RabbitMQ Backend - Manage secrets across multiple clients #2680
Comments
|
@reid-harrison can you add more detail around why the same secrets are managed for multiple independent clusters? |
|
Sure, thanks for asking, @pantocrator27 ! These clusters are deployed in the cloud - cross region and cross AZ (1 cluster per AZ, nodes are not clustered across AZs). RabbitMQ producers connect to any of these clusters [randomly] through a load balancer. The producer is unaware of which cluster it connects to so all clusters are configured with the same secrets so that producers can connect through the LB using the correct Rabbit credentials. This deployment strategy is designed for resiliency/availability and there is no cluster-specific state. I hope this makes sense. I am open to hearing thoughts on this or any other approach. |
|
Hi, Same use case for the same reasons here, multiple RabbitMQ connections would be greatly appreciated ! Thanks |
|
Hi, I also maintain many rabbitmq servers and I am using the secret engine as follow: hope it helps meanwhile. EDIT: Just realized you need to 'replicate' secrets across the clusters, my mistake |
Currently, only one connection URI is configured for the RabbitMQ backend: https://www.vaultproject.io/docs/secrets/rabbitmq/#quick-start
For my RabbitMQ architecture, several clusters are managed with the same secrets. For this type of setup, Vault cannot be used to manage secrets across multiple RabbitMQ hosts/clusters.
It would be great if the RabbitMQ backend could be enhanced to allow the configuration of multiple connection URIs (comma separated?) and then Vault will manage the same secrets and leases across all of the supplied hosts.
With my architecture, eventual consistency of RabbitMQ secrets is acceptable.
Is this kind of enhancement feasible? I would be happy to contribute the changes but I understand there would be some concurrency and availability considerations.
The text was updated successfully, but these errors were encountered: