...
Copy the HiveMQ license file to the `vault-0` pod.

```bash
kubectl cp hivemqhivemq4.lic vault-0:/tmp/
```

Verify that the file is copied.

```bash
kubectl exec -it vault-0 -- ls /tmp
```

```text
hivemqhivemq4.lic
```

Start an interactive shell session on the `vault-0` pod.

```bash
kubectl exec -it vault-0 -- /bin/sh
```

Your system prompt is replaced with a new prompt `/ $`. Commands issued at this prompt are executed on the `vault-0` container.

Enable kv-v2 secrets at the path `hivemq`.

```bash
vault secrets enable -path=hivemq kv-v2
```

```text
Success! Enabled the kv-v2 secrets engine at: hivemq/
```

Create a secret at path `hivemq/test/license` with a `hivemq_license_b64` key holding the base64-encoded `/tmp/hivemqhivemq4.lic` file.

```bash
cd /tmp
vault kv put hivemq/test/license hivemq_license_b64="$(base64 -w 0 hivemqhivemq4.lic)"
```

```text
====== Secret Path ======
hivemq/data/test/license

======= Metadata =======
Key                Value
---                -----
created_time       2024-02-21T17:34:39.261249639Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1
```

Verify that the secret is defined at the path `hivemq/test/license`.

```bash
vault kv get hivemq/test/license
```

```text
====== Secret Path ======
hivemq/data/test/license

======= Metadata =======
Key                Value
---                -----
created_time       2024-02-21T14:57:01.446984026Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

========= Data =========
Key                   Value
---                   -----
hivemq_license_b64    SCFNUSRbM10.......
```

The secret is ready for the application.

Lastly, exit the `vault-0` pod.

```bash
exit
```
...
If you do not have a values.yaml file yet, you can get the latest version from the Helm chart repository and store it as a file:

```bash
helm show values hivemq/hivemq-platform > values-hivemq-platform-with-annotations.yaml
```

Edit the values-hivemq-platform-with-annotations.yaml file and add the Vault Agent Injector annotations to the HiveMQ Pods. The template decodes the base64 value stored under `hivemq_license_b64` and writes the raw license file to `/opt/hivemq/license/hivemqhivemq4.lic`.

```yaml
nodes:
  # Annotations to add to the HiveMQ Pods
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "hivemq-platform"
    vault.hashicorp.com/agent-inject-status: 'update'
    vault.hashicorp.com/agent-inject-secret-hivemqhivemq4.lic: "hivemq/data/test/license"
    vault.hashicorp.com/secret-volume-path-hivemqhivemq4.lic: "/opt/hivemq/license/"
    vault.hashicorp.com/agent-inject-template-hivemqhivemq4.lic: |
      {{- with secret "hivemq/data/test/license" -}}
      {{- $hivemq_broker_license := base64Decode .Data.data.hivemq_license_b64 -}}
      {{- $hivemq_broker_license -}}
      {{- end -}}
```

(Re)install HiveMQ.

```bash
helm upgrade oper --install hivemq/hivemq-platform-operator
sleep 30
helm upgrade broker --install hivemq/hivemq-platform -n hivemq -f values-hivemq-platform-with-annotations.yaml --set nodes.replicaCount=1
```
Get all the pods in the hivemq namespace.

```bash
kubectl get pods --namespace hivemq
```

```text
NAME                   READY   STATUS    RESTARTS   AGE
broker-0               2/2     Running   0          18m
hivemq-oper-bc-vbd25   1/1     Running   0          46m
```

Wait until the re-deployed `hivemq` pod reports that it is `Running` and ready (`2/2`). This new pod now launches two containers: the application container, named `hivemq`, and the HashiCorp Vault Agent container, named `vault-agent`.

Display the logs of the `vault-agent` container in the new `hivemq` pod.

```bash
kubectl logs \
  $(kubectl get pod -l hivemq-platform=broker -o jsonpath="{.items[0].metadata.name}") \
  --container vault-agent
```

HashiCorp Vault Agent manages the token lifecycle and the secret retrieval. The secret is rendered in the `hivemq` container at the path `/opt/hivemq/license/`.

Display the secret written to the `hivemq` container.

```bash
kubectl exec \
  $(kubectl get pod -l hivemq-platform=broker -o jsonpath="{.items[0].metadata.name}") \
  --container hivemq -- cat /opt/hivemq/license/hivemqhivemq4.lic
```

The base64-decoded secret data is present on the container.
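Reading the rendered file back with `cat` shows that something was written, but not that it is byte-identical to the license you stored. The script below is an added example (not part of this guide or the HiveMQ project) that checks the round trip with SHA-256 digests: the `base64 -w 0` encoding that `vault kv put` received must decode to exactly the original file, and the file rendered by the sidecar in the `hivemq` container must carry the same digest as the local license. It assumes the pod label, container name and path used above; the `kubectl` calls run only when `RUN_AGAINST_CLUSTER=1` is set.

```bash
#!/usr/bin/env bash
# Added example: verify that the license rendered by the Vault Agent sidecar
# is byte-identical to the license file stored in Vault. Pod selector,
# container name and rendered path are taken from the guide above.
set -eu

LICENSE_FILE="${LICENSE_FILE:-hivemqhivemq4.lic}"
RENDERED_PATH="/opt/hivemq/license/hivemqhivemq4.lic"
POD_SELECTOR="hivemq-platform=broker"

# Single-line base64, exactly the value stored under hivemq_license_b64.
encode_license() { base64 -w 0 "$1"; }

# Hex SHA-256 digest of a file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Decode a stored base64 value and compare its digest with the original file.
# Returns 0 when the round trip is lossless, 1 otherwise.
roundtrip_matches() {
  local original="$1" b64="$2" tmp ok=1
  tmp="$(mktemp)"
  printf '%s' "$b64" | base64 -d > "$tmp"
  [ "$(sha256_of "$original")" = "$(sha256_of "$tmp")" ] && ok=0
  rm -f "$tmp"
  return $ok
}

# Compare the local license with the file the sidecar rendered in the
# hivemq container, hashing inside the pod so no secret bytes leave it.
rendered_matches() {
  local pod remote
  pod="$(kubectl get pod -l "$POD_SELECTOR" -o jsonpath='{.items[0].metadata.name}')"
  remote="$(kubectl exec "$pod" --container hivemq -- sha256sum "$RENDERED_PATH" | cut -d' ' -f1)"
  [ "$remote" = "$(sha256_of "$LICENSE_FILE")" ]
}

if [ "${RUN_AGAINST_CLUSTER:-0}" = "1" ]; then
  if rendered_matches; then
    echo "license in pod matches $LICENSE_FILE"
  else
    echo "MISMATCH: rendered license differs from $LICENSE_FILE" >&2
    exit 1
  fi
fi
```

Run it with `RUN_AGAINST_CLUSTER=1 LICENSE_FILE=hivemqhivemq4.lic ./verify-license.sh` after the pod reports `2/2`; a mismatch usually means the secret was written from a different file or the template annotation points at another path.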
...