...

  1. These instructions assume that the secrets in the vault are in the following structure:

    Code Block (text)
    hivemq-poc1
    └── opt
        └── hivemq
            ├── conf
            │   ├── key.passphrase
            │   ├── keystore.password
            │   ├── keystore_base64
            │   ├── truststore.password
            │   └── truststore_base64
            └── license
                └── license_base64


    To create this structure at a kv-v2 path in HashiCorp Vault and allow HiveMQ to read from it, run the following Vault commands:

    Code Block (bash)
    # Enable Vault to store key-value pairs at path hivemq-poc1
    vault secrets enable -path=hivemq-poc1 kv-v2
    
    # Create vault secrets from files
    
    cd /tmp
    
    vault kv put hivemq-poc1/opt/hivemq/conf keystore_base64="$(base64 </tmp/broker-keystore.jks)" \
      keystore.password=changeme key.passphrase=changeme
    vault kv put hivemq-poc1/opt/hivemq/conf truststore_base64="$(base64 </tmp/broker-truststore.jks)"
    vault kv put hivemq-poc1/opt/hivemq/license license_base64="$(base64 </tmp/hivemq4.lic)"
    
    # Enable hivemq to read from paths
    vault policy write hivemq - <<EOF
    path "hivemq-poc1/data/opt/hivemq/license" {
       capabilities = ["read"]
    }
    path "hivemq-poc1/data/opt/hivemq/conf" {
       capabilities = ["read"]
    }
    EOF

    If your secrets in the vault are stored differently, you must adapt the consul-template.hcl accordingly.

  2. Create a ConfigMap holding the Consul Template configuration (consul-template.hcl), which fetches the secrets from the vault and decodes them into plain files:
    consul-template.yaml

    Code Block (yaml)
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: consul-template
      namespace: hivemq
    data:
      consul-template.hcl: |
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/license\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.license_base64 }}{{ end }}"
          destination = "/opt/hivemq/license/hivemq4.lic"
        }
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.keystore_base64 }}{{ end }}"
          destination = "/opt/hivemq/keystore/broker-keystore.jks"
        }
        template {
          contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.truststore_base64 }}{{ end }}"
          destination = "/opt/hivemq/keystore/broker-truststore.jks"
        }
     
    Code Block (bash)
    kubectl apply -f consul-template.yaml --namespace hivemq
  3. Add the init container to the hivemq-platform values.yaml:

    Code Block (yaml)
    additionalInitContainers:
      - name: init-consul-template
        image: hashicorp/consul-template:latest
        command: [ "consul-template", "-once", "-config", "/consul-template/consul-template.hcl", "-kill-signal", "SIGTERM", "-log-level", "debug" ]
        env:
          - name: VAULT_ADDR
            value: http://vault.vault.svc.cluster.local:8200
          - name: VAULT_TOKEN
            value: root
          - name: TARGET_ENV
            value: hivemq-poc1/data
        volumeMounts:
          - name: consul-template
            mountPath: /consul-template
          - name: hivemq-license
            mountPath: /opt/hivemq/license
          - name: hivemq-keystore
            mountPath: /opt/hivemq/keystore
  4. Add the additional container to the hivemq-platform values.yaml:

    Code Block (yaml)
    additionalContainers:
      - name: sidecar-consul-template
        image: hashicorp/consul-template:latest
        command: [ '/bin/sh', '-c' ]
        args:
          - |
            trap 'echo "Terminating container"; exit 0' SIGTERM
            consul-template -config /consul-template/consul-template.hcl -kill-signal SIGTERM -log-level debug &
            while true; do sleep 1; done
        env:
          - name: VAULT_ADDR
            value: http://vault.vault.svc.cluster.local:8200
          - name: VAULT_TOKEN
            value: root
          - name: TARGET_ENV
            value: hivemq-poc1/data
        volumeMounts:
          # Volume consul-template to read the consul-template.hcl from
          - name: consul-template
            mountPath: /consul-template
          # Volume hivemq-license to store the decoded license
          - name: hivemq-license
            mountPath: /opt/hivemq/license
          # Volume hivemq-keystore to store the keystore and truststore
          - name: hivemq-keystore
            mountPath: /opt/hivemq/keystore
  5. Add additional volumes to the hivemq-platform values.yaml:

    Code Block (yaml)
    additionalVolumes:
      # Volume hivemq-license to store the decoded license
      - name: hivemq-license
        path: /opt/hivemq/license
        type: emptyDir
        containerName: hivemq
      
      # Volume hivemq-keystore to store the keystore and truststore
      - type: emptyDir
        name: hivemq-keystore
        containerName: hivemq
        path: /opt/hivemq/keystore
        
      # Volume consul-template with consul-template.hcl file
      - type: configMap
        name: consul-template
        containerName: sidecar-consul-template
        path: /consul-template

  6. Install the HiveMQ Platform Operator:

    Code Block (bash)
    helm upgrade op --install hivemq/hivemq-platform-operator --set logLevel=DEBUG
  7. Install the HiveMQ Platform broker:

    Code Block (bash)
    helm upgrade broker --install hivemq/hivemq-platform --values values-hivemq-platform.yaml
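    As an added check for the procedure above (example code written for this page, not HiveMQ or Consul Template code): it resolves the template stanzas from step 2 against the policy from step 1 for a given TARGET_ENV and replays consul-template's base64Decode on a constructed kv-v2 response, so that a forgotten `/data` segment in TARGET_ENV or a key/destination mismatch shows up before the sidecar does. The policy and template text are copied from the steps above; the kv-v2 responses and the keystore/license bytes are constructed, and the regular expressions only cover the stanza shape used on this page.

```python
"""Offline check of the kv-v2 path layout, the Vault policy and the consul-template
stanzas from the steps above. Added example for this page, not HiveMQ or Consul
Template code: POLICY_HCL and TEMPLATE_HCL are copied from steps 1 and 2, the
kv-v2 responses and the keystore/license bytes are constructed."""
import base64
import re

POLICY_HCL = '''
path "hivemq-poc1/data/opt/hivemq/license" {
   capabilities = ["read"]
}
path "hivemq-poc1/data/opt/hivemq/conf" {
   capabilities = ["read"]
}
'''
TEMPLATE_HCL = r'''
template {
  contents = "{{ with secret (printf \"%s/opt/hivemq/license\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.license_base64 }}{{ end }}"
  destination = "/opt/hivemq/license/hivemq4.lic"
}
template {
  contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.keystore_base64 }}{{ end }}"
  destination = "/opt/hivemq/keystore/broker-keystore.jks"
}
template {
  contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.truststore_base64 }}{{ end }}"
  destination = "/opt/hivemq/keystore/broker-truststore.jks"
}
'''
_BLOCK_RE = re.compile(r"template\s*\{(.*?)\n\}", re.S)
_CONTENTS_RE = re.compile(r'secret \(printf \\"%s(/[^\\]+)\\" \(mustEnv \\"TARGET_ENV\\"\)\) \}\}'
                          r"\{\{ base64Decode \.Data\.data\.([A-Za-z0-9_]+) \}\}")
_DEST_RE = re.compile(r'destination\s*=\s*"([^"]+)"')
_POLICY_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^}]*)\}', re.S)

def kv2_data_path(mount: str, secret_path: str) -> str:
    """Map the path given to `vault kv put <mount>/<path>` to the API path used by
    policies and consul-template's `secret`: kv-v2 inserts 'data/' after the mount."""
    return f"{mount.strip('/')}/data/{secret_path.strip('/')}"

def resolve_templates(hcl: str, target_env: str) -> list[dict[str, str]]:
    """Per template stanza: the Vault path it reads, the key it decodes and the
    file it writes, with TARGET_ENV substituted as consul-template would."""
    out = []
    for body in _BLOCK_RE.findall(hcl):
        m_c, m_d = _CONTENTS_RE.search(body), _DEST_RE.search(body)
        if not (m_c and m_d):
            raise ValueError("template stanza does not have the expected shape")
        out.append({"secret_path": target_env.rstrip("/") + m_c.group(1),
                    "key": m_c.group(2), "destination": m_d.group(1)})
    return out

def read_paths(policy_hcl: str) -> set[str]:
    """Paths on which the policy grants the 'read' capability."""
    return {path for path, body in _POLICY_RE.findall(policy_hcl)
            if "read" in re.findall(r'"([a-z]+)"', body)}

def check_policy(templates: list[dict[str, str]], policy_hcl: str) -> list[str]:
    """Secret paths the templates read that the policy does not allow (sorted);
    empty means a token carrying this policy can render every template."""
    return sorted({t["secret_path"] for t in templates} - read_paths(policy_hcl))

def render(templates: list[dict[str, str]], kv_responses: dict) -> dict[str, bytes]:
    """What consul-template does per kv-v2 read: take .Data.data.<key> and base64-decode
    it into the destination file. GNU `base64 <file` wraps lines at 76 columns and
    Go's decoder ignores those newlines, so they are stripped here as well."""
    files = {}
    for t in templates:
        encoded = kv_responses[t["secret_path"]]["data"]["data"][t["key"]]
        files[t["destination"]] = base64.b64decode(encoded.replace("\n", ""), validate=True)
    return files

# Constructed sample payloads (a JKS file starts with the magic bytes FEEDFEED).
KEYSTORE_BYTES = bytes.fromhex("feedfeed00000002") + b"constructed-keystore-body" * 4
TRUSTSTORE_BYTES = bytes.fromhex("feedfeed00000002") + b"constructed-truststore-body" * 4
LICENSE_BYTES = b"constructed HiveMQ license placeholder\n"

def kv2_response(data: dict[str, str]) -> dict:
    """Shape of a kv-v2 read response: the payload sits under data.data."""
    return {"data": {"data": data, "metadata": {"version": 1}}}

# Keyed by API path, like the responses the sidecar receives after step 1.
SAMPLE_RESPONSES = {
    kv2_data_path("hivemq-poc1", "opt/hivemq/conf"): kv2_response({
        "keystore_base64": base64.encodebytes(KEYSTORE_BYTES).decode(),
        "truststore_base64": base64.encodebytes(TRUSTSTORE_BYTES).decode(),
        "keystore.password": "changeme", "key.passphrase": "changeme",
        "truststore.password": "changeme"}),
    kv2_data_path("hivemq-poc1", "opt/hivemq/license"): kv2_response(
        {"license_base64": base64.encodebytes(LICENSE_BYTES).decode()}),
}

if __name__ == "__main__":
    ok = resolve_templates(TEMPLATE_HCL, "hivemq-poc1/data")
    print("denied with TARGET_ENV=hivemq-poc1/data:", check_policy(ok, POLICY_HCL))
    bad = resolve_templates(TEMPLATE_HCL, "hivemq-poc1")  # '/data' segment forgotten
    print("denied with TARGET_ENV=hivemq-poc1:", check_policy(bad, POLICY_HCL))
    print({dest: len(blob) for dest, blob in render(ok, SAMPLE_RESPONSES).items()})
```

    The policy check matters once the init container and sidecar run with a token bound to the `hivemq` policy written in step 1 rather than the root token used in steps 3 and 4 of this proof of concept: with a policy token, a template that addresses an uncovered path is denied by Vault, and the check above predicts exactly which stanzas that would be.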

...