diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml
index 9008fe3981..fb10fc48a9 100644
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
@@ -9,80 +9,86 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 roles:
- # The openshift/project role breaks if the project already exists:
- # https://pagure.io/fedora-infrastructure/issue/6404
- - role: openshift/project
- app: waiverdb
- description: waiverdb
- appowners:
- - ralph
- - mjia
- - dcallagh
- - gnaponie
- - role: openshift/object
- app: waiverdb
- template: secret.yml
- objectname: secret.yml
- - role: openshift/secret-file
- app: waiverdb
- secret_name: waiverdb-stg-secret
- key: client_secrets.json
- template: client_secrets.json
- - role: openshift/secret-file
- app: waiverdb
- secret_name: waiverdb-fedmsg-key
- key: fedmsg-waiverdb.key
- privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.key
- when: env == "staging"
- - role: openshift/secret-file
- app: waiverdb
- secret_name: waiverdb-fedmsg-crt
- key: fedmsg-waiverdb.crt
- privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.stg.fedoraproject.org.crt
- when: env == "staging"
- - role: openshift/secret-file
- app: waiverdb
- secret_name: waiverdb-fedmsg-key
- key: fedmsg-waiverdb.key
- privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.key
- when: env != "staging"
- - role: openshift/secret-file
- app: waiverdb
- secret_name: waiverdb-fedmsg-crt
- key: fedmsg-waiverdb.crt
- privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.crt
- when: env != "staging"
- - role: openshift/object
- app: waiverdb
- template: imagestream.yml
- objectname: imagestream.yml
- - role: openshift/object
- app: waiverdb
- template: buildconfig.yml
- objectname: buildconfig.yml
- - role: openshift/object
- app: waiverdb
- template: configmap.yml
- objectname: configmap.yml
- - role: openshift/object
- app: waiverdb
- file: service.yml
- objectname: service.yml
- - role: openshift/route
- app: waiverdb
- routename: web-pretty
- host: "waiverdb{{ env_suffix }}.fedoraproject.org"
- serviceport: web
- servicename: waiverdb-web
- # TODO -- someday retire this old route in favor of the pretty one above.
- - role: openshift/object
- app: waiverdb
- file: route.yml
- objectname: route.yml
- - role: openshift/object
- app: waiverdb
- template: deploymentconfig.yml
- objectname: deploymentconfig.yml
- - role: openshift/rollout
- app: waiverdb
- dcname: waiverdb-web
+ # The openshift/project role breaks if the project already exists:
+ # https://pagure.io/fedora-infrastructure/issue/6404
+ - role: openshift/project
+ app: waiverdb
+ description: waiverdb
+ appowners:
+ - ralph
+ - mjia
+ - dcallagh
+ - gnaponie
+ - role: openshift/object
+ app: waiverdb
+ template: secret.yml
+ objectname: secret.yml
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-stg-secret
+ key: client_secrets.json
+ template: client_secrets.json
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedora-messaging-key
+ key: waiverdb.key
+ privatefile: "rabbitmq/{{env}}/pki/private/waiverdb{{env_suffix}}.key"
+ when: env == "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedora-messaging-crt
+ key: waiverdb.crt
+ privatefile: "rabbitmq/{{env}}/pki/private/waiverdb{{env_suffix}}.crt"
+ when: env == "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedora-messaging-ca
+ key: waiverdb.ca
+ privatefile: "rabbitmq/{{env}}/pki/private/ca.crt"
+ when: env == "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedmsg-key
+ key: fedmsg-waiverdb.key
+ privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.key
+ when: env != "staging"
+ - role: openshift/secret-file
+ app: waiverdb
+ secret_name: waiverdb-fedmsg-crt
+ key: fedmsg-waiverdb.crt
+ privatefile: fedmsg-certs/keys/waiverdb-waiverdb-web-waiverdb.app.os.fedoraproject.org.crt
+ when: env != "staging"
+ - role: openshift/object
+ app: waiverdb
+ template: imagestream.yml
+ objectname: imagestream.yml
+ - role: openshift/object
+ app: waiverdb
+ template: buildconfig.yml
+ objectname: buildconfig.yml
+ - role: openshift/object
+ app: waiverdb
+ template: configmap.yml
+ objectname: configmap.yml
+ - role: openshift/object
+ app: waiverdb
+ file: service.yml
+ objectname: service.yml
+ - role: openshift/route
+ app: waiverdb
+ routename: web-pretty
+ host: "waiverdb{{ env_suffix }}.fedoraproject.org"
+ serviceport: web
+ servicename: waiverdb-web
+ # TODO -- someday retire this old route in favor of the pretty one above.
+ - role: openshift/object
+ app: waiverdb
+ file: route.yml
+ objectname: route.yml
+ - role: openshift/object
+ app: waiverdb
+ template: deploymentconfig.yml
+ objectname: deploymentconfig.yml
+ - role: openshift/rollout
+ app: waiverdb
+ dcname: waiverdb-web
diff --git a/roles/openshift-apps/waiverdb/templates/config.toml b/roles/openshift-apps/waiverdb/templates/config.toml
new file mode 100644
index 0000000000..ee15e27909
--- /dev/null
+++ b/roles/openshift-apps/waiverdb/templates/config.toml
@@ -0,0 +1,15 @@
+# Configuration for fedora-messaging. This file is in the TOML format.
+# For complete details on all configuration options, see the documentation.
+
+amqp_url = "amqps://waiverdb{{ env_suffix }}:@rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org/%2Fpubsub"
+
+{% if env == "staging" %}
+topic_prefix = "org.fedoraproject.stg"
+{% else %}
+topic_prefix = "org.fedoraproject.prod"
+{% endif %}
+
+[tls]
+ca_cert = "/etc/pki/rabbitmq/ca/waiverdb.ca"
+keyfile = "/etc/pki/rabbitmq/key/waiverdb.key"
+certfile = "/etc/pki/rabbitmq/crt/waiverdb.crt"
diff --git a/roles/openshift-apps/waiverdb/templates/configmap.yml b/roles/openshift-apps/waiverdb/templates/configmap.yml
index f7d38d6179..313110bcf7 100644
--- a/roles/openshift-apps/waiverdb/templates/configmap.yml
+++ b/roles/openshift-apps/waiverdb/templates/configmap.yml
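Review bot: The staging `waiverdb-fedmsg-key` and `waiverdb-fedmsg-crt` secret-file roles are dropped for `env == "staging"`, but nothing in this playbook removes the Secret objects they created, so the old fedmsg private key stays in the staging project next to the new fedora-messaging key. Add a cleanup task for those two secrets, or record in the commit message that they were deleted by hand, so the orphaned key material does not linger unmanaged. Separately, the new `privatefile` values write `{{env}}` and `{{env_suffix}}` while the rest of this file uses `{{ env_suffix }}`; `privatefile: "rabbitmq/{{ env }}/pki/private/waiverdb{{ env_suffix }}.key"` keeps the spacing consistent across the three entries.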
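Review bot: `amqp_url` carries an empty password (`waiverdb{{ env_suffix }}:@rabbitmq01...`), which reads like an omission to anyone who has not also read the `[tls]` table; if the broker is meant to authenticate waiverdb by its client certificate, say so next to the URL, e.g. `# No password: the broker authenticates this client by the certificate configured in [tls] below.` The header comment's "see the documentation" names no project; "see the fedora-messaging documentation" would do. This file compares `env == "staging"` with double quotes while configmap.yml and deploymentconfig.yml in the same commit use `'staging'`; pick one form for the role.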
@@ -48,3 +48,16 @@ data:
 relay_inbound=["tcp://busgateway01.phx2.fedoraproject.org:9941"],
 {% endif %}
 )
+{% if env == 'staging' %}
+---
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: fedora-messaging-configmap
+ labels:
+ app: waiverdb
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+ data:
+ config.toml: |-
+ {{ load_file('config.toml') | indent }}
+{% endif %}
diff --git a/roles/openshift-apps/waiverdb/templates/deploymentconfig.yml b/roles/openshift-apps/waiverdb/templates/deploymentconfig.yml
index 159a7ca9a7..a3082ba17e 100644
--- a/roles/openshift-apps/waiverdb/templates/deploymentconfig.yml
+++ b/roles/openshift-apps/waiverdb/templates/deploymentconfig.yml
@@ -37,18 +37,33 @@ spec:
 - name: config-volume
 mountPath: /etc/waiverdb
 readOnly: true
- - name: fedmsg-config-volume
- mountPath: /etc/fedmsg-waiverdb.d
- readOnly: true
 - name: secret-volume
 mountPath: /etc/secret
 readOnly: true
+{% if env == 'staging' %}
+ - name: fedora-messaging-ca-volume
+ mountPath: /etc/pki/rabbitmq/ca
+ readOnly: true
+ - name: fedora-messaging-key-volume
+ mountPath: /etc/pki/rabbitmq/key
+ readOnly: true
+ - name: fedora-messaging-crt-volume
+ mountPath: /etc/pki/rabbitmq/crt
+ readOnly: true
+ - name: fedora-messaging-config-volume
+ mountPath: /etc/fedora-messaging
+ readOnly: true
+{% else %}
 - name: fedmsg-key-volume
 mountPath: /etc/pki/fedmsg/key
 readOnly: true
 - name: fedmsg-crt-volume
 mountPath: /etc/pki/fedmsg/crt
 readOnly: true
+ - name: fedmsg-config-volume
+ mountPath: /etc/fedmsg-waiverdb.d
+ readOnly: true
+{% endif %}
 env:
 - name: DATABASE_PASSWORD
 valueFrom:
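Review bot: The `| indent` on the `{{ load_file('config.toml') }}` line uses Jinja's default width of 4, so the continuation lines of the TOML land at column 4 regardless of where the first line sits; if that line is indented deeper than four columns, as a literal block under `config.toml: |-` inside this document normally is, the block scalar ends after its first line and `amqp_url = ...` gets parsed as YAML. Pass the width explicitly, `{{ load_file('config.toml') | indent(6) }}`, matching the column of that line. The `{%- endmacro -%}` also strips the newline and leading spaces before the following `data:` line under Ansible's default Jinja settings, which would dedent `data:`; define the macro at the top of the template, or end it with a plain `%}`. The new document is written as a one-item sequence (`- apiVersion: v1`) while the `data:` hunk context suggests the first document is a plain mapping; unless the object role is known to unwrap lists, write this one as a mapping too.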
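Review bot: The staging volumeMounts `fedora-messaging-crt-volume` and `fedora-messaging-config-volume` added here have no volume of that name in the volumes hunk (`@@ -79,18 +94,33 @@`), which defines `fedora-messaging-cert-volume` and `fedora-messaging-certs-volume` instead; a pod template whose volumeMount names do not resolve fails validation, so the staging deployment would never start. Rename the two volumes in that hunk to match the mounts: `- name: fedora-messaging-config-volume` for the `fedora-messaging-configmap` entry and `- name: fedora-messaging-crt-volume` for the `waiverdb-fedora-messaging-crt` secret, which also stops a TOML config volume being called `certs`. The container's `volumeMounts:` list starts above this hunk.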
@@ -79,18 +94,33 @@ spec:
 - name: config-volume
 configMap:
 name: waiverdb-configmap
- - name: fedmsg-config-volume
- configMap:
- name: waiverdb-fedmsg-configmap
 - name: secret-volume
 secret:
 secretName: waiverdb-secret
+{% if env == 'staging' %}
+ - name: fedora-messaging-certs-volume
+ configMap:
+ name: fedora-messaging-configmap
+ - name: fedora-messaging-ca-volume
+ secret:
+ secretName: waiverdb-fedora-messaging-ca
+ - name: fedora-messaging-cert-volume
+ secret:
+ secretName: waiverdb-fedora-messaging-crt
+ - name: fedora-messaging-key-volume
+ secret:
+ secretName: waiverdb-fedora-messaging-key
+{% else %}
+ - name: fedmsg-config-volume
+ configMap:
+ name: waiverdb-fedmsg-configmap
 - name: fedmsg-key-volume
 secret:
 secretName: waiverdb-fedmsg-key
 - name: fedmsg-crt-volume
 secret:
 secretName: waiverdb-fedmsg-crt
+{% endif %}
 triggers:
 - type: ImageChange
 imageChangeParams: