The External Secrets Enterprise product suite is a premium product.
It requires a specific subscription. Contact us for more information.
To use the RabbitMQ Generator, you must have the Enterprise Distribution of ESO available via ESI Agent or via our Helm chart bundle.

Introduction

The RabbitMQ Generator allows you to rotate passwords for existing RabbitMQ users automatically.
It supports secure password generation via ESO’s internal password generator or by referencing a Kubernetes Secret.
This is useful for enforcing password rotation policies, avoiding manual interaction with RabbitMQ APIs, and improving security for RabbitMQ deployments.

Output Keys and Values

| Key | Description |
|---|---|
| password | The rotated RabbitMQ user password (plain text) |

Parameters

| Key | Default | Description |
|---|---|---|
| server.host | Required | The hostname of the RabbitMQ server. |
| server.port | 15672 | Port to connect to the RabbitMQ HTTP API. |
| server.tls | false | Use TLS for connection to the RabbitMQ API. |
| auth.basicAuth.username | Required | Admin username with sufficient privileges. |
| auth.basicAuth.passwordSecretRef | Required | Secret containing the admin password. |
| config.username | Required | The RabbitMQ user to rotate the password for. |
| config.passwordPolicy.passwordGeneratorRef | Optional | Reference to a Password Generator. |
| config.passwordPolicy.secretRef | Optional | Reference to a static password in a Secret. |

Set up

Required RabbitMQ Permissions

The credentials provided under auth.basicAuth must belong to a user that has permission to view and update users via the RabbitMQ HTTP API. In most setups, this means the user must have the administrator tag in RabbitMQ.

Generator Config

You can either use a Password Generator or a fixed Secret. Below are examples for both approaches.

apiVersion: generators.external-secrets.io/v1alpha1
kind: RabbitMQ
metadata:
  name: rabbitmq-generator
  namespace: default
spec:
  server:
    host: rabbitmq.default.svc.cluster.local
    port: 15672
    tls: false
  auth:
    basicAuth:
      username: admin
      passwordSecretRef:
        name: rabbitmq-admin-secret
        key: password
  config:
    username: my-app-user
    passwordPolicy:
      passwordGeneratorRef:
        name: app-password-generator
        kind: Password

ExternalSecret Config

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: rabbitmq-password
  namespace: default
spec:
  refreshInterval: 1h
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: RabbitMQ
          name: rabbitmq-generator

Using the Generated Secret

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-container
          image: my-image:latest
          env:
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: rabbitmq-password
                  key: password

Notes and Considerations

  • The generator does not create new users; it only updates the password for an existing RabbitMQ user.
  • Passwords are hashed using the SHA-256 algorithm and sent via the RabbitMQ HTTP API.
  • If the password is already up to date (i.e., the hash matches), no update request is sent.
  • Exactly one password source must be provided: either passwordGeneratorRef or secretRef.
  • TLS should be enabled in production environments for secure communication with the RabbitMQ API.
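
The hash-and-compare step described in the notes above, as an added example (not the generator's own code). It assumes the salted layout of RabbitMQ's rabbit_password_hashing_sha256 scheme and the password_hash, hashing_algorithm and tags fields of the HTTP API user object; the function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4  # rabbit_password_hashing_sha256 prepends a 32-bit salt
ALGORITHM = "rabbit_password_hashing_sha256"


def rabbitmq_sha256_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(salt || SHA-256(salt || utf8(password)))."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def password_is_current(candidate: str, stored_hash: str) -> bool:
    """True if candidate already hashes to stored_hash under the stored salt."""
    try:
        raw = base64.b64decode(stored_hash, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != SALT_LEN + hashlib.sha256().digest_size:
        return False  # empty, malformed, or produced by another algorithm
    salt, stored_digest = raw[:SALT_LEN], raw[SALT_LEN:]
    digest = hashlib.sha256(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(digest, stored_digest)  # constant-time compare


def rotation_request_body(user: dict, candidate: str) -> Optional[dict]:
    """Body for PUT /api/users/<name>, or None when no update is needed."""
    if password_is_current(candidate, user.get("password_hash", "")):
        return None
    return {
        "password_hash": rabbitmq_sha256_hash(candidate),
        "hashing_algorithm": ALGORITHM,
        "tags": user.get("tags", []),  # resend tags so the update keeps them
    }


if __name__ == "__main__":
    # Constructed user record, shaped like GET /api/users/<name> output.
    user = {"name": "my-app-user", "tags": [],
            "password_hash": rabbitmq_sha256_hash("constructed-old-pw")}
    print(rotation_request_body(user, "constructed-old-pw"))  # None
    print(rotation_request_body(user, "constructed-new-pw"))
```

Because the salt is stored in the first four bytes of the existing hash, the comparison can be made without sending the plain-text password to the server.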