RabbitMQ Secrets Engine in Kubernetes

Hi all!

I am trying to set up rotating RabbitMQ credentials in Kubernetes, following the instructions from this guide here. I have found success in running a local Kubernetes cluster with a RabbitMQ cluster and a local instance of Vault.

However, when trying to deploy in a larger environment, I am encountering a 500 error with no additional logs. For context, I am using self-signed certs in the cluster. These are the steps to reproduce:

vault login -tls-skip-verify <TOKEN>

# create rabbitmq creds
vault secrets enable -tls-skip-verify -path=data kv
vault kv put -tls-skip-verify data/rabbitmq RABBIT_USER=user RABBIT_PASSWORD=password

# enable secrets engine
vault secrets enable -tls-skip-verify rabbitmq

# create connection with service name
vault write -tls-skip-verify rabbitmq/config/connection \
    connection_uri='https://rabbitmq.app-amqp01:15671' \
    verify_connection=false \
    username='user' \
    password='password' \
    username_template='{{.RoleName}}_{{.DisplayName}}_{{uuid}}'

# create role
vault write -tls-skip-verify rabbitmq/roles/rabbitrole \
    vhosts='{"/":{"write": ".*", "read": ".*", "configure": ".*"}}' \
    tags='management'

# add policy
vault policy write -tls-skip-verify rabbitmq-role - <<EOF
path "rabbitmq/creds/rabbitrole" {
    capabilities = ["read"]
}
EOF

# configure lease
vault write -tls-skip-verify rabbitmq/config/lease \
    ttl=60s \
    max_ttl=120s

# fails at this step
vault read -tls-skip-verify rabbitmq/creds/rabbitrole

When looking at the logs, there is only this one-liner:

status_code=500 request_path=/v1/rabbitmq/creds/rabbitrole request_method=GET

Any assistance in this matter would be greatly appreciated!

Thanks!

Check and see if Vault has actually spoken to your RabbitMQ cluster; this error can occur when it hasn’t been able to create the user in RabbitMQ.

I’ve looked at the issue again and found that I am getting an error on my broker:

TLS server: In state wait_finished received CLIENT ALERT: Fatal - Bad Certificate

I’ve tried to pass my ca_file as such:

vault write -tls-skip-verify rabbitmq/config/connection \
    connection_uri='https://rabbitmq.app-amqp01:15671' \
    verify_connection=false \
    username='user' \
    password='password' \
    username_template='{{.RoleName}}_{{.DisplayName}}_{{uuid}}' \
    tls_ca_file=<(echo "$VAULT_CA_CHAIN")
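An added example, not code from the thread or from Vault: the broker's "Bad Certificate" alert is the client side rejecting the broker's certificate, and the RabbitMQ secrets engine is a Go HTTP client running inside the Vault server, so the decision is the one Go's x509 verifier makes with the trust store and the host from connection_uri. The block builds a constructed cluster CA and broker certificate (stand-ins for the self-signed PKI in the post) and reports whether the failure is an untrusted issuer or a SAN/host mismatch; the certificate contents and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert signs tmpl with parent/parentKey; a nil parent makes it self-signed (a root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BrokerChain builds a constructed cluster CA and a broker certificate issued by it (stand-ins for
// the self-signed PKI in the post); the broker's SAN is the host named in connection_uri.
func BrokerChain() (ca, broker *x509.Certificate) {
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cluster-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	broker, _ = newCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "rabbitmq"},
		DNSNames: []string{"rabbitmq.app-amqp01"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return ca, broker
}

// Diagnose applies the checks a Go TLS client makes on the broker certificate before it would send the
// fatal alert seen in the broker log: chain to a trusted root, then SAN match against the connection_uri host.
func Diagnose(broker *x509.Certificate, trusted *x509.CertPool, host string) string {
	_, err := broker.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted-ca" // issuing CA is not in the client's trust store
	case errors.As(err, new(x509.HostnameError)):
		return "hostname-mismatch" // connection_uri host is not among the certificate's SANs
	}
	return "other: " + err.Error()
}
```

The trust store passed here corresponds to what the Vault server process trusts, not the machine running the vault CLI, so a CA handed to the CLI (as with a process substitution) is not what the handshake checks.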