Page Comparison

...

\uD83D\uDCD8 Instructions

Get the URL and token of the external vault ready.

Put your secrets to the vault. In this article, we store files in the vault encoded with base64.

$ ls -1 /tmp
broker-keystore.jks
broker-truststore.jks
hivemq.lic

vault secrets enable -path=hivemq-mqtt/obc-poc kv-v2
cd /tmp
vault kv put hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-keystore keystore=\"\$(base64 -w 0 < broker-keystore.jks)\" \
  keystore.password=changeme keystore.passphrase=changeme
vault kv put hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-truststore truststore=\"\$(base64 -w 0 < broker-truststore.jks)\" \
  truststore.password=changeme
vault kv put hivemq-mqtt/obc-poc/opt/hivemq/license \"latest=\$(base64 -w 0 hivemq.lic)\"
vault auth enable kubernetes
vault write auth/kubernetes/config \"kubernetes_host=https://\${KUBERNETES_PORT_443_TCP_ADDR}:443\"
vault policy write hivemq - <<EOF
path \"hivemq-mqtt/obc-poc/data/opt/hivemq/license\" {
   capabilities = [\"read\"]
}
path \"hivemq-mqtt/obc-poc/data/opt/hivemq/conf\" {
   capabilities = [\"read\"]
}
EOF

Install External Secrets Kubernetes Operator

1. Install external-secrets/external-secrets in the same namespace as HiveMQ Platform.

   Code Block
   language bash
   helm install external-secrets external-secrets/external-secrets --namespace hivemq

2. Create the secret required for the external-secrets to access the external vault. The secret should contain the vault token. In our case, the token is root

   Code Block
   language bash
   kubectl create secret generic secret-token-for-vault --from-literal token=root --namespace hivemq

   OR

   Code Block
   language bash
   kubectl apply -f 1-secret-token-for-vault.yaml --namespace hivemq

   View file
   name 1-secret-token-for-vault.yaml

   Code Block
   language yaml
   apiVersion: v1 kind: Secret metadata: name: secret-token-for-vault data: token: cm9vdA== # "root"

3. Create the Secret Store required for the external-secrets to access the external vault. The definition should contain the vault URL and reference to the secret with the token, and also the path (path in the kv-2 engine in the external vault from which the token is allowed to read)

   Code Block
   language yaml
   apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: secretstore-vault spec: provider: vault: server: "http://vault.vault.svc.cluster.local:8200" path: "hivemq-mqtt/obc-poc" version: "v2" auth: # points to a secret that contains a vault token # https://www.vaultproject.io/docs/auth/token tokenSecretRef: name: "secret-token-for-vault" key: "token"

   View file
   name 2-secretstore.yaml

   Code Block
   language bash
   kubectl apply -f 2-secretstore.yaml --namespace hivemq

   Now the external-secrets should be able to access the external vault successfully

4. Create an external-secret that will fetch the keystore from the external vault and put it to the Kubernetes secret hivemq-keystore-v, key keystore.

   Code Block
   language yaml
   apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: external-secret-for-keystore spec: refreshInterval: "15s" secretStoreRef: name: secretstore-vault kind: SecretStore data: - remoteRef: decodingStrategy: Base64 key: "hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-keystore" property: keystore secretKey: keystore target: name: hivemq-keystore-v

5. Apply the rest of the external secrets manifests in the same fashion:
   

   View file
   name 3-external-secret-for-keystore.yaml

   
   

   View file
   name 3.1-external-secret-for-keystore-password.yaml

   
   

   View file
   name 3.2-external-secret-for-keystore-key-password.yaml

   
   

   View file
   name 4-external-secret-for-truststore.yaml

   
   

   View file
   name 4.1-external-secret-for-truststore-password.yaml

   
   

   View file
   name 5-external-secret-for-license.yaml

   
   

6. If everything works, the following Kubernetes Secrets will be created automatically:

   Code Block
   language bash
   kubectl get secrets --namespace hivemq

   Code Block
   language text
   hivemq-keystore-passphrase-v Opaque 1 54m hivemq-keystore-password-v Opaque 1 54m hivemq-keystore-v Opaque 1 54m hivemq-license-v Opaque 1 24m hivemq-truststore-password-v Opaque 1 54m hivemq-truststore-v Opaque 1 54m

Install HiveMQ Platform

7. Now, update the HiveMQ Platform values.yaml and configure that license, keystore, trustore, and their passwords are taken from relevant secrets.
   Specify that the license should be taken from the secret hivemq-license-v

   Code Block
   language yaml
   # Configures the HiveMQ License information. license: create: false name: "hivemq-license-v" data: "" overrideLicense: ""

   Specify that the keystore should be taken from the secret hivemq-keystore-v

   Code Block
   language yaml
   # Secure WebSocket service configuration - type: websocket exposed: true containerPort: 8000 keystoreSecretName: "hivemq-keystore-v" keystoreSecretKey: "keystore" keystorePassword: "" keystorePrivatePassword: "" keystorePasswordSecretName: "hivemq-keystore-password-v" keystorePasswordSecretKey: "keystore.password" keystorePrivatePasswordSecretKey: "keystore.password" # Mutual TLS configuration values truststoreSecretName: "hivemq-truststore-v" truststoreSecretKey: "truststore" truststorePassword: "" truststorePasswordSecretName: "hivemq-truststore-password-v" tlsClientAuthenticationMode: "OPTIONAL"

8. Install the HiveMQ Platform Operator and HiveMQ Platform

   Code Block
   language bash
   helm upgrade op --install hivemq/hivemq-platform-operator --set logLevel=DEBUG --namespace hivemq

   Code Block
   language bash
   helm upgrade op --install hivemq/hivemq-platform --values values-hivemq-platform.yaml --namespace hivemq

9. Check the HiveMQ broker stateful set logs to make sure the license, keystore and trustore are applied correctly.

\uD83D\uDCCB Related articles

...