Certificate manangement with RabbitMQ on K8s

[mscbpi]

Hi !

I struggle to find information about the best/easiest way to manage certificate rotation for amqps connection, in case of rabbit deployed on k8s being exposed on Internet with a LB.

We need to expose rabbitmq publicly and would like client to connect through a tls connection, ideally with a valid server certificate.

While http workload (incl. rabbit admin) is easily handled with cert-manager and ingress, when it comes to amqps behind a LB, is there a better way but update the secret manually every year with a new cert?

Also considering this valid certificate would not be that valid for internal connections (inside the cluster where rabbit runs), since it uses ClusterIP endpoint (rabbit.namespace.svc.cluster.local). Internal connections could still use amqp though.

How would you manage your tls certs for this use case?

[ChunyiLyu]

Hi @mscbpi, thanks for using the cluster operator.

Cluster operator works with cert manager managed certificates and you can specify different names in your provided certs as well. Certificates and caCert can be provided in the CRD manifest through spec.tls (related doc).

We have several example deployments with tls too. I recommend to check them out here:

1. tls
2. mtls
3. inter-node tls

If none of the example helps your use case, please provide more details on your rmq deployment architecture and your tls requirements.

[mscbpi]

Hi ! Thanks a lot. The problem is not to use an existing certificate but lies in how to create this secret / cert with least effort possible especially when it comes to renewal/rotation.

I am conscious it's a beginner question dealing with cert-manager.

With an https workload the ingress triggers ACME cert issuer let's encrypt (for instance) and provisions the cert automatically. One condition in the process is that let's encrypt reaches http://fqdn to issue the cert and test the challenge.

Can we replicate this kind of automatism when it comes to non-http workload such as rabbit?

I'll dig into cert-manager to understand how to trigger a certificate issuance outside of creating an ingress rule and use DNS challenge to validate the request since I have no http endpoint on rabbit hostname, just amqp.

Let me know what you think.

[mscbpi]

Ok got it, using cert-manager / acme with DNS01 solver instead of HTTP01 since I cannot have http on the IP where rabbit is exposing amqp.

[mscbpi]

@ChunyiLyu can you tell me if this statement is specific to the operator or does RabbitMQ monitors/reloads its certificates whatever the deployment type ?

RabbitMQ can reload certificates produced by the same CA without a node restart. This makes on-the-fly certificate rotation (renewal) possible. To rotate the TLS certificate, update the TLS Secret object with the new certificate directly and this change will be picked up by the RabbitMQ pods within several minutes.

[ChunyiLyu]

Rotating without restarting the server is a function from the rabbitmq-server, so not limited from using the cluster operator.

[mscbpi]

Great !