RabbitMQ

Production-ready RabbitMQ message broker for Kubernetes. Supports single-node and multi-node cluster architectures, quorum queues (default), management UI with dedicated Ingress, Prometheus metrics, and TLS listeners.

Fix the Erlang cookie before scaling to a cluster

The Erlang cookie (auth.erlangCookie) is used for node-to-node authentication. If it changes between deployments, cluster nodes will refuse to connect to each other. Set an explicit value in auth.erlangCookie or use auth.existingSecret — never rely on auto-generation in cluster mode.

Key Features

  • Official Alpine image — default docker.io/library/rabbitmq:4.3.1-alpine with chart-managed plugins
  • Two architectures — single-node (one StatefulSet replica) or cluster (StatefulSet with peer discovery)
  • Quorum queues by default — queueDefaults.type: quorum for durable, replicated HA queues
  • Dedicated management ingress — management.ingress is separate from the AMQP service
  • Gateway API support — optional HTTPRoute for the management UI
  • External Secrets Operator — source username, password, and Erlang cookie from an external provider
  • Dual-stack Services — optional Service ipFamilyPolicy and ipFamilies controls
  • Partition handling — pause_minority strategy prevents split-brain in cluster mode
  • PDB support — optional PodDisruptionBudget to protect cluster quorum during node maintenance
  • TLS listeners — configurable AMQP/S and management TLS from an existing Secret
  • Prometheus metrics — built-in metrics plugin with optional ServiceMonitor
  • Low idle CPU defaults — disables Erlang scheduler busy-wait and uses lightweight TCP probes

Port Reference

| Port | Protocol | Description |
| --- | --- | --- |
| 5672 | TCP | AMQP (client connections) |
| 5671 | TCP | AMQPS (AMQP over TLS) |
| 15672 | HTTP | Management UI |
| 15671 | HTTPS | Management UI over TLS |
| 15692 | HTTP | Prometheus metrics endpoint |
| 4369 | TCP | EPMD (Erlang port mapper daemon) |
| 25672 | TCP | Erlang distribution (cluster traffic) |

Runtime Efficiency

The chart defaults to the official Alpine RabbitMQ image and controls enabled plugins through the rendered enabled_plugins file. The base Alpine image already contains the management, Prometheus, and Kubernetes peer-discovery plugins, so management.enabled, metrics.enabled, architecture: cluster, and plugins.extra decide what is active without switching image variants.

By default, runtime.disableSchedulerBusyWait: true renders:

RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: +sbwt none +sbwtdcpu none +sbwtdio none

This lowers idle CPU in containerized RabbitMQ deployments. Startup, liveness, and readiness probes use TCP checks against the active AMQP listener instead of repeatedly starting rabbitmq-diagnostics.

Installation

HTTPS repository:

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install rabbitmq helmforge/rabbitmq -f values.yaml

OCI registry:

helm install rabbitmq oci://ghcr.io/helmforgedev/helm/rabbitmq -f values.yaml

Deployment Examples

# values.yaml — RabbitMQ single-node with management UI and persistence
architecture: single-node

auth:
  username: admin
  existingSecret: rabbitmq-credentials
  existingSecretPasswordKey: rabbitmq-password

queueDefaults:
  type: quorum # modern default — use classic only for legacy compatibility

singleNode:
  persistence:
    enabled: true
    size: 10Gi

management:
  enabled: true
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: rabbitmq.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: rabbitmq-tls
        hosts:
          - rabbitmq.example.com

resources:
  requests:
    memory: 256Mi
    cpu: 100m
  limits:
    memory: 1Gi
    cpu: 500m

# values.yaml — 3-node RabbitMQ cluster with fixed Erlang cookie and PDB
architecture: cluster

auth:
  username: admin
  existingSecret: rabbitmq-credentials # must contain password AND erlang cookie
  existingSecretPasswordKey: rabbitmq-password
  existingSecretErlangCookieKey: rabbitmq-erlang-cookie

queueDefaults:
  type: quorum

cluster:
  replicaCount: 3
  partitionHandling: pause_minority
  gracefulShutdown:
    enabled: true
  persistence:
    enabled: true
    size: 10Gi

pdb:
  enabled: true
  minAvailable: 2 # always maintain quorum (majority of 3)

management:
  enabled: true
  ingress:
    enabled: true
    ingressClassName: traefik
    hosts:
      - host: rabbitmq.example.com
        paths:
          - path: /
            pathType: Prefix

resources:
  requests:
    memory: 512Mi
    cpu: 250m
  limits:
    memory: 2Gi
    cpu: '1'

# values.yaml — RabbitMQ with TLS for AMQP and management UI
architecture: single-node

auth:
  username: admin
  existingSecret: rabbitmq-credentials

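tls:
  enabled: true # adds TLS listeners; plaintext AMQP stays on unless disableNonTLSListeners: true
  existingSecret: rabbitmq-tls-secret # must contain ca.crt, tls.crt, tls.key
  caFilename: ca.crt
  certFilename: tls.crt
  keyFilename: tls.key
  verify: verify_peer
  failIfNoPeerCert: false # connections without a peer certificate are not rejected; set true to require one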

management:
  enabled: true
  ingress:
    enabled: true
    ingressClassName: traefik
    useTlsPort: true # route ingress to management HTTPS port (15671)
    hosts:
      - host: rabbitmq.example.com
        paths:
          - path: /
            pathType: Prefix

singleNode:
  persistence:
    enabled: true
    size: 10Gi

# values.yaml — RabbitMQ with Prometheus metrics and ServiceMonitor
architecture: single-node

auth:
  username: admin
  existingSecret: rabbitmq-credentials

singleNode:
  persistence:
    enabled: true
    size: 10Gi

metrics:
  enabled: true
  serviceMonitor:
    enabled: true
    interval: 30s
    labels:
      release: prometheus # match your Prometheus Operator selector label

management:
  enabled: true

# values.yaml — RabbitMQ credentials managed by External Secrets Operator
auth:
  username: admin
  existingSecret: rabbitmq-credentials
  existingSecretUsernameKey: rabbitmq-username
  existingSecretPasswordKey: rabbitmq-password
  existingSecretErlangCookieKey: rabbitmq-erlang-cookie

externalSecrets:
  enabled: true
  apiVersion: external-secrets.io/v1
  refreshInterval: '0'
  secretStoreRef:
    name: platform-secrets
    kind: ClusterSecretStore
  data:
    - secretKey: rabbitmq-username
      remoteRef:
        key: rabbitmq/admin
        property: username
    - secretKey: rabbitmq-password
      remoteRef:
        key: rabbitmq/admin
        property: password
    - secretKey: rabbitmq-erlang-cookie
      remoteRef:
        key: rabbitmq/cluster
        property: erlangCookie

# values.yaml — expose the RabbitMQ management UI through Gateway API
management:
  enabled: true
  gateway:
    enabled: true
    hostnames:
      - rabbitmq.example.com
    parentRefs:
      - name: public-gateway
        namespace: gateway-system

Configuration Reference

Core

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| architecture | string | single-node | Deployment mode: single-node (Deployment) or cluster (StatefulSet). |
| nameOverride | string | "" | Override the chart name. |
| fullnameOverride | string | "" | Override the full release name. |
| commonLabels | object | {} | Extra labels added to all resources. |
| clusterDomain | string | cluster.local | Kubernetes cluster domain. |

Image

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| image.repository | string | docker.io/library/rabbitmq | Official RabbitMQ image repository. |
| image.tag | string | "4.3.1-alpine" | Official Alpine RabbitMQ image tag. |
| image.pullPolicy | string | IfNotPresent | Image pull policy. |
| imagePullSecrets | array | [] | Pull secrets for private registries. |

Authentication

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| auth.username | string | user | RabbitMQ admin username. |
| auth.password | string | "" | Admin password. Auto-generated if empty. |
| auth.erlangCookie | string | "" | Erlang cookie for node-to-node auth. Auto-generated if empty. |
| auth.vhost | string | / | Default virtual host created by RabbitMQ. |
| auth.existingSecret | string | "" | Existing secret with username, password, and Erlang cookie. |
| auth.existingSecretUsernameKey | string | rabbitmq-username | Key for username in existingSecret. |
| auth.existingSecretPasswordKey | string | rabbitmq-password | Key for password in existingSecret. |
| auth.existingSecretErlangCookieKey | string | rabbitmq-erlang-cookie | Key for Erlang cookie in existingSecret. |

Queue Defaults

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| queueDefaults.type | string | quorum | Default queue type: quorum (HA, replicated) or classic (legacy, non-HA). |

Quorum queues are the modern default

Quorum queues use the Raft consensus algorithm for durable, replicated message storage. They replace classic mirrored queues and are the recommended choice for new deployments. Classic queues are still supported for compatibility with legacy applications but are not HA.

Single-Node Mode

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| singleNode.persistence.enabled | boolean | true | Enable PVC for message storage. |
| singleNode.persistence.size | string | 8Gi | PVC size. |
| singleNode.persistence.storageClass | string | "" | StorageClass for the PVC. |
| singleNode.persistence.accessMode | string | ReadWriteOnce | PVC access mode. |

Cluster Mode

Set a fixed Erlang cookie before creating a cluster

Never use auto-generated Erlang cookies in cluster mode. If a pod is replaced and the cookie changes, the new node will be rejected by the existing cluster members. Store the cookie in a Kubernetes Secret and reference it via auth.existingSecret.
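
The Secret referenced by auth.existingSecret can be created once, before the first install, as in the following added example (not part of the chart). It assumes a namespace named messaging and the Secret name and keys from the cluster example on this page; gen_token, b64, render_secret and bootstrap are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of the chart. Assumed names: namespace "messaging";
# Secret name and keys follow the cluster example on this page.

# Print $1 random alphanumeric characters from the kernel CSPRNG.
# Reading 16 bytes per output character leaves ample margin after filtering.
gen_token() {
  head -c "$(( $1 * 16 ))" /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$1"
}

# Base64-encode $1 on a single line, as Secret .data values require.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render the Secret manifest: render_secret NAME NAMESPACE PASSWORD COOKIE
render_secret() {
  cookie=$4
  # Erlang cookies are alphanumeric strings of at most 255 characters.
  case $cookie in
    ''|*[!A-Za-z0-9]*) echo "cookie must be non-empty alphanumeric" >&2; return 1 ;;
  esac
  [ "${#cookie}" -le 255 ] || { echo "cookie exceeds 255 characters" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  rabbitmq-password: $(b64 "$3")
  rabbitmq-erlang-cookie: $(b64 "$cookie")
EOF
}

# Create the Secret once. An existing Secret is left alone so that re-running
# the bootstrap never rotates the cookie under a live cluster.
bootstrap() {
  ns=$1 name=$2
  if kubectl -n "$ns" get secret "$name" >/dev/null 2>&1; then
    echo "secret $ns/$name already exists; cookie left unchanged" >&2
    return 0
  fi
  render_secret "$name" "$ns" "$(gen_token 32)" "$(gen_token 64)" | kubectl create -f -
}

# Usage (requires cluster access): bootstrap messaging rabbitmq-credentials
```

Because the manifest is piped straight into kubectl, the generated password and cookie never land in values.yaml or shell history.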

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| cluster.replicaCount | integer | 3 | Number of RabbitMQ cluster nodes. |
| cluster.podManagementPolicy | string | OrderedReady | StatefulSet pod management policy. |
| cluster.partitionHandling | string | pause_minority | Network partition strategy. pause_minority prevents split-brain. |
| cluster.ordinalStart | integer | 0 | Starting ordinal for peer discovery. |
| cluster.seedNode | string | "" | Explicit seed node hostname for cluster formation. |
| cluster.gracefulShutdown.enabled | boolean | true | Execute graceful shutdown before pod termination. |
| cluster.persistence.enabled | boolean | true | Enable PVCs for each cluster node. |
| cluster.persistence.size | string | 8Gi | PVC size per node. |
| cluster.persistence.storageClass | string | "" | StorageClass for cluster PVCs. |

Management UI

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| management.enabled | boolean | true | Enable the management plugin and UI (port 15672/15671). |
| management.ingress.enabled | boolean | false | Enable Ingress for the management UI. |
| management.ingress.ingressClassName | string | traefik | Ingress class for the management UI. |
| management.ingress.annotations | object | {} | Annotations for the management Ingress. |
| management.ingress.hosts | array | [] | Ingress host and path rules. |
| management.ingress.tls | array | [] | TLS configuration for the management Ingress. |
| management.ingress.useTlsPort | boolean | false | Route ingress to the TLS management port (15671). |

TLS

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| tls.enabled | boolean | false | Enable TLS listeners for AMQP and management. |
| tls.existingSecret | string | "" | Existing secret with CA, certificate, and private key. |
| tls.caFilename | string | ca.crt | CA certificate filename inside the secret. |
| tls.certFilename | string | tls.crt | Certificate filename inside the secret. |
| tls.keyFilename | string | tls.key | Private key filename inside the secret. |
| tls.verify | string | verify_none | TLS peer verification mode. |
| tls.failIfNoPeerCert | boolean | false | Reject connections without a valid peer certificate. |
| tls.disableNonTLSListeners | boolean | false | Disable plaintext AMQP listeners when TLS is enabled. |

Plugins

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| plugins.extra | array | [] | Additional RabbitMQ plugins to enable beyond chart defaults. |

Custom Configuration

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| config.extra | string | "" | Extra rabbitmq.conf entries appended to the generated config. |
| config.advancedConfig | string | "" | Raw advanced.config Erlang term content. |

Runtime

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtime.disableSchedulerBusyWait | boolean | true | Add Erlang VM flags that reduce scheduler busy-wait idle CPU. |
| runtime.additionalErlArgs | string | "" | Additional Erlang VM arguments appended to chart-managed defaults. |

Probes

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| startupProbe.enabled | boolean | true | Enable TCP startup probe. |
| startupProbe.initialDelaySeconds | integer | 10 | Startup probe initial delay. |
| startupProbe.timeoutSeconds | integer | 3 | Startup probe timeout. |
| startupProbe.periodSeconds | integer | 10 | Startup probe period. |
| startupProbe.failureThreshold | integer | 30 | Startup probe failure threshold. |
| livenessProbe.enabled | boolean | true | Enable TCP liveness probe. |
| livenessProbe.initialDelaySeconds | integer | 30 | Liveness probe initial delay. |
| livenessProbe.timeoutSeconds | integer | 3 | Liveness probe timeout. |
| livenessProbe.periodSeconds | integer | 30 | Liveness probe period. |
| livenessProbe.failureThreshold | integer | 6 | Liveness probe failure threshold. |
| readinessProbe.enabled | boolean | true | Enable TCP readiness probe. |
| readinessProbe.initialDelaySeconds | integer | 20 | Readiness probe initial delay. |
| readinessProbe.timeoutSeconds | integer | 3 | Readiness probe timeout. |
| readinessProbe.periodSeconds | integer | 10 | Readiness probe period. |
| readinessProbe.failureThreshold | integer | 6 | Readiness probe failure threshold. |

PodDisruptionBudget

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| pdb.enabled | boolean | false | Create a PodDisruptionBudget. |
| pdb.minAvailable | integer | 1 | Minimum available pods during disruptions. Set to 2 for 3-node HA. |
| pdb.maxUnavailable | string | "" | Maximum unavailable pods (alternative to minAvailable). |

Metrics

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| metrics.enabled | boolean | false | Enable the Prometheus metrics plugin (port 15692). |
| metrics.serviceMonitor.enabled | boolean | false | Create a Prometheus Operator ServiceMonitor. |
| metrics.serviceMonitor.interval | string | 30s | Metrics scrape interval. |
| metrics.serviceMonitor.labels | object | {} | Extra labels for the ServiceMonitor. |

Service

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| service.type | string | ClusterIP | Service type. |
| service.amqpPort | integer | 5672 | AMQP listener port. |
| service.amqpsPort | integer | 5671 | AMQPS listener port (TLS). |
| service.managementPort | integer | 15672 | Management UI HTTP port. |
| service.managementTlsPort | integer | 15671 | Management UI HTTPS port. |
| service.epmdPort | integer | 4369 | Erlang port mapper daemon port. |
| service.distPort | integer | 25672 | Erlang distribution port (cluster inter-node traffic). |
| service.metricsPort | integer | 15692 | Prometheus metrics port. |
| service.annotations | object | {} | Annotations for the Service. |
| service.extraPorts | array | [] | Extra ports added to the Service. |
| service.ipFamilyPolicy | string | "" | Service IP family policy. Empty uses the cluster default. |
| service.ipFamilies | array | [] | Ordered Service IP families such as IPv4 and IPv6. |

Gateway API

The chart can expose the management UI with Gateway API by rendering an HTTPRoute that targets the management Service port. Use this when your cluster standardizes north-south HTTP traffic through Gateway API.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| management.gateway.enabled | boolean | false | Render a Gateway API HTTPRoute for management UI. |
| management.gateway.hostnames | array | [] | HTTPRoute hostnames. Empty matches all hostnames. |
| management.gateway.parentRefs | array | [] | Parent Gateway references used by the HTTPRoute. |

External Secrets Operator

Use External Secrets for RabbitMQ credentials when passwords and Erlang cookies are owned by a secret manager.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| externalSecrets.enabled | boolean | false | Render an ExternalSecret for RabbitMQ credentials. |
| externalSecrets.apiVersion | string | external-secrets.io/v1 | ExternalSecret API version. |
| externalSecrets.refreshInterval | string | "0" | Refresh interval. "0" syncs once. |
| externalSecrets.secretStoreRef | object | {} | SecretStore or ClusterSecretStore reference. |
| externalSecrets.target.creationPolicy | string | Owner | Target Secret creation policy. |
| externalSecrets.data | array | [] | Mappings for username, password, and Erlang cookie keys. |

Resources and Security

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| resources | object | {} | CPU and memory requests and limits. |
| podSecurityContext | object | {} | Pod-level security context. |
| securityContext | object | {} | Container-level security context. |

Scheduling

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| nodeSelector | object | {} | Node selector for scheduling. |
| tolerations | array | [] | Tolerations for scheduling. |
| affinity | object | {} | Affinity rules. |
| topologySpreadConstraints | array | [] | Topology spread constraints. |
| priorityClassName | string | "" | PriorityClass for the pod. |
| terminationGracePeriodSeconds | integer | 120 | Grace period. Allows in-progress message deliveries to complete. |
| podLabels | object | {} | Extra labels for the pod. |
| podAnnotations | object | {} | Extra annotations for the pod. |

Extra

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| extraEnv | array | [] | Extra environment variables for the container. |
| extraVolumes | array | [] | Extra volumes to attach to the pod. |
| extraVolumeMounts | array | [] | Extra volume mounts for the container. |
| extraManifests | array | [] | Extra Kubernetes manifests deployed alongside the chart. |
