RabbitMQ - default-user-credential-updater using Doppler Secrets

[sky29]

Hello,

RabbitMQ has a repository "default-user-credential-updater" which works against Hashicorp Vault: https://github.com/rabbitmq/default-user-credential-updater

Is there any way we can achieve the same through Dopppler ?

I created an enhancement ticket (or query) on their repository, which describes the problem in detail: https://github.com/rabbitmq/default-user-credential-updater/issues/66

Let me know, If anyone has any suggestion.

[nmanoogian]

Hi @sky29, thanks for writing in!

Could you share a bit more about what you're trying to achieve with Doppler and RabbitMQ?

[sky29]

@nmanoogian

I want to change RabbitMQ default User's password, when I change it in Doppler.

Step by Step Process/Scenario:

• I use Doppler to hold secrets (rabbitmq: default_user and default_password)

• I am having my own helm chart to deploy rabbitmq in HA mode (with external pvc mounted at: /var/lib/rabbitmq/mnesia : to keep data safe while pod restart). IT is DIY kind of helm chart: https://github.com/rabbitmq/diy-kubernetes-examples

• I have configmap that disables guest user (loopback_users.guest = false). I am injecting secrets in rabbitmq statefulset as environment variable (default_user, default_pass) ..... this all are working fine and I am able to login to rabbitmq management UI using doppler secrets.

• Now I change the password in Doppler, which reloads rabbitmq deployment, but it doesn't change the password in rabbitmq database. It might be because I am using external PVC, which keeps old passwords. I didn't find any way to implement this step.

This issue is more on RabbitMQ side then Doppler. They seems to have a solution for this using Hashicorp Vault: https://github.com/rabbitmq/default-user-credential-updater but I don't think, it will work with other secret managers like doppler.

[nmanoogian]

Ah, I see! Thanks for walking me through that. Doppler doesn't support this kind of thing out-of-the-box today but there's almost certainly a way to make it work.

I haven't checked out this sidecar before but it looks like it's watching /etc/rabbitmq/conf.d/11-default_user.conf for changes. If that's the case, you might be able to mount that file using volumeMounts or write your own service which copies the username/password from Doppler into that volume.