...
\uD83D\uDCD8 Instructions
...
First, ensure you have the VAULT_ADDR and VAULT_TOKEN from the external vault at hand.
Next, put your secrets in the vault. In this article, we store files in the vault encoded with base64.
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
The files (license, keystore, truststore):
The files from the /tmp directory we put to the vault:
|
Install External Secrets Kubernetes Operator
Add the repo to the Helm:
Code Block language bash helm repo add external-secrets https://charts.external-secrets.io
Install
external-secrets/external-secrets
in the same namespace as HiveMQ Platform.Code Block language bash helm install external-secrets external-secrets/external-secrets --namespace hivemq
Create the secret required for the external-secrets to access the external vault. The secret should contain the vault tokenVAULT_TOKEN. In our casearticle, the token is
root
Code Block language bash kubectl create secret generic secret-token-for-vault --from-literal token=root --namespace hivemq
OR
Code Block language bash kubectl apply -f 1-secret-token-for-vault.yaml --namespace hivemq
View file name 1-secret-token-for-vault.yaml Code Block language yaml apiVersion: v1 kind: Secret metadata: name: secret-token-for-vault data: token: cm9vdA== # "root"
Create the Secret Store required for the external-secrets to access the external vault. The definition should contain the vault URL and reference to the secret with the token, and also the path (path in the kv-2 engine in the external vault from which the token is allowed to read)
Code Block language yaml apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: secretstore-vault spec: provider: vault: server: "http://vault.vault.svc.cluster.local[ VAULT_ADDR ]:8200" path: "hivemq-mqtt/obc-poc" version: "v2" auth: # points to a secret that contains a vault token # https://www.vaultproject.io/docs/auth/token tokenSecretRef: name: "secret-token-for-vault" key: "token"
View file name 2-secretstore.yaml Code Block language bash kubectl apply -f 2-secretstore.yaml --namespace hivemq
Now the external-secrets should be able to access the external vault successfully
Create an external-secret that will fetch the keystore from the external vault and put it to the Kubernetes secret
hivemq-keystore-v
, keykeystore
.Code Block language yaml apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: external-secret-for-keystore spec: refreshInterval: "15s" secretStoreRef: name: secretstore-vault kind: SecretStore data: - remoteRef: decodingStrategy: Base64 key: "hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-keystore" property: keystore secretKey: keystore target: name: hivemq-keystore-v
Apply the rest of the external secrets manifests in the same fashion:
View file name 3-external-secret-for-keystore.yaml View file name 3.1-external-secret-for-keystore-password.yaml View file name 3.2-external-secret-for-keystore-key-password.yaml View file name 4-external-secret-for-truststore.yaml View file name 4.1-external-secret-for-truststore-password.yaml View file name 5-external-secret-for-license.yaml If everything works, the following Kubernetes Secrets will be created automatically:
Code Block language bash kubectl get secrets --namespace hivemq
Code Block language text hivemq-keystore-passphrase-v Opaque 1 54m hivemq-keystore-password-v Opaque 1 54m hivemq-keystore-v Opaque 1 54m hivemq-license-v Opaque 1 24m hivemq-truststore-password-v Opaque 1 54m hivemq-truststore-v Opaque 1 54m
Install HiveMQ Platform
Now, update the HiveMQ Platform values.yaml and configure that license, keystore, trustore, and their passwords are taken from relevant secrets.
Specify that the license should be taken from the secrethivemq-license-v
Code Block language yaml # Configures the HiveMQ License information. license: create: false name: "hivemq-license-v" data: "" overrideLicense: ""
Specify that the keystore should be taken from the secret
hivemq-keystore-v
Code Block language yaml # Secure WebSocket service configuration - type: websocket exposed: true containerPort: 8000 keystoreSecretName: "hivemq-keystore-v" keystoreSecretKey: "keystore" keystorePassword: "" keystorePrivatePassword: "" keystorePasswordSecretName: "hivemq-keystore-password-v" keystorePasswordSecretKey: "keystore.password" keystorePrivatePasswordSecretKey: "keystore.password" # Mutual TLS configuration values truststoreSecretName: "hivemq-truststore-v" truststoreSecretKey: "truststore" truststorePassword: "" truststorePasswordSecretName: "hivemq-truststore-password-v" tlsClientAuthenticationMode: "OPTIONAL"
Example HiveMQ Platform values.yaml:
View file name values-hivemq-platform.yaml Install the HiveMQ Platform Operator and HiveMQ Platform
Code Block language bash helm upgrade op --install hivemq/hivemq-platform-operator --set logLevel=DEBUG --namespace hivemq
Code Block language bash helm upgrade
...
broker --install hivemq/hivemq-platform --values values-hivemq-platform.yaml --namespace hivemq
Check the HiveMQ broker stateful set logs to make sure the license, keystore and trustore are applied correctly.
\uD83D\uDCCB Related articles
...