RabbitMQ Configuration¶
RabbitMQ enables asynchronous, event-driven workflow invocation and outbound messaging.
Roles in MeshFlows¶
- Broker for domain events and integration messages.
- Trigger source for dedicated RabbitMQ subscriber runtime (ingress adapter).
- Target transport for egress-rabbitmq publishing steps.
RabbitMQ Subscriber Trigger Settings¶
RabbitMQ-triggered workflow starts are handled by a dedicated subscriber deployment
that consumes messages and calls Orchestrator POST /invoke/scheduled.
Key settings:
RABBITMQ_TRIGGER_ENABLEDRABBITMQ_TRIGGER_URLRABBITMQ_TRIGGER_EXCHANGERABBITMQ_TRIGGER_EXCHANGE_TYPERABBITMQ_TRIGGER_QUEUERABBITMQ_TRIGGER_BINDING_KEYRABBITMQ_TRIGGER_WORKFLOWRABBITMQ_TRIGGER_STORAGE_CHANGED_WORKFLOWRABBITMQ_TRIGGER_REQUEUE_ON_ERRORORCHESTRATOR_URLORCHESTRATOR_SCHEDULE_PATHSCHEDULE_INVOCATION_TOKEN
Message Size Limits¶
MeshFlows configures RabbitMQ broker message size via rabbitmq.conf:
max_message_size = $(RABBITMQ_MAX_MESSAGE_SIZE_BYTES)
Default value:
RABBITMQ_MAX_MESSAGE_SIZE_BYTES=16777216(16 MiB)
Important:
- Keep application-level limits at or below this broker limit.
- Increase broker limit before increasing service limits beyond 16 MiB.
Workflow Resolution¶
When consuming a message, workflow selection can happen through:
- Explicit header (
Workflow). - Dedicated storage changed routing rule.
- Static fallback workflow from configuration.
- Header mapping using
Domain,Service,Action,Version.
Operational Guidance¶
- Use durable queues for trigger consumption.
- Keep routing keys explicit per domain where possible.
- Apply dead-letter or requeue strategy based on failure semantics.
- Monitor queue depth, consumer lag, and nack/requeue behavior.
Security Guidance¶
- Use non-default credentials and TLS where possible.
- Restrict broker network exposure to trusted services.
- Separate vhosts or exchanges for environment isolation.
Internal Auth (Dashboard + Broker)¶
For cluster-internal management API access, MeshFlows uses the Kubernetes secret
meshflows-rabbitmq-auth in the target namespace.
Expected secret keys:
usernamepasswordtoken(recommended stable internal token)amqp_url
Recommended setup:
- Set
RABBITMQ_INTERNAL_TOKENin Actions Secrets. - Run deploy workflow (
deploy.yml). - Deploy reconciles secret values and synchronizes broker credentials with
rabbitmqctl.
This prevents credential drift when RabbitMQ data persists on PVC between redeploys.
Troubleshooting 401 on RabbitMQ Dashboard APIs¶
Symptom:
- Dashboard shows:
Failed to load RabbitMQ data: API /api/rabbitmq/overview: 401
Typical cause:
- Secret credentials differ from users currently configured inside RabbitMQ.
Checks:
kubectl get secret meshflows-rabbitmq-auth -n <namespace> -o yamlkubectl exec -n <namespace> deployment/rabbitmq -- rabbitmqctl list_userskubectl exec -n <namespace> deployment/rabbitmq -- rabbitmqctl authenticate_user <user> <password>
Fix:
- Re-run deploy workflow on latest
mainso RabbitMQ credentials are reconciled.
Troubleshooting ACCESS_REFUSED on workflow publish¶
Symptom:
- Workflow step
rabbitmq_publish/egress.rabbitmq.publishfails withACCESS_REFUSED - Login was refused using authentication mechanism PLAIN.
Typical cause:
- The broker user/password in
meshflows-rabbitmq-authwas reconciled, but the Storage runtime secrets used by connections (rabbitmq-user,rabbitmq-passwordin connectionrabbitmq_events) still hold an older value.
Checks:
kubectl exec -n meshflows-dev deployment/rabbitmq -- rabbitmqctl authenticate_user <user> <password>using values frommeshflows-rabbitmq-auth.- Dashboard → Secrets: compare
rabbitmq-passwordwith the cluster secret. - Dashboard → Connections →
rabbitmq_events: URL should reference$secret:rabbitmq-userand$secret:rabbitmq-password.
Fix:
- Re-run Deploy Engine (syncs broker + Storage secrets), or update Storage
secrets manually to match
meshflows-rabbitmq-auth.