...
Helm version v3+
Running Kubernetes cluster version 1.18.0 or higher
kubectl latest version
Instructions
Create a Namespace for the HiveMQ/Postgres deployment.
You can skip this step you want to run everything in “default” namespace.Execute the following command to create a namespace:
Code Block language bash kubectl create namespace <namespace name>
Switch to the newly created namespace:
Code Block language bash kubectl config set-context --current --namespace=<namespace name>
Deploy Postgres
Add the Bitnami Helm repository:
Code Block language bash helm repo add bitnami <httpshttps://charts.bitnami.com/bitnami>bitnami
Create a
postgres_values.yamlfile to configure Postgres deployment:Code Block language yaml global: storageClass#storageClass: "rook-ceph-block" postgresql: auth: password: password postgresPassword: password username: admin primary: initdb: scriptsConfigMap: ese-db-init
Create a ConfigMap called
ese-db-initcontaining theese-db-init.sqlscript, which creates tables and inserts necessary data for testing purposes:View file name 1_permissions.sql View file name 0_ese-db-init.sql Code Block language bash kubectl create configmap ese-db-init --from-file 0_ese-db-init.sql --from-file 1_permissions.sql
Deploy Postgres using Helm:
Code Block language bash helm upgrade postgres --install bitnami/postgresql --values postgres_values.yaml
Verify the status of the pod:
Code Block language bash kubectl get pods
If an error occurs, check the pod logs:
Code Block language bash kubectl logs <pod name>
Connect to the Postgres pod to verify the connection:
Code Block language bash psql --host 127.0.0.1 -U postgres -d postgres -p 5432
Use the following commands in the Postgres shell to interact with the database:
\l: List the databases.\c <db name>: Connect to a specific database.\dt: List the tables from the connected database.select * from users;
Deploy HiveMQ with Enterprise Security Extension (ESE)
Create a ConfigMap for the HiveMQ license (skip this step if you don't have a license yet):
...
Create a config.xml configuration file for the Enterprise Security Extension: You can also find examples of this file in the extension folder under conf/examples
configure sql-realm.
db-name - you can find this in the ese-db-init.sql, default it is postgres
...
Configure the listener-pipeline. Since here we are using role-based authorization we need to set <use-authorization-key> to false and <use-authorization-role-key> to true.
| Code Block | ||
|---|---|---|
| ||
<?xml version="1.0" encoding="UTF-8" ?>
<enterprise-security-extension
xmlns:xsi="<httphttp://www.w3.org/2001/XMLSchema-instance">
xsi:noNamespaceSchemaLocation="config.xsd"
version="1">
<realms>
<!-- a postgresql db-->
<sql-realm>
<name>postgres-backend</name>
<enabled>true</enabled>
<configuration>
<db-type>POSTGRES</db-type>
<db-name>hivemq</db-name>
<db-host>postgres-servicename</db-host>
<db-port>5432</db-port>
<db-username>hivemq</db-username>
<db-password>password</db-password>
</configuration>
</sql-realm>
</realms>
<pipelines>
<!-- secure access to the mqtt broker -->
<listener-pipeline listener="ALL">
<!-- authenticate over a sql db -->
<sql-authentication-manager>
<realm>postgres-backend</realm>
</sql-authentication-manager>
<!-- authorize over a sql db -->
<sql-authorization-manager>
<realm>postgres-backend</realm>
<use-authorization-key>false</use-authorization-key>
<use-authorization-role-key>true</use-authorization-role-key>
</sql-authorization-manager>
</listener-pipeline>
</pipelines>
</enterprise-security-extension> |
...
| Code Block | ||
|---|---|---|
| ||
kubectl create configmap enterprise-security-extension-config --from-file=enterprise-security-extension config.xml |
Create a hivemq_values.yaml file to deploy HiveMQ using the Kubernetes operator. Ensure that the ESE extension is preinstalled: Full values of the operator can be found here
...
| Code Block | ||
|---|---|---|
| ||
hivemq:
cpu: 2
memory: 2Gi
nodeCount: "2"
extensions:
- enabled: true
extensionUri: preinstalled
initialization: |
# A little hack because k8s configMaps can't handle sub-directories
[[ -e /conf-override/extensions/hivemq-enterprise-security-extension/config.xml ]] &&
rm -f $(pwd)/conf/config.xml &&
cp -s /conf-override/extensions/hivemq-enterprise-security-extension/config.xml $(pwd)/conf/config.xml
[[ ! -f drivers/postgres-jdbc.jar ]] &&
curl -L <httpshttps://jdbc.postgresql.org/download/postgresql-42.2.14.jar>jar --output drivers/jdbc/postgres.jar
name: hivemq-enterprise-security-extension
configMap: enterprise-security-extension-config
ports:
- name: "mqtt"
port: 1883
expose: true
patch:
- '[{"op":"add","path":"/spec/selector/hivemq.com~1node-offline","value":"false"},{"op":"add","path":"/metadata/annotations","value":{"service.spec.externalTrafficPolicy":"Local"}}]'
# If you want Kubernetes to expose the MQTT port to external traffic
# - '[{"op":"add","path":"/spec/type","value":"LoadBalancer"}]'
- name: "cc"
port: 8080
expose: true
patch:
- '[{"op":"add","path":"/spec/sessionAffinity","value":"ClientIP"}]'
# If you want Kubernetes to expose the MQTT port to external traffic
# - '[{"op":"add","path":"/spec/type","value":"LoadBalancer"}]'
configMaps:
- name: hivemq-license
path: /opt/hivemq/license
operator:
admissionWebhooks:
enabled: false |
...