add mosquitto
This commit is contained in:
parent
21066aa4df
commit
2cd767e8e4
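--- /dev/null
+++ b/mosquitto/cert-issuer.yaml
@@ -0,0 +1,50 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: mosquitto
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mosquitto-ca
+  namespace: mosquitto
+spec:
+  isCA: true
+  commonName: mosquitto
+  secretName: mosquitto-mtls-root-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: mosquitto-mtls-issuer
+  namespace: mosquitto
+spec:
+  ca:
+    secretName: mosquitto-mtls-root-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mosquitto-mtls-write-user
+  namespace: mosquitto
+spec:
+  isCA: false
+  commonName: mosquitto-mtls-write-user
+  secretName: mosquitto-mtls-write-user
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: mosquitto-mtls-issuer
+    kind: Issuer
+    group: cert-manager.io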
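Review bot: No server certificate is issued in this file — the only secrets it produces are the CA (`mosquitto-mtls-root-ca`) and the client cert, and sts.yaml mounts the CA secret itself as the broker's certfile/keyfile, so the broker presents a CA certificate with CN `mosquitto` and no SANs (which is why test.sh has to pass `--insecure`). Issue a separate leaf Certificate from `mosquitto-mtls-issuer` with `server auth` usage and the Service name and LoadBalancer IP as SANs, and mount that secret in the StatefulSet instead; cert-manager's CA issuer writes `ca.crt` next to `tls.crt`/`tls.key`, so the paths in mosquitto.conf should not need to change. The client Certificate would similarly benefit from an explicit `usages` list including `client auth`. Neither Certificate sets `duration`/`renewBefore`, so both get cert-manager's defaults; decide the CA lifetime explicitly, since renewing the CA can invalidate client certs chained to it depending on the key rotation policy — confirm against your cert-manager version.
```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mosquitto-server
  namespace: mosquitto
spec:
  isCA: false
  commonName: mosquitto
  dnsNames:
    - mosquitto
    - mosquitto.mosquitto.svc
  ipAddresses:
    - 172.16.17.83
  usages:
    - digital signature
    - key encipherment
    - server auth
  secretName: mosquitto-mtls-server
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: mosquitto-mtls-issuer
    kind: Issuer
    group: cert-manager.io
```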
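--- /dev/null
+++ b/mosquitto/cm.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-config
+  namespace: mosquitto
+data:
+  mosquitto.conf: |
+    persistence true
+    persistence_location /mosquitto/data/
+    log_dest stdout
+    log_timestamp_format %Y-%m-%dT%H:%M:%S
+    connection_messages true
+    per_listener_settings true
+
+    listener 1883
+    allow_anonymous false
+    password_file /mosquitto/passwords/mosquitto.passwd
+    protocol mqtt
+    listener 9001
+    protocol websockets
+    allow_anonymous false
+    http_dir /http
+    certfile /mosquitto/tls/tls.crt
+    keyfile /mosquitto/tls/tls.key
+    cafile /mosquitto/tls/ca.crt
+    require_certificate true
+    use_identity_as_username true
+    listener 8883
+    allow_anonymous false
+    certfile /mosquitto/tls/tls.crt
+    keyfile /mosquitto/tls/tls.key
+    cafile /mosquitto/tls/ca.crt
+    require_certificate true
+    use_identity_as_username true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-http-dir
+  namespace: mosquitto
+data:
+  health: |
+    {"healthy": true}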
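Review bot: There is no `acl_file` anywhere in mosquitto.conf, so every authenticated identity — password users on 1883 and any certificate CN accepted on 8883/9001 — can publish and subscribe to every topic; the client cert is named `mosquitto-mtls-write-user`, which suggests narrower access was intended. Add an ACL file to this ConfigMap and reference it with `acl_file /mosquitto/config/acl`; because `per_listener_settings true` is set, the directive has to be repeated under each listener. The 1883 listener also performs password authentication over plaintext and svc.yaml publishes it on the LoadBalancer IP, so either drop it or keep it for in-cluster use only. Whether the `#` wildcard below matches your topic layout is something to confirm.
```yaml
data:
  mosquitto.conf: |
    # … unchanged: global settings …
    listener 1883
    allow_anonymous false
    password_file /mosquitto/passwords/mosquitto.passwd
    acl_file /mosquitto/config/acl
    # … unchanged: 9001 and 8883 listeners, each also gets acl_file …
  acl: |
    # username comes from the client certificate CN (use_identity_as_username)
    user mosquitto-mtls-write-user
    topic write #
```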
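--- /dev/null
+++ b/mosquitto/extract-mtls-ca.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["ca.crt"])"'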
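Review bot: `kubectl get secret` here carries no `-n mosquitto`, so the script reads `mosquitto-mtls-write-user` from whatever namespace the current context defaults to, while every resource in this commit lives in `mosquitto`. Because test.sh consumes the output blindly, a wrong context yields an empty or foreign CA file rather than an error. Use `kubectl -n mosquitto get secret mosquitto-mtls-write-user -o json | …` (the same applies to the other two extract scripts) and have the caller check the exit status so a failed lookup does not silently produce an empty PEM.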
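--- /dev/null
+++ b/mosquitto/extract-mtls-cert.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["tls.crt"])\(.["tls.key"])"'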
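Review bot: This "cert" helper prints `tls.key` after `tls.crt`, so any file that stores its output as a certificate also contains the private key — test.sh writes it to `$TEST-user.crt` and passes that as `--cert` even though the key is already supplied separately via `--key`. Print only the certificate here, `jq -r '.data | @base64d "\(.["tls.crt"])"'`, and assemble the combined PEM in test.sh where it is actually wanted; that way the `--cert` file can be handed to anyone who needs to trust the client without leaking the key.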
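--- /dev/null
+++ b/mosquitto/extract-mtls-key.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["tls.key"])"'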
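--- /dev/null
+++ b/mosquitto/ns.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: gitea
+    wildcard-tls.kn8v.com/copy: "true"
+  name: mosquitto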
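Review bot: The label `kubernetes.io/metadata.name: gitea` on a namespace named `mosquitto` looks like a copy-paste from the gitea namespace; the API server manages that label and sets it to the namespace's own name, so the value is at best ignored and at worst misleads anyone reading the manifest or writing selectors against it — drop the line. `wildcard-tls.kn8v.com/copy: "true"` appears to opt this namespace into receiving a copied wildcard TLS secret, but nothing in this commit mounts such a secret (the StatefulSet uses `mosquitto-mtls-root-ca`), so unless something outside this change needs it, remove that label too rather than distributing a wildcard key into a namespace that does not use it.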
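--- /dev/null
+++ b/mosquitto/sts.yaml
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    mosquitto: server
+    app: mosquitto
+  annotations:
+    "reloader.stakater.com/auto": "true"
+  name: mosquitto
+  namespace: mosquitto
+spec:
+  podManagementPolicy: OrderedReady
+  replicas: 1
+  selector:
+    matchLabels:
+      mosquitto: server
+      app: mosquitto
+  serviceName: mosquitto
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        mosquitto: server
+        app: mosquitto
+    spec:
+      initContainers:
+        - name: populate-users
+          image: eclipse-mosquitto
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              cd /users || exit 0
+              echo "creating users"
+              touch /mosquitto/passwords/mosquitto.passwd
+              for f in *;do
+                echo "$f"
+                mosquitto_passwd -b /mosquitto/passwords/mosquitto.passwd "$f" "$(cat "$f")"
+              done
+          volumeMounts:
+            - mountPath: /mosquitto/passwords
+              name: passwords
+            - mountPath: /users
+              name: users
+      containers:
+        - name: mosquitto
+          image: eclipse-mosquitto
+          command:
+            - /usr/sbin/mosquitto
+          args:
+            - -c
+            - /mosquitto/config/mosquitto.conf
+          livenessProbe:
+            tcpSocket:
+              port: 1883
+          readinessProbe:
+            tcpSocket:
+              port: 1883
+          ports:
+            - containerPort: 1883
+              protocol: TCP
+              name: ssh
+            - containerPort: 9001
+              protocol: TCP
+              name: http
+          volumeMounts:
+            - mountPath: /mosquitto/data
+              name: mosquitto-data
+            - mountPath: /mosquitto/config
+              name: mosquitto-config
+            - mountPath: /mosquitto/passwords
+              name: passwords
+            - mountPath: /mosquitto/tls
+              name: tls
+            - mountPath: /http
+              name: mosquitto-http-dir
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - name: mosquitto-config
+          configMap:
+            name: mosquitto-config
+        - name: mosquitto-http-dir
+          configMap:
+            name: mosquitto-http-dir
+        - name: passwords
+          emptyDir:
+            sizeLimit: 50Mi
+        - name: users
+          secret:
+            secretName: mosquitto-users
+            optional: true
+        - name: tls
+          secret:
+            secretName: mosquitto-mtls-root-ca
+            optional: false
+  volumeClaimTemplates:
+    - metadata:
+        name: mosquitto-data
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        storageClassName: local-path
+        resources:
+          requests:
+            storage: 5Gi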
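Review bot: The `tls` volume mounts `mosquitto-mtls-root-ca`, the secret holding the CA's private key, and mosquitto.conf uses its `tls.crt`/`tls.key` as the broker's certfile/keyfile — so the key that signs client certificates lives inside the broker pod, and anyone who compromises the broker or can read that secret can mint arbitrary client identities. Point the volume at a leaf server certificate issued from `mosquitto-mtls-issuer` (the CA issuer's secret also carries `ca.crt`, so the conf paths stay valid) and keep the CA secret out of the pod, e.g. `secretName: mosquitto-mtls-server`. In the init script, `for f in *` with no matching files expands to the literal `*` under `/bin/sh`, so an empty or absent `mosquitto-users` secret would run mosquitto_passwd for a user literally named `*` with an empty password; guard the loop body with `[ -f "$f" ] || continue`. `image: eclipse-mosquitto` is unpinned in both containers — pin a tag or digest. The port named `ssh` on 1883 is mislabelled and should be `mqtt`.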
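--- /dev/null
+++ b/mosquitto/svc.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    mosquitto: server
+    app: mosquitto
+  name: mosquitto
+  namespace: mosquitto
+  annotations:
+    metallb.universe.tf/allow-shared-ip: 172.16.17.83
+    metallb.universe.tf/loadBalancerIPs: 172.16.17.83
+spec:
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - port: 1883
+      name: mqtt
+      protocol: TCP
+      targetPort: 1883
+    - port: 8883
+      name: mqtts
+      protocol: TCP
+      targetPort: 8883
+    - port: 9001
+      name: http
+      protocol: TCP
+      targetPort: 9001
+  selector:
+    mosquitto: server
+    app: mosquitto
+  type: LoadBalancer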
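Review bot: Port 1883 is published on the MetalLB address alongside the TLS listeners, and in cm.yaml that listener authenticates with a password file over plaintext, so user credentials and every message on it cross the network unencrypted. If plaintext MQTT is only needed by in-cluster clients, move the 1883 port to a separate ClusterIP Service and leave only `mqtts` and the TLS websockets port on the LoadBalancer; otherwise record why it must be reachable externally. The port named `http` on 9001 is in fact a TLS websockets listener (`certfile` and `require_certificate` are set on it in cm.yaml), so a name like `wss` would describe it better.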
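--- /dev/null
+++ b/mosquitto/test.sh
@@ -0,0 +1,16 @@
+TEST=test-$(date +%s)-$RANDOM
+
+./extract-mtls-ca.sh > $TEST-ca.pem
+./extract-mtls-cert.sh > $TEST-user.crt
+./extract-mtls-key.sh > $TEST-user.key
+./extract-mtls-ca.sh > $TEST-user.pem
+./extract-mtls-cert.sh >> $TEST-user.pem
+./extract-mtls-key.sh >> $TEST-user.pem
+
+eval "$(kubectl get secret -o json mosquitto-users | jq -r '.data|to_entries[0] | @sh "USERNAME=\(.key)\nPASSWORD=\(@base64d "\(.value)")\n"')"
+
+mosquitto_pub -h 172.16.17.83 -p 1883 -u "$USERNAME" -P "$PASSWORD" -t tests/1 -m success
+mosquitto_pub --insecure -L mqtts://172.16.17.83:8883/tests/2 -m success --cert $TEST-user.crt --key $TEST-user.key --keyform pem --cafile $TEST-ca.pem
+mosquitto_pub --insecure -L mqtts://172.16.17.83:8883/tests/3 -m success -u "$USERNAME" -P "$PASSWORD"
+
+rm $TEST-*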
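Review bot: The script writes the client private key to `$TEST-user.key` and `$TEST-user.pem` in the current directory under the default umask and only deletes them on the last line, so any earlier failure leaves key material behind; set `umask 077`, put the files in a `mktemp -d` directory and remove it from an EXIT trap. `--insecure` turns off hostname verification on both TLS tests, which only works around the broker presenting the CA certificate (CN `mosquitto`, no SANs) as its server cert — once a real server cert exists, drop the flag so the test actually exercises verification. The third publish sends a username/password to 8883 without a client certificate, but that listener has `require_certificate true` in cm.yaml, so it looks like it should be refused; either add `--cert`/`--key` or assert that it fails. The file also has no shebang and no `set -e`, so a failed `mosquitto_pub` still exits 0.
```shell
#!/bin/sh
set -e
umask 077
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
TEST=$tmp/test-$(date +%s)-$RANDOM
# … unchanged: extract helpers, credential lookup, mosquitto_pub calls (without --insecure); the final rm is replaced by the trap …
```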