/
Setting Up Enterprise Security Extension(Postgres) with HiveMQ Platform Operator

Setting Up Enterprise Security Extension(Postgres) with HiveMQ Platform Operator

Owned by Sheetal Shet, created
Last updated: Apr 15, 2025
2 min read

This guide provides detailed steps for configuring the Enterprise Security Extension (ESE) with the HiveMQ Platform Operator. Ensure you meet the specified prerequisites before proceeding.

Prerequisites:

  1. Helm version v3+

  2. Running Kubernetes cluster version 1.18.0 or higher

  3. kubectl latest version

  4. Running Postgres database with all required tables and data.

Instructions

  1. Generate hivemq_values.yaml:

    Deploy HiveMQ using the HiveMQ Platform and generate the hivemq_values.yaml file:

    helm show values hivemq/hivemq-platform > hivemq_values.yaml

  2. Configure ESE License:

    Follow the specific steps outlined for configuring the ESE license. Setting Up HiveMQ License for Your HiveMQ Cluster using HiveMQ Platform Operator

  3. Create config.xml for ESE:

    • Examples of the config.xml file are in the extension folder under conf/examples.

    • Configure the sql-realm with your database name, host, username, and password.

    • Configure the listener-pipeline, setting <use-authorization-key> to false and <use-authorization-role-key> to true.

    • Please refer to the example:

      <?xml version="1.0" encoding="UTF-8" ?> <enterprise-security-extension xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="config.xsd" version="1"> <realms> <!-- a postgresql db--> <sql-realm> <name>postgres-backend</name> <enabled>true</enabled> <configuration> <db-type>POSTGRES</db-type> <db-name>hivemq</db-name> <db-host>postgres-servicename or host</db-host> <db-port>5432</db-port> <db-username>hivemq</db-username> <db-password>password</db-password> </configuration> </sql-realm> </realms> <pipelines> <!-- secure access to the mqtt broker --> <listener-pipeline listener="ALL"> <!-- authenticate over a sql db --> <sql-authentication-manager> <realm>postgres-backend</realm> </sql-authentication-manager> <!-- authorize over a sql db --> <sql-authorization-manager> <realm>postgres-backend</realm> <use-authorization-key>false</use-authorization-key> <use-authorization-role-key>true</use-authorization-role-key> </sql-authorization-manager> </listener-pipeline> </pipelines> </enterprise-security-extension>

  4. Create ConfigMap for ESE configuration:

    kubectl create configmap ese-config --from-file config.xml -n <namespace>

  5. Deploy HiveMQ Platform Operator:

    helm install platform-op hivemq/hivemq-platform-operator -n <namespace>

  6. Edit hivemq_values.yaml: Modify the hivemq_values.yaml file to include ESE-related changes.

    1. Disable the hivemq-allow-all-extension

      extensions: - name: hivemq-allow-all-extension enabled: false ...

    2. Configure the ConfigMap name created in the previous step. Set enabled: true to enable this extension.

      ... extensions: - name: hivemq-enterprise-security-extension enabled: true configMapName: "ese-config" ...

  7. Deploy HiveMQ:

    helm upgrade --install -f hivemq_values.yaml <installation name> hivemq/hivemq-platform -n <namespace>

  8. Check Pod Status:

    Verify that all hivemq pods are running.

    kubectl get pods -n <namespace>

  9. Verify Enterprise Security Extension Start:

    Check the hivemq.log to confirm a successful ESE startup.

    kubectl logs <pod name> -n <namespace>

  10. Perform Quick Tests:

    Utilize the MQTT CLI to conduct quick tests.

When you define a custom StatefulSetSpec, make sure that ports and services match between the Service configuration and the StatefulSpec configuration. For example, the container port must match the service name section. Port names can contain a maximum of 15 characters and cannot end with a -.

 Related articles

 

 

Related content