Versions Compared

Old Version 6

changes.mady.by.user Harsh Bansal

Saved on

compared with

New Version 7

changes.mady.by.user Harsh Bansal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

Prequisites

Setting up the ESE license as a ConfigMap

If you skip the following steps, then the enterprise-security-extension will start in trial mode, limited to 5h, and will be automatically disabled by the HiveMQ broker after 5h.

...

  1. HiveMQ Enterprise Security Extension requires a separate license file, e.g. ese-license.elic, in the $HIVEMQ_HOME/license directory. To add the ese-license.elic along with the hivemq-license.lic, create a new configmap hivemq-license including all desired license files:

    Code Block
    kubectl create configmap hivemq-license --namespace=hivemq \
  --from-file hivemq-license.lic \
  --from-file ese-license.elic

  2. Edit the values.yaml file of the hivemq-operator, section hivemq.configMaps. Update this:

    Code Block
      configMaps: []
  # ConfigMaps to mount to the HiveMQ pods. These can be mounted to existing directories without shadowing the folder contents as well.
  #- name: hivemq-license
  #  path: /opt/hivemq/license

    To this:

    Code Block
      configMaps: 
    - name: hivemq-license
      path: /opt/hivemq/license

    This will mount the content of the configMap hivemq-license to the directory /opt/hivemq/license of the hivemq-broker pods.

Prepare your HiveMQ Enterprise Security Extension configuration files

HiveMQ Enterprise Security Extension is preinstalled with HiveMQ so once you enable it, it will look for its configuration file. You must prepare this file before enabling the extension. If you skip this step, the extension will not find its configuration file and will not load any configuration.

...

In case you are running a local setup, please place your HiveMQ Enterprise Security Extension configuration files in the conf folder of your HiveMQ Enterprise Security Extension.

Setting up the ESE config as a ConfigMap

In case you get error configmaps "ese-config" already exists , please delete the last configmap using kubectl delete configmap ese-config --namespace hivemq and try the addition step again.

  1. Create a new configMap ese-config including all desired config files:

    Code Block
    languagebash
    kubectl create configmap ese-config --namespace=hivemq \
  --from-file config.xml \
  --from-file ese-file-realm.xml

  2. Edit the values.yaml file of the hivemq-operator, section hivemq.extensions. Update this:

    Code Block
    languageyaml
    hivemq:
  extensions:
  ...
  
    - name: hivemq-enterprise-security-extension
      extensionUri: preinstalled
      enabled: false
      # Note that this is just an example initialization routine. Make sure this points to the current JDBC version you require for your configuration.
      initialization: |
        # Download JDBC driver for PostgreSQL
        [[ ! -f drivers/postgres-jdbc.jar ]] &&
        curl -L https://jdbc.postgresql.org/download/postgresql-42.2.14.jar --output drivers/jdbc/postgres.jar

    To this:

    Code Block
    languageyaml
    hivemq:
  extensions:
  ...
  
    - name: hivemq-enterprise-security-extension
      extensionUri: preinstalled
      enabled: true
      configMap: ese-config
      initialization: |
        [[ ! -f conf/config.xml ]] &&
        [[ -f /conf-override/extensions/hivemq-enterprise-security-extension/config.xml ]] &&
        ln -s /conf-override/extensions/hivemq-enterprise-security-extension/config.xml conf/config.xml &&
        [[ ! -f conf/ese-file-realm.xml ]] &&
        [[ -f /conf-override/extensions/hivemq-enterprise-security-extension/ese-file-realm.xml ]] &&
        ln -s /conf-override/extensions/hivemq-enterprise-security-extension/ese-file-realm.xml conf/ese-file-realm.xml

Disable the default security extension

By default, the HiveMQ distribution comes with the allow-all extension that permits all MQTT connections without requiring authentication. Before you use HiveMQ in production, add an appropriate security extension and remove the HiveMQ allow-all extension.
To disable the extension, set the HIVEMQ_ALLOW_ALL_CLIENTS environment variable to false.
Edit the values.yaml file of the hivemq-operator, section hivemq.env. Update this:

...

Code Block
languageyaml
  env:
    - name: "HIVEMQ_ALLOW_ALL_CLIENTS"
      value: "false"

Update the configuration

for ease of use we can switch the namespace back to hivemq kubectl config set-context --current --namespace=hivemq

...

  1. Get the external IP of the MQTT load balancer

    Code Block
    languagebash
    mqttHost=$(kubectl get svc hivemq-hivemq-mqtt -o jsonpath='{.status.loadBalancer.ingress[0].ip}{"\n"}')
mqttPort=$(kubectl get svc hivemq-hivemq-mqtt -o jsonpath='{.spec.ports[0].port}{"\n"}')

End-to-end testing of mqtt clients

  1. Subscribe a mqtt client:

    Code Block
    languagebash
    mqtt subscribe -h $mqttHost -p $mqttPort -t '#' -q 1 -u mqtt-user-1 -pw mqtt-password-1

    Do not close this terminal session. This will allow you to see the results.

  2. From a different terminal session, publish a message to the topic “test”:

    Code Block
    languagebash
    mqtt publish -h $mqttHost -p $mqttPort -t topic-1 -m Hello -q 1 -u mqtt-user-2 -pw mqtt-password-2

  3. If everything is correct, the subscriber will receive the message:

    Code Block
    languagebash
    mqtt subscribe -h $mqttHost -p $mqttPort -t '#' -q 1 -u mqtt-user-1 -pw mqtt-password-1
    Code Block
    languagebash
    Hello

Filter by label (Content by label)
showLabelsfalse
max5
spacescom.atlassian.confluence.content.render.xhtml.model.resource.identifiers.SpaceResourceIdentifier@117ee
sortmodified
showSpacefalse
reversetrue
typepage
labelskb-how-to-article
cqllabel = "kb-how-to-article" and type = "page" and space = "HMS"