Versions Compared

Old Version 6

changes.mady.by.user Daria Samkova

Saved on

compared with

New Version Current

changes.mady.by.user Daria Samkova

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

\uD83D\uDCD8 Instructions

  1. Put secrets to the vault and enable to read them via policy “hivemq”These instructions assume that the secrets in the vault are in the following structure:

    Code Block
    languagetext
    hivemq-poc1
└── opt
    └── hivemq
        ├── conf
        │   ├── key.passphrase
        │   ├── keystore.password
        │   ├── keystore_base64
        │   ├── truststore.password
        │   └── truststore_base64
        └── license
            └── license_base64


    To achieve such a structure in the Hashicorp Vault at a kv-2 path, and enable hivemq to read from the path, the following commands in the Hashicorp Vault are used:

    Code Block
    languagebash
    # Enable Vault to store key-value pairs at path hivemq-poc1
vault secrets enable -path=hivemq-poc1 kv-v2

# Create vault secrets from files

cd /tmp

vault kv put hivemq-poc1/opt/hivemq/conf/hivemq.jks.b64 mydata keystore_base64="$(base64 </tmp/hivemqbroker-keystore.jks)" \
  keystore.password=changeme keystorekey.passphrase=changeme
vault kv put hivemq-poc1/opt/hivemq/conf/hivemqtruststore.jks.b64 mydata truststore_base64="$(base64 </tmp/hivemqtruststorebroker-truststore.jks)"
vault kv put hivemq-poc1/opt/hivemq/license/hivemq.lic.b64 "mydata= license_base64="$(base64 </tmp/hivemqhivemq4.lic)"

# Enable hivemq to read from paths
vault policy write hivemq - <<EOF
path "hivemq-poc1/data/opt/hivemq/license" {
   capabilities = ["read"]
}
path "hivemq-poc1/data/opt/hivemq/conf" {
   capabilities = ["read"]
}
EOF

    If your secrets in the vault are stored differently, you must adopt the consul-template.hcl accordingly.

  2. Create the HCL template to fetch and decode the secrets: View filenameconsul-template-sidecar.hcla config map with the Consul Template script which will get secrets from the vault and decode them to normal files:
    consul-template.yaml

    Code Block
    languageyaml
    apiVersion: v1
kind: ConfigMap
metadata:
  name: consul-template
  namespace: hivemq
data:
  consul-template.hcl: |
    template {
      contents = "{{ with secret (printf \"%s/opt/hivemq/license\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.license_base64 }}{{ end }}"
      destination = "/opt/hivemq/license/hivemq4.lic"
    }
    template {
      contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.keystore_base64 }}{{ end }}"
      destination = "/opt/hivemq/keystore/broker-keystore.jks"
    }
    template {
      contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.truststore_base64 }}{{ end }}"
      destination = "/opt/hivemq/keystore/broker-truststore.jks"
    }
    Code Block
    languagebash
    kubectl apply -f consul-template-sidecar.hclyaml --namespace hivemq

  3. Add init container to the hivemq-platform values.yaml

    Code Block
    languageyaml
    AadditionalInitContainersadditionalInitContainers:
  - name: init-consul-template
    image: hashicorp/consul-template:latest
    command: [ "consul-template", "-once", "-config", "/consul-template/consul-template-sidecar.hcl" ]
    env:
      - name: CONSUL_TEMPLATE_LOG_LEVEL, "-kill-signal", "SIGTERM", "-log-level", "debug" ]
        value: DEBUGenv:
      - name: VAULT_ADDR
        value: http://vault.vault.svc.cluster.local:8200
      - name: VAULT_TOKEN
        value: root
      - name: TARGET_ENV
        value: hivemq-poc1/data
    volumeMounts:
      - name: consul-template
        mountPath: /consul-template
      - name: hivemq-license
        mountPath: /opt/hivemq/license
      - name: hivemq-keystore
        mountPath: /opt/hivemq/consulkeystore

  4. Add the additional container to the hivemq-platform values.yaml:

    Code Block
    languageyaml
    additionalContainers:
  - name: sidecar-consul-template
    image: hashicorp/consul-template:latest
    command: [ '/bin/sh', '-c' ]
    args:
      - |
        trap 'echo "Terminating container"; exit 0' SIGTERM
        consul-template -config /consul-template/consul-template-sidecar.hcl -kill-signal SIGTERM -log-level debug"  &
        while true; do sleep 1; done
    env:
      - name: CONSUL_TEMPLATE_LOG_LEVEL
        value: DEBUG
      - name: VAULT_ADDR
        value: http://vault.vault.svc.cluster.local:8200
      - name: VAULT_TOKEN
        value: root
      - name: TARGET_ENV
        value: hivemq-poc1/data
    volumeMounts:
      # Volume consul-template to read the consul-template.hcl from
      - name: consul-template
        mountPath: /consul-template
      # Volume hivemq-license to store the decoded license
      - name: hivemq-license
        mountPath: /opt/hivemq/license
      # Volume hivemq-keystore to store the keystore and truststore
      - name: hivemq-keystore
        mountPath: /opt/hivemq/consulkeystore

  5. Add additional volumes to the hivemq-platform values.yaml:

    Code Block
    languageyaml
    additionalVolumes:
  # Volume hivemq-license to store the decoded license
  - name: hivemq-license
    path: /opt/hivemq/license
    type: emptyDir
    containerName: hivemq
  
  # Volume hivemq-keystore to store the keystore and truststore
  - type: emptyDir
    name: hivemq-keystore
    containerName: hivemq
    path: /tls-hivemqpokeystoreopt/hivemq/keystore
    
  # Volume consul-template with consul-template.hcl file
  - type: configMap
    name: consul-template
    containerName: sidecar-consul-template
    path: /consul-template

  6. Install HiveMQ Platform Operator

    Code Block
    languagebash
    helm upgrade op --install hivemq/hivemq-platform-operator --set logLevel=DEBUG

  7. Install HiveMQ Platform broker

    Code Block
    languagebash
    helm upgrade broker --install hivemq/hivemq-platform --values values-hivemq-platform.yaml

...