rabbitmq · DanielePalaia · Dec 14, 2022 · Dec 12, 2022
diff --git a/docs/examples/external-admin-secret-credentials/README.md b/docs/examples/external-admin-secret-credentials/README.md
@@ -0,0 +1,44 @@
+# Providing an external secret for default user credentials
+
+By default admin credentials for a RabbitmqCluster cluster are stored in a Kubernetes secret called INSTANCE-default-user, where INSTANCE is the name of the RabbitmqCluster object. 
+
+There are some cases where you want to have the flexibility to specify your own credentials in a different secret. For example you may need to use tools like ExternalSecret operator which reads information from external APIs (like a Cloud secret provider) and automatically injects the values into a Kubernetes Secret.
+
+The creation of this secret can delay, so the RabbitMQ cluster statefulset need to delay till the secret is not created.
+
+To do this we provide an option in the CRD called externalsecret like:
+
+```
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+  name: external-secret-user
+spec:
+  service:
+    type: LoadBalancer
+  replicas: 1
+  secretBackend:
+    externalSecret: 
+      name: "my-secret"
+```
+
+When this externalSecret field is specified the default secret will not be generated by the cluster operator but the statefulset will wait until my-secret will be generated.
+
+The secret needs to be in the same format as our default-user secret (info are specified in base64 in this case) so like:
+
+```
+apiVersion: v1
+data:
+  default_user.conf: ZGVmYXVsdF91c2VyID0gZGVmYXVsdF91c2VyX2htR1pGaGRld3E2NVA0ZElkeDcKZGVmYXVsdF9wYXNzID0gcWM5OG40aUdEN01ZWE1CVkZjSU8ybXRCNXZvRHVWX24K
+  host: dmF1bHQtZGVmYXVsdC11c2VyLmRlZmF1bHQuc3Zj
+  password: cWM5OG40aUdEN01ZWE1CVkZjSU8ybXRCNXZvRHVWX24=
+  port: NTY3Mg==
+  provider: cmFiYml0bXE=
+  type: cmFiYml0bXE=
+  username: ZGVmYXVsdF91c2VyX2htR1pGaGRld3E2NVA0ZElkeDc=
+kind: Secret
+metadata:
+  name: my-secret 
+  namespace: rabbitmq-system
+type: Opaque
+```
diff --git a/docs/examples/external-admin-secret-credentials/my-secret.yml b/docs/examples/external-admin-secret-credentials/my-secret.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+data:
+  default_user.conf: ZGVmYXVsdF91c2VyID0gZGVmYXVsdF91c2VyX2htR1pGaGRld3E2NVA0ZElkeDcKZGVmYXVsdF9wYXNzID0gcWM5OG40aUdEN01ZWE1CVkZjSU8ybXRCNXZvRHVWX24K
+  host: dmF1bHQtZGVmYXVsdC11c2VyLmRlZmF1bHQuc3Zj
+  password: cWM5OG40aUdEN01ZWE1CVkZjSU8ybXRCNXZvRHVWX24=
+  port: NTY3Mg==
+  provider: cmFiYml0bXE=
+  type: cmFiYml0bXE=
+  username: ZGVmYXVsdF91c2VyX2htR1pGaGRld3E2NVA0ZElkeDc=
+kind: Secret
+metadata:
+  name: my-secret 
+type: Opaque
diff --git a/docs/examples/external-admin-secret-credentials/rabbitmq.yaml b/docs/examples/external-admin-secret-credentials/rabbitmq.yaml
@@ -0,0 +1,9 @@
+apiVersion: rabbitmq.com/v1beta1
+kind: RabbitmqCluster
+metadata:
+  name: external-secret-user
+spec:
+  replicas: 1
+  secretBackend:
+    externalSecret: 
+      name: "my-secret"
diff --git a/docs/examples/external-admin-secret-credentials/setup.sh b/docs/examples/external-admin-secret-credentials/setup.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -eo pipefail
+
+echo "Creating external secret"
+
+kubectl create -f my-secret.yml