Instructions

  1. Put the secrets into the Vault and allow them to be read via the policy “hivemq”. These instructions assume that the secrets in the Vault have the following structure:

    ```text
    hivemq-poc1
    └── opt
        └── hivemq
            ├── conf
            │   ├── key.passphrase
            │   ├── keystore.password
            │   ├── keystore_base64
            │   ├── truststore.password
            │   └── truststore_base64
            └── license
                └── license_base64
    ```

    To create this structure in HashiCorp Vault at a kv-v2 mount and allow hivemq to read from it, run the following Vault commands:

    ```bash
    # Enable a kv-v2 secrets engine at path hivemq-poc1
    vault secrets enable -path=hivemq-poc1 kv-v2

    # Create the secrets from the local files. A kv-v2 `put` replaces the whole
    # secret at a path, so all keys under conf are written in a single call.
    vault kv put hivemq-poc1/opt/hivemq/conf \
      keystore_base64="$(base64 </tmp/broker-keystore.jks)" \
      keystore.password=changeme \
      key.passphrase=changeme \
      truststore_base64="$(base64 </tmp/broker-truststore.jks)" \
      truststore.password=changeme
    vault kv put hivemq-poc1/opt/hivemq/license \
      license_base64="$(base64 </tmp/hivemq4.lic)"

    # Allow hivemq to read the two paths. kv-v2 policies address secrets through
    # the `data/` prefix, which the `vault kv` CLI adds implicitly.
    vault policy write hivemq - <<EOF
    path "hivemq-poc1/data/opt/hivemq/license" {
       capabilities = ["read"]
    }
    path "hivemq-poc1/data/opt/hivemq/conf" {
       capabilities = ["read"]
    }
    EOF
    ```

    If your secrets are stored differently in the Vault, you must adapt consul-template.hcl accordingly.

  2. Create the Consul Template configuration as a ConfigMap. The template script fetches the secrets from the Vault and decodes them into plain files:

    consul-template.yaml

    ```yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: consul-template
      namespace: hivemq
    data:
      consul-template.hcl: |
        # TARGET_ENV is the kv-v2 mount plus the "data" segment, e.g. hivemq-poc1/data
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/license\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.license_base64 }}{{ end }}"
          destination = "/opt/hivemq/license/hivemq4.lic"
        }
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.keystore_base64 }}{{ end }}"
          destination = "/opt/hivemq/keystore/broker-keystore.jks"
        }
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.truststore_base64 }}{{ end }}"
          destination = "/opt/hivemq/keystore/broker-truststore.jks"
        }
    ```

    ```bash
    kubectl apply -f consul-template.yaml --namespace hivemq
    ```
  3. Add the init container to the hivemq-platform values.yaml. It renders the secrets once, before the broker starts:

    ```yaml
    additionalInitContainers:
      - name: init-consul-template
        image: hashicorp/consul-template:latest
        command: [ "consul-template", "-once", "-config", "/consul-template/consul-template.hcl" ]
        env:
          - name: CONSUL_TEMPLATE_LOG_LEVEL
            value: DEBUG
          - name: VAULT_ADDR
            value: http://vault.vault.svc.cluster.local:8200
          - name: VAULT_TOKEN
            value: root   # root token of the PoC Vault; not suitable for production
          - name: TARGET_ENV
            value: hivemq-poc1/data
        volumeMounts:
          # Volume consul-template to read the consul-template.hcl from
          - name: consul-template
            mountPath: /consul-template
          # Volume hivemq-license to store the decoded license
          - name: hivemq-license
            mountPath: /opt/hivemq/license
          # Volume hivemq-keystore to store the keystore and truststore
          - name: hivemq-keystore
            mountPath: /opt/hivemq/keystore
    ```
  4. Add the sidecar container to the hivemq-platform values.yaml. Unlike the init container it keeps running and re-renders the files when the secrets in the Vault change:

    ```yaml
    additionalContainers:
      - name: sidecar-consul-template
        image: hashicorp/consul-template:latest
        command: [ '/bin/sh', '-c' ]
        args:
          - |
            trap 'echo "Terminating container"; exit 0' SIGTERM
            consul-template -config /consul-template/consul-template.hcl -kill-signal SIGTERM -log-level debug &
            while true; do sleep 1; done
        env:
          - name: CONSUL_TEMPLATE_LOG_LEVEL
            value: DEBUG
          - name: VAULT_ADDR
            value: http://vault.vault.svc.cluster.local:8200
          - name: VAULT_TOKEN
            value: root   # root token of the PoC Vault; not suitable for production
          - name: TARGET_ENV
            value: hivemq-poc1/data
        volumeMounts:
          # Volume consul-template to read the consul-template.hcl from
          - name: consul-template
            mountPath: /consul-template
          # Volume hivemq-license to store the decoded license
          - name: hivemq-license
            mountPath: /opt/hivemq/license
          # Volume hivemq-keystore to store the keystore and truststore
          - name: hivemq-keystore
            mountPath: /opt/hivemq/keystore
    ```
  5. Add the additional volumes to the hivemq-platform values.yaml. The two emptyDir volumes are shared between the consul-template containers, which write the decoded files, and the hivemq container, which reads them:

    ```yaml
    additionalVolumes:
      # Volume hivemq-license to store the decoded license
      - name: hivemq-license
        type: emptyDir
        containerName: hivemq
        path: /opt/hivemq/license

      # Volume hivemq-keystore to store the keystore and truststore
      - name: hivemq-keystore
        type: emptyDir
        containerName: hivemq
        path: /opt/hivemq/keystore

      # Volume consul-template with the consul-template.hcl file
      - name: consul-template
        type: configMap
        containerName: sidecar-consul-template
        path: /consul-template
    ```

  6. Install the HiveMQ Platform Operator:

    ```bash
    helm upgrade op --install hivemq/hivemq-platform-operator --set logLevel=DEBUG
    ```
  7. Install the HiveMQ Platform broker in the same namespace as the consul-template ConfigMap:

    ```bash
    helm upgrade broker --install hivemq/hivemq-platform --namespace hivemq --values values-hivemq-platform.yaml
    ```
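The following Python check is added here and is not part of the original page. It verifies offline that the pieces of steps 1 and 2 line up: the kv-v2 `data/` prefix that the policy and TARGET_ENV must carry, the exact-match policy against the paths the three templates read, and the `.Data.data` nesting that `base64Decode` consumes. All values are copied from the configuration above; the kv-v2 read response is constructed inline.

```python
import base64

# Values copied from the configuration above; the kv-v2 response below is constructed.
TARGET_ENV = "hivemq-poc1/data"             # env var the templates read via mustEnv
POLICY_READ_PATHS = {                       # paths granted "read" by policy "hivemq"
    "hivemq-poc1/data/opt/hivemq/license",
    "hivemq-poc1/data/opt/hivemq/conf",
}
# destination file -> (sub-path used in the template, key under .Data.data)
TEMPLATES = {
    "/opt/hivemq/license/hivemq4.lic": ("opt/hivemq/license", "license_base64"),
    "/opt/hivemq/keystore/broker-keystore.jks": ("opt/hivemq/conf", "keystore_base64"),
    "/opt/hivemq/keystore/broker-truststore.jks": ("opt/hivemq/conf", "truststore_base64"),
}


def kv2_api_path(cli_path: str) -> str:
    """Map a `vault kv put <mount>/<path>` path to the kv-v2 API path that
    policies and the template `secret` function use: <mount>/data/<path>."""
    mount, _, rest = cli_path.partition("/")
    return f"{mount}/data/{rest}"


def template_api_path(sub_path: str) -> str:
    """Equivalent of `printf "%s/<sub_path>" (mustEnv "TARGET_ENV")` in the HCL."""
    return f"{TARGET_ENV}/{sub_path}"


def templates_denied_by_policy() -> list:
    """Destinations whose secret read the policy would deny (exact match, no globs)."""
    return [dest for dest, (sub, _) in TEMPLATES.items()
            if template_api_path(sub) not in POLICY_READ_PATHS]


def decode_like_consul_template(response: dict, key: str) -> bytes:
    """`{{ base64Decode .Data.data.<key> }}`: kv-v2 nests the secret under data.data.
    Go's base64 decoder ignores the newlines GNU `base64` inserts, so strip them too."""
    return base64.b64decode(response["data"]["data"][key].replace("\n", ""))


def roundtrip_ok(raw: bytes, key: str = "keystore_base64") -> bool:
    """Wrap raw bytes the way `base64 <file` does, embed them in a constructed kv-v2
    read response, and confirm the template-side decode returns the original bytes."""
    wrapped = base64.encodebytes(raw).decode()      # 76-column lines plus newline
    response = {"data": {"data": {key: wrapped}, "metadata": {"version": 1}}}
    return decode_like_consul_template(response, key) == raw
```

If `templates_denied_by_policy()` is non-empty after you change the mount, TARGET_ENV or the policy, the sidecar will log permission-denied errors from the Vault for exactly those destinations.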

  • Helm v3.15.4
  • Kubernetes v1.29.7
  • Kubectl v1.29.2
  • Kubernetes provider: AKS 2xStandard_A8_v2 Kubernetes v1.29.7
  • HiveMQ 4.31.0 (Helm chart: hivemq/hivemq-platform-0.2.21)
  • HiveMQ Platform Operator 1.5.1 (Helm chart: hivemq-platform-operator-0.2.9)