/
Consul-template sidecar | HiveMQ Platform Operator (new)

Consul-template sidecar | HiveMQ Platform Operator (new)

 Instructions

  1. These instructions assume that the secrets in the vault are in the following structure:

    hivemq-poc1 └── opt └── hivemq ├── conf │   ├── key.passphrase │   ├── keystore.password │   ├── keystore_base64 │   ├── truststore.password │   └── truststore_base64 └── license └── license_base64


    To achieve such a structure in the Hashicorp Vault at a kv-2 path, and enable hivemq to read from the path, the following commands in the Hashicorp Vault are used:

    # Enable Vault to store key-value pairs at path hivemq-poc1 vault secrets enable -path=hivemq-poc1 kv-v2 # Create vault secrets from files cd /tmp vault kv put hivemq-poc1/opt/hivemq/conf keystore_base64="$(base64 </tmp/broker-keystore.jks)" \ keystore.password=changeme key.passphrase=changeme vault kv put hivemq-poc1/opt/hivemq/conf truststore_base64="$(base64 </tmp/broker-truststore.jks)" vault kv put hivemq-poc1/opt/hivemq/license license_base64="$(base64 </tmp/hivemq4.lic)" # Enable hivemq to read from paths vault policy write hivemq - <<EOF path "hivemq-poc1/data/opt/hivemq/license" { capabilities = ["read"] } path "hivemq-poc1/data/opt/hivemq/conf" { capabilities = ["read"] } EOF

    If your secrets in the vault are stored differently, you must adopt the consul-template.hcl accordingly.

     

  2. Create a config map with the Consul Template script which will get secrets from the vault and decode them to normal files:
    consul-template.yaml

    apiVersion: v1 kind: ConfigMap metadata: name: consul-template namespace: hivemq data: consul-template.hcl: | template { contents = "{{ with secret (printf \"%s/opt/hivemq/license\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.license_base64 }}{{ end }}" destination = "/opt/hivemq/license/hivemq4.lic" } template { contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.keystore_base64 }}{{ end }}" destination = "/opt/hivemq/keystore/broker-keystore.jks" } template { contents = "{{ with secret (printf \"%s/opt/hivemq/conf\" (mustEnv \"TARGET_ENV\")) }}{{ base64Decode .Data.data.truststore_base64 }}{{ end }}" destination = "/opt/hivemq/keystore/broker-truststore.jks" }
  3. Add init container to the hivemq-platform values.yaml

  4. Add the additional container to the hivemq-platform values.yaml:

  5. Add additional volumes to the hivemq-platform values.yaml:

     

  6. Install HiveMQ Platform Operator

  7. Install HiveMQ Platform broker

If Helm upgrade broker fails, for example, because of a mistake in a test configuration, do not immediately force-delete broker pods. Instead, first uninstall the release:

helm uninstall broker

Only if the uninstallation cannot terminate broker pods, force delete them:

kubectl delete pod --selector hivemq-platform=broker --grace-period=0 --force

Tested with:

  • Helm v3.15.4

  • Kubernetes v1.29.7

  • Kubectl v1.29.2

  • Kubernetes provider: AKS 2xStandard_A8_v2 Kubernetes v1.29.7

  • HiveMQ 4.31.0 (Helm chart: hivemq/hivemq-platform-0.2.21)

  • HiveMQ Platform Operator 1.5.1 (Helm chart: hivemq-platform-operator-0.2.9)

 Related articles

Related content

External Secrets from Hashicorp Vault | HiveMQ Platform Operator (new)
External Secrets from Hashicorp Vault | HiveMQ Platform Operator (new)
More like this
Inject license via Hashicorp Vault Agent Annotations | HiveMQ Platform Operator (new)
Inject license via Hashicorp Vault Agent Annotations | HiveMQ Platform Operator (new)
More like this
Inject license via Hashicorp Vault Agent | HiveMQ Operator (legacy)
Inject license via Hashicorp Vault Agent | HiveMQ Operator (legacy)
More like this
Inject license via Hashicorp Vault Agent Init Container | HiveMQ Platform Operator (new)
Inject license via Hashicorp Vault Agent Init Container | HiveMQ Platform Operator (new)
More like this
Set the HiveMQ License File from a Kubernetes Secret
Set the HiveMQ License File from a Kubernetes Secret
More like this
Setting Up HiveMQ License for Your HiveMQ Cluster using HiveMQ Platform Operator
Setting Up HiveMQ License for Your HiveMQ Cluster using HiveMQ Platform Operator
More like this