...

📘 Instructions

...

First, ensure you have the VAULT_ADDR and VAULT_TOKEN from the external vault at hand.

Next, put your secrets in the vault. Vault KV stores string values, so in this article the binary files (keystore, truststore, license) are stored base64-encoded and decoded again on the Kubernetes side.

Putting files and strings to the vault

The files (license, keystore, truststore):

```bash
$ ls -1 /tmp
broker-keystore.jks
broker-truststore.jks
hivemq.lic
```

We put the files from the /tmp directory into the vault, enable the Kubernetes auth method and write a read-only policy for the HiveMQ paths:

```bash
vault secrets enable -path=hivemq-mqtt/obc-poc kv-v2
cd /tmp
# Binary files are stored as base64 strings; '-w 0' keeps each value on one line
vault kv put hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-keystore keystore="$(base64 -w 0 < broker-keystore.jks)" \
  keystore.password=changeme keystore.passphrase=changeme
vault kv put hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-truststore truststore="$(base64 -w 0 < broker-truststore.jks)" \
  truststore.password=changeme
vault kv put hivemq-mqtt/obc-poc/opt/hivemq/license latest="$(base64 -w 0 hivemq.lic)"
# KUBERNETES_PORT_443_TCP_ADDR is only set inside a pod, so run this from within the cluster
# (or pass the API server address explicitly). The SecretStore in this article authenticates
# with a token; the auth method and the policy below are what a non-root token or a
# Kubernetes auth role should be bound to.
vault auth enable kubernetes
vault write auth/kubernetes/config "kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443"
# kv-v2 reads go through the 'data/' prefix. The trailing '*' is required: a path without it
# matches only 'conf' itself, not the entries below it (broker-keystore, broker-truststore).
vault policy write hivemq - <<EOF
path "hivemq-mqtt/obc-poc/data/opt/hivemq/license" {
   capabilities = ["read"]
}
path "hivemq-mqtt/obc-poc/data/opt/hivemq/conf/*" {
   capabilities = ["read"]
}
EOF
```

Install External Secrets Kubernetes Operator

  1. Add the repo to the Helm:

    ```bash
    helm repo add external-secrets https://charts.external-secrets.io
    ```
  2. Install external-secrets/external-secrets in the same namespace as HiveMQ Platform.

    ```bash
    helm install external-secrets external-secrets/external-secrets --namespace hivemq
    ```
  3. Create the secret required for the external-secrets to access the external vault. The secret should contain the vault token VAULT_TOKEN. In this article, the token is root. A root token is acceptable only for this proof of concept: for anything else, issue a token (or use a Kubernetes auth role) bound to the read-only hivemq policy created above, so that whoever can read this Kubernetes Secret can read nothing but the HiveMQ paths in the vault.

    ```bash
    kubectl create secret generic secret-token-for-vault --from-literal token=root --namespace hivemq
    ```

    OR

    ```bash
    kubectl apply -f 1-secret-token-for-vault.yaml --namespace hivemq
    ```

    File 1-secret-token-for-vault.yaml:

    ```yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-token-for-vault
    type: Opaque
    data:
      token: cm9vdA== # base64 of "root"
    ```

  4. Create the SecretStore required for the external-secrets to access the external vault. The definition should contain the vault URL, a reference to the secret with the token, and the path (the mount path of the kv-v2 engine in the external vault, hivemq-mqtt/obc-poc, that holds the entries the token is allowed to read).

    ```yaml
    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: secretstore-vault
    spec:
      provider:
        vault:
          # VAULT_ADDR of the external vault, e.g. http://vault.vault.svc.cluster.local:8200
          # (plain http is fine only for a local proof of concept; the token and every
          # secret cross the network in clear, so use https anywhere else)
          server: "[ VAULT_ADDR ]"
          # mount path of the kv-v2 engine enabled above
          path: "hivemq-mqtt/obc-poc"
          version: "v2"
          auth:
            # points to a secret that contains a vault token
            # https://www.vaultproject.io/docs/auth/token
            tokenSecretRef:
              name: "secret-token-for-vault"
              key: "token"
    ```

    File 2-secretstore.yaml is the manifest above.

    ```bash
    kubectl apply -f 2-secretstore.yaml --namespace hivemq
    ```

    Now the external-secrets should be able to access the external vault successfully. Check it with `kubectl get secretstore secretstore-vault --namespace hivemq`: the store must show STATUS Valid and READY True before any ExternalSecret referencing it can sync.

  5. Create an ExternalSecret that fetches the keystore from the external vault and writes it into the Kubernetes Secret hivemq-keystore-v under the key keystore.

    ```yaml
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: external-secret-for-keystore
    spec:
      # how often ESO re-reads the vault; a keystore rotated in the vault reaches
      # the Secret within this interval
      refreshInterval: "15s"
      secretStoreRef:
        name: secretstore-vault
        kind: SecretStore
      data:
        - remoteRef:
            # the value in the vault is base64 text (see 'vault kv put' above); decode it
            # so the Secret holds the raw JKS bytes rather than a base64 string
            decodingStrategy: Base64
            # the kv-v2 entry written with 'vault kv put' above
            key: "hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-keystore"
            property: keystore
          secretKey: keystore
      target:
        name: hivemq-keystore-v
    ```

  6. Apply the rest of the external secrets manifests in the same fashion:

    Files:

    3-external-secret-for-keystore.yaml
    3.1-external-secret-for-keystore-password.yaml
    3.2-external-secret-for-keystore-key-password.yaml
    4-external-secret-for-truststore.yaml
    4.1-external-secret-for-truststore-password.yaml
    5-external-secret-for-license.yaml

  7. If everything works, the following Kubernetes Secrets will be created automatically:

    ```bash
    kubectl get secrets --namespace hivemq
    ```
    ```text
    NAME                                     TYPE                 DATA   AGE
    hivemq-keystore-passphrase-v             Opaque               1      54m
    hivemq-keystore-password-v               Opaque               1      54m
    hivemq-keystore-v                        Opaque               1      54m
    hivemq-license-v                         Opaque               1      24m
    hivemq-truststore-password-v             Opaque               1      54m
    hivemq-truststore-v                      Opaque               1      54m
    ```
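The decoding step is the part of this chain that fails silently: if an ExternalSecret lacks `decodingStrategy: Base64`, ESO copies the base64 text from the vault verbatim, Kubernetes base64-encodes it once more, and the broker receives a text file instead of a keystore. The following check is an added example written for this page (not code from the article, HiveMQ or the External Secrets Operator). It classifies the `.data.keystore` value of a Secret by looking for the JKS magic bytes after one and after two decodings. It assumes GNU coreutils (`base64 -w 0`, as the article itself uses) and a JKS keystore; the sample keystore header is constructed inline, and only the kubectl call in the trailing comment needs a cluster.

```shell
#!/usr/bin/env bash
# Added example, not code from the article, HiveMQ or External Secrets Operator.
# The vault holds the keystore base64-encoded. With 'decodingStrategy: Base64' ESO decodes
# it and Kubernetes base64-encodes the raw bytes once for .data.keystore. Without it,
# .data.keystore decodes to *another* base64 string instead of a keystore.
set -eu

JKS_MAGIC="feedfeed"   # every Java KeyStore (JKS) file starts with the bytes FE ED FE ED

# first_bytes_hex FILE: lower-case hex of the first four bytes of FILE
first_bytes_hex() {
  od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# classify_keystore_data B64: B64 is the raw value of .data.keystore from the Secret.
# Prints one of: ok | double-encoded | unknown
classify_keystore_data() {
  local once twice result
  once=$(mktemp); twice=$(mktemp)
  printf '%s' "$1" | base64 -d > "$once"              # what Kubernetes mounts into the pod
  if [ "$(first_bytes_hex "$once")" = "$JKS_MAGIC" ]; then
    result=ok
  elif base64 -d < "$once" > "$twice" 2>/dev/null \
       && [ "$(first_bytes_hex "$twice")" = "$JKS_MAGIC" ]; then
    result=double-encoded                              # decodingStrategy: Base64 is missing
  else
    result=unknown                                     # neither a JKS file nor base64 of one
  fi
  rm -f "$once" "$twice"
  printf '%s\n' "$result"
}

# --- constructed sample data: a fake 12-byte JKS header, not a real keystore ---
make_fake_jks() {
  printf '\376\355\376\355\000\000\000\002\000\000\000\000' > "$1"
}
# value as stored in the vault: base64(file). When ESO decodes correctly, .data.keystore
# of the Secret is this same string (Kubernetes re-encodes the raw bytes it got from ESO).
vault_value_for() { base64 -w 0 < "$1"; }
# .data.keystore when ESO copied the vault string verbatim: base64(base64(file))
k8s_data_double() { vault_value_for "$1" | base64 -w 0; }

# Against a live cluster (namespace and Secret name from the article):
#   classify_keystore_data "$(kubectl get secret hivemq-keystore-v -n hivemq -o jsonpath='{.data.keystore}')"
```

Run it against `hivemq-keystore-v` and `hivemq-truststore-v` after step 7; `double-encoded` means the ExternalSecret for that store is missing `decodingStrategy: Base64`, and `unknown` usually means the wrong `property` or `key` was fetched.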

Install HiveMQ Platform

  1. Now, update the HiveMQ Platform values.yaml so that the license, keystore, truststore and their passwords are taken from the relevant Secrets.
    Specify that the license should be taken from the secret hivemq-license-v:

    ```yaml
    # Configures the HiveMQ License information.
    license:
      create: false              # do not let the chart create the license Secret
      name: "hivemq-license-v"   # use the Secret filled by external-secrets instead
      data: ""
      overrideLicense: ""
    ```

    Specify that the keystore should be taken from the secret hivemq-keystore-v:

    ```yaml
      # Secure WebSocket service configuration
      - type: websocket
        exposed: true
        containerPort: 8000

        keystoreSecretName: "hivemq-keystore-v"
        keystoreSecretKey: "keystore"

        # left empty on purpose: the passwords come from Secrets, not from values.yaml
        keystorePassword: ""
        keystorePrivatePassword: ""

        keystorePasswordSecretName: "hivemq-keystore-password-v"
        keystorePasswordSecretKey: "keystore.password"
        keystorePrivatePasswordSecretKey: "keystore.password"

        # Mutual TLS configuration values
        truststoreSecretName: "hivemq-truststore-v"
        truststoreSecretKey: "truststore"
        truststorePassword: ""
        truststorePasswordSecretName: "hivemq-truststore-password-v"
        # OPTIONAL only requests a client certificate; clients without one still connect.
        # Use REQUIRED to actually enforce mutual TLS.
        tlsClientAuthenticationMode: "OPTIONAL"
    ```

    Example HiveMQ Platform values.yaml: values-hivemq-platform.yaml

  2. Install the HiveMQ Platform Operator and HiveMQ Platform

    ```bash
    helm upgrade op --install hivemq/hivemq-platform-operator --set logLevel=DEBUG --namespace hivemq
    ```
    ```bash
    helm upgrade broker --install hivemq/hivemq-platform --values values-hivemq-platform.yaml --namespace hivemq
    ```

  3. Check the HiveMQ broker stateful set logs to make sure the license, keystore and truststore are applied correctly.

...