[Questions] 3.13.x: Switching to OAuth 2 causes nodes to be OOM-killed by Kubernetes

[BeyondEvil]

Community Support Policy

• I have read RabbitMQ's Community Support Policy
• I run RabbitMQ 4.x, the only series currently covered by community support
• I promise to provide all relevant information (versions, logs from all nodes, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

4.0.7

Erlang version used

27.2.x

Operating system (distribution) used

Kubernetes (AWS EKS Bottlerocket)

How is RabbitMQ deployed?

Bitnami Helm chart

rabbitmq-diagnostics status output

See https://www.rabbitmq.com/docs/cli to learn how to use rabbitmq-diagnostics

I have no name!@rabbitmq-cluster-server-0:/$ rabbitmq-diagnostics status
Status of node rabbit@rabbitmq-cluster-server-0.rabbitmq-cluster-nodes.rabbitmq-system ...
Runtime

OS PID: 59
OS: Linux
Uptime (seconds): 9854
Is under maintenance?: false
RabbitMQ version: 3.13.2
RabbitMQ release series support status: supported
Node name: rabbit@rabbitmq-cluster-server-0.rabbitmq-cluster-nodes.rabbitmq-system
Erlang configuration: Erlang/OTP 26 [erts-14.2.5] [source] [64-bit] [smp:4:2] [ds:4:2:10] [async-threads:1] [jit:ns]
Crypto library: OpenSSL 3.0.11 19 Sep 2023
Erlang processes: 445 used, 1048576 limit
Scheduler run queue: 1
Cluster heartbeat timeout (net_ticktime): 60

Plugins

Enabled plugin file: /operator/enabled_plugins
Enabled plugins:

 * rabbitmq_prometheus
 * rabbitmq_federation
 * rabbitmq_peer_discovery_k8s
 * rabbitmq_auth_backend_oauth2
 * base64url
 * accept
 * rabbitmq_peer_discovery_common
 * jose
 * prometheus
 * rabbitmq_management
 * rabbitmq_management_agent
 * rabbitmq_web_dispatch
 * amqp_client
 * cowboy
 * cowlib
 * oauth2_client

Data directory

Node data directory: /bitnami/rabbitmq/mnesia/rabbit@rabbitmq-cluster-server-0.rabbitmq-cluster-nodes.rabbitmq-system
Raft data directory: /bitnami/rabbitmq/mnesia/rabbit@rabbitmq-cluster-server-0.rabbitmq-cluster-nodes.rabbitmq-system/quorum/rabbit@rabbitmq-cluster-server-0.rabbitmq-cluster-nodes.rabbitmq-system

Config files

 * /opt/bitnami/rabbitmq/etc/rabbitmq/advanced.config
 * /opt/bitnami/rabbitmq/etc/rabbitmq/rabbitmq.conf
 * /opt/bitnami/rabbitmq/etc/rabbitmq/conf.d/10-operatorDefaults.conf
 * /opt/bitnami/rabbitmq/etc/rabbitmq/conf.d/11-default_user.conf
 * /opt/bitnami/rabbitmq/etc/rabbitmq/conf.d/90-userDefinedConfiguration.conf

Log file(s)

 * <stdout>

Alarms

(none)

Memory

Total memory used: 0.1611 gb
Calculation strategy: rss
Memory high watermark setting: 3.67 gb, computed to: 3.436 gb

reserved_unallocated: 0.0888 gb (55.14 %)
code: 0.0404 gb (25.05 %)
other_system: 0.025 gb (15.49 %)
other_proc: 0.0165 gb (10.26 %)
other_ets: 0.0033 gb (2.06 %)
atom: 0.0019 gb (1.16 %)
binary: 0.0013 gb (0.8 %)
plugins: 0.0012 gb (0.76 %)
metrics: 0.0007 gb (0.46 %)
mgmt_db: 0.0002 gb (0.12 %)
metadata_store: 0.0002 gb (0.11 %)
msg_index: 0.0002 gb (0.1 %)
mnesia: 0.0001 gb (0.04 %)
metadata_store_ets: 0.0 gb (0.02 %)
quorum_ets: 0.0 gb (0.02 %)
connection_other: 0.0 gb (0.0 %)
quorum_queue_procs: 0.0 gb (0.0 %)
quorum_queue_dlx_procs: 0.0 gb (0.0 %)
stream_queue_procs: 0.0 gb (0.0 %)
stream_queue_replica_reader_procs: 0.0 gb (0.0 %)
connection_writers: 0.0 gb (0.0 %)
connection_channels: 0.0 gb (0.0 %)
queue_procs: 0.0 gb (0.0 %)
queue_slave_procs: 0.0 gb (0.0 %)
stream_queue_coordinator_procs: 0.0 gb (0.0 %)
allocated_unused: 0.0 gb (0.0 %)
connection_readers: 0.0 gb (0.0 %)

File Descriptors

Total: 0, limit: 65439
Sockets: 0, limit: 58893

Free Disk Space

Low free disk space watermark: 2.0 gb
Free disk space: 10.4468 gb

Totals

Connection count: 0
Queue count: 0
Virtual host count: 1

Listeners

Interface: 0.0.0.0, port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0

Logs from node 1 (with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

rabbitmq 2025-03-10 11:59:43.906170+00:00 [debug] <0.715.0> Downloading oauth_provider using issuer "https://argocd.k8s.eu-north-1.ops.company.com/api/dex"
rabbitmq 2025-03-10 11:59:47.850986+00:00 [info] <0.389.0> vm_memory_high_watermark set. Memory used:3762774016 allowed:3435973837
rabbitmq 2025-03-10 11:59:47.851252+00:00 [warning] <0.387.0> memory resource limit alarm set on node 'rabbit@rabbitmq-cluster-server-0.rabbitmq-cluster-nodes.rabbitmq-system'.
rabbitmq 2025-03-10 11:59:47.851252+00:00 [warning] <0.387.0> 
rabbitmq 2025-03-10 11:59:47.851252+00:00 [warning] <0.387.0> **********************************************************
rabbitmq 2025-03-10 11:59:47.851252+00:00 [warning] <0.387.0> *** Publishers will be blocked until this alarm clears ***
rabbitmq 2025-03-10 11:59:47.851252+00:00 [warning] <0.387.0> **********************************************************
rabbitmq 2025-03-10 11:59:47.851252+00:00 [warning] <0.387.0> 
rabbitmq 2025-03-10 11:59:47.852003+00:00 [debug] <0.274.0> wal: opening new file 00000021.wal open mem tables: #Ref<0.1294853839.1474428929.203650>
rabbitmq 2025-03-10 11:59:47.852492+00:00 [debug] <0.272.0> segment_writer: deleting wal file: 00000020.wal
rabbitmq 2025-03-10 11:59:49.349223+00:00 [debug] <0.718.0> accepting AMQP connection <0.718.0> (10.122.139.103:36544 -> 10.122.136.102:5672)
rabbitmq 2025-03-10 11:59:49.349385+00:00 [debug] <0.718.0> closing AMQP connection <0.718.0> (10.122.139.103:36544 -> 10.122.136.102:5672):
rabbitmq 2025-03-10 11:59:49.349385+00:00 [debug] <0.718.0> connection_closed_with_no_data_received
stream closed EOF for rabbitmq-system/rabbitmq-cluster-server-0 (rabbitmq)
stream logs failed previous terminated container "setup-container" in pod "rabbitmq-cluster-server-0" not found for rabbitmq-system/rabbitmq-cluster-server-0 (setup-container)

Logs from node 2 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

Logs from node 3 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

rabbitmq.conf

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find rabbitmq.conf file location

I have no name!@rabbitmq-cluster-server-0:/$ cat  /opt/bitnami/rabbitmq/etc/rabbitmq/rabbitmq.conf
## Clustering
cluster_partition_handling = ignore

## Defaults
# During the first start, RabbitMQ will create a vhost and a user
# These config items control what gets created
default_permissions.configure = .*
default_permissions.read = .*
default_permissions.write = .*
log.console = true
default_vhost = /
default_user = user
default_pass = bitnami

## Networking
listeners.tcp.default = 5672

## Management
management.tcp.ip = 0.0.0.0
management.tcp.port = 15672
loopback_users.user = true

## Resource limits
# Set a free disk space limit relative to total available RAM
disk_free_limit.relative = 1.0

Steps to deploy RabbitMQ cluster

We're using an ArgoCD Application to deploy the RabbitMQ Cluster Operator:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: 'rabbitmq-stage-sa-east-1'
  namespace: 'argocd'
  annotations:
    argocd.argoproj.io/sync-wave: '50'
  labels:
    clusterName: company-stage-sa-east-1-k8s
    env: stage
    region: sa-east-1
    vendor: aws
spec:
  project: 'addons-stage'
  sources:
    - repoURL: 'registry-1.docker.io/bitnamicharts'
      targetRevision: '4.4.6'
      chart: 'rabbitmq-cluster-operator'
      helm:
        releaseName: 'rabbitmq'
        ignoreMissingValueFiles: true
        valueFiles:
          - '$values/k8s/addons/stage/sa-east-1/rabbitmq.yaml'

    - repoURL: 'https://github.com/company/IaC.git'
      targetRevision: HEAD
      ref: values

  destination:
    name: 'company-stage-sa-east-1-k8s'
    namespace: 'rabbitmq-system'

  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

Another Application then deploys the RabbbitMQCluster custom resource:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: rabbitmq-cluster
  namespace: rabbitmq-system
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  replicas: 1

  persistence:
    storageClassName: gp3
    storage: 10Gi

  resources:
    requests:
      cpu: 1
      memory: 4Gi
    limits:
      cpu: ''
      memory: 4Gi

  rabbitmq:
    additionalConfig: |
      log.console.level = debug
      auth_backends.1 = rabbit_auth_backend_oauth2
      auth_backends.2 = internal
      auth_oauth2.resource_server_id = rabbitmq
      auth_oauth2.issuer = https://argocd.k8s.eu-north-1.ops.company.com/api/dex
      management.oauth_enabled = true
      management.oauth_client_id = rabbitmq
      management.oauth_client_secret = <client-secret>
      management.oauth_scopes = openid profile email groups
      vm_memory_high_watermark.absolute = 3500Mi

    advancedConfig: |
      [
          {rabbitmq_auth_backend_oauth2,
           [{scope_prefix, <<>>}
           ,{extra_scopes_source, <<"groups">>}
           ,{preferred_username_claims, [<<"email">>, <<"username">>, <<"user_name">>, <<"sub">>]}
           ,{scope_aliases, #{<<"company:platform">> => [<<"tag:administrator">>, <<"configure:*/*/*">>, <<"write:*/*/*">>, <<"read:*/*/*">>]}}
           ]
          }
      ].

    additionalPlugins:
      - rabbitmq_auth_backend_oauth2

Steps to reproduce the behavior in question

Configure OIDC auth and try to login.

The pod will consume all memory and be OOMKilled and the browser console will display the below error:

advanced.config

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find advanced.config file location

I have no name!@rabbitmq-cluster-server-0:/$ cat /opt/bitnami/rabbitmq/etc/rabbitmq/advanced.config
[
    {rabbitmq_auth_backend_oauth2,
     [{scope_prefix, <<>>}
     ,{extra_scopes_source, <<"groups">>}
     ,{preferred_username_claims, [<<"email">>, <<"username">>, <<"user_name">>, <<"sub">>]}
     ,{scope_aliases, #{<<"company:platform">> => [<<"tag:administrator">>, <<"configure:*/*/*">>, <<"write:*/*/*">>, <<"read:*/*/*">>]}}
     ]
    }
].

Application code

# PASTE CODE HERE, BETWEEN BACKTICKS

Kubernetes deployment file

# Relevant parts of K8S deployment that demonstrate how RabbitMQ is deployed
# PASTE YAML HERE, BETWEEN BACKTICKS

What problem are you trying to solve?

We're trying to use Dex (the ArgoCD bundled one) with RabbitMQ so that we can manage users via Github.

Note that Dex is working as expected for both ArgoCD and the Kubernetes API (via kubectl and kubelogin).

[BeyondEvil]

These are the relevant bits of the Dex config:

        connectors:
          - type: github
            id: github
            name: GitHub
            config:
              clientID: "$argocd-github-oauth:clientID"
              clientSecret: "$argocd-github-oauth:clientSecret"
              orgs:
                - name: company
                  teams:
                    - engineering
                    - platform
        staticClients:
          - id: kubernetes
            name: kubernetes
            secret: "$dex-client-secret:clientSecret"
            redirectURIs:
              - "http://localhost:8000"

          - id: rabbitmq
            name: rabbitmq
            secret: "$dex-client-secret:clientSecret"
            redirectURIs:
              - "https://rabbitmq.k8s.sa-east-1.stage.company.com/js/oidc-oauth/login-callback.html"
        web:
          allowedOrigins: ['*']

[BeyondEvil]

I noticed that despite using the latest chart 4.4.6 we're still getting an old version of rabbitmq:

[MirahImage]

If you want the latest version of RabbitMQ to be deployed in your cluster, you should specify the image https://www.rabbitmq.com/kubernetes/operator/using-operator#images
This also lets you choose when you will perform RabbitMQ cluster upgrades by specifying a new image version.

[BeyondEvil]

These are the contents of the values.yaml for the chart:

global:
  defaultStorageClass: 'gp3'

[michaelklishin]

@BeyondEvil per our Community Support policy, we will not troubleshoot OAuth 2 for you, in particular together with Bitnami images, Dex and so on.

Start with getting 4.0.7, then proceed to Reasoning About Memory Use and monitoring and charting the same data.

We cannot guess how much memory these nodes are allowed to use, what uses it, and so on. You are the first person who claims that using OAuth 2 results in nodes being OOM-killed, and we know for a fact that there are some very large scale installations and even installations that use several IDPs at once.