
In this article, we walk you through the steps to enable a TLS listener for HiveMQ in a Kubernetes cluster using the HiveMQ Operator. By default, the HiveMQ Operator always enables the plain TCP listener on port 1883.

Prerequisites:

  • The Kubernetes cluster is already set up and running.

  • Kubernetes version 1.16+ is installed.

  • Helm version 3 is installed.

  • The HiveMQ Kubernetes operator chart repository is already added to Helm.

  • keystore.jks and (optionally) truststore.jks are ready (the steps to create these JKS files are described on a separate page).

📘 Instructions

  1. With the JKS (Java KeyStore) file(s) ready, create a ConfigMap from them so they can be mounted into the Pod at the path specified in the next step. Use the following command (repeat --from-file for truststore.jks if you use one):

    kubectl create configmap hivemq-jks --from-file=<path/to/keystore.jks> -n <namespace>
  2. Reference the ConfigMap in your values.yaml file for HiveMQ as follows:

    hivemq:
      ...
      configMaps:
      - name: hivemq-jks
        path: /opt/hivemq/conf

    This mounts both JKS files at the specified path.

  3. Store the keystore passwords in a Kubernetes Secret using the following command:

    kubectl create secret generic tls-passwords \
    --from-literal=keystore_password='changeme' \
    --from-literal=keystore_private_password='changeme' -n <namespace>

    You can add the truststore passwords to the same Secret in the same way.

  4. Create environment variables that make the passwords available to the HiveMQ listener configuration. Update your values.yaml file with the following configuration:

    hivemq:
      ...
      env:
      - name: KEYSTORE_KEY_PASSWORD
        valueFrom:
          secretKeyRef:
            key: keystore_password
            name: tls-passwords
      - name: KEYSTORE_PRIVATE_KEY_PASSWORD
        valueFrom:
          secretKeyRef:
            key: keystore_private_password
            name: tls-passwords
  5. To enable the TLS listener, add the following block to your values.yaml. Replace the JKS file name with the name of your keystore file and use the environment variable names defined in step 4 for the passwords chosen when the keystore was created.

    hivemq:
      ...
      listenerConfiguration: |
        <tls-tcp-listener>
            <port>8883</port>
            <bind-address>0.0.0.0</bind-address>
            <proxy-protocol>true</proxy-protocol>
            <tls>
                <keystore>
                    <path>/opt/hivemq/conf/hivemq.jks</path>
                    <password>${KEYSTORE_KEY_PASSWORD}</password>
                    <private-key-password>${KEYSTORE_PRIVATE_KEY_PASSWORD}</private-key-password>
                </keystore>
            </tls>
        </tls-tcp-listener>

  6. Change the MQTT port from 1883 to 8883 in the ports section of your values.yaml file and, if you expose the port through a Service, in that manifest as well.

  7. Deploy the changes to the Kubernetes cluster:

    helm upgrade --install -f values.yaml hivemq hivemq/hivemq-operator -n <namespace>
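    Steps 2, 4, 5 and 6 must agree with each other: the keystore path in the listener XML has to sit under the ConfigMap mount path, every ${VAR} in the XML needs an env entry backed by a key that exists in the Secret, and the listener port has to appear in the ports section. The following Python script is an added example, not part of this page or of the HiveMQ Operator; it renders those values.yaml pieces with the names used above and cross-checks them before you run helm upgrade. The layout of the ports entries and the output file name values.tls.json are assumptions to compare against the chart's own values.yaml.

```python
"""Render the hivemq: values from steps 2, 4 and 5 and cross-check them before helm upgrade."""
import json
import re
import xml.etree.ElementTree as ET

# Names used in the steps above
CONFIGMAP_NAME = "hivemq-jks"        # step 1
MOUNT_PATH = "/opt/hivemq/conf"      # step 2
SECRET_NAME = "tls-passwords"        # step 3
ENV_TO_SECRET_KEY = {                # step 4: env var name -> key in the Secret
    "KEYSTORE_KEY_PASSWORD": "keystore_password",
    "KEYSTORE_PRIVATE_KEY_PASSWORD": "keystore_private_password",
}


def listener_xml(keystore_file: str, port: int) -> str:
    """The <tls-tcp-listener> block from step 5, keystore placed under the ConfigMap mount."""
    return f"""<tls-tcp-listener>
    <port>{port}</port>
    <bind-address>0.0.0.0</bind-address>
    <proxy-protocol>true</proxy-protocol>
    <tls>
        <keystore>
            <path>{MOUNT_PATH}/{keystore_file}</path>
            <password>${{KEYSTORE_KEY_PASSWORD}}</password>
            <private-key-password>${{KEYSTORE_PRIVATE_KEY_PASSWORD}}</private-key-password>
        </keystore>
    </tls>
</tls-tcp-listener>
"""


def build_values(keystore_file: str = "hivemq.jks", port: int = 8883) -> dict:
    """Assemble the hivemq: section. The shape of the 'ports' entries is an assumption."""
    return {
        "hivemq": {
            "configMaps": [{"name": CONFIGMAP_NAME, "path": MOUNT_PATH}],
            "env": [
                {"name": var, "valueFrom": {"secretKeyRef": {"name": SECRET_NAME, "key": key}}}
                for var, key in ENV_TO_SECRET_KEY.items()
            ],
            "ports": [{"name": "mqtt", "port": port, "expose": True}],  # assumed layout
            "listenerConfiguration": listener_xml(keystore_file, port),
        }
    }


def validate_values(values: dict, secret_keys: set) -> list:
    """Return a list of problems; an empty list means the pieces agree with each other."""
    hivemq = values["hivemq"]
    problems = []
    try:
        listener = ET.fromstring(hivemq["listenerConfiguration"])
    except ET.ParseError as exc:
        return [f"listenerConfiguration is not well-formed XML: {exc}"]

    # The keystore path must live under a mounted ConfigMap path (step 2).
    path = listener.findtext("tls/keystore/path") or ""
    mounts = [cm["path"] for cm in hivemq.get("configMaps", [])]
    if not any(path.startswith(m.rstrip("/") + "/") for m in mounts):
        problems.append(f"keystore path {path!r} is not under a configMaps mount {mounts}")

    # Every ${VAR} in the XML must be an env entry backed by a key of the Secret (steps 3 and 4).
    env = {e["name"]: e for e in hivemq.get("env", [])}
    for var in sorted(set(re.findall(r"\$\{([A-Z0-9_]+)\}", hivemq["listenerConfiguration"]))):
        if var not in env:
            problems.append(f"${{{var}}} is referenced in the listener but has no env entry")
            continue
        ref = env[var].get("valueFrom", {}).get("secretKeyRef", {})
        if ref.get("name") != SECRET_NAME or ref.get("key") not in secret_keys:
            problems.append(f"{var} points at {ref}, which is not a key of secret {SECRET_NAME}")

    # The listener port must also appear in the ports section (step 6).
    listener_port = int(listener.findtext("port"))
    if listener_port not in {p["port"] for p in hivemq.get("ports", [])}:
        problems.append(f"listener port {listener_port} is missing from hivemq.ports")
    return problems


if __name__ == "__main__":
    values = build_values()
    issues = validate_values(values, {"keystore_password", "keystore_private_password"})
    if issues:
        raise SystemExit("\n".join(issues))
    # JSON is valid YAML, so helm -f reads this file directly.
    with open("values.tls.json", "w") as fh:
        json.dump(values, fh, indent=2)
    print("wrote values.tls.json; run: helm upgrade --install -f values.tls.json "
          "hivemq hivemq/hivemq-operator -n <namespace>")
```

    Run it once with the real keystore file name; any message it prints points at the step whose value disagrees with the others, which is cheaper to find here than in a pod that fails to start.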
  8. Check the logs to confirm that the TLS listener is enabled:

    kubectl logs <pod name> -n <namespace>
  9. If all changes were deployed correctly, the log output shows that the TLS listener is enabled.

  10. You can also test the connection with the MQTT CLI tool.
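    Besides the MQTT CLI, the following stdlib Python probe, added here as an example and not part of this page or of HiveMQ, checks from the client side what the logs report from the server side: a TLS handshake on port 8883, an MQTT CONNECT/CONNACK over the encrypted socket, and that a cleartext CONNECT on the same port is not answered. The host name, CA file and client id are placeholders. It connects to the listener directly and assumes connections without a PROXY protocol header are accepted; if you only reach the broker through a load balancer that injects that header, point the probe at the load balancer instead.

```python
"""Probe a HiveMQ TLS listener: handshake, MQTT CONNECT/CONNACK over TLS, cleartext rejected."""
import socket
import ssl
import struct
import sys


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 bits per byte, high bit = continuation)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def mqtt_connect_packet(client_id: str, keepalive: int = 60) -> bytes:
    """Minimal MQTT 3.1.1 CONNECT: clean session, no username/password, no will."""
    variable_header = b"\x00\x04MQTT" + b"\x04" + b"\x02" + struct.pack(">H", keepalive)
    cid = client_id.encode()
    payload = struct.pack(">H", len(cid)) + cid
    body = variable_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code (0 = connection accepted); raise on anything else."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError(f"not a CONNACK: {data.hex()}")
    return data[3]


def probe(host: str, port: int = 8883, cafile: str = None, client_id: str = "tls-probe") -> dict:
    """Handshake with certificate verification, then exchange CONNECT/CONNACK over the TLS socket."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None uses the system trust store
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(mqtt_connect_packet(client_id))
            rc = parse_connack(tls.recv(4))
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": cert.get("subject"),
                "connack": rc,
            }


def plaintext_rejected(host: str, port: int = 8883) -> bool:
    """A TLS listener must not answer a cleartext CONNECT with a CONNACK."""
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(mqtt_connect_packet("cleartext-probe"))
        try:
            reply = raw.recv(4)
        except (ConnectionError, socket.timeout):
            return True  # reset or silence: the listener did not speak MQTT in the clear
        return not (len(reply) >= 2 and reply[0] == 0x20)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "broker.example.internal"  # placeholder host
    cafile = sys.argv[2] if len(sys.argv) > 2 else None                      # placeholder CA file
    print(probe(host, cafile=cafile))
    print("cleartext CONNECT rejected:", plaintext_rejected(host))
```

    Run it as `python probe.py <broker-host> <ca.pem>` from a machine that can reach the Service; a CONNACK return code of 0 together with the expected certificate subject confirms the listener from step 5 is the one answering on 8883.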
