add mosquitto
This commit is contained in:
parent
21066aa4df
commit
2cd767e8e4
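--- /dev/null
+++ b/mosquitto/cert-issuer.yaml
@@ -0,0 +1,50 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: mosquitto
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mosquitto-ca
+  namespace: mosquitto
+spec:
+  isCA: true
+  commonName: mosquitto
+  secretName: mosquitto-mtls-root-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: mosquitto-mtls-issuer
+  namespace: mosquitto
+spec:
+  ca:
+    secretName: mosquitto-mtls-root-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mosquitto-mtls-write-user
+  namespace: mosquitto
+spec:
+  isCA: false
+  commonName: mosquitto-mtls-write-user
+  secretName: mosquitto-mtls-write-user
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: mosquitto-mtls-issuer
+    kind: Issuer
+    group: cert-manager.io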
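Review bot: The only certificate the broker serves is the CA itself: `mosquitto-ca` writes to `mosquitto-mtls-root-ca`, sts.yaml mounts that same secret as the `tls` volume at `/mosquitto/tls`, and cm.yaml points `certfile`/`keyfile` at it, so the CA private key that signs every client certificate sits inside the broker pod, and the served certificate has no `dnsNames`/`ipAddresses` (which is presumably why test.sh needs `--insecure`). Issue a separate leaf server certificate from `mosquitto-mtls-issuer` with the service's SANs and `server auth` usage, mount its secret as the `tls` volume instead, and keep `mosquitto-mtls-root-ca` out of the pod; the chain still reaches the broker through the leaf secret's `ca.crt`. `mosquitto-mtls-write-user` could likewise restrict `usages` to `client auth`. Neither Certificate sets `duration`/`renewBefore`, so cert-manager's default lifetime applies silently — state the intended rotation explicitly.
```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mosquitto-server
  namespace: mosquitto
spec:
  isCA: false
  commonName: mosquitto
  dnsNames:
    - mosquitto.mosquitto.svc
  ipAddresses:
    - 172.16.17.83
  usages:
    - server auth
  secretName: mosquitto-server-tls
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: mosquitto-mtls-issuer
    kind: Issuer
    group: cert-manager.io
```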
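--- /dev/null
+++ b/mosquitto/cm.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-config
+  namespace: mosquitto
+data:
+  mosquitto.conf: |
+    persistence true
+    persistence_location /mosquitto/data/
+    log_dest stdout
+    log_timestamp_format %Y-%m-%dT%H:%M:%S
+    connection_messages true
+    per_listener_settings true
+
+    listener 1883
+    allow_anonymous false
+    password_file /mosquitto/passwords/mosquitto.passwd
+    protocol mqtt
+    listener 9001
+    protocol websockets
+    allow_anonymous false
+    http_dir /http
+    certfile /mosquitto/tls/tls.crt
+    keyfile /mosquitto/tls/tls.key
+    cafile /mosquitto/tls/ca.crt
+    require_certificate true
+    use_identity_as_username true
+    listener 8883
+    allow_anonymous false
+    certfile /mosquitto/tls/tls.crt
+    keyfile /mosquitto/tls/tls.key
+    cafile /mosquitto/tls/ca.crt
+    require_certificate true
+    use_identity_as_username true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-http-dir
+  namespace: mosquitto
+data:
+  health: |
+    {"healthy": true}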
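Review bot: Listeners 9001 and 8883 set `use_identity_as_username true` but no listener has an `acl_file`, so any certificate issued by `mosquitto-mtls-issuer` — including the one named `mosquitto-mtls-write-user` — and any password user on 1883 can publish and subscribe to every topic; add `acl_file <path under /mosquitto/config>` (placeholder) per listener with `user`/`topic` rules so issued identities are authorized, not merely authenticated. Because `per_listener_settings true` scopes `password_file` to listener 1883, the TLS listeners accept client certificates only; if `-u/-P` logins over 8883 are intended (test.sh attempts one), that listener needs its own `password_file` and `require_certificate false`, otherwise that test case should be expected to fail. Listener 1883 carries the password-file credentials in plaintext and svc.yaml publishes it on the LoadBalancer; consider keeping it cluster-internal.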
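--- /dev/null
+++ b/mosquitto/extract-mtls-ca.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["ca.crt"])"'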
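Review bot: `kubectl get secret mosquitto-mtls-write-user` passes no `-n mosquitto`, so the lookup depends on the current kubeconfig context's namespace and fails, or reads a same-named secret elsewhere, from any other context; change the line to `kubectl get secret -n mosquitto mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["ca.crt"])"'`. The same applies to extract-mtls-cert.sh, extract-mtls-key.sh and the `mosquitto-users` lookup in test.sh. None of the scripts set `set -eu`, so a failed kubectl call still exits with jq's status and leaves the caller with an empty output file.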
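--- /dev/null
+++ b/mosquitto/extract-mtls-cert.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["tls.crt"])\(.["tls.key"])"'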
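Review bot: The jq expression also decodes `tls.key`, so a script named extract-mtls-cert.sh emits the private key directly after the certificate; test.sh then writes that key into `$TEST-user.crt`, a file it passes as `--cert`, and appends the key a second time into the pem bundle. Keep this script to the certificate, `jq -r '.data | @base64d "\(.["tls.crt"])"'`, and leave key material to extract-mtls-key.sh.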
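--- /dev/null
+++ b/mosquitto/extract-mtls-key.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["tls.key"])"'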
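--- /dev/null
+++ b/mosquitto/ns.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: gitea
+    wildcard-tls.kn8v.com/copy: "true"
+  name: mosquitto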
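Review bot: The label `kubernetes.io/metadata.name: gitea` does not match the namespace `name: mosquitto`; the API server manages this label and sets it to the namespace's own name, so the value here is at best overwritten and at worst misleading to anyone reading the manifest for policy selectors that key on it. Either drop the line or set `kubernetes.io/metadata.name: mosquitto`.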
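--- /dev/null
+++ b/mosquitto/sts.yaml
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    mosquitto: server
+    app: mosquitto
+  annotations:
+    "reloader.stakater.com/auto": "true"
+  name: mosquitto
+  namespace: mosquitto
+spec:
+  podManagementPolicy: OrderedReady
+  replicas: 1
+  selector:
+    matchLabels:
+      mosquitto: server
+      app: mosquitto
+  serviceName: mosquitto
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        mosquitto: server
+        app: mosquitto
+    spec:
+      initContainers:
+        - name: populate-users
+          image: eclipse-mosquitto
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              cd /users || exit 0
+              echo "creating users"
+              touch /mosquitto/passwords/mosquitto.passwd
+              for f in *;do
+                echo "$f"
+                mosquitto_passwd -b /mosquitto/passwords/mosquitto.passwd "$f" "$(cat "$f")"
+              done
+          volumeMounts:
+            - mountPath: /mosquitto/passwords
+              name: passwords
+            - mountPath: /users
+              name: users
+      containers:
+        - name: mosquitto
+          image: eclipse-mosquitto
+          command:
+            - /usr/sbin/mosquitto
+          args:
+            - -c
+            - /mosquitto/config/mosquitto.conf
+          livenessProbe:
+            tcpSocket:
+              port: 1883
+          readinessProbe:
+            tcpSocket:
+              port: 1883
+          ports:
+            - containerPort: 1883
+              protocol: TCP
+              name: ssh
+            - containerPort: 9001
+              protocol: TCP
+              name: http
+          volumeMounts:
+            - mountPath: /mosquitto/data
+              name: mosquitto-data
+            - mountPath: /mosquitto/config
+              name: mosquitto-config
+            - mountPath: /mosquitto/passwords
+              name: passwords
+            - mountPath: /mosquitto/tls
+              name: tls
+            - mountPath: /http
+              name: mosquitto-http-dir
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - name: mosquitto-config
+          configMap:
+            name: mosquitto-config
+        - name: mosquitto-http-dir
+          configMap:
+            name: mosquitto-http-dir
+        - name: passwords
+          emptyDir:
+            sizeLimit: 50Mi
+        - name: users
+          secret:
+            secretName: mosquitto-users
+            optional: true
+        - name: tls
+          secret:
+            secretName: mosquitto-mtls-root-ca
+            optional: false
+  volumeClaimTemplates:
+    - metadata:
+        name: mosquitto-data
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        storageClassName: local-path
+        resources:
+          requests:
+            storage: 5Gi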
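Review bot: Both the `populate-users` init container and the broker container use `image: eclipse-mosquitto` with no tag or digest, so every rollout pulls whatever the default tag currently resolves to; pin both lines, e.g. `image: eclipse-mosquitto:<pinned version>@sha256:<digest>` (placeholder values). Neither container sets a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, dropped capabilities) or resource limits; the upstream image is documented to run unprivileged, but confirm against the pinned version before adding `readOnlyRootFilesystem`, since the passwords and data paths are separate mounts. The first containerPort is `name: ssh` for 1883, presumably a copy-paste slip — `name: mqtt` — and 8883, which svc.yaml targets, is not declared as a containerPort at all (declarations are informational, so traffic still arrives, but the manifest misreads).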
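--- /dev/null
+++ b/mosquitto/svc.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    mosquitto: server
+    app: mosquitto
+  name: mosquitto
+  namespace: mosquitto
+  annotations:
+    metallb.universe.tf/allow-shared-ip: 172.16.17.83
+    metallb.universe.tf/loadBalancerIPs: 172.16.17.83
+spec:
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+    - port: 1883
+      name: mqtt
+      protocol: TCP
+      targetPort: 1883
+    - port: 8883
+      name: mqtts
+      protocol: TCP
+      targetPort: 8883
+    - port: 9001
+      name: http
+      protocol: TCP
+      targetPort: 9001
+  selector:
+    mosquitto: server
+    app: mosquitto
+  type: LoadBalancer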
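Review bot: Port 1883 is the plaintext MQTT listener that, per cm.yaml, authenticates with `password_file` credentials, and this Service publishes it on LoadBalancer IP 172.16.17.83 alongside the mTLS ports, so usernames, passwords and payloads cross the network unencrypted; drop the 1883 entry from this LoadBalancer (or move it to a separate ClusterIP Service for in-cluster clients) and point external clients at 8883. Port 9001 is named `http` here and in sts.yaml, yet cm.yaml configures it as an mTLS websockets listener; `name: mqtt-ws` would describe it accurately.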
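--- /dev/null
+++ b/mosquitto/test.sh
@@ -0,0 +1,16 @@
+TEST=test-$(date +%s)-$RANDOM
+
+./extract-mtls-ca.sh > $TEST-ca.pem
+./extract-mtls-cert.sh > $TEST-user.crt
+./extract-mtls-key.sh > $TEST-user.key
+./extract-mtls-ca.sh > $TEST-user.pem
+./extract-mtls-cert.sh >> $TEST-user.pem
+./extract-mtls-key.sh >> $TEST-user.pem
+
+eval "$(kubectl get secret -o json mosquitto-users | jq -r '.data|to_entries[0] | @sh "USERNAME=\(.key)\nPASSWORD=\(@base64d "\(.value)")\n"')"
+
+mosquitto_pub -h 172.16.17.83 -p 1883 -u "$USERNAME" -P "$PASSWORD" -t tests/1 -m success
+mosquitto_pub --insecure -L mqtts://172.16.17.83:8883/tests/2 -m success --cert $TEST-user.crt --key $TEST-user.key --keyform pem --cafile $TEST-ca.pem
+mosquitto_pub --insecure -L mqtts://172.16.17.83:8883/tests/3 -m success -u "$USERNAME" -P "$PASSWORD"
+
+rm $TEST-*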
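Review bot: The private key written to `$TEST-user.key` and `$TEST-user.pem` is created with the caller's default umask in the current directory, and the trailing `rm $TEST-*` only runs if every earlier command succeeds, so a failed publish leaves key material behind; set a restrictive umask, work in a `mktemp -d` directory and remove it from an `EXIT` trap. The file has no shebang and `$RANDOM` is not defined by POSIX sh, so under a plain `sh` it expands empty; `mktemp` removes the need for it. `--insecure` on both mqtts lines disables hostname verification and should go once the broker serves a certificate with SANs rather than the CA certificate (see cert-issuer.yaml).
```sh
#!/bin/sh
set -eu
umask 077
WORK=$(mktemp -d)
TEST=$WORK/test
trap 'rm -rf "$WORK"' EXIT
# … unchanged: extract-mtls-*.sh calls, credential eval, mosquitto_pub calls; the final rm is dropped …
```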