1. All the other values in rabbitmq-env.conf.erb were set to nil to allow the defaults to be set by rabbitmq. I presumed all the others were set to nil so upstream could change the defaults and the cookbook wouldn't have to change. (But I guess we need to explicitly set it if someone needed to query for it from the server?) Your call. I'm fine either way.
2. That was a mistake. Forgot to pull that out into my role file. Fixed and pushed.
3. This string needs to be shared across all the nodes in the cluster. So if I set it with the secure_password method then two nodes would get different values by default. I guess I could do a search to see if another host already had seeded the value for that cluster (I'd have to come up with a unique way to identify a rabbitmw single cluster on chef server). And even then, I could get myself into a race condition. And the service wouldn't behave correctly if the cookie changed while it was running. I just decided to go the simple route and let everyone set their own value in a role file (or an encrypted data bag if they felt so inclined.)
I'm happy to investigate #3 more if there's a pattern you can point me to that would handle that scenario.
I'm going to re-close this ... I think that's the workflow to let you guys know that I responded / updated. If not, just let me know. Thx -hb