How to config Shovel over SSL

[marcelloraffaele]

Hi Team,
I am going to configure a Shovel to replicate messages from a RabbitMQ cluster to another, both clusters can use only SSL (amqps).
In the documentation I noticed that there's a way to pass the destination server certificate inside the url specified inside the shovel configuration (shovel-dynamic). I would like to know if I need to mount the secret somewhere and if yes where ? Do you have some examples about this configuration?

Thank you,
R

[ChunyiLyu]

Hi @marcelloraffaele, thanks for using our Operators. If your RabbitmqCluster is TLS only, you first need to follow this Topology Operator TLS guide to ensure that the Topology Operator trust your RabbitmqCluster CA. After this step, Topology Operator can connect to the RabbitMQ server successfully and create queues, exchanges, and shovels etc.

For configuring shovel, cacertfile , certfile, and keyfile for both the src and destination URI should be path to them in that particular RabbitmqCluster you are declaring shovel in. If cert files for your destination RabbitMQ is not in that RabbitmqCluster yet, you could mount the secret containing these TLS certs by using statefulSetOverride, for example:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: example
spec:
...
  override:
    statefulSet:
      spec:
        template:
          spec:
            containers:
            - name: rabbitmq
              volumeMounts:
              - mountPath: /path/to/certs
                name: a-secret-volume-name
            volumes:
            - name: a-secret-volume-name
              secret:
                secretName: additional-tls-secret

Please let me know if it works! The team hasn't personally tested using topology operator to configure TLS only federation and shovels before (there is no reason why it shouldn't work tho). It will be a good example to add our docs/examples to help others in the future.

[marcelloraffaele]

Do you have any information on how to setup the src uri and dest uri in order to specify the certs?
On dest uri should I specify the client cert or dest ca cert?

[ChunyiLyu]

uri specification can be found here: https://www.rabbitmq.com/uri-query-parameters.html#basics

The configuration really depends on your own set up. Shovel acts as a client APP for both the source and destination RabbitMQ. Depends on how you've signed your server certs and where you are configuring shovel, you might not need to specify path to any of these certs.

For example, if you are 1) not using mTLS 2) both your dest&src RabbitMQ are set up to trust the same CA 3) you are configuring shovel in either the source or the destination RabbitMQ, you don't need to configure the ca cert in your URI because it should already be trusted. On the other hand, you are configuring Shovel in a third RabbitMQ cluster, not source or destination, and that third RabbitMQ does not trust the source and destination RabbitMQ's CAs, you will need to provide path to CA certs in both the destination and source URI.

The cert file and key file are needed for mTLS. You can find more information here: https://www.rabbitmq.com/ssl.html#java-client-connecting-with-peer-verification