DataONEorg · artntek · Nov 19, 2025 · Oct 30, 2025 · Nov 4, 2025 · Nov 11, 2025
@@ -1,9 +1,6 @@
 dependencies:
-- name: rabbitmq
-  repository: https://charts.bitnami.com/bitnami
-  version: 14.7.0
 - name: solr
   repository: https://charts.bitnami.com/bitnami
   version: 9.5.5
-digest: sha256:59d67de7ffbf7aad3cddb9ed3c66650858a2a65e16bce5de64ecadc6944ce5ff
-generated: "2025-04-23T15:38:10.540938-07:00"
+digest: sha256:07fc39bbbeadb46195e79fca6e5dae3c747cbcd8744b3449c0385271913b351b
+generated: "2025-10-30T14:22:41.820563-07:00"
@@ -31,19 +31,6 @@ appVersion: "3.2.0-SNAPSHOT"
 
 # Chart dependencies
 dependencies:
-  - name: rabbitmq
-    condition: rabbitmq.enabled, global.rabbitmq.enabled
-    repository: https://charts.bitnami.com/bitnami
-    ## get full list using:  $  helm search repo bitnami/rabbitmq --versions
-    version: 14.7.0    # rabbitmq version 3.13.7
-    ## REMEMBER TO CHANGE: .Values.rabbitmq.nameOverride FOR EACH NEW RELEASE!
-    ##
-    ## NOTE: each release should be a fresh install (using a new PV/PVC). We ensure this by changing
-    ## the rabbitmq.nameOverride for each new subchart version.
-    ## NOTE: If you decide to upgrade instead of using a new PV/PVC, you must upgrade to the latest
-    ## patch release of each minor (APP) version, before upgrading to the next minor (APP) version;
-    ## see: https://www.rabbitmq.com/docs/feature-flags#version-compatibility
-
   - name: solr
     condition: solr.enabled, global.solr.enabled
     repository: https://charts.bitnami.com/bitnami

@@ -5,9 +5,9 @@ index.tdb.directory={{ .Values.idxworker.tripleDbDirectory }}
 
 #The section for the rabbitMQ configuration
 index.rabbitmq.hostname={{ include "idxworker.rabbitmq.hostname" . }}
-index.rabbitmq.hostport={{- include "idxworker.rabbitmq.hostport" . }}
-index.rabbitmq.username={{ .Values.rabbitmq.auth.username }}
-## index.rabbitmq.password will be read from RABBITMQ_PASSWORD env var
+index.rabbitmq.hostport={{ include "idxworker.rabbitmq.hostport" . }}
+## index.rabbitmq.username & index.rabbitmq.password will be read from env vars
+index.rabbitmq.username=${env:RABBITMQ_USERNAME}
 index.rabbitmq.password=${env:RABBITMQ_PASSWORD}
 #If changing max priority, existing queue must be deleted, and consumers must use the same number
 index.rabbitmq.max.priority=10

@@ -4,49 +4,6 @@ APP VERSION: {{ .Chart.AppVersion }}
 
 ** Please be patient while the chart is being deployed **
 
-
-RABBITMQ:
-=========
-Credentials:
-    Username: {{ .Values.rabbitmq.auth.username }}
-    To get password:
-    echo $(kubectl get secret --namespace {{ .Release.Namespace }} {{ .Values.rabbitmq.auth.existingPasswordSecret }} -o jsonpath="{.data.rabbitmq-password}" | base64 -d)
-
-IMPORTANT NOTE: the credentials are saved in persistent volume claims and will not be changed upon upgrade or re-installation unless the persistent volume claim has been deleted. If this is not the first installation of this chart, the credentials may not be valid.
-
-This is applicable when no passwords are set and therefore the random password is autogenerated. In case of using a fixed password, you should specify it when upgrading.
-
-More information about the credentials may be found at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases.
-
-{{- $rmqMgrPort := .Values.rabbitmq.service.ports.manager }}
-
-The RabbitMQ Manager API or Web UI can be accessed within the cluster on port {{ $rmqMgrPort }} at
-{{ include "idxworker.rabbitmq.hostname" . }}
-
-Access the web console or API by port-forwarding:
-
-kubectl -n {{ .Release.Namespace }} port-forward svc/{{ include "idxworker.rabbitmq.hostname" . }} {{ $rmqMgrPort }}:{{ $rmqMgrPort }} &
-
-...then login to the Rabbitmq web console: http://localhost:{{ $rmqMgrPort }} using the credentials
-above, and/or use the API - for example, to see the number of messages on the 'index' queue:
-
-$ curl  -u username:password http://localhost:15672/api/queues/%2f/index | jq | grep "messages\":"
-
-API documentation is available at:
-https://rawcdn.githack.com/rabbitmq/rabbitmq-server/v3.13.1/deps/rabbitmq_management/priv/www/api/index.html
-
-{{- if .Values.rabbitmq.metrics.enabled }}
-
-To access the RabbitMQ Prometheus metrics, get the RabbitMQ Prometheus URL by running:
-
-    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} {{ .Values.service.ports.metrics }}:{{ .Values.service.ports.metrics }} &
-    echo "Prometheus Metrics URL: http://127.0.0.1:{{ .Values.service.ports.metrics }}/metrics"
-
-Then, open the obtained URL in a browser.
-
-{{- end }}
-
-
 SOLR:
 =====
 Solr can be accessed via port {{ .Values.global.solrPort }} on the following DNS name from within

@@ -111,35 +111,43 @@ Either use the value set in .Values.persistence.claimName, or if blank, autopopu
 {{- end }}
 
 {{/*
-Check if RabbitMQ SubChart is enabled
+Create a default fully qualified app name for the embedded RabbitMQ Cluster Operator Deployment.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
-{{- define "rmq.enabled" -}}
-{{ $rmqEnabled := (or (((.Values.global).rabbitmq).enabled) ((.Values.rabbitmq).enabled)) }}
-{{ end }}
+{{- define "idxworker.rmq.fullname" -}}
+{{- $name := default "rmq" .Values.rabbitmq.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- printf "%s-%s" .Release.Name $name }}
+{{- end }}
+
+{{/*
+If RabbitMQ Secret Name not defined, infer from bundled RMQ Cluster Operator, or error out.
+*/}}
+{{- define "idxworker.rabbitmq.secret.name" }}
+{{- $rmqSecret := .Values.idxworker.rabbitmqSecret }}
+{{- if and ((.Values.rabbitmq).enabled) (not $rmqSecret) }}
+{{- $rmqSecret = printf "%s-default-user" (include "idxworker.rmq.fullname" .) }}
+{{- end }}
+{{- required "idxworker.rabbitmqSecret REQUIRED if not using bundled RMQ Operator" $rmqSecret }}
+{{- end }}
 
 {{/*
 set RabbitMQ HostName
 */}}
 {{- define "idxworker.rabbitmq.hostname" }}
 {{- $rmqHost := .Values.idxworker.rabbitmqHostname }}
-{{- if and (include "rmq.enabled" .) (not $rmqHost) }}
-{{- if .Values.rabbitmq.fullnameOverride }}
-{{- $rmqHost = printf "%s-headless" (.Values.rabbitmq.fullnameOverride | trunc 63 | trimSuffix "-") }}
-{{- else }}
-{{- $rmqName := (required ".Values.rabbitmq.nameOverride REQUIRED in indexer chart" .Values.rabbitmq.nameOverride) }}
-{{- $rmqHost = printf "%s-%s-headless" .Release.Name ($rmqName | trunc 63 | trimSuffix "-") }}
-{{- end }}
+{{- if and ((.Values.rabbitmq).enabled) (not $rmqHost) }}
+{{- $rmqHost = (include "idxworker.rmq.fullname" .) }}
 {{- end }}
-{{- $rmqHost }}
+{{- required "idxworker.rabbitmqHostname REQUIRED if not using bundled RMQ Operator" $rmqHost }}
 {{- end }}
 
 {{/*
 set RabbitMQ HostPort
 */}}
 {{- define "idxworker.rabbitmq.hostport" }}
 {{- $rmqPort := .Values.idxworker.rabbitmqHostPort }}
-{{- if and (include "rmq.enabled" .) (not $rmqPort) -}}
-{{ $rmqPort = .Values.rabbitmq.service.ports.amqp }}
+{{- if and ((.Values.rabbitmq).enabled) (not $rmqPort) -}}
+{{ $rmqPort = .Values.idxworker.rabbitmqHostPort }}
 {{- end }}
 {{- $rmqPort }}
 {{- end }}

@@ -130,11 +130,17 @@ spec:
                   # If 'false', the secret must exist before the pod can start
                   # App versions before v2.3.4 will read this value from a config file, not the env var.
                   optional: true
+            - name: RABBITMQ_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{  include "idxworker.rabbitmq.secret.name" . }}
+                  key: {{ required "idxworker.rabbitmqUserKey IS REQUIRED" .Values.idxworker.rabbitmqUserKey }}
+                  optional: false
             - name: RABBITMQ_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{  required "rabbitmq.auth.existingPasswordSecret IS REQUIRED" .Values.rabbitmq.auth.existingPasswordSecret }}
-                  key: rabbitmq-password
+                  name: {{  include "idxworker.rabbitmq.secret.name" . }}
+                  key: {{ required "idxworker.rabbitmqPasswordKey IS REQUIRED" .Values.idxworker.rabbitmqPasswordKey }}
                   optional: false
             {{- if .Values.solr.auth.enabled }}
             - name: SOLR_ADMIN_PASSWORD

@@ -0,0 +1,34 @@
+### RabbitMQ Cluster Configuration
+## --------------------------------------
+## This manifest deploys a RabbitMQ cluster using the RabbitMQ Cluster Operator.
+## See:
+##   https://www.rabbitmq.com/kubernetes/operator/using-operator
+##   https://www.rabbitmq.com/docs/production-checklist
+##   https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples/production-ready
+
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+  name: {{ include "idxworker.rmq.fullname" . }}
+  labels:
+    app: rabbitmq
+spec:
+  replicas: {{ .Values.rabbitmq.replicaCount }}
+  resources:
+    {{ toYaml .Values.rabbitmq.resources | nindent 4 }}
+  rabbitmq:
+    {{- if .Values.rabbitmq.envConfig }}
+    envConfig: |
+      {{- range $k, $v := .Values.rabbitmq.envConfig }}
+      {{ $k }}={{ $v | quote }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.rabbitmq.additionalConfig }}
+    additionalConfig: |
+      {{- range $k, $v := .Values.rabbitmq.additionalConfig }}
+      {{ $k }} = {{ $v }}
+      {{- end }}
+    {{- end }}
+  persistence:
+    storageClassName: {{ .Values.rabbitmq.persistence.storageClassName }}
+    storage: {{ .Values.rabbitmq.persistence.size }}
@@ -174,15 +174,33 @@ idxworker:
   ##
   solrVerConflictMaxTries: 25000
 
-  ## @param idxworker.rabbitmqHostname hostname of the rabbitmq service to use
-  ## Leave unset (rabbitmqHostname: "") to automatically populate when using rmq bitnami subchart
+  ## @param idxworker.rabbitmqHostname RMQ host to be called by indexer. Leave blank to autopopulate
+  ## from the bundled rabbitmq operator installation (if rabbitmq.enabled)
   ##
   rabbitmqHostname: ""
 
-  ## @param idxworker.rabbitmqHostPort hostport of the rabbitmq service
-  ## Leave unset (rabbitmqHostPort: "") to automatically populate when using rmq bitnami subchart
+  ## @param idxworker.rabbitmqHostPort RMQ port to be called by indexer. (Doesn't set rmq's port!)
+  ## Only tells the indexer which port to use in the connection string.
   ##
-  rabbitmqHostPort: ""
+  rabbitmqHostPort: "5672"
+
+  ## @param idxworker.rabbitmqUsername The username needed for rabbitmq access. Leave blank to autopopulate
+  ## from 'idxworker.rabbitmqSecret'
+  ##
+  rabbitmqUsername: ""
+
+  ## @param idxworker.rabbitmqSecret Secret holding rmq credentials. Leave blank to autopopulate
+  ## from the bundled rabbitmq operator installation (if rabbitmq.enabled)
+  ##
+  rabbitmqSecret: ""
+
+  ## @param idxworker.rabbitmqUserKey key associated with rabbitmq username in existing secret
+  ##
+  rabbitmqUserKey: "username"
+
+  ## @param idxworker.rabbitmqPasswordKey key associated with rabbitmq password in existing secret
+  ##
+  rabbitmqPasswordKey: "password"
 
   ## @param idxworker.data_directory Location of data within the metacat shared volume
   ##
@@ -315,63 +333,79 @@ idxworker:
   ##
   extraEnvVars: []
 
-## @section RabbitMQ Bitnami Sub-Chart Configuration
+## @section RabbitMQ Configuration
+## For a production example of a multi-zone Kubernetes deployment with 3 worker nodes, each in a
+## different zone, see:
+## https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples/production-ready
 ##
 rabbitmq:
   enabled: true
 
-  ## As of 8/25/25, Bitnami charges for secure container images, unless we use the "latest" tag.
-  ## As a stopgap, we reference the legacy images, which are still available for free (but note
-  ## that newer versions will not become available in the future, so we need to find an alternative
-  ## source for images...)
-  ## @param postgresql.global.security.allowInsecureImages Allow non-bitnami-hardened images
-  ## @param rabbitmq.image.repository source repo for main image
-  ## @param postgresql.volumePermissions.image.repository  source repo for volumePermissions image
-  global:
-    security:
-      allowInsecureImages: true
-  image:
-    repository: bitnamilegacy/rabbitmq
-  volumePermissions:
-    image:
-      repository: bitnamilegacy/os-shell
-
-  ## @param rabbitmq.fullnameOverride String to fully override rabbitmq.fullname template (optional)
-  ## Takes precedence over rabbitmq.nameOverride.
+  ## @param rabbitmq.nameOverride REQUIRED partial override for resourcename used for pods, PVCs etc
+  ## Automatically prepends the release name, so the resulting resource name for the pods etc. will
+  ## begin:  <myrelease>-<rabbitmq.nameOverride>-...
   ##
-  fullnameOverride: ""
+  ## We change this with every change in RabbitMQ app version, so that we can use a new PV/PVC for
+  ## each release. This means each new installation is a fresh install, instead of being an upgrade,
+  ## which would be a lot more onerous (see rabbitMQ docs).
+  ##
+  ## Convention is to use 'rmq', followed by the rabbitmq app version, with periods replaced by
+  ## dashes; e.g.:
+  ##  nameOverride: "rmq-4-1-3"  ## for rabbitmq app version 4.1.3
+  ##
+  nameOverride: "rmq-4-1-3"
 
-  ## @param rabbitmq.nameOverride REQUIRED partial override for resourcename used for pods, PVCs etc
-  ## Maintains the release name, so the resulting resource name for the pods etc. will begin:
-  ## myrelease-nameOverride-...
+  ## @param rabbitmq.replicaCount Number of desired rabbitmq pods (always use an odd number)
+  ## see: https://www.rabbitmq.com/docs/clustering#node-count
   ##
-  ## We change this with every change in rmq subchart version, so that we can use a new PV/PVC for
-  ## each release. This means each new installation is a fresh install, instead of being an
-  ## upgrade - which would be a lot more onerous (see rabbitMQ docs).
+  replicaCount: 1
+
+  ## @param rabbitmq.resources Resource requests and limits for rabbitmq pods (OVERRIDE THESE!)
   ##
-  ## Convention is to use 'rabbitmq', followed by the rabbitmq app version (not the chart version),
-  ## with periods replaced by dashes; e.g.:
-  ##  nameOverride: "rabbitmq-3-13-7"  ## for rabbitmq app version 3.13.7 (Bitnami chart v.14.7.0)
+  ## NOTE:
+  ##   CPU: For production, the ABSOLUTE MINIMUM is 2 CPUs per RabbitMQ node (and 4 CPUs
+  ##        RECOMMENDED).
+  ##        RMQ will work poorly with 1 CPU, which is why it's not recommended for production
+  ##        workloads
+  ##   MEMORY: For production, min. 2GB of RAM is recommended, increasing to 4Gi or even 8 - 10Gi,
+  ##        depending on load. It is recommended to keep the memory requests and limits both at the
+  ##        same value.
   ##
-  nameOverride: "rabbitmq-3-13-7"
+  resources:
+    requests:
+      cpu: 500m
+      memory: 500Mi
+    limits:
+      cpu: 800m
+      memory: 500Mi
 
   persistence:
-    size: 10Gi
-  #replicaCount: 3
-  #If you change the number of the max priority, the existing queue must be deleted, and consumers
-  # must use the same number.
-  #max.priority: 10
-
-  auth:
-    ## @param rabbitmq.username the username for rabbitmq access
+    ## @param rabbitmq.persistence.storageClassName Storage class name for rabbitmq data PV
+    ## Leave blank ("") to use the default storage class for the cluster
     ##
-    username: rmq
+    storageClassName: ""
 
-    ## @param rabbitmq.existingPasswordSecret the k8s secret holding the rabbitmq password
-    ## (must be associated with key: 'rabbitmq-password')
+    ## @param rabbitmq.persistence Size of persistent volume for rabbitmq data
     ##
-    existingPasswordSecret: "ssss"
+    size: 10Gi
 
+  ## @param rabbitmq.envConfig Additional rabbitmq environment variable settings
+  ## See:
+  ##   https://www.rabbitmq.com/kubernetes/operator/using-operator#env-config
+  ##   https://www.rabbitmq.com/docs/configure#customise-environment
+  ## Example:
+  ##   envConfig:
+  ##     RABBITMQ_USE_LONGNAME: "true"
+  envConfig: {}
+
+  ## @param rabbitmq.additionalConfig Additional rabbitmq configuration settings
+  ## See:
+  ##   https://www.rabbitmq.com/docs/configure#config-items
+  ##   https://www.rabbitmq.com/docs/production-checklist
+  ##   https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples/production-ready
+  ##
+  additionalConfig:
+    disk_free_limit.relative: "1.0"
 
 ## @section Solr Bitnami Sub-Chart Configuration
 ##