The issue I have is that while I can mount a configuration file and specify the TLS configuration, the problem exists where the SSL certificates that I am attempting to use within the RabbitMQ container are defined on the host and are owned by the root user and thus when RabbitMQ starts, it is unable to access the SSL KEY file as its permissions on the host are 400 root:root.
I am not able to change the permissions of this file on the host machine as it is managed by Puppet so that it can dynamically define the certificate's Subject Alternative Names, as the certificate is used for many different things and Puppet will automatically renew the certificate before expiration. With that in mind, I can't rely on a "copy cert into container" and would very much prefer to just mount the certificate and key files into the container with read-only permissions (as I don't want to allow the container to modify the actual host files, since Puppet would detect these changes and revert them) and then, as part of the RabbitMQ entrypoint script, it could copy these files somewhere else so that they can be owned by and accessible to the rabbitmq user and leveraged when starting up the application.
This appears to have been an issue that was opened in the past (https://github.com/docker-library/rabbitmq/issues/59 & https://github.com/docker-library/rabbitmq/issues/283) and was subsequently resolved / fixed (https://github.com/docker-library/rabbitmq/pull/285), however, it seems that a few years back these changes were removed in an effort to simplify the entrypoint script as most of the rabbitmq configuration was moved from Environment Variables to using a configuration file (see https://github.com/docker-library/rabbitmq/pull/467/files#diff-79738685a656fe6b25061bb14181442210b599f746faeaba408a2401de45038aL85).
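A wrapper entrypoint of the kind described above, added here as an example and not code from the rabbitmq image or this issue. It assumes the host files are bind-mounted read-only at `/certs` (hypothetical path), that the container still starts as root so the copy can happen before the image's own `docker-entrypoint.sh` drops to the rabbitmq user, and that `rabbitmq.conf` points `ssl_options.*` at the staged copies in `/var/lib/rabbitmq/tls` (hypothetical path). The read-only mount is never modified, so Puppet sees no drift.

```shell
#!/bin/sh
# Copy read-only mounted TLS material into a directory owned by the service
# user, with the key kept at 0400, then hand off to the image's own entrypoint.
set -eu

# stage_tls SRC_DIR DST_DIR OWNER
# Copies ca.pem, cert.pem and key.pem from the RO mount into DST_DIR.
# Fails (non-zero) if any input is missing or unreadable by the current uid.
stage_tls() {
    src_dir="$1"; dst_dir="$2"; owner="$3"
    mkdir -p "$dst_dir"
    for f in ca.pem cert.pem key.pem; do
        if [ ! -r "$src_dir/$f" ]; then
            echo "stage_tls: cannot read $src_dir/$f (host perms are likely 400 root:root; run the copy as root)" >&2
            return 1
        fi
        # cp, never mv or ln: the RO bind mount itself is left untouched
        cp "$src_dir/$f" "$dst_dir/$f"
    done
    # Directory private to the owner; public parts world-readable; key owner-only.
    chmod 0700 "$dst_dir"
    chmod 0444 "$dst_dir/ca.pem" "$dst_dir/cert.pem"
    chmod 0400 "$dst_dir/key.pem"
    # Only root can chown; the image's entrypoint drops to the service user afterwards.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$dst_dir"
    fi
}

# Return the octal mode of a file (used to verify the staged key stays 0400).
file_mode() {
    stat -c '%a' "$1"
}

# Wrapper behaviour: only when invoked with the server command, e.g.
#   ENTRYPOINT ["/usr/local/bin/stage-tls-entrypoint.sh"]
#   CMD ["rabbitmq-server"]
if [ "$#" -gt 0 ]; then
    stage_tls /certs /var/lib/rabbitmq/tls rabbitmq   # assumed paths
    exec docker-entrypoint.sh "$@"                    # the image's own entrypoint
fi
```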