kubernetes/rabbitmq/rabbitmq.conf

# Send logs to container engine via stderr
log.console = true
log.console.level = info
log.file = false

# Disable default (non-TLS) listener
listeners.tcp = none

# Activate TLS listener on AMQPS port
listeners.ssl.default = 5671
ssl_options.certfile = /run/secrets/rabbitmq/cert/tls.crt
ssl_options.keyfile = /run/secrets/rabbitmq/cert/tls.key

# Require mTLS authentication (client certificate)
ssl_options.cacertfile = /etc/rabbitmq/ca.crt
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
auth_mechanisms.1 = EXTERNAL
ssl_cert_login_from = common_name

## Import user/permission definitions from JSON file
definitions.import_backend = local_filesystem
definitions.local.path = /etc/rabbitmq/definitions.json
definitions.skip_if_unchanged = true