Report
I have a RabbitMQ trigger configured with TLS. In our RabbitMQ setup we use TLS with passwordless auth: we extract the username from the CommonName field in the client certificate, thus our username is CN=username. We have the following setup:
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: queue-consumers-scaledobject
  namespace: ml-serving
spec:
  scaleTargetRef:
    name: queue-consumers
  pollingInterval: 5
  cooldownPeriod: 60
  maxReplicaCount: 10
  minReplicaCount: 1
  triggers:
    - type: rabbitmq
      metadata:
        protocol: auto
        queueName: queue_name
        mode: QueueLength
        value: "1"
        tls: enable
      authenticationRef:
        name: rabbitmq-trigger-auth
---
apiVersion: v1
kind: Secret
metadata:
  name: keda-rabbitmq-secret
data:
  host: "amqps://[email protected]:5671/" # Also tried without username to no avail.
  tls: "enable"
  ca: <our ca>
  cert: <our cert>
  key: <our key>
---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: rabbitmq-trigger-auth
  namespace: ml-serving
spec:
  secretTargetRef:
    - parameter: host
      name: keda-rabbitmq-secret
      key: host
    - parameter: tls
      name: keda-rabbitmq-secret
      key: tls
    - parameter: ca
      name: keda-rabbitmq-secret
      key: ca
    - parameter: cert
      name: keda-rabbitmq-secret
      key: cert
    - parameter: key
      name: keda-rabbitmq-secret
      key: key
Expected Behavior
We expect the ScaledObject and the TriggerAuthentication to connect properly using External authentication methods in our Rabbitmq cluster and authenticate properly via TLS.
Actual Behavior
The ScaledObject refuses to connect using username and password instead of TLS authentication.
Warning KEDAScalerFailed ScaledObject/*** error establishing rabbitmq connection: Exception (403) Reason: "username or password not allowed"
Steps to Reproduce the Problem
- Enable TLS and passwordless authentication to a Rabbitmq user in the cluster
- Install the Keda objects above
- Try to connect the rabbitmq Trigger and TriggerAuthentication using AMQPS
Logs from KEDA operator
2025-06-16T14:30:18Z ERROR Reconciler error {"controller": "scaledobject", "controllerGroup": "keda.sh", "controllerKind": "ScaledObject", "ScaledObject": {"name":"***","namespace":"apps"}, "namespace": "apps", "name": "***", "reconcileID": "675f4b11-429d-4e91-9ae3-6cedf29b1d8b", "error": "error establishing rabbitmq connection: Exception (403) Reason: \"username or password not allowed\""}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler
/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:316
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem
/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:263
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2
/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:224
KEDA Version
2.17.0
Kubernetes Version
1.31
Platform
Amazon Web Services
Scaler Details
Rabbitmq with TLS
Anything else?
No response
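A check that helps when triaging this kind of report, as an added example (not code from KEDA or from the reporter): it reads a PEM client certificate and returns the login name a broker would derive from the Subject CN, rejecting certificates that are outside their validity period or whose extended key usage excludes TLS client authentication. It assumes the broker maps the CN to the username as the report describes; `CertLogin` and `SampleCert` are hypothetical names, and the sample certificate is constructed in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertLogin returns the Subject CN of a PEM client certificate, the name a
// broker mapping CN to username would look up (assumption from the report).
func CertLogin(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("certificate is outside its validity period")
	}
	ok := len(cert.ExtKeyUsage) == 0 // no EKU listed: usage unrestricted
	for _, u := range cert.ExtKeyUsage {
		ok = ok || u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny
	}
	if !ok {
		return "", fmt.Errorf("EKU does not permit TLS client authentication")
	}
	return cert.Subject.CommonName, nil
}

// SampleCert builds a constructed self-signed certificate (demo input only).
func SampleCert(cn string, eku x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(CertLogin(SampleCert("username", x509.ExtKeyUsageClientAuth)))
}
```

Feeding it the decoded `cert` value from the Secret shows whether the derived name matches an existing RabbitMQ user before looking at the scaler itself.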