...
📘 Instructions
Once you have the JKS (Java KeyStore) files ready, create a Secret from the TLS certificate files. Use the following command:

    kubectl create secret generic tls-certificates \
      --from-file path/to/keystore.jks \
      --from-file path/to/truststore.jks -n <namespace>
Add the Secret to your values.yaml file for HiveMQ so that it is mounted into the HiveMQ pods:

    hivemq:
      ...
      secrets:
        - name: tls-certificates
          path: /opt/hivemq/conf

This mounts both JKS files at the specified path.
Store the keystore and truststore passwords in a Kubernetes Secret using the following command (the truststore password is added in the same way as the keystore password; if you prefer to keep the values out of your shell history, read them from files with --from-file instead of --from-literal):

    kubectl create secret generic tls-passwords \
      --from-literal=keystore_pass='password1' \
      --from-literal=truststore_pass='password2' -n <namespace>
Create environment variables that expose the passwords to the HiveMQ listener configuration. Update your values.yaml file with the following configuration:

    hivemq:
      ...
      env:
        - name: KEYSTORE_PASS
          valueFrom:
            secretKeyRef:
              key: keystore_pass
              name: tls-passwords
        - name: TRUSTSTORE_PASS
          valueFrom:
            secretKeyRef:
              key: truststore_pass
              name: tls-passwords
To enable the TLS listener, add the following block to your values.yaml, using the correct JKS file names and the names of the environment variables you defined for the passwords that were used when creating the keystore and truststore. The keystore and truststore paths are relative to the HiveMQ home directory (/opt/hivemq), so conf/keystore.jks resolves to the Secret mounted at /opt/hivemq/conf above. With client-authentication-mode set to REQUIRED, clients must present a certificate that validates against the truststore (mutual TLS):

    hivemq:
      ...
      listenerConfiguration: |
        <tls-tcp-listener>
          <port>8883</port>
          <bind-address>0.0.0.0</bind-address>
          <proxy-protocol>true</proxy-protocol>
          <tls>
            <keystore>
              <path>conf/keystore.jks</path>
              <password>${KEYSTORE_PASS}</password>
              <private-key-password>${KEYSTORE_PASS}</private-key-password>
            </keystore>
            <client-authentication-mode>REQUIRED</client-authentication-mode>
            <truststore>
              <path>conf/truststore.jks</path>
              <password>${TRUSTSTORE_PASS}</password>
            </truststore>
          </tls>
        </tls-tcp-listener>
In values.yaml, edit the mqtt port so that it corresponds to the new listener. Update the MQTT port number from 1883 to 8883 in the ports section of your values.yaml file and, if you expose these ports through a Service defined elsewhere, update that definition as well:

    hivemq:
      ports:
        - expose: true
          name: mqtt
          patch:
            - '[{"op":"add","path":"/spec/selector/hivemq.com~1node-offline","value":"false"},{"op":"add","path":"/metadata/annotations","value":{"service.spec.externalTrafficPolicy":"Local"}}]'
          port: 8883
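Before deploying, it is worth catching a mismatch between the ${VAR} names used in listenerConfiguration and the env entries, or between the listener port and the ports section, since either only shows up as a listener that fails to start. The following POSIX shell script is an added example and not part of the HiveMQ documentation; check_listener_env and check_port are names chosen here, and the embedded values.yaml is a constructed sample trimmed to the keys the checks inspect.

```shell
# Added example (not HiveMQ's own code): a pre-deploy lint for the values.yaml built
# above. It checks that every ${VAR} referenced in listenerConfiguration has a matching
# env entry and that the mqtt `port:` equals the listener <port>.
# Constructed sample values.yaml (trimmed to the keys the checks look at).
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
hivemq:
  env:
    - name: KEYSTORE_PASS
      valueFrom: {secretKeyRef: {name: tls-passwords, key: keystore_pass}}
    - name: TRUSTSTORE_PASS
      valueFrom: {secretKeyRef: {name: tls-passwords, key: truststore_pass}}
  listenerConfiguration: |
    <tls-tcp-listener>
      <port>8883</port>
      <tls>
        <keystore>
          <path>conf/keystore.jks</path>
          <password>${KEYSTORE_PASS}</password>
          <private-key-password>${KEYSTORE_PASS}</private-key-password>
        </keystore>
        <truststore>
          <path>conf/truststore.jks</path>
          <password>${TRUSTSTORE_PASS}</password>
        </truststore>
      </tls>
    </tls-tcp-listener>
  ports:
    - name: mqtt
      port: 8883
EOF
# check_listener_env FILE: returns 0 when every ${VAR} in the file has an
# env entry `- name: VAR`, 1 otherwise (offending names are printed).
check_listener_env() {
  missing=0
  for var in $(grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | tr -d '${}' | sort -u); do
    if ! grep -Eq "^[[:space:]]*-[[:space:]]*name:[[:space:]]*$var[[:space:]]*$" "$1"; then
      echo "listener uses \${$var} but no env entry defines it"; missing=1
    fi
  done
  return $missing
}

# check_port FILE: returns 0 when the listener <port> equals the `port:` under ports.
check_port() {
  listener=$(sed -n 's/.*<port>\([0-9]*\)<\/port>.*/\1/p' "$1" | head -n 1)
  svc=$(grep -E '^[[:space:]]*port:[[:space:]]*[0-9]+' "$1" | head -n 1 | grep -oE '[0-9]+$' || true)
  [ -n "$listener" ] && [ "$listener" = "$svc" ]
}
check_listener_env "$SAMPLE" && check_port "$SAMPLE" && echo "values.yaml is consistent"
```

Run it against your real values.yaml by replacing the constructed sample path with the file you are about to deploy.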
Deploy the above changes to the Kubernetes cluster:

    helm upgrade --install hivemq hivemq/hivemq-operator \
      -f values.yaml -n <namespace>
Check the pod logs to verify that TLS is enabled:

    kubectl logs <pod name> -n <namespace>

You will see the following log output if all changes were deployed correctly.
You can also test the connection with the MQTT CLI tool.
...