chore(gr26): swap MQTT auth from gr26 user → mapache fleet user #73
Merged
The dedicated `gr26` MQTT user (PR #45) and the `mapache` fleet user (PR #70) both exist on the gr-mqtt broker. Standardizing the in-cluster gr26 service onto the fleet credential so all mapache services share a single broker identity that rotates together — keeps the `gr26` user free for the on-vehicle ingest path if we ever want it there.

- MQTT_USER: gr26 → mapache
- MQTT_PASSWORD secretKeyRef.key: MQTT_PASSWORD → MQTT_MAPACHE_PASSWORD
- mapache-secrets already has both keys populated (MQTT_PASSWORD untouched, MQTT_MAPACHE_PASSWORD added manually via `kubectl patch` before this PR)

Rollout: ArgoCD sync → new pods come up with the new env, paho connects fresh under the mapache identity. Old gr26-user MQTT sessions hold their TCP socket until pod termination then drop cleanly.
Switching strategy: instead of adding a new MQTT_MAPACHE_PASSWORD key, the mapache-secrets MQTT_PASSWORD value got updated in place to hold the mapache user's password (out-of-band patch). All consumers stay pointed at the same secret key, the env diff is just MQTT_USER. The temporary MQTT_MAPACHE_PASSWORD key was removed from the secret.
Standardize the in-cluster gr26 service onto the shared `mapache` MQTT credential (PR #70) instead of the dedicated `gr26` user.
Net manifest diff is one line — `MQTT_USER: gr26 → mapache`. The secret key stays as `MQTT_PASSWORD` because the value was rotated in place to hold the mapache user's password (out-of-band patch); no manifest re-wiring needed.
What changed out-of-band
`mapache-secrets.MQTT_PASSWORD` now holds the mapache user's password (was the gr26 user's). The gr26 user's password is still recoverable from terraform output if we ever need to roll back:
```bash
terraform -chdir=infra/environments/prod output -raw mqtt_password # gr26 user pw (unchanged in TF)
```
Why this is safe to ship
Existing gr26 pods read `MQTT_PASSWORD` into env at container start; the in-place secret change doesn't affect already-running pods, which keep talking to the broker using their cached (old gr26) credentials. The swap only takes effect when ArgoCD spins up a new pod for the rolling update — and that pod has `MQTT_USER=mapache` paired with `MQTT_PASSWORD=` → clean auth on first connect.
Rollout
ArgoCD sync → rolling restart of 3 gr26 pods → each new pod connects to the broker as `mapache` cleanly. Brief paho reconnect window per pod.
Test plan
Follow-up
The `gr26` MQTT user on the broker is now unused. Drop it from the mqtt-ec2 module as a future cleanup PR if we don't end up giving the on-vehicle TCM a distinct identity from `tcm26`.
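An added example, not part of this PR or the project's code: a check over data shaped like `kubectl get pods -o json` that pairs each pod's `MQTT_USER` with whether its container started before or after the in-place change to `mapache-secrets.MQTT_PASSWORD`. It goes one case beyond the description: Kubernetes re-resolves `secretKeyRef` env values whenever a container starts, so a container in an old-manifest pod that restarts after the rotation ends up with the `gr26` user and the mapache password. Pod names, timestamps and the plain-`value` form of `MQTT_USER` are constructed assumptions.

```python
from datetime import datetime, timezone

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(pod, rotated_at, new_user="mapache"):
    """Pair a pod's MQTT_USER with the password its container actually holds."""
    container = pod["spec"]["containers"][0]
    env = {e["name"]: e for e in container.get("env", [])}
    user = env.get("MQTT_USER", {}).get("value")
    running = pod["status"]["containerStatuses"][0]["state"].get("running")
    if running is None:
        return "not-running"
    # secretKeyRef env is resolved when the container starts, so the container
    # start time (not the pod creation time) decides which password it holds.
    holds_new_password = _ts(running["startedAt"]) >= rotated_at
    if user == new_user and holds_new_password:
        return "ok-new"      # mapache user + mapache password
    if user != new_user and not holds_new_password:
        return "ok-old"      # gr26 user + cached gr26 password
    return "mismatch"        # user and password belong to different identities

def audit(pods, rotated_at):
    return {p["metadata"]["name"]: classify(p, rotated_at) for p in pods}

def _pod(name, user, started_at):
    # Constructed sample, shaped like one item of `kubectl get pods -o json`.
    return {
        "metadata": {"name": name},
        "spec": {"containers": [{"name": "gr26", "env": [
            {"name": "MQTT_USER", "value": user},  # assumed to be a plain value
            {"name": "MQTT_PASSWORD", "valueFrom": {"secretKeyRef": {
                "name": "mapache-secrets", "key": "MQTT_PASSWORD"}}},
        ]}]},
        "status": {"containerStatuses": [
            {"state": {"running": {"startedAt": started_at}}}]},
    }

ROTATED_AT = _ts("2025-01-10T12:00:00Z")  # constructed time of the out-of-band patch
SAMPLE_PODS = [
    _pod("gr26-old-a", "gr26", "2025-01-09T08:00:00Z"),     # untouched old pod
    _pod("gr26-old-b", "gr26", "2025-01-10T12:30:00Z"),     # old pod, container restarted
    _pod("gr26-new-a", "mapache", "2025-01-10T13:00:00Z"),  # rolled by the sync
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_PODS, ROTATED_AT).items():
        print(f"{name}: {state}")
```

Any pod reported as `mismatch` will fail broker auth on its next connect, so the gap between the out-of-band patch and the ArgoCD sync is the window to watch.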