Versions Compared

Old Version 3

changes.mady.by.user Daria Samkova

Saved on

compared with

New Version 4

changes.mady.by.user Daria Samkova

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Install external-secrets/external-secrets in the same namespace as HiveMQ Platform.

    Code Block
    languagebash
    helm install external-secrets external-secrets/external-secrets --namespace hivemq

  2. Create the secret required for the external-secrets to access the external vault. The secret should contain the vault tokenVAULT_TOKEN. In our case, the token is root

    Code Block
    languagebash
    kubectl create secret generic secret-token-for-vault --from-literal token=root  --namespace hivemq

    OR

    Code Block
    languagebash
    kubectl apply -f 1-secret-token-for-vault.yaml --namespace hivemq

    View file
    name1-secret-token-for-vault.yaml

    Code Block
    languageyaml
    apiVersion: v1
kind: Secret
metadata:
  name: secret-token-for-vault
data:
  token: cm9vdA== # "root"

  3. Create the Secret Store required for the external-secrets to access the external vault. The definition should contain the vault URL and reference to the secret with the token, and also the path (path in the kv-2 engine in the external vault from which the token is allowed to read)

    Code Block
    languageyaml
    apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: secretstore-vault
spec:
  provider:
    vault:
      server: "http://vault.vault.svc.cluster.local[ VAULT_ADDR ]:8200"
      path: "hivemq-mqtt/obc-poc"
      version: "v2"
      auth:
        # points to a secret that contains a vault token
        # https://www.vaultproject.io/docs/auth/token
        tokenSecretRef:
          name: "secret-token-for-vault"
          key: "token"

    View file
    name2-secretstore.yaml

    Code Block
    languagebash
    kubectl apply -f 2-secretstore.yaml --namespace hivemq

    Now the external-secrets should be able to access the external vault successfully

  4. Create an external-secret that will fetch the keystore from the external vault and put it to the Kubernetes secret hivemq-keystore-v, key keystore.

    Code Block
    languageyaml
    apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: external-secret-for-keystore
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: secretstore-vault
    kind: SecretStore
  data:
    - remoteRef:
        decodingStrategy: Base64
        key: "hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-keystore"
        property: keystore
      secretKey: keystore
  target:
    name: hivemq-keystore-v

  5. Apply the rest of the external secrets manifests in the same fashion:

    View file
    name3-external-secret-for-keystore.yaml

    View file
    name3.1-external-secret-for-keystore-password.yaml

    View file
    name3.2-external-secret-for-keystore-key-password.yaml

    View file
    name4-external-secret-for-truststore.yaml

    View file
    name4.1-external-secret-for-truststore-password.yaml

    View file
    name5-external-secret-for-license.yaml

  6. If everything works, the following Kubernetes Secrets will be created automatically:

    Code Block
    languagebash
    kubectl get secrets --namespace hivemq
    Code Block
    languagetext
    hivemq-keystore-passphrase-v             Opaque               1      54m
hivemq-keystore-password-v               Opaque               1      54m
hivemq-keystore-v                        Opaque               1      54m
hivemq-license-v                         Opaque               1      24m
hivemq-truststore-password-v             Opaque               1      54m
hivemq-truststore-v                      Opaque               1      54m

...