Keystore from Azure Key Vault | HiveMQ Platform Operator (new)

This article shows how to securely configure a TLS listener for the HiveMQ Platform on Azure Kubernetes Service (AKS) by using keystore and truststore files managed in Azure Key Vault.

Prerequisites

  • Azure CLI: You'll need the az command-line tool installed and configured with an active Azure subscription.

  • kubectl: The Kubernetes command-line tool, kubectl, must be installed to interact with your AKS cluster.

  • Helm: The Helm package manager for Kubernetes is required to install the HiveMQ Platform Operator.

  • Keystore & Truststore: Your hivemq-keystore.jks and hivemq-truststore.jks files must be available in your current working directory, together with their passwords.

Instructions

  1. Create a resource group for the AKS cluster

    az group create --name demo-group --location unitedstates
  2. Create a demo AKS cluster in the resource group with the Azure Key Vault Secrets Provider add-on enabled

    az aks create --resource-group demo-group --name demo-cluster --node-count 2 --node-vm-size Standard_D8as_v6 --kubernetes-version 1.33 --enable-managed-identity --enable-addons azure-keyvault-secrets-provider
  3. Create a Key Vault in the resource group. The vault is created with the access-policy permission model (RBAC authorization disabled), which is what az keyvault set-policy in step 6 relies on; on an RBAC-enabled vault you would instead assign the Key Vault Secrets User role to the add-on identity.

    az keyvault create --name kv-demo --resource-group demo-group --location unitedstates --enable-rbac-authorization false
  4. Add secrets to the key vault. Replace the "changeme" placeholders with the real keystore and truststore passwords; the store files themselves are stored base64-encoded and decoded again by the secrets provider (objectEncoding: base64 in step 10).

    az keyvault secret set --vault-name kv-demo --name keystore-password --value "changeme"
    az keyvault secret set --vault-name kv-demo --name truststore-password --value "changeme"
    az keyvault secret set --vault-name kv-demo --name keystore --value "$(base64 < "./hivemq-keystore.jks")"
    az keyvault secret set --vault-name kv-demo --name truststore --value "$(base64 < "./hivemq-truststore.jks")"
  5. Get the Id of your Azure Key Vault Secrets Provider in the cluster. Copy the output of this command, as it is the object ID of your Azure Key Vault Secrets Provider.

    az aks show --resource-group demo-group --name demo-cluster --query addonProfiles.azureKeyvaultSecretsProvider.identity.objectId -o tsv
  6. Enable your Azure Key Vault Secrets Provider to read from the key vault

    az keyvault set-policy --name kv-demo --object-id "Object Id of your Azure Key Vault Secrets Provider" --secret-permissions get list
  7. Get kubectl credentials for the cluster

    az aks get-credentials --resource-group demo-group --name demo-cluster --overwrite-existing
  8. Get the Tenant Id of the key vault. Copy the output of this command, as it is the Tenant ID of your Key Vault.

    az keyvault show --name kv-demo --resource-group demo-group --query properties.tenantId -o tsv
  9. Get the Client Id of the azureKeyvaultSecretsProvider in the cluster. Copy the output of this command, as it is the Client ID of your Azure Key Vault Secrets Provider.

    az aks show --resource-group demo-group --name demo-cluster --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv
  10. Create a SecretProviderClass manifest that binds the secrets from the key vault to a Kubernetes Secret. Insert the Client ID from step 9 and the Tenant ID from step 8.
    secrets-store.yaml

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: kv-demo-secrets-from-vault
    spec:
      provider: azure
      parameters:
        usePodIdentity: "false"
        useVMManagedIdentity: "true"
        userAssignedIdentityID: "Client Id of your Azure Key Vault Secrets Provider"
        keyvaultName: "kv-demo"
        tenantId: "Tenant Id of the key vault"
        objects: |
          array:
            - |
              objectName: keystore
              objectType: secret
              objectEncoding: base64
            - |
              objectName: keystore-password
              objectType: secret
            - |
              objectName: truststore
              objectType: secret
              objectEncoding: base64
            - |
              objectName: truststore-password
              objectType: secret
      secretObjects:
        - secretName: secrets-from-vault
          type: Opaque
          data:
            - objectName: keystore
              key: keystore
            - objectName: keystore-password
              key: keystore.password
            - objectName: truststore
              key: truststore
            - objectName: truststore-password
              key: truststore.password
  11. Create the SecretProviderClass

    kubectl apply -f secrets-store.yaml
  12. Install hivemq-platform-operator

    helm repo add hivemq https://hivemq.github.io/helm-charts
    helm repo update hivemq
    helm install hpo hivemq/hivemq-platform-operator
  13. Prepare your-values.yaml for the hivemq-platform, referring to the secrets from the key vault. The secret name and keys must match the secretObjects section of the SecretProviderClass exactly; a listener that references a missing key does not start.

    ...
    services:
      ...
      - type: mqtt
        name: "tls-tcp-listener-8883"
        exposed: true
        containerPort: 8883
        keystoreSecretName: "secrets-from-vault"
        keystoreSecretKey: "keystore"
        keystorePasswordSecretName: "secrets-from-vault"
        keystorePasswordSecretKey: "keystore.password"
        truststoreSecretName: "secrets-from-vault"
        truststoreSecretKey: "truststore"
        truststorePasswordSecretName: "secrets-from-vault"
        truststorePasswordSecretKey: "truststore.password"
        tlsClientAuthenticationMode: "REQUIRED"
    ...
  14. Install hivemq-platform

    helm install hp hivemq/hivemq-platform --values your-values.yaml
  15. Monitor the operator log for secrets that could not be found. Note that the Secrets Store CSI driver creates the synced Kubernetes Secret only after a pod has mounted the SecretProviderClass volume, so a "secret not found" message at this point usually means the Secret has not been synced yet rather than that the key vault objects are wrong.

    kubectl logs deployment/hivemq-hpo -f
  16. Verify the TLS listener started successfully using keystore secrets

    kubectl logs statefulset/hp --follow
  17. Clean up after the demo. Delete the AKS cluster.

    az aks delete --resource-group demo-group --name demo-cluster
  18. Delete the kubectl profile

    kubectl config delete-context demo-cluster
  19. Delete the Key Vault

    az keyvault delete --name kv-demo --resource-group demo-group
  20. Purge the Key Vault

    az keyvault purge --name kv-demo --location unitedstates
  21. Delete the resource group

    az group delete --name demo-group
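The most common failure in this procedure is a mismatch between the keys that secretObjects writes into the synced Secret (step 10) and the *SecretKey values the listener references in your-values.yaml (step 13). The following script is an added example, not code from HiveMQ or the Azure provider: it cross-checks a values fragment against the key names of the synced Secret before helm install. Both inputs are constructed inline here (the key list is what you would get from kubectl get secret secrets-from-vault with the go-template shown in the comment), and the sample deliberately references a truststore-password key that the SecretProviderClass never creates.

```shell
#!/bin/sh
# Added example (not HiveMQ's own code): verify that every *SecretKey a
# hivemq-platform listener references exists in the Kubernetes Secret that the
# Secrets Store CSI driver synced from Azure Key Vault.
set -eu

# Constructed sample: key names of the synced Secret, as you would obtain with
#   kubectl get secret secrets-from-vault \
#     -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
SECRET_KEYS='keystore
keystore.password
truststore
truststore.password'

# Constructed sample values fragment. truststorePasswordSecretKey deliberately
# names a key ("truststore-password") that the SecretProviderClass does not create.
VALUES='services:
  - type: mqtt
    name: "tls-tcp-listener-8883"
    exposed: true
    containerPort: 8883
    keystoreSecretName: "secrets-from-vault"
    keystoreSecretKey: "keystore"
    keystorePasswordSecretName: "secrets-from-vault"
    keystorePasswordSecretKey: "keystore.password"
    truststoreSecretName: "secrets-from-vault"
    truststoreSecretKey: "truststore"
    truststorePasswordSecretName: "secrets-from-vault"
    truststorePasswordSecretKey: "truststore-password"
    tlsClientAuthenticationMode: "REQUIRED"'

# Print one "<parameter>=<key>" line for every *SecretKey entry in a values
# fragment (quotes around the value are optional).
referenced_keys() {
  printf '%s\n' "$1" | sed -n \
    's/^[[:space:]]*\([A-Za-z]*SecretKey\):[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1=\2/p'
}

# Return 0 when every referenced key is present in the Secret ($2 is the
# newline-separated key list); otherwise print the offending
# "<parameter>=<key>" lines and return 1.
check_listener_refs() {
  missing=$(referenced_keys "$1" | while IFS= read -r ref; do
      key=${ref#*=}
      printf '%s\n' "$2" | grep -qxF -- "$key" || printf '%s\n' "$ref"
    done)
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
  return 0
}

# Run the check on the constructed sample; the mismatch above is reported.
if check_listener_refs "$VALUES" "$SECRET_KEYS"; then
  echo "all listener secret keys are present in the synced Secret"
else
  echo "fix the *SecretKey entries above before running helm install" >&2
fi
```

For a real cluster, replace the two constructed inputs with the output of the kubectl command in the comment and the services section of your-values.yaml; the sed pattern only looks at lines of the form `<name>SecretKey: <value>`, so secret names (the *SecretName entries) are not checked by this script.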
