Table of Contents |
---|
Prequisite
:Access to infrastructure with Kubectl
Running HiveMQ Cluster Install HiveMQ using Kubernetes Operator
Values.yaml file https://hivemq.atlassian.net/wiki/spaces/HMSKB/pages/2691039283/Install+HiveMQ+using+Kubernetes+Operator#Add-Helm-repository-and-download-values.yaml-file
Kubectl, Helm and MQTT CLI Prerequisite - Software Packages
Installation of PostgreSQL Client
A PostgreSQL client installed locally (we use psql (PostgreSQL) 14.10)
Installation of PostgreSQL server
Add the PostgreSQL repo to your Helm:
Code Block language bash helm repo add bitnami https://charts.bitnami.com/bitnami
Update the repo to the latest version:
Code Block language bash helm repo update bitnami
Create a new namespace to place the PostgreSql in:
Code Block kubectl create namespace db
Switch the KubeCtl context to the new namespace:
Code Block kubectl config set-context --current --namespace=db
Install PostgreSQL to the new namespace:
Code Block language bash helm upgrade postgres --install bitnami/postgresql --namespace db
If everything is correct, then PostgreSQL in installed to namespace “db”. The default name for the admin user is “postgres”. To get the password for "postgres" user run the following command and note the password:
Code Block language bash export PGPASSWORD=$(kubectl get secret --namespace db postgres-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d) && echo $PGPASSWORD
Create tables for the ESE
Port-forward service postgres-postgresql to localhost:
Code Block language bash kubectl port-forward svc/postgres-postgresql 5432:5432
Create a new database. When asked “Password for user
postgres
: ", input the value of thePGPASSWORD
variable:Code Block language bash psql -h localhost -p 5432 -U postgres -c 'CREATE DATABASE "ese-db";'
Insert test credentials into the ESE database
Save the attached script
to the file. Execute the script to create all the necessary tables in the ese-db.View file name postgresql_create.sql Code Block language bash psql -h localhost -p 5432 -U postgres -d ese-db -a -f postgresql_create.sql
Save the attached script
to the file. If asked “Password for userView file name create-users.sql postgres
: ", input the value of thePGPASSWORD
variable.Code Block language bash psql -h localhost -p 5432 -U postgres -d ese-db -a -f create-users.sql
Check your work. If asked “Password for user
postgres
: ", input the value of thePGPASSWORD
variable.Code Block language bash psql -h localhost -p 5432 -U postgres -d ese-db -c 'SELECT * from public.users;'
You can optionally install a UI client e.g. pgAdmin https://www.pgadmin.org/download/ , add a connection (localhost for port forwarding) and check tables manually.
Setting up the ESE license as a ConfigMap
Step 3 is mandatory, setting HIVEMQ_ALLOW_ALL_CLIENTS to false
If you skip step 1 & 2, then the enterprise-security-extension will start in trial mode, limited to 5h, and will be automatically disabled by the HiveMQ broker after 5h.
...
HiveMQ Enterprise Security Extension requires a separate license file, e.g. ese-license.elic, in the $HIVEMQ_HOME/license directory. To add the ese-license.elic along with the hivemq-license.lic, create a new configmap hivemq-license including all desired license files:
Code Block language bash kubectl create configmap hivemq-license --namespace=hivemq \ --from-file hivemq-license.lic \ --from-file ese-license.elic
Edit the values.yaml file of the hivemq-operator, section
hivemq.configMaps
. Update this:Code Block configMaps: [] # ConfigMaps to mount to the HiveMQ pods. These can be mounted to existing directories without shadowing the folder contents as well. #- name: hivemq-license # path: /opt/hivemq/license
To this:
Code Block configMaps: - name: hivemq-license path: /opt/hivemq/license
This will mount the content of the configMap
hivemq-license
to the directory/opt/hivemq/license
of the hivemq-broker pods.Finally, disable the default security extension. By default, the HiveMQ distribution comes with the allow-all extension that permits all MQTT connections without requiring authentication. Before you use HiveMQ in production, add an appropriate security extension and remove the HiveMQ allow-all extension.
To disable the extension, set theHIVEMQ_ALLOW_ALL_CLIENTS
environment variable to false.
Edit the values.yaml file of the hivemq-operator, sectionhivemq.env
. Update this:Code Block hivemq: ... env: [] ## Skip config validation # - name: "HIVEMQ_SKIP_CONFIG_VALIDATION" # value: "true" ## Add custom environment variables (e.g. for your extension) here. # - name: MY_CUSTOM_ENV # value: some-value
To this:
Code Block env: - name: "HIVEMQ_ALLOW_ALL_CLIENTS" value: "false"
Configuring the extension
HiveMQ Enterprise Security Extension is preinstalled with HiveMQ so once you enable it, it will look for its configuration file. You must prepare this file before enabling the extension. If you skip this step, the extension will not find its configuration file and will not load any configuration.
Download a simple configuration file for Enterprise Security Extensions in the example below.
Replace the “password” in<db-password>password</db-password>
with the value ofPGPASSWORD
variable.View file name config.xml In the hivemq namespace create a configMap ese-config from the file config.xml
Code Block language bash kubectl create configmap ese-config --from-file config.xml --namespace hivemq
Edit values.yaml file of
hivemq-operator
and update section hivemq.extensions, havingname: hivemq-enterprise-security-extension
Update the old hivemq-enterprise-security-extension block from this:Code Block language yaml - name: hivemq-enterprise-security-extension extensionUri: preinstalled enabled: false # Note that this is just an example initialization routine. Make sure this points to the current JDBC version you require for your configuration. initialization: | # Download JDBC driver for PostgreSQL [[ ! -f drivers/postgres-jdbc.jar ]] && curl -L https://jdbc.postgresql.org/download/postgresql-42.2.14.jar --output drivers/jdbc/postgres.jar
To this:
Code Block language yaml - name: hivemq-enterprise-security-extension extensionUri: preinstalled enabled: true configMap: ese-config initialization: | [[ ! -f conf/config.xml ]] && [[ -f /conf-override/extensions/hivemq-enterprise-security-extension/config.xml ]] && ln -s /conf-override/extensions/hivemq-enterprise-security-extension/config.xml conf/config.xml && [[ ! -f drivers/postgres-jdbc.jar ]] && curl -L https://jdbc.postgresql.org/download/postgresql-42.7.1.jar --output drivers/jdbc/postgres.jar
Re-deploy hivemq-operator with updated values.yaml
Code Block helm upgrade hivemq --install hivemq/hivemq-operator --values values.yaml --namespace hivemq
– for ease of use we switch the namespace back to hivemq
kubectl config set-context --current --namespace=hivemq
If everything is correct, The HiveMQ log contains info about using the correct license:
...
Code Block |
---|
2024-01-30 10:36:12,693 INFO - Using valid license (ese-license.elic) for enterprise extension with name "HiveMQ Enterprise Security Extension", valid until 2024-03-31. 2024-01-30 10:36:12,943 INFO - Starting extension with id "hivemq-enterprise-security-extension" at /opt/hivemq/extensions/hivemq-enterprise-security-extension 2024-01-30 10:36:13,599 INFO - HiveMQ Enterprise Security Extension: Successfully loaded configuration from '/opt/hivemq/extensions/hivemq-enterprise-security-extension/conf/config.xml'. 2024-01-30 10:36:13,602 INFO - Starting HiveMQ Enterprise Security Extension. 2024-01-30 10:36:14,152 INFO - Started HiveMQ Enterprise Security Extension successfully in 1206ms. 2024-01-30 10:36:14,152 INFO - Extension "HiveMQ Enterprise Security Extension" version 4.24.0 started successfully. |
End-to-end testing
Find the MQTTListenerURL or IP using the following command (hivemq-hivemq-mqtt in our case with IP 20.79.142.120)
Code Block kubectl get services --namespace hivemq
Subscribe (update url/ip for host, taken from last step, localhost in case of port forward)
Code Block language bash mqtt subscribe --topic "topic/+/status" --qos 1 --host 20.79.142.120 --port 1883 --showTopics \ --user backendservice --password backendpassword
Publish (update url/ip for host, taken from last step, localhost in case of port forward)
Code Block language bash mqtt publish --identifier TheClient1 --topic topic/TheClient1/status \ --host 20.79.142.120 --port 1883 --qos 1 \ --user frontendclient --password clientpassword --message "test"
If everything is correct, the subscriber will receive
Test
Next steps
Please read official documentation for more configuration options https://docs.hivemq.com/hivemq-enterprise-security-extension/latest/index.html
...