Setup ESE with PostgreSQL using HiveMQ Operator

Installation of PostgreSQL Client

• A PostgreSQL client installed locally (we use psql (PostgreSQL) 14.10)

  1. MacOS: brew install PostgreSQL

  2. Windows: link

  3. Linux: link

Installation of PostgreSQL server

1. Add the PostgreSQL repo to your Helm:

   helm repo add bitnami https://charts.bitnami.com/bitnami

2. Update the repo to the latest version:

   helm repo update bitnami

3. Create a new namespace to place the PostgreSql in:

   kubectl create namespace db

4. Switch the KubeCtl context to the new namespace:

5. Install PostgreSQL to the new namespace:

6. If everything is correct, then PostgreSQL in installed to namespace “db”. The default name for the admin user is “postgres”. To get the password for "postgres" user run the following command and note the password:

Create tables for the ESE

1. Port-forward service postgres-postgresql to localhost:

2. Create a new database. When asked “Password for user postgres: ", input the value of the PGPASSWORD variable:

Insert test credentials into the ESE database

1. Save the attached script to the file. Execute the script to create all the necessary tables in the ese-db.

2. Save the attached script to the file. If asked “Password for user postgres: ", input the value of the PGPASSWORD variable.

3. Check your work. If asked “Password for user postgres: ", input the value of the PGPASSWORD variable.

Setting up the ESE license as a ConfigMap

1. HiveMQ Enterprise Security Extension requires a separate license file, e.g. ese-license.elic, in the $HIVEMQ_HOME/license directory. To add the ese-license.elic along with the hivemq-license.lic, create a new configmap hivemq-license including all desired license files:

2. Edit the values.yaml file of the hivemq-operator, section hivemq.configMaps. Update this:

   To this:

   This will mount the content of the configMap hivemq-license to the directory /opt/hivemq/license of the hivemq-broker pods.

3. Finally, disable the default security extension. By default, the HiveMQ distribution comes with the allow-all extension that permits all MQTT connections without requiring authentication. Before you use HiveMQ in production, add an appropriate security extension and remove the HiveMQ allow-all extension.
   To disable the extension, set the HIVEMQ_ALLOW_ALL_CLIENTS environment variable to false.
   Edit the values.yaml file of the hivemq-operator, section hivemq.env. Update this:

   To this:

Configuring the extension

1. Download a simple configuration file for Enterprise Security Extensions in the example below.
   Replace the “password” in <db-password>password</db-password> with the value of PGPASSWORD variable.

2. In the hivemq namespace create a configMap ese-config from the file config.xml

3. Edit values.yaml file of hivemq-operator and update section hivemq.extensions, having name: hivemq-enterprise-security-extension
   Update the old hivemq-enterprise-security-extension block from this:

   To this:

4. Re-deploy hivemq-operator with updated values.yaml

   – for ease of use we switch the namespace back to hivemq kubectl config set-context --current --namespace=hivemq

5. If everything is correct, The HiveMQ log contains info about using the correct license:

The output would contain the following data around license and extension:

End-to-end testing

1. Find the MQTTListenerURL or IP using the following command (hivemq-hivemq-mqtt in our case with IP 20.79.142.120)

    

   Open

   

2. Subscribe (update url/ip for host, taken from last step, localhost in case of port forward)

3. Publish (update url/ip for host, taken from last step, localhost in case of port forward)

    

4. If everything is correct, the subscriber will receive Test

   Open

   

Next steps

Please read official documentation for more configuration options https://docs.hivemq.com/hivemq-enterprise-security-extension/latest/index.html