External Secrets from Hashicorp Vault | HiveMQ Platform Operator (new)

Owned by Daria Samkova, created
Last updated: Sept 03, 2024
3 min read

This article explains how to fetch secrets from an external Hashicorp Vault and put them into Kubernetes secrets required for the HiveMQ Platform, such as license, keystore, and truststore.

 Instructions

First, ensure you have the VAULT_ADDR and VAULT_TOKEN from the external vault at hand.

Next, put your secrets in the vault. In this article, we store files in the vault encoded with base64.

The files (license, keystore, truststore):

$ ls -1 /tmp broker-keystore.jks broker-truststore.jks hivemq.lic

The files from the /tmp directory we put to the vault:

vault secrets enable -path=hivemq-mqtt/obc-poc kv-v2 cd /tmp vault kv put hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-keystore keystore=\"\$(base64 -w 0 < broker-keystore.jks)\" \ keystore.password=changeme keystore.passphrase=changeme vault kv put hivemq-mqtt/obc-poc/opt/hivemq/conf/broker-truststore truststore=\"\$(base64 -w 0 < broker-truststore.jks)\" \ truststore.password=changeme vault kv put hivemq-mqtt/obc-poc/opt/hivemq/license \"latest=\$(base64 -w 0 hivemq.lic)\" vault auth enable kubernetes vault write auth/kubernetes/config \"kubernetes_host=https://\${KUBERNETES_PORT_443_TCP_ADDR}:443\" vault policy write hivemq - <<EOF path \"hivemq-mqtt/obc-poc/data/opt/hivemq/license\" { capabilities = [\"read\"] } path \"hivemq-mqtt/obc-poc/data/opt/hivemq/conf\" { capabilities = [\"read\"] } EOF

Install External Secrets Kubernetes Operator

  1. Add the repo to the Helm:

    helm repo add external-secrets https://charts.external-secrets.io

  2. Install external-secrets/external-secrets in the same namespace as HiveMQ Platform.

  3. Create the secret required for the external-secrets to access the external vault. The secret should contain the VAULT_TOKEN. In our article, the token is root

    OR

     

  4. Create the Secret Store required for the external-secrets to access the external vault. The definition should contain the vault URL and reference to the secret with the token, and also the path (path in the kv-2 engine in the external vault from which the token is allowed to read)

    Now the external-secrets should be able to access the external vault successfully

  5. Create an external-secret that will fetch the keystore from the external vault and put it to the Kubernetes secret hivemq-keystore-v, key keystore.

     

  6. Apply the rest of the external secrets manifests in the same fashion:







  7. If everything works, the following Kubernetes Secrets will be created automatically:

Install HiveMQ Platform

  1. Now, update the HiveMQ Platform values.yaml and configure that license, keystore, trustore, and their passwords are taken from relevant secrets.
    Specify that the license should be taken from the secret hivemq-license-v

    Specify that the keystore should be taken from the secret hivemq-keystore-v

    Example HiveMQ Platform values.yaml:

  2. Install the HiveMQ Platform Operator and HiveMQ Platform

     

  3. Check the HiveMQ broker stateful set logs to make sure the license, keystore and trustore are applied correctly.

 Related articles