
This guide provides detailed steps for configuring the Enterprise Security Extension (ESE) with the HiveMQ Platform Operator. Ensure you meet the specified prerequisites before proceeding.

Prerequisites:

  1. Helm version v3+

  2. Running Kubernetes cluster version 1.18.0 or higher

  3. kubectl latest version

  4. Running Postgres database with all required tables and data.

Instructions

  1. Generate hivemq_values.yaml:

    Generate the hivemq_values.yaml file from the default values of the HiveMQ Platform Helm chart:

    helm show values hivemq/hivemq-platform > hivemq_values.yaml
  2. Configure ESE License:

    Follow the steps in Setting Up HiveMQ License for Your HiveMQ Cluster using HiveMQ Platform Operator to configure the ESE license.

  3. Create config.xml for ESE:

    • Examples of the config.xml file are in the extension folder under conf/examples.

    • Configure the sql-realm with your database name, host, username, and password.

    • Configure the listener-pipeline, setting <use-authorization-key> to false and <use-authorization-role-key> to true.

    • Please refer to the example:

      <?xml version="1.0" encoding="UTF-8" ?>
      <enterprise-security-extension
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:noNamespaceSchemaLocation="config.xsd"
              version="1">
          <realms>
              <!-- a postgresql db-->
              <sql-realm>
                  <name>postgres-backend</name>
                  <enabled>true</enabled>
                  <configuration>
                      <db-type>POSTGRES</db-type>
                      <db-name>hivemq</db-name>
                      <db-host>postgres-servicename or host</db-host>
                      <db-port>5432</db-port>
                      <db-username>hivemq</db-username>
                      <db-password>password</db-password>
                  </configuration>
              </sql-realm>
          </realms>
          <pipelines>
              <!-- secure access to the mqtt broker -->
              <listener-pipeline listener="ALL">
                  <!-- authenticate over a sql db -->
                  <sql-authentication-manager>
                      <realm>postgres-backend</realm>
                  </sql-authentication-manager>
                  <!-- authorize over a sql db -->
                  <sql-authorization-manager>
                      <realm>postgres-backend</realm>
                      <use-authorization-key>false</use-authorization-key>
                      <use-authorization-role-key>true</use-authorization-role-key>
                  </sql-authorization-manager>
              </listener-pipeline>
          </pipelines>
      </enterprise-security-extension>
  4. Create ConfigMap for ESE configuration:

    kubectl create configmap ese-config --from-file config.xml -n <namespace>
  5. Deploy HiveMQ Platform Operator:

    helm install platform-op hivemq/hivemq-platform-operator -n <namespace>
  6. Edit hivemq_values.yaml: Modify the hivemq_values.yaml file to include ESE-related changes.

    1. Disable the hivemq-allow-all-extension

      extensions:
        - name: hivemq-allow-all-extension
          enabled: false
      ...
    2. Reference the ConfigMap created in step 4 and set enabled: true to enable the extension.

      ...
      extensions:
        - name: hivemq-enterprise-security-extension
          enabled: true
          configMapName: "ese-config"
      ...
      
  7. Override StatefulSet Configuration:
    Each SQL realm opens a JDBC connection to the configured database instance. Opening the connection requires a database-specific JDBC driver. This driver is not packaged with the ESE, so it must be downloaded first.

    Either create a separate file for your StatefulSet or add it to the existing hivemq_values.yaml.

    1. To override the StatefulSet from a separate file, render a template with the following command and edit output/templates/hivemq-custom-resource.yml:

      helm template my-hivemq-platform hivemq/hivemq-platform --output-dir ./output

      Deploy HiveMQ:

      helm upgrade --install -f hivemq_values.yaml <installation name> hivemq/hivemq-platform --set-file config.overrideStatefulSet=files/stateful-set-spec.yaml -n <namespace>
    2. To edit hivemq_values.yaml directly, refer to the following example of overrideStatefulSet:

      ...
      config:
        create: false
        name: hivemq-configuration-hivemq-test
        overrideStatefulSet: |
          spec:
            replicas: 2
            template:
              spec:
                containers:
                  - name: hivemq
                    env:
                      - name: JAVA_OPTS
                        value: "-XX:+UnlockExperimentalVMOptions -XX:InitialRAMPercentage=50 -XX:MaxRAMPercentage=50"
                    image: "docker.io/hivemq/hivemq4:4.24.0"
                    imagePullPolicy: IfNotPresent
                    ports:
                      - name: mqtt-1883
                        containerPort: 1883
                      - name: cc-8080
                        containerPort: 8080
                        # Metric container ports are not configurable right now
                      - name: metrics-9399
                        containerPort: 9399
                    resources:
                      limits:
                        cpu: "1024m"
                        memory: "2048M"
                      requests:
                        cpu: "1024m"
                        memory: "2048M"
                    volumeMounts:
                      - name: licenses
                        mountPath: /opt/hivemq/license
                      - name: jdbc-drivers
                        mountPath: /opt/hivemq/extensions/hivemq-enterprise-security-extension/drivers/jdbc
                initContainers:
                  # Download the PostgreSQL JDBC driver into the shared emptyDir
                  # volume before the hivemq container starts. "set -e" makes the
                  # init container fail (and the pod stay pending) if the download
                  # fails, instead of starting the broker without a driver.
                  - name: install
                    image: alpine
                    imagePullPolicy: IfNotPresent
                    command: ["sh", "-c"]
                    args:
                      - |
                        set -e
                        echo "Downloading jdbc driver to download dir..."
                        wget -P /download/ https://jdbc.postgresql.org/download/postgresql-42.6.0.jar
                        mv /download/postgresql-42.6.0.jar /download/postgresql.jar
                        chmod 444 /download/postgresql.jar
                        ls -la /download
                    volumeMounts:
                      - name: jdbc-drivers
                        mountPath: "/download/"
                volumes:
                  - name: licenses
                    secret:
                      secretName: hivemq-license
                  - name: jdbc-drivers
                    emptyDir: {}

      Deploy HiveMQ:

      helm upgrade --install -f hivemq_values.yaml <installation name> hivemq/hivemq-platform -n <namespace>
  8. Check Pod Status:

    Verify that all hivemq pods are running.

    kubectl get pods -n <namespace>
  9. Verify Enterprise Security Extension Start:

    Check the hivemq.log to confirm successful ESE startup.

    kubectl logs <pod name> -n <namespace>
  10. Perform Quick Tests:

    Use the MQTT CLI to run quick connection tests against the broker.

When you define a custom StatefulSet spec, make sure the ports match between the Service configuration and the StatefulSet configuration: each container port name in the StatefulSet must match the port name the Service refers to. Port names can contain at most 15 characters and cannot end with a hyphen (-).
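As an added example (not part of the HiveMQ guide), the following stdlib-only Python check validates that a config.xml meets the requirements of step 3 before it goes into the ConfigMap in step 4: every sql-realm is enabled and has the full database configuration, both pipeline managers reference a defined realm, and the authorization manager uses the role key rather than the authorization key. The sample config is constructed from the guide's example, with its placeholder db-host left in so the check has something to flag.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the guide's config.xml, placeholder db-host left in place.
SAMPLE_CONFIG = """<enterprise-security-extension version="1">
  <realms><sql-realm><name>postgres-backend</name><enabled>true</enabled>
    <configuration><db-type>POSTGRES</db-type><db-name>hivemq</db-name>
      <db-host>postgres-servicename or host</db-host><db-port>5432</db-port>
      <db-username>hivemq</db-username><db-password>password</db-password>
    </configuration></sql-realm></realms>
  <pipelines><listener-pipeline listener="ALL">
    <sql-authentication-manager><realm>postgres-backend</realm></sql-authentication-manager>
    <sql-authorization-manager><realm>postgres-backend</realm>
      <use-authorization-key>false</use-authorization-key>
      <use-authorization-role-key>true</use-authorization-role-key>
    </sql-authorization-manager></listener-pipeline></pipelines>
</enterprise-security-extension>"""

REQUIRED_DB_KEYS = ("db-type", "db-name", "db-host", "db-port", "db-username", "db-password")

def check_ese_config(xml_text):
    """Return a list of findings; an empty list means the config matches the guide."""
    root = ET.fromstring(xml_text)
    findings, realms = [], set()
    for realm in root.iter("sql-realm"):
        name = realm.findtext("name") or "<unnamed>"
        realms.add(name)
        if realm.findtext("enabled") != "true":
            findings.append(f"realm {name}: <enabled> is not true")
        conf = realm.find("configuration")
        for key in REQUIRED_DB_KEYS:
            value = (conf.findtext(key) if conf is not None else None) or ""
            if not value.strip():
                findings.append(f"realm {name}: missing <{key}>")
            elif " " in value:  # e.g. the "postgres-servicename or host" placeholder
                findings.append(f"realm {name}: <{key}> still holds placeholder text")
    for pipe in root.iter("listener-pipeline"):
        # Both managers must point at a realm that is actually defined above.
        for mgr in ("sql-authentication-manager", "sql-authorization-manager"):
            node = pipe.find(mgr)
            if node is None or node.findtext("realm") not in realms:
                findings.append(f"{mgr}: missing or references an undefined realm")
        authz = pipe.find("sql-authorization-manager")
        if authz is not None:  # the guide requires role-key based authorization
            if authz.findtext("use-authorization-key") != "false":
                findings.append("<use-authorization-key> must be false")
            if authz.findtext("use-authorization-role-key") != "true":
                findings.append("<use-authorization-role-key> must be true")
    return findings

if __name__ == "__main__":
    for finding in check_ese_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the real file with check_ese_config(open("config.xml").read()) before step 4; the sample above yields exactly one finding, the placeholder db-host.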
