Instructions

  1. These instructions assume that the secrets are put into the vault in the following way and that reading them is enabled via the policy “hivemq”:

    ```bash
    vault secrets enable -path=hivemq-poc1 kv-v2
    
    cd /tmp
    
    vault kv put hivemq-poc1/opt/hivemq/conf keystore_base64="$(base64 </tmp/broker-keystore.jks)" \
      keystore.password=changeme key.passphrase=changeme
    vault kv put hivemq-poc1/opt/hivemq/conf truststore_base64="$(base64 </tmp/broker-truststore.jks)"
    vault kv put hivemq-poc1/opt/hivemq/license license_base64="$(base64 </tmp/hivemq4.lic)"
    
    vault policy write hivemq - <<EOF
    path "hivemq-poc1/data/opt/hivemq/license" {
       capabilities = ["read"]
    }
    path "hivemq-poc1/data/opt/hivemq/conf" {
       capabilities = ["read"]
    }
    EOF
    ```

    This means that the secrets in the vault have the following structure:

    ```
    hivemq-poc1
    └── opt
        └── hivemq
            ├── conf
            │   ├── key.passphrase
            │   ├── keystore.password
            │   ├── keystore_base64
            │   └── truststore_base64
            └── license
                └── license_base64
    ```

    In this example, the path hivemq-poc1/data/opt/hivemq/conf in the vault contains the keys keystore_base64, truststore_base64, keystore.password, and key.passphrase, and the path hivemq-poc1/data/opt/hivemq/license contains the key license_base64.
    If your secrets are stored differently in the vault, you must adapt the consul-template.hcl accordingly.

  2. Create the HCL template to fetch and decode the secrets (consul-template.yaml):

    ```yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: consul-template
      namespace: hivemq
    data:
      consul-template.hcl: |
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/license\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.license_base64 }}{{ end }}"
          destination = "/opt/hivemq/license/hivemq4.lic"
        }
    
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.keystore_base64 }}{{ end }}"
          destination = "/opt/hivemq/keystore/broker-keystore.jks"
        }
    
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.truststore_base64 }}{{ end }}"
          destination = "/opt/hivemq/keystore/broker-truststore.jks"
        }
    ```

    ```bash
    kubectl apply -f consul-template.yaml --namespace hivemq
    ```
  3. Add the init container to the hivemq-platform values.yaml:

    ```yaml
    additionalInitContainers:
      - name: init-consul-template
        image: hashicorp/consul-template:latest
        command: [ "consul-template", "-once", "-config", "/consul-template/consul-template.hcl", "-kill-signal", "SIGTERM", "-log-level", "debug" ]
        env:
          - name: VAULT_ADDR
            value: http://vault.vault.svc.cluster.local:8200
          - name: VAULT_TOKEN
            value: root
          - name: TARGET_ENV
            value: hivemq-poc1/data
        volumeMounts:
          - name: consul-template
            mountPath: /consul-template
          - name: hivemq-license
            mountPath: /opt/hivemq/license
          - name: hivemq-keystore
            mountPath: /opt/hivemq/keystore
    ```

  4. Add the sidecar container to the hivemq-platform values.yaml:

    ```yaml
    additionalContainers:
      - name: sidecar-consul-template
        image: hashicorp/consul-template:latest
        command: [ '/bin/sh', '-c' ]
        args:
          - |
            trap 'echo "Terminating container"; exit 0' SIGTERM
            consul-template -config /consul-template/consul-template.hcl -kill-signal SIGTERM -log-level debug &
            while true; do sleep 1; done
        env:
          - name: VAULT_ADDR
            value: http://vault.vault.svc.cluster.local:8200
          - name: VAULT_TOKEN
            value: root
          - name: TARGET_ENV
            value: hivemq-poc1/data
        volumeMounts:
          # Volume consul-template to read the consul-template.hcl from
          - name: consul-template
            mountPath: /consul-template
          # Volume hivemq-license to store the decoded license
          - name: hivemq-license
            mountPath: /opt/hivemq/license
          # Volume hivemq-keystore to store the keystore and truststore
          - name: hivemq-keystore
            mountPath: /opt/hivemq/keystore
    ```

  5. Add the additional volumes to the hivemq-platform values.yaml:

    ```yaml
    additionalVolumes:
      # Volume hivemq-license to store the decoded license
      - name: hivemq-license
        path: /opt/hivemq/license
        type: emptyDir
        containerName: hivemq

      # Volume hivemq-keystore to store the keystore and truststore
      - name: hivemq-keystore
        path: /opt/hivemq/keystore
        type: emptyDir
        containerName: hivemq

      # Volume consul-template with the consul-template.hcl file
      - name: consul-template
        path: /consul-template
        type: configMap
        containerName: sidecar-consul-template
    ```

  6. Install the HiveMQ Platform Operator:

    ```bash
    helm upgrade op --install hivemq/hivemq-platform-operator --set logLevel=DEBUG
    ```

  7. Install the HiveMQ Platform broker:

    ```bash
    helm upgrade broker --install hivemq/hivemq-platform --values values-hivemq-platform.yaml
    ```
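As an added check to run in the init container right after `consul-template -once` (example script written for this page, not part of the HiveMQ documentation or the consul-template project), the following POSIX sh script verifies the three files the templates above write. It assumes the destination paths from consul-template.hcl and that the stores are JKS (magic 0xFEEDFEED) or PKCS#12 (ASN.1 SEQUENCE, first byte 0x30), so a wrong KV path, a missing key or a corrupt base64 blob fails the pod early instead of surfacing later as a TLS error in the broker.

```shell
#!/bin/sh
# Added example (not from the HiveMQ docs): verify the files rendered from
# Vault by consul-template before the broker starts.
# Usage inside the init container: sh verify-secrets.sh /opt/hivemq

# First four bytes of a file as lowercase hex.
magic4() { od -An -tx1 -N4 "$1" | tr -d ' \n'; }

# Generic check: the file exists and is non-empty.
check_file() {
  [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
}

# A keystore or truststore must be JKS (0xFEEDFEED) or PKCS#12 (0x30...);
# anything else means base64Decode produced garbage or the key was wrong.
check_store() {
  check_file "$1" || return 1
  case "$(magic4 "$1")" in
    feedfeed*|30*) return 0 ;;
    *) echo "not a JKS/PKCS12 store: $1" >&2; return 1 ;;
  esac
}

# Check the three destinations from consul-template.hcl below directory $1
# (license/hivemq4.lic, keystore/broker-keystore.jks, keystore/broker-truststore.jks).
verify_rendered() {
  check_file "$1/license/hivemq4.lic" &&
  check_store "$1/keystore/broker-keystore.jks" &&
  check_store "$1/keystore/broker-truststore.jks"
}

if [ $# -gt 0 ]; then
  verify_rendered "$1"
fi
```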

...