Setup ESE File Realm using HiveMQ Operator
Prerequisites
Access to infrastructure with kubectl, e.g. a running HiveMQ cluster (see: Install HiveMQ using Kubernetes Operator)
values.yaml file (see: Install HiveMQ using Kubernetes Operator | Add Helm repository and download values.yaml file)
(optional) You have added a valid license to the HiveMQ broker (see: Add a valid license to HiveMQ Cluster)
(optional) You have added a load balancer and verified the connection (see: Expose MQTT port 1883 and test message flow using MQTT CLI)
kubectl, Helm and MQTT CLI (see: Prerequisite - Software Packages)
Setting up the ESE license as a ConfigMap
If you skip the following steps, the enterprise-security-extension starts in trial mode, which is limited to 5h; the HiveMQ broker automatically disables the extension after 5h.
If you get the error configmaps "hivemq-license" already exists, delete the existing configmap with kubectl delete configmap hivemq-license --namespace hivemq and run the creation step again.
HiveMQ Enterprise Security Extension requires a separate license file, e.g. ese-license.elic, in the $HIVEMQ_HOME/license directory. To add the ese-license.elic along with the hivemq-license.lic, create a new configmap hivemq-license including all desired license files:
kubectl create configmap hivemq-license --namespace=hivemq \
  --from-file hivemq-license.lic \
  --from-file ese-license.elic
Edit the values.yaml file of the hivemq-operator, section hivemq.configMaps. Update this:
configMaps: [] # ConfigMaps to mount to the HiveMQ pods. These can be mounted to existing directories without shadowing the folder contents as well.
#- name: hivemq-license
#  path: /opt/hivemq/license
To this:
configMaps:
  - name: hivemq-license
    path: /opt/hivemq/license
This mounts the content of the configMap hivemq-license to the directory /opt/hivemq/license of the hivemq-broker pods.
Prepare your HiveMQ Enterprise Security Extension configuration files
Please download the following sample files:
config.xml
ese-file-realm.xml
Setting up the ESE config as a ConfigMap
Create a new configMap ese-config including all desired config files:
Edit the values.yaml file of the hivemq-operator, section hivemq.extensions. Update this:
To this:
Disable the default security extension
By default, the HiveMQ distribution comes with the allow-all extension that permits all MQTT connections without requiring authentication. Before you use HiveMQ in production, add an appropriate security extension and remove the HiveMQ allow-all extension.
To disable the extension, set the HIVEMQ_ALLOW_ALL_CLIENTS environment variable to false.
Edit the values.yaml file of the hivemq-operator, section hivemq.env. Update this:
To this:
Update the configuration
Re-deploy hivemq-operator with updated values.yaml
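Before re-deploying, it is worth checking that all three values.yaml edits are actually in place, since a missed HIVEMQ_ALLOW_ALL_CLIENTS leaves the broker accepting unauthenticated clients. The following script is an added example, not part of the HiveMQ documentation or the operator; it assumes the parsed hivemq: section of values.yaml is passed in as a dict (e.g. from yaml.safe_load), that hivemq.env is a list of Kubernetes-style name/value pairs, and that the extension entry references the ese-config ConfigMap by name. The sample dicts are constructed.

```python
# Added example: pre-deploy check of the values.yaml edits described above.
# `hivemq` is the parsed `hivemq:` section, e.g. yaml.safe_load(open("values.yaml"))["hivemq"].
import json
from typing import Any, Dict, List

LICENSE_DIR = "/opt/hivemq/license"  # directory in which the broker looks for *.lic and *.elic files


def check_values(hivemq: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means all three edits are present."""
    findings: List[str] = []

    # 1. The hivemq-license ConfigMap must be mounted at /opt/hivemq/license,
    #    otherwise the ESE starts in the 5h trial mode.
    mounts = {m.get("name"): m.get("path") for m in hivemq.get("configMaps") or []}
    if mounts.get("hivemq-license") != LICENSE_DIR:
        findings.append(f"configMap hivemq-license is not mounted at {LICENSE_DIR}")

    # 2. The allow-all extension must be disabled via HIVEMQ_ALLOW_ALL_CLIENTS=false.
    #    Assumption: hivemq.env is a list of {name, value} entries. YAML may parse
    #    the value as a boolean, hence str().lower().
    env = {e.get("name"): str(e.get("value")).lower() for e in hivemq.get("env") or []}
    if env.get("HIVEMQ_ALLOW_ALL_CLIENTS") != "false":
        findings.append("HIVEMQ_ALLOW_ALL_CLIENTS is not false: unauthenticated clients would be accepted")

    # 3. Some entry in hivemq.extensions must reference the ese-config ConfigMap.
    #    Loose text match, because the exact extension schema is not reproduced here.
    if "ese-config" not in json.dumps(hivemq.get("extensions") or []):
        findings.append("no extension entry references the ese-config ConfigMap")

    return findings


# Constructed samples: the stock values.yaml and the edited one.
DEFAULT_VALUES: Dict[str, Any] = {"configMaps": [], "env": [], "extensions": []}
EDITED_VALUES: Dict[str, Any] = {
    "configMaps": [{"name": "hivemq-license", "path": LICENSE_DIR}],
    "env": [{"name": "HIVEMQ_ALLOW_ALL_CLIENTS", "value": False}],
    # hypothetical entry shape; only the ConfigMap name is checked above
    "extensions": [{"name": "hivemq-enterprise-security-extension", "configMap": "ese-config"}],
}

if __name__ == "__main__":
    for label, values in (("default", DEFAULT_VALUES), ("edited", EDITED_VALUES)):
        print(label, check_values(values) or "OK")
```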
If everything is correct, the HiveMQ log contains information about the license in use:
The output contains the following information about the license and the extension:
Get the external IP of the MQTT load balancer
End-to-end testing of MQTT clients
Find the MQTT listener URL or IP using the following command (hivemq-hivemq-mqtt in our case, with IP 20.113.42.183):
Subscribe an MQTT client (replace the host with the URL/IP from the previous step, or localhost in case of port forwarding):
Do not close this terminal session. This will allow you to see the results.
From a different terminal session, publish a message to the topic "test" (replace the host with the URL/IP from the previous step, or localhost in case of port forwarding):
If everything is correct, the subscriber will receive the message: