add mosquitto

2023-07-24 14:13:50 -05:00 · 2023-07-24 14:13:50 -05:00 · 2cd767e8e4
commit 2cd767e8e4
parent 21066aa4df
9 changed files with 264 additions and 0 deletions
--- a/mosquitto/cert-issuer.yaml
+++ b/mosquitto/cert-issuer.yaml
@ -0,0 +1,50 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: mosquitto
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mosquitto-ca
+  namespace: mosquitto
+spec:
+  isCA: true
+  commonName: mosquitto
+  secretName: mosquitto-mtls-root-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: mosquitto-mtls-issuer
+  namespace: mosquitto
+spec:
+  ca:
+    secretName: mosquitto-mtls-root-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mosquitto-mtls-write-user
+  namespace: mosquitto
+spec:
+  isCA: false
+  commonName: mosquitto-mtls-write-user
+  secretName: mosquitto-mtls-write-user
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: mosquitto-mtls-issuer
+    kind: Issuer
+    group: cert-manager.io
--- a/mosquitto/cm.yaml
+++ b/mosquitto/cm.yaml
@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-config
+  namespace: mosquitto
+data:
+  mosquitto.conf: |
+    persistence true
+    persistence_location /mosquitto/data/
+    log_dest stdout
+    log_timestamp_format %Y-%m-%dT%H:%M:%S
+    connection_messages true
+    per_listener_settings true
+
+    listener 1883
+    allow_anonymous false
+    password_file /mosquitto/passwords/mosquitto.passwd
+    protocol mqtt
+    listener 9001
+    protocol websockets
+    allow_anonymous false
+    http_dir /http
+    certfile /mosquitto/tls/tls.crt
+    keyfile /mosquitto/tls/tls.key
+    cafile  /mosquitto/tls/ca.crt
+    require_certificate true
+    use_identity_as_username true
+    listener 8883
+    allow_anonymous false
+    certfile /mosquitto/tls/tls.crt
+    keyfile /mosquitto/tls/tls.key
+    cafile  /mosquitto/tls/ca.crt
+    require_certificate true
+    use_identity_as_username true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mosquitto-http-dir
+  namespace: mosquitto
+data:
+  health: |
+    {"healthy": true}
--- a/mosquitto/extract-mtls-ca.sh
+++ b/mosquitto/extract-mtls-ca.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["ca.crt"])"'
--- a/mosquitto/extract-mtls-cert.sh
+++ b/mosquitto/extract-mtls-cert.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["tls.crt"])\(.["tls.key"])"'
--- a/mosquitto/extract-mtls-key.sh
+++ b/mosquitto/extract-mtls-key.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl get secret mosquitto-mtls-write-user -o json | jq -r '.data | @base64d "\(.["tls.key"])"'
--- a/mosquitto/ns.yaml
+++ b/mosquitto/ns.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: gitea
+    wildcard-tls.kn8v.com/copy: "true"
+  name: mosquitto
--- a/mosquitto/sts.yaml
+++ b/mosquitto/sts.yaml
@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    mosquitto: server
+    app: mosquitto
+  annotations:
+    "reloader.stakater.com/auto": "true"
+  name: mosquitto
+  namespace: mosquitto
+spec:
+  podManagementPolicy: OrderedReady
+  replicas: 1
+  selector:
+    matchLabels:
+      mosquitto: server
+      app: mosquitto
+  serviceName: mosquitto
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        mosquitto: server
+        app: mosquitto
+    spec:
+      initContainers:
+      - name: populate-users
+        image: eclipse-mosquitto
+        command:
+        - /bin/sh
+        - -c
+        args:
+        - |
+          cd /users || exit 0
+          echo "creating users"
+          touch /mosquitto/passwords/mosquitto.passwd
+          for f in *;do
+            echo "$f"
+            mosquitto_passwd -b /mosquitto/passwords/mosquitto.passwd "$f" "$(cat "$f")"
+          done
+        volumeMounts:
+        - mountPath: /mosquitto/passwords
+          name: passwords
+        - mountPath: /users
+          name: users
+      containers:
+      - name: mosquitto
+        image: eclipse-mosquitto
+        command:
+        - /usr/sbin/mosquitto
+        args:
+        - -c
+        - /mosquitto/config/mosquitto.conf
+        livenessProbe:
+          tcpSocket:
+            port: 1883
+        readinessProbe:
+          tcpSocket:
+            port: 1883
+        ports:
+        - containerPort: 1883
+          protocol: TCP
+          name: ssh
+        - containerPort: 9001
+          protocol: TCP
+          name: http
+        volumeMounts:
+        - mountPath: /mosquitto/data
+          name: mosquitto-data
+        - mountPath: /mosquitto/config
+          name: mosquitto-config
+        - mountPath: /mosquitto/passwords
+          name: passwords
+        - mountPath: /mosquitto/tls
+          name: tls
+        - mountPath: /http
+          name: mosquitto-http-dir
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      volumes:
+        - name: mosquitto-config
+          configMap:
+            name: mosquitto-config
+        - name: mosquitto-http-dir
+          configMap:
+            name: mosquitto-http-dir
+        - name: passwords
+          emptyDir:
+            sizeLimit: 50Mi
+        - name: users
+          secret:
+            secretName: mosquitto-users
+            optional: true
+        - name: tls
+          secret:
+            secretName: mosquitto-mtls-root-ca
+            optional: false
+  volumeClaimTemplates:
+  - metadata:
+      name: mosquitto-data
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      storageClassName: local-path
+      resources:
+        requests:
+          storage: 5Gi
--- a/mosquitto/svc.yaml
+++ b/mosquitto/svc.yaml
@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    mosquitto: server
+    app: mosquitto
+  name: mosquitto
+  namespace: mosquitto
+  annotations:
+    metallb.universe.tf/allow-shared-ip: 172.16.17.83
+    metallb.universe.tf/loadBalancerIPs: 172.16.17.83
+spec:
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - port: 1883
+    name: mqtt
+    protocol: TCP
+    targetPort: 1883
+  - port: 8883
+    name: mqtts
+    protocol: TCP
+    targetPort: 8883
+  - port: 9001
+    name: http
+    protocol: TCP
+    targetPort: 9001
+  selector:
+    mosquitto: server
+    app: mosquitto
+  type: LoadBalancer
--- a/mosquitto/test.sh
+++ b/mosquitto/test.sh
@ -0,0 +1,16 @@
+TEST=test-$(date +%s)-$RANDOM
+
+./extract-mtls-ca.sh > $TEST-ca.pem
+./extract-mtls-cert.sh > $TEST-user.crt
+./extract-mtls-key.sh > $TEST-user.key
+./extract-mtls-ca.sh > $TEST-user.pem
+./extract-mtls-cert.sh >> $TEST-user.pem
+./extract-mtls-key.sh >> $TEST-user.pem
+
+eval "$(kubectl get secret -o json mosquitto-users | jq -r '.data|to_entries[0] | @sh "USERNAME=\(.key)\nPASSWORD=\(@base64d "\(.value)")\n"')"
+
+mosquitto_pub -h 172.16.17.83 -p 1883 -u "$USERNAME" -P "$PASSWORD" -t tests/1 -m success
+mosquitto_pub --insecure -L mqtts://172.16.17.83:8883/tests/2 -m success --cert $TEST-user.crt --key $TEST-user.key --keyform pem --cafile $TEST-ca.pem
+mosquitto_pub --insecure -L mqtts://172.16.17.83:8883/tests/3 -m success -u "$USERNAME" -P "$PASSWORD"
+
+rm $TEST-*