...
Setting up the ESE license as a ConfigMap
Step 3, setting HIVEMQ_ALLOW_ALL_CLIENTS to false, is mandatory.
If you skip the following steps (steps 1 and 2), the enterprise-security-extension will start in trial mode, limited to 5h, and will be automatically disabled by the HiveMQ broker after 5h.
If you get the error configmaps "hivemq-license" already exists, delete the last configmap with the following command and try the addition step again:

    kubectl delete configmap hivemq-license --namespace hivemq

HiveMQ Enterprise Security Extension requires a separate license file, e.g. ese-license.elic, in the $HIVEMQ_HOME/license directory. To add the ese-license.elic along with the hivemq-license.lic, create a new configmap hivemq-license including all desired license files:

    kubectl create configmap hivemq-license --namespace=hivemq \
      --from-file hivemq-license.lic \
      --from-file ese-license.elic

Edit the values.yaml file of the hivemq-operator, section hivemq.configMaps. Update this:

    configMaps: []
    # ConfigMaps to mount to the HiveMQ pods. These can be mounted to existing directories without shadowing the folder contents as well.
    #- name: hivemq-license
    #  path: /opt/hivemq/license

To this:

    configMaps:
      - name: hivemq-license
        path: /opt/hivemq/license

This will mount the content of the configMap hivemq-license to the directory /opt/hivemq/license of the hivemq-broker pods.
Setting up the ESE config as a ConfigMap
If you get the error configmaps "ese-config" already exists, delete the last configmap with the following command and try the addition step again:

    kubectl delete configmap ese-config --namespace hivemq

Create a new configMap ese-config including all desired config files:

    kubectl create configmap ese-config --namespace=hivemq \
      --from-file config.xml \
      --from-file ese-file-realm.xml

Edit the values.yaml file of the hivemq-operator, section hivemq.extensions. Update this:

    hivemq:
      extensions:
        ...
        - name: hivemq-enterprise-security-extension
          extensionUri: preinstalled
          enabled: false
          # Note that this is just an example initialization routine. Make sure this points to the current JDBC version you require for your configuration.
          initialization: |
            # Download JDBC driver for PostgreSQL
            [[ ! -f drivers/postgres-jdbc.jar ]] && curl -L https://jdbc.postgresql.org/download/postgresql-42.2.14.jar --output drivers/jdbc/postgres.jar

To this:

    hivemq:
      extensions:
        ...
        - name: hivemq-enterprise-security-extension
          extensionUri: preinstalled
          enabled: true
          configMap: ese-config
          initialization: |
            [[ ! -f conf/config.xml ]] &&
            [[ -f /conf-override/extensions/hivemq-enterprise-security-extension/config.xml ]] &&
            ln -s /conf-override/extensions/hivemq-enterprise-security-extension/config.xml conf/config.xml &&
            [[ ! -f conf/ese-file-realm.xml ]] &&
            [[ -f /conf-override/extensions/hivemq-enterprise-security-extension/ese-file-realm.xml ]] &&
            ln -s /conf-override/extensions/hivemq-enterprise-security-extension/ese-file-realm.xml conf/ese-file-realm.xml

Disable the default security extension
...
By default, the HiveMQ distribution comes with the allow-all extension that permits all MQTT connections without requiring authentication. Before you use HiveMQ in production, add an appropriate security extension and remove the HiveMQ allow-all extension.
To disable the extension, set the HIVEMQ_ALLOW_ALL_CLIENTS environment variable to false.
Edit the values.yaml file of the hivemq-operator, section hivemq.env. Update this:

    hivemq:
      ...
      env: []
      ## Skip config validation
      # - name: "HIVEMQ_SKIP_CONFIG_VALIDATION"
      #   value: "true"
      ## Add custom environment variables (e.g. for your extension) here.
      # - name: MY_CUSTOM_ENV
      #   value: some-value

To this:

    env:
      - name: "HIVEMQ_ALLOW_ALL_CLIENTS"
        value: "false"

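A static check of the three values.yaml edits above, runnable before the configuration is applied, as an added example that is not part of the HiveMQ documentation or the hivemq-operator. The function names item_has and check_values and the sample file are constructed for illustration; the parser is line-based and assumes name is the first key of each list item, as in the snippets on this page.

```bash
#!/usr/bin/env bash
# Added example, not HiveMQ code: pre-deploy check of a hivemq-operator
# values.yaml for the settings changed on this page.

# item_has FILE NAME KEY VALUE: succeeds if list item "- name: NAME" has "KEY: VALUE".
# Assumption: "name" is the first key of each item, as in the page's snippets.
item_has() {
  awk -v name="$2" -v key="$3" -v want="$4" '
    /^ *#/ || !NF { next }                      # skip commented-out defaults, blanks
    { gsub(/"/, ""); ind = match($0, /[^ ]/) }  # quotes optional; indent column
    $1 == "-" && $2 == "name:" { in_item = ($3 == name); dash = ind; next }
    in_item && ind <= dash { in_item = 0 }      # dedent: the list item has ended
    in_item && $1 == (key ":") && $2 == want { found = 1 }
    END { exit !found }
  ' "$1"
}

# check_values FILE: print every missing setting, return how many are missing.
check_values() {
  local f=$1 missing=0 spec
  for spec in \
    "hivemq-license path /opt/hivemq/license" \
    "hivemq-enterprise-security-extension enabled true" \
    "hivemq-enterprise-security-extension configMap ese-config" \
    "HIVEMQ_ALLOW_ALL_CLIENTS value false"
  do
    set -- $spec                                # split into NAME KEY VALUE
    item_has "$f" "$1" "$2" "$3" && continue
    echo "MISSING: $1 -> $2: $3"
    missing=$((missing + 1))
  done
  return "$missing"
}

# Constructed sample: ESE is enabled, but step 3 was forgotten (env left empty).
sample=$(mktemp)
cat >"$sample" <<'EOF'
hivemq:
  configMaps:
    - name: hivemq-license
      path: /opt/hivemq/license
  extensions:
    - name: hivemq-enterprise-security-extension
      enabled: true
      configMap: ese-config
  env: []
  # - name: "HIVEMQ_ALLOW_ALL_CLIENTS"
  #   value: "false"
EOF
check_values "$sample" || echo "values.yaml is not ready to deploy"
```

The commented-out entry in the sample is deliberately ignored: a setting that exists only as a comment in values.yaml is reported as missing.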
Update the configuration
For ease of use, we can switch the namespace back to hivemq:

    kubectl config set-context --current --namespace=hivemq

...