Setting Up Enterprise Security Extension(Postgres) with HiveMQ Platform Operator

This guide provides detailed steps for configuring the Enterprise Security Extension (ESE) with the HiveMQ Platform Operator. Ensure you meet the specified prerequisites before proceeding.

Prerequisites:

1. Helm version v3+

2. Running Kubernetes cluster version 1.18.0 or higher

3. kubectl latest version

4. Running Postgres database with all required tables and data.

Instructions

1. Generate hivemq_values.yaml:

   Deploy HiveMQ using the HiveMQ Platform and generate the hivemq_values.yaml file:

   helm show values hivemq/hivemq-platform > hivemq_values.yaml

2. Configure ESE License:

   Follow the specific steps outlined for configuring the ESE license. Setting Up HiveMQ License for Your HiveMQ Cluster using HiveMQ Platform Operator

3. Create config.xml for ESE:

   • Examples of the config.xml file are in the extension folder under conf/examples.

   • Configure the sql-realm with your database name, host, username, and password.

   • Configure the listener-pipeline, setting <use-authorization-key> to false and <use-authorization-role-key> to true.

   • Please refer to the example:

     <?xml version="1.0" encoding="UTF-8" ?> <enterprise-security-extension xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="config.xsd" version="1"> <realms> <!-- a postgresql db--> <sql-realm> <name>postgres-backend</name> <enabled>true</enabled> <configuration> <db-type>POSTGRES</db-type> <db-name>hivemq</db-name> <db-host>postgres-servicename or host</db-host> <db-port>5432</db-port> <db-username>hivemq</db-username> <db-password>password</db-password> </configuration> </sql-realm> </realms> <pipelines> <!-- secure access to the mqtt broker --> <listener-pipeline listener="ALL"> <!-- authenticate over a sql db --> <sql-authentication-manager> <realm>postgres-backend</realm> </sql-authentication-manager> <!-- authorize over a sql db --> <sql-authorization-manager> <realm>postgres-backend</realm> <use-authorization-key>false</use-authorization-key> <use-authorization-role-key>true</use-authorization-role-key> </sql-authorization-manager> </listener-pipeline> </pipelines> </enterprise-security-extension>

4. Create ConfigMap for ESE configuration:

   kubectl create configmap ese-config --from-file config.xml -n <namespace>

5. Deploy HiveMQ Platform Operator:

6. Edit hivemq_values.yaml: Modify the hivemq_values.yaml file to include ESE-related changes.

   1. Disable the hivemq-allow-all-extension

   2. Configure the ConfigMap name created in the previous step. Set enabled: true to enable this extension.

7. Override StatefulSet Configuration:
   Each SQL realm must create a JDBC database connection to the configured database instance. To create the connection, a database-specific JDBC Driver is required. This driver is not prepacked with an ESE extension hence it needs to be downloaded first.
   
   

   Either create a separate file for your StatefulSet or add it to the existing hivemq_values.yaml.

   1. To create a separate file stateful-set-spec.yaml to override the Statefulset,

      Deploy HiveMQ:

   2. To edit hivemq_values.yaml Please. refer example of overrideStatefulSet.

      Deploy HiveMQ:

8. Check Pod Status:

   Verify that all hivemq pods are running.

9. Verify Enterprise Security Extension Start:

   Check the hivemq.log to confirm successful ESE startup.

10. Perform Quick Tests:

    Utilize the MQTT CLI to conduct quick tests.

 Related articles