topology Operator does not watch this secret. Updating this secret object won't update actual user credentials.
  password: verysecurepw1 # As a workaround, you can add a label or annotation to the User object to trigger a Reconcile loop and credentials will be updated.
---
apiVersion: rabbitmq.com/v1beta1
kind: User
metadata:
  name: test-user
  annotations:
    user-revision: "2"
spec:
  tags:
  - administrator # available tags are 'management', 'policymaker', 'monitoring' and 'administrator'
  rabbitmqClusterReference:
    name: rabbitmq-cluster
  importCredentialsSecret:
    name: test-user-credentials

Logging in to the management UI panel as test-user accepts only the old password.

Expected behavior
The new, updated password works.

Version and environment information

  • Messaging Topology Operator: 1.10.1
  • RabbitMQ: 3.9.16
  • RabbitMQ Cluster Operator: 2.1.0
  • Kubernetes: 1.24.10
  • Cloud provider or hardware configuration: AWS EKS - c6g.large
@DanielePalaia
Contributor

Hi @anthonyhaussman. Thank you for opening this issue.
I also tried to reproduce it. In fact, when you provide a secret to the user, the operator internally creates a new, different secret. So in your case you provided test-user-credentials, but you will see that another secret is created in the same namespace, test-user-user-credentials, and this is the one really used for credentials.

So to make it work (and it seems to be working) you need to modify this other secret and then add the annotation to the User to trigger a reconciliation.

I understand that it is probably not a very "user-friendly" approach, but indeed it is just a workaround anyway.

@anthonyhaussman
Author

Hi @DanielePalaia,

Indeed, modifying the other secret and putting the annotation on the user resource does the work.
It's not ideal from an application management point of view, but I can live with that for now.

Thanks for sharing and for the information. 🙏
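
The workaround from this thread as a script. This is an added example, not part of the original issue and not the operator project's own code. It assumes the generated secret is named `<User name>-user-credentials` as reported above and stores the password under a `password` key like the imported secret; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: rotate a RabbitMQ user's password through the secret the
# operator actually reads, then trigger a reconcile of the User object.
# Assumption: the generated secret is "<User name>-user-credentials" and
# keeps the password under the "password" key.

# Build a merge patch with the password base64-encoded under .data, so the
# password never needs JSON escaping.
build_password_patch() {
    encoded=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf '{"data":{"password":"%s"}}' "$encoded"
}

# rotate_user_password NAMESPACE USER_RESOURCE_NAME
# Reads the new password from stdin so it does not show up in the process
# list or shell history.
rotate_user_password() {
    ns=$1
    user=$2
    IFS= read -r new_password || true
    [ -n "$new_password" ] || { echo "empty password on stdin" >&2; return 1; }

    # Keep the patch in a private temp file (mode 0600) and pass it by path.
    patch_file=$(umask 077 && mktemp) || return 1
    build_password_patch "$new_password" > "$patch_file"

    # 1. Patch the operator-generated secret, not the imported one.
    rc=0
    kubectl -n "$ns" patch secret "${user}-user-credentials" \
        --type merge --patch-file "$patch_file" || rc=$?
    rm -f "$patch_file"
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. Change an annotation on the User object to force a reconcile.
    kubectl -n "$ns" annotate users.rabbitmq.com "$user" \
        "user-revision=$(date +%s)" --overwrite
}
```

Call it as `rotate_user_password <namespace> test-user` with the new password on stdin. The imported `test-user-credentials` secret is left untouched, so update it separately if it is kept as the source of record.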
