fix(rabbitmq): use SASL EXTERNAL for RabbitMQ AMQP TLS without credentials

[rickbrouwer]

The report in issue 6840 mentions that when RabbitMQ is configured for certificate-based authentication (SASL EXTERNAL via the rabbitmq_auth_mechanism_ssl plugin) KEDA would fail to connect with a 403 "username or password not allowed" error.
This happened because amqp091-go falls back to PLAIN auth using credentials from the host URL when Config.SASL is not set, even when TLS is enabled and no explicit credentials are provided.

So, the fix is that when TLS is enabled without credentials, explicitly set Config.SASL to ExternalAuth so it uses SASL EXTERNAL instead of falling back to PLAIN auth.

Checklist

• When introducing a new scaler, I agree with the scaling governance policy
• I have verified that my change is according to the deprecations & breaking changes policy
• Tests have been added (if applicable)
• Ensure make generate-scalers-schema has been run to update any outdated generated files
• Changelog has been updated and is aligned with our changelog requirements, only when the change impacts end users
• A PR is opened to update our Helm chart (repo) (if applicable, ie. when deployment manifests are modified)
• A PR is opened to update the documentation on (repo) (if applicable)
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

Fixes #6840
Docs: kedacore/keda-docs#1727

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

Thank you for your contribution! 🙏

Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.

While you are waiting, make sure to:

• Add an entry in our changelog in alphabetical order and link related issue
• Update the documentation, if needed
• Add unit & e2e tests for your changes
• GitHub checks are passing
• Is the DCO check failing? Here is how you can fix DCO issues

Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient.

Learn more about our contribution guide.

[rickbrouwer]

/run-e2e rabbit
Update: You can check the progress here

[dttung2905]

Thanks @rickbrouwer for the PR. We might also need some documentation about the expected behavior. something like
"with TLS and no username/password parameters, SASL EXTERNAL is used; put credentials in trigger auth if you need PLAIN"

[rickbrouwer]

Thanks @rickbrouwer for the PR. We might also need some documentation about the expected behavior. something like "with TLS and no username/password parameters, SASL EXTERNAL is used; put credentials in trigger auth if you need PLAIN"

Thanks, can you check if my note is clear enough? kedacore/keda-docs#1727

[rickbrouwer]

/run-e2e rabbit
Update: You can check the progress here

[Copilot]

Pull request overview

This PR updates the RabbitMQ scaler’s AMQP/TLS connection setup to support certificate-based authentication by explicitly selecting SASL EXTERNAL when TLS is enabled and no credentials are provided, preventing amqp091-go from falling back to PLAIN auth from the URI.

Changes:

• Refactors AMQP connection config creation into a new buildAMQPConfig helper.
• Sets amqp.Config.SASL to ExternalAuth for TLS connections without credentials (to avoid unintended PLAIN fallback).
• Adds unit tests for buildAMQPConfig SASL selection behavior and updates the changelog.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
pkg/scalers/rabbitmq_scaler.go	Builds AMQP config via helper and conditionally enables SASL EXTERNAL for TLS/no-credential scenarios
pkg/scalers/rabbitmq_scaler_test.go	Adds unit tests validating the new SASL-selection logic
CHANGELOG.md	Documents the RabbitMQ TLS/SASL EXTERNAL behavior change

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rickbrouwer]

@zroubalik can you run a new copilot review? thanks!

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rickbrouwer]

/run-e2e rabbit
Update: You can check the progress here

[wozniakjan]

/run-e2e rabbit
Update: You can check the progress here

[wozniakjan]

lgtm, good to merge as is