The RabbitMQ documentation states that only a small set of configuration keys can hold encrypted values in the new config format (rabbitmq.conf). "ssl_options.password" can be encrypted for the private key of the core AMQP listener, but what about the Prometheus plugin, which uses a different key, "prometheus.ssl.password"? If that key cannot be encrypted, can the Prometheus plugin be configured in the classic format (advanced.config) instead, so that the key password is stored as an encrypted value?
All supported RabbitMQ versions
Since "prometheus.ssl.password" in rabbitmq.conf does not accept an encrypted value, the only option is to configure the plugin's TLS listener in advanced.config, where the password can be given as the {encrypted, <<"...">>} tuple that "rabbitmqctl encode" prints.
All Prometheus plugin settings live under the "rabbitmq_prometheus" application in that file; the individual keys are listed in the example below, with values that will vary by environment. Note that every prometheus.* key must be moved to advanced.config in this scenario, not only the password.
Refer to the schema definition and mapping linked in the "Additional Information" section of this article for how each rabbitmq.conf key maps onto the advanced.config structure.
[
  %% ===========================================================================
  %% RabbitMQ Prometheus Plugin: complete advanced.config mapping
  %% ===========================================================================
  {rabbitmq_prometheus, [
    %% Core metrics and endpoint settings
    {return_per_object_metrics, false},          % true | false
    {path, "/metrics"},                          % endpoint URI path

    %% Authentication
    {authentication, [
      {enabled, false}                           % true | false
    ]},

    %% Plain HTTP (TCP) listener. Set tcp_config to [] to disable it entirely,
    %% which is the usual choice once the TLS listener below is in place.
    {tcp_config, [
      {port, 15692},
      {ip, "127.0.0.1"},
      %% Cowboy options for the TCP listener
      {cowboy_opts, [
        {compress, false},                       % true | false
        {idle_timeout, 60000},                   % milliseconds
        {inactivity_timeout, 60000},             % milliseconds
        {request_timeout, 60000},                % milliseconds
        {shutdown_timeout, 5000},                % milliseconds
        {max_keepalive, 100}                     % requests per keep-alive connection
      ]}
    ]},

    %% HTTPS (TLS) listener
    {ssl_config, [
      {port, 15691},
      {ip, "127.0.0.1"},
      {backlog, 1024},
      %% TLS options (Erlang ssl application options)
      {ssl_opts, [
        {cacertfile, "/path/to/cacert.pem"},
        {certfile, "/path/to/cert.pem"},
        {keyfile, "/path/to/key.pem"},
        %% Password for the encrypted private key, stored as an encrypted value.
        %% The tuple is what "rabbitmqctl encode" prints; it decrypts only with
        %% the passphrase (and cipher/hash/iterations) configured under
        %% rabbit/config_entry_decoder at the bottom of this file. Replace the
        %% sample value with your own.
        {password,
          {encrypted,
            <<"cPAymwqmMnbPXXRVqVzpxJdrS8mHEKuo2V+3vt1u/fymexD9oztQ2G/oJ4PAaSb2c5N/hRJ2aqP/X0VAfx8xOQ==">>
          }
        },
        {verify, verify_peer},                   % verify_peer | verify_none
        {fail_if_no_peer_cert, true},            % only meaningful with verify_peer
        {honor_cipher_order, true},              % true | false
        {honor_ecc_order, true},                 % true | false
        {reuse_sessions, true},                  % true | false
        {secure_renegotiate, true},              % true | false
        {client_renegotiation, true},            % false disables client-initiated renegotiation
        {depth, 1},                              % certificate chain verification depth
        %% TLS protocol versions (list of atoms)
        {versions, ['tlsv1.3', 'tlsv1.2']},
        %% Cipher suites (list of OpenSSL-style names)
        {ciphers, [
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES256-GCM-SHA384"
        ]}
      ]},
      %% Cowboy options for the TLS listener
      {cowboy_opts, [
        {compress, false},
        {idle_timeout, 60000},
        {inactivity_timeout, 60000},
        {request_timeout, 60000},
        {shutdown_timeout, 5000},
        {max_keepalive, 100}
      ]}
    ]},

    %% Compatibility parameter; effectively a no-op, since ".*" matches every queue
    {filter_aggregated_queue_metrics_pattern, ".*"}
  ]},

  %% ===========================================================================
  %% Core RabbitMQ configuration: decoder settings every {encrypted, ...} value
  %% in this file depends on
  %% ===========================================================================
  {rabbit, [
    {config_entry_decoder, [
      %% An inline passphrase lets anyone who can read this file decrypt the
      %% value. Alternatives from the RabbitMQ docs: read it from a separate,
      %% tightly permissioned file with {passphrase, {file, "/path/to/passphrase"}},
      %% or ask for it at startup with {passphrase, prompt}.
      {passphrase, <<"mypassphrase">>}
      %% If "rabbitmqctl encode" was run with non-default --cipher, --hash or
      %% --iterations, add matching {cipher, ...}, {hash, ...} and
      %% {iterations, ...} entries here.
    ]}
  ]}
].
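Before restarting the broker it is worth confirming three things: that the file parses, that the password is nested where the schema maps prometheus.ssl.password (ssl_config, then ssl_opts), and that the encrypted value actually decrypts with the configured passphrase. The escript below is an added example written for this article, not RabbitMQ code; the file name check_prometheus_tls.escript is arbitrary. It reads advanced.config with the same file:consult parser the broker uses, warns when the passphrase sits in clear next to the ciphertext or when the private key is group/world readable, and then attempts a local decrypt. That decrypt mirrors the blob layout I understand "rabbitmqctl encode" to produce (16-byte salt, 16-byte IV, AES-256-CBC key derived with PBKDF2-HMAC, PKCS#7 padding over term_to_binary of the password) and should be treated as an assumption: the supported way to check a value is rabbitmqctl decode '{encrypted, <<"...">>}' mypassphrase, and if the two disagree, trust rabbitmqctl.

```erlang
#!/usr/bin/env escript
%% check_prometheus_tls.escript: pre-restart sanity check for the advanced.config
%% layout above. Added example, not part of RabbitMQ; the file name is arbitrary.
%%   escript check_prometheus_tls.escript /etc/rabbitmq/advanced.config
-mode(compile).
-include_lib("kernel/include/file.hrl").

main([Path]) ->
    {ok, Config} = file:consult(Path),          % the same parser the broker uses
    Prom    = env(rabbitmq_prometheus, Config),
    Rabbit  = env(rabbit, Config),
    SslOpts = nested([ssl_config, ssl_opts], Prom),

    %% 1. The password must be {encrypted, Base64} and must sit under
    %%    ssl_config -> ssl_opts, not directly under ssl_config.
    Blob = case proplists:get_value(password, SslOpts) of
        {encrypted, B} when is_binary(B) -> B;
        undefined -> fail("ssl_config.ssl_opts.password is missing", []);
        Other     -> fail("password is not {encrypted, <<...>>}: ~p", [Other])
    end,
    Raw = try base64:decode(Blob)
          catch _:_ -> fail("encrypted value is not valid base64", []) end,

    %% 2. Certificate files must exist; the private key should not be world-readable.
    check_file(proplists:get_value(cacertfile, SslOpts), false),
    check_file(proplists:get_value(certfile, SslOpts), false),
    check_file(proplists:get_value(keyfile, SslOpts), true),

    %% 3. Decoder settings. An inline passphrase next to the ciphertext only
    %%    protects against casual reading of the file; {file, Path} or prompt
    %%    keeps the two apart.
    Decoder = proplists:get_value(config_entry_decoder, Rabbit, []),
    Pass = case proplists:get_value(passphrase, Decoder) of
        undefined -> fail("rabbit.config_entry_decoder.passphrase is missing", []);
        prompt    -> io:format("passphrase is prompted at startup; skipping decrypt~n"),
                     undefined;
        {file, F} -> check_file(F, true),
                     {ok, Bin} = file:read_file(F),
                     string:trim(Bin);
        P when is_binary(P); is_list(P) ->
            io:format("WARNING: passphrase is stored in clear in ~s~n", [Path]),
            iolist_to_binary(P)
    end,

    %% 4. Decrypt locally with the cipher/hash/iterations the broker will use
    %%    (defaults per the RabbitMQ docs: aes_256_cbc, sha256, 1000).
    case Pass of
        undefined -> ok;
        _ ->
            Cipher = proplists:get_value(cipher, Decoder, aes_256_cbc),
            Hash   = proplists:get_value(hash, Decoder, sha256),
            Iter   = proplists:get_value(iterations, Decoder, 1000),
            case catch decrypt(Cipher, Hash, Iter, Pass, Raw) of
                Plain when is_binary(Plain) ->
                    %% Deliberately not printing the password itself.
                    io:format("OK: password decrypts to a ~B-byte binary~n", [byte_size(Plain)]);
                _ ->
                    fail("value does not decrypt with this passphrase/cipher/hash/iterations", [])
            end
    end;
main(_) ->
    io:format("usage: escript check_prometheus_tls.escript /path/to/advanced.config~n"),
    halt(2).

%% ASSUMED blob layout, mirroring what rabbitmqctl encode produces as far as I
%% know it: <<Salt:16, IV:16, AES-256-CBC(PKCS#7(term_to_binary(Password)))>> with
%% Key = PBKDF2-HMAC(Hash, Passphrase, Salt, Iterations, 32 bytes).
%% If this disagrees with "rabbitmqctl decode", trust rabbitmqctl.
decrypt(aes_256_cbc, Hash, Iter, Pass, <<Salt:16/binary, IV:16/binary, CT/binary>>) ->
    Key    = crypto:pbkdf2_hmac(Hash, Pass, Salt, Iter, 32),          % OTP 24.2+
    Padded = crypto:crypto_one_time(aes_256_cbc, Key, IV, CT, false),
    N      = binary:last(Padded),                                     % PKCS#7 pad length
    binary_to_term(binary:part(Padded, 0, byte_size(Padded) - N), [safe]);
decrypt(Cipher, _, _, _, _) ->
    fail("local decrypt handles aes_256_cbc only, got ~p; use rabbitmqctl decode", [Cipher]).

env(App, Config) ->
    case lists:keyfind(App, 1, Config) of
        {App, Env} -> Env;
        false      -> fail("no {~p, [...]} entry in the config", [App])
    end.

nested([], Env) -> Env;
nested([K | Rest], Env) ->
    case proplists:get_value(K, Env) of
        undefined -> fail("missing key ~p under rabbitmq_prometheus", [K]);
        Sub       -> nested(Rest, Sub)
    end.

check_file(undefined, _) -> fail("cacertfile/certfile/keyfile missing from ssl_opts", []);
check_file(F, Secret) ->
    case file:read_file_info(F) of
        {ok, #file_info{type = regular, mode = Mode}} when Secret =:= true, Mode band 8#077 =/= 0 ->
            io:format("WARNING: ~s is group/world readable (mode ~.8B)~n", [F, Mode band 8#777]);
        {ok, #file_info{type = regular}} -> ok;
        _ -> fail("not a readable regular file: ~s", [F])
    end.

fail(Fmt, Args) ->
    io:format(standard_error, "FAIL: " ++ Fmt ++ "~n", Args),
    halt(1).
```

The local decrypt needs Erlang/OTP 24.2 or later for crypto:pbkdf2_hmac/5; on older releases delete step 4 and rely on rabbitmqctl decode. The encrypted value itself is produced with rabbitmqctl encode '<<"actual-key-password">>' mypassphrase (adding --cipher, --hash or --iterations only if the decoder block sets non-default values), and the script is run as escript check_prometheus_tls.escript /etc/rabbitmq/advanced.config on the node as the rabbitmq user, so that the file permission checks reflect what the broker itself will see.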
Additional Information
Prometheus schema mapping: https://github.com/rabbitmq/rabbitmq-server/blob/main/deps/rabbitmq_prometheus/priv/schema/rabbitmq_prometheus.schema