Need help to set up RabbitMQ SSL to use certificates from azure key vault

[nikhithamantri]

Hi Team,
We are running RabbitMQ with SSL certificates residing in RabbitMQ config path in respective VMs.
As per project recommendation, these certs should be migrated from RabbitMQ VMs to azure key vault for security reason.
Does RabbitMQ support reading the certificates remotely from azure key vault rather than on the same VM?
If yes,Is there a documentation or guidance available to achieve this objective?
Currently we have the certs in path
ssl_options.cacertfile = /etc/rabbitmq/testca/DigiCertCA.crt
ssl_options.certfile = /etc/rabbitmq/testca/cbxprrabbit_prod_etransfercbx_cibc_com.crt
ssl_options.keyfile = /etc/rabbitmq/testca/cbxprrabbit.prod.etransfercbx.cibc.com.key

We are trying to pull it from Rabbit MQ using azure key vault API like below.
ssl_options.certfile: https://common-kv-nonprod.vault.azure.net/certificates/sitmiddleware-etransfercbx-cibc-com/90b4c522e178428cbb00eea61cd3d63e
Any help would be much appreciated.

[michaelklishin]

I will convert this issue to a GitHub discussion. Currently GitHub will automatically close and lock the issue even though your question will be transferred and responded to elsewhere. This is to let you know that we do not intend to ignore this but this is how the current GitHub conversion mechanism makes it seem for the users :(

[michaelklishin]

Nodes can only load certificates from local files. rabbitmq-trust-store also supports updated directories or HTTPS endpoints that follow a certain convention but all of that covers trusted certificates, not node's own certificate/key pair.

[nikhithamantri]

Does that mean to serve purpose of SSL we need to have certificates in local file system?? please confirm

[ansd]

Hey @nikhithamantri, if you want to fetch certificates from external secret providers, you need some tooling around RabbitMQ.
In https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples/vault-tls and https://youtu.be/twCzPEAjy8M we explain for example how you can use HashiCorp Vault to generate certificates and have them placed to RabbitMQ local files (running on Kubernetes). If you just want to fetch some secrets (in your case it seems certificate and private key) from Azure Key Vault, you would need to use similar tooling. https://github.com/Azure/secrets-store-csi-driver-provider-azure has a featureMounts secrets/keys/certs to pod using a CSI Inline volume. Supporting Secrets Store CSI Driver is something we plan for https://github.com/rabbitmq/cluster-operator. If you don't use K8s, but run on VMs, you'd need your own RabbitMQ external tooling to place secrets into RabbitMQ local files.