Prerequisites:

  1. Helm version v3+

  2. Running Kubernetes cluster version 1.18.0 or higher

  3. kubectl latest version

  4. HiveMQ license

Instructions

  1. Create a namespace for the HiveMQ/Postgres deployment.
     You can skip this step if you want to run everything in the "default" namespace.

     Execute the following command to create a namespace:

     Code Block (bash)
     kubectl create namespace <namespace name>

     Switch to the newly created namespace:

     Code Block (bash)
     kubectl config set-context --current --namespace=<namespace name>

  2. Deploy Postgres

     Add the Bitnami Helm repository:

     Code Block (bash)
     helm repo add bitnami https://charts.bitnami.com/bitnami

     Create a postgres_values.yaml file to configure the Postgres deployment:

     Code Block (yaml)
     global:
       #storageClass: "rook-ceph-block"
       postgresql:
         auth:
           password: password
           postgresPassword: password
           username: admin

     primary:
       initdb:
         scriptsConfigMap: ese-db-init

     Create a ConfigMap called ese-db-init containing the ese-db-init.sql script, which creates tables and inserts data for testing purposes (attached files: 0_ese-db-init.sql, 1_permissions.sql):

     Code Block (bash)
     kubectl create configmap ese-db-init --from-file 0_ese-db-init.sql --from-file 1_permissions.sql

     Deploy Postgres using Helm:

     Code Block (bash)
     helm upgrade postgres --install bitnami/postgresql --values postgres_values.yaml

     Verify the status of the pod:

     Code Block (bash)
     kubectl get pods

     If an error occurs, check the pod logs:

     Code Block (bash)
     kubectl logs <pod name>

     Connect to the Postgres pod to verify the connection:

     Code Block (bash)
     psql --host 127.0.0.1 -U postgres -d postgres -p 5432

     Use the following commands in the Postgres shell to interact with the database:

     • \l: List the databases.

     • \c <db name>: Connect to a specific database.

     • \dt: List the tables in the connected database.

     • select * from users;: Query the users table.

Setup HiveMQ with ESE:

  3. Deploy HiveMQ with Enterprise Security Extension (ESE)

Create a ConfigMap for the HiveMQ license (skip this step if you don't have a license yet):

Code Block (bash)
kubectl create configmap hivemq-license --from-file=hivemq-ese-2021.lic

Create a config.xml configuration file for the Enterprise Security Extension. You can also find examples of this file in the extension folder under conf/examples.

Configure the sql-realm:

db-name - you can find this in ese-db-init.sql; by default it is postgres

db-host - this should be your Postgres service name, which you can get via the kubectl get svc command

db-username - this should be taken from the auth.username block of postgres_values.yaml

db-password - this should be taken from the auth.password block of postgres_values.yaml

Configure the listener-pipeline. Since we are using role-based authorization here, we need to set <use-authorization-key> to false and <use-authorization-role-key> to true.

Code Block (xml)
<?xml version="1.0" encoding="UTF-8" ?>
<enterprise-security-extension
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="config.xsd"
        version="1">
    <realms>
        <!-- a postgresql db-->
        <sql-realm>
            <name>postgres-backend</name>
            <enabled>true</enabled>
            <configuration>
                <db-type>POSTGRES</db-type>
                <db-name>hivemq</db-name>
                <db-host>postgres-servicename</db-host>
                <db-port>5432</db-port>
                <db-username>hivemq</db-username>
                <db-password>password</db-password>
            </configuration>
        </sql-realm>
    </realms>
    <pipelines>
        <!-- secure access to the mqtt broker -->
        <listener-pipeline listener="ALL">
            <!-- authenticate over a sql db -->
            <sql-authentication-manager>
                <realm>postgres-backend</realm>
            </sql-authentication-manager>
            <!-- authorize over a sql db -->
            <sql-authorization-manager>
                <realm>postgres-backend</realm>
                <use-authorization-key>false</use-authorization-key>
                <use-authorization-role-key>true</use-authorization-role-key>
            </sql-authorization-manager>
        </listener-pipeline>
    </pipelines>
</enterprise-security-extension>
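As an added check (example code, not part of the original page or of HiveMQ's ESE), the following Python lint parses a config.xml like the one above and reports what would otherwise only surface in the extension logs: manager entries that reference an undefined or disabled realm, role-based flags that deviate from the setup described above, a db-username or db-name that does not match the values the page says they must come from, and a placeholder db-password. The EXPECTED values, the placeholder list and the trimmed sample config are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
# Constructed copy of the page's config.xml, reduced to the elements the lint reads.
SAMPLE_CONFIG = """<enterprise-security-extension version="1">
  <realms><sql-realm>
    <name>postgres-backend</name><enabled>true</enabled>
    <configuration>
      <db-type>POSTGRES</db-type><db-name>hivemq</db-name>
      <db-host>postgres-servicename</db-host><db-port>5432</db-port>
      <db-username>hivemq</db-username><db-password>password</db-password>
    </configuration>
  </sql-realm></realms>
  <pipelines><listener-pipeline listener="ALL">
    <sql-authentication-manager><realm>postgres-backend</realm></sql-authentication-manager>
    <sql-authorization-manager>
      <realm>postgres-backend</realm>
      <use-authorization-key>false</use-authorization-key>
      <use-authorization-role-key>true</use-authorization-role-key>
    </sql-authorization-manager>
  </listener-pipeline></pipelines>
</enterprise-security-extension>"""

# Assumed expectations: auth.username from postgres_values.yaml, database name from ese-db-init.sql.
EXPECTED = {"db-username": "admin", "db-name": "postgres"}
PLACEHOLDER_SECRETS = {"", "password", "changeme"}
ROLE_BASED = {"use-authorization-key": "false", "use-authorization-role-key": "true"}

def lint_ese_config(xml_text, expected=EXPECTED):
    """Return a list of findings; an empty list means every check passed."""
    root, findings, realms = ET.fromstring(xml_text), [], set()
    for realm in root.findall("./realms/sql-realm"):
        name = realm.findtext("name")
        realms.add(name)
        if realm.findtext("enabled", "false").strip().lower() != "true":
            findings.append(f"realm {name}: disabled")
        conf = realm.find("configuration")
        for key, want in expected.items():
            if conf.findtext(key) != want:
                findings.append(f"realm {name}: {key} is {conf.findtext(key)!r}, expected {want!r}")
        if conf.findtext("db-password", "") in PLACEHOLDER_SECRETS:
            findings.append(f"realm {name}: db-password is a placeholder value")
    for mgr in root.iter():
        if mgr.tag.endswith("-manager") and mgr.findtext("realm") not in realms:
            findings.append(f"{mgr.tag}: references unknown realm {mgr.findtext('realm')!r}")
        if mgr.tag == "sql-authorization-manager":
            for flag, want in ROLE_BASED.items():
                if mgr.findtext(flag) != want:
                    findings.append(f"role-based setup expects {flag}={want}")
    return findings
```

Run against the page's example it reports three findings (username and database name differ from the values given in the Postgres step, and the password is a placeholder); a config that passes the checks returns an empty list.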

Create a ConfigMap for the ESE configuration:

Code Block (bash)
kubectl create configmap enterprise-security-extension-config --from-file config.xml

Create a hivemq_values.yaml file to deploy HiveMQ using the Kubernetes operator. Ensure that the ESE extension is preinstalled. The full values of the operator can be found here.

Example hivemq_values.yaml

(Note: the CPU and memory configs shown here are set for demo purposes. For production, we recommend qualifying our minimum hardware requirements so that HiveMQ runs as expected.)

Code Block (yaml)
hivemq:
  cpu: 2
  memory: 2Gi
  nodeCount: "2"

  extensions:
  - enabled: true
    extensionUri: preinstalled
    initialization: |
      # A little hack because k8s configMaps can't handle sub-directories
      [[ -e /conf-override/extensions/hivemq-enterprise-security-extension/config.xml ]] &&
      rm -f $(pwd)/conf/config.xml &&
      cp -s /conf-override/extensions/hivemq-enterprise-security-extension/config.xml $(pwd)/conf/config.xml
      # Download the JDBC driver only once: the tested path must match the --output path
      [[ ! -f drivers/jdbc/postgres.jar ]] &&
      curl -L https://jdbc.postgresql.org/download/postgresql-42.2.14.jar --output drivers/jdbc/postgres.jar
    name: hivemq-enterprise-security-extension
    configMap: enterprise-security-extension-config

  ports:
    - name: "mqtt"
      port: 1883
      expose: true
      patch:
        - '[{"op":"add","path":"/spec/selector/hivemq.com~1node-offline","value":"false"},{"op":"add","path":"/metadata/annotations","value":{"service.spec.externalTrafficPolicy":"Local"}}]'
        # If you want Kubernetes to expose the MQTT port to external traffic
        # - '[{"op":"add","path":"/spec/type","value":"LoadBalancer"}]'
    - name: "cc"
      port: 8080
      expose: true
      patch:
        - '[{"op":"add","path":"/spec/sessionAffinity","value":"ClientIP"}]'
        # If you want Kubernetes to expose the Control Center port to external traffic
        # - '[{"op":"add","path":"/spec/type","value":"LoadBalancer"}]'
  configMaps:
    - name: hivemq-license
      path: /opt/hivemq/license
operator:
  admissionWebhooks:
    enabled: false
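The strings under ports[].patch are JSON Patch (RFC 6902) documents that the operator applies to the Service it creates for each port. As an added example (not the operator's code), the Python below applies the page's mqtt patch to a constructed Service manifest so the resulting selector and annotation are visible, including the "~1" JSON Pointer escape that turns "hivemq.com~1node-offline" into the label key hivemq.com/node-offline. The sample Service and the restriction to "add" operations are assumptions made for the example.

```python
import json

# The two patch strings exactly as they appear in the mqtt port entry of the page.
MQTT_PATCH = ('[{"op":"add","path":"/spec/selector/hivemq.com~1node-offline","value":"false"},'
              '{"op":"add","path":"/metadata/annotations",'
              '"value":{"service.spec.externalTrafficPolicy":"Local"}}]')
LB_PATCH = '[{"op":"add","path":"/spec/type","value":"LoadBalancer"}]'

def pointer_tokens(path):
    """Split a JSON Pointer into unescaped tokens ("~1" -> "/" first, then "~0" -> "~")."""
    if path == "":
        return []
    if not path.startswith("/"):
        raise ValueError(f"invalid JSON Pointer: {path!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in path[1:].split("/")]

def apply_add_ops(doc, patch_text):
    """Apply the 'add' operations of a JSON Patch string to a deep copy of doc."""
    doc = json.loads(json.dumps(doc))
    for op in json.loads(patch_text):
        if op["op"] != "add":
            raise ValueError(f"only 'add' is handled in this example, got {op['op']!r}")
        tokens = pointer_tokens(op["path"])
        if not tokens:
            raise ValueError("whole-document replacement is not handled in this example")
        *parents, leaf = tokens
        target = doc
        for tok in parents:
            target = target[tok]  # RFC 6902: intermediate containers must already exist
        if isinstance(target, list):
            target.insert(len(target) if leaf == "-" else int(leaf), op["value"])
        else:
            target[leaf] = op["value"]  # 'add' on an object replaces an existing member
    return doc

# Constructed stand-in for the Service the operator generates for the mqtt port.
def sample_mqtt_service():
    return {"metadata": {"name": "hivemq-mqtt"},
            "spec": {"type": "ClusterIP", "selector": {"app": "hivemq"},
                     "ports": [{"name": "mqtt", "port": 1883}]}}

def patched_mqtt_service(expose_externally=False):
    """Service after the page's mqtt patch, optionally plus the commented-out LoadBalancer patch."""
    svc = apply_add_ops(sample_mqtt_service(), MQTT_PATCH)
    return apply_add_ops(svc, LB_PATCH) if expose_externally else svc
```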

Deploy the HiveMQ cluster using Helm:

Code Block (bash)
helm upgrade --install -f hivemq_values.yaml <release name> hivemq/hivemq-operator

Check the status of the pods:

Code Block (bash)
kubectl get pods

Verify from the extension logs that it has started successfully:

Code Block (bash)
kubectl logs <pod name>

Now connect to the Postgres pod and create the required users, roles and permissions data.

Use the MQTT CLI to perform quick tests.