fix(EMQX): 5.7.2, bootstrap user, no PVC, TLS

This commit is contained in:
JJGadgets
2024-08-22 13:41:31 +08:00
parent 37a9d7388b
commit 2017b85156
4 changed files with 58 additions and 184 deletions


@@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: emqx-operator
version: 2.2.22
version: 2.2.23
sourceRef:
name: emqx
kind: HelmRepository


@@ -3,63 +3,44 @@
apiVersion: apps.emqx.io/v2beta1
kind: EMQX
metadata:
name: emqx
name: &app emqx
namespace: emqx
spec:
image: public.ecr.aws/emqx/emqx:5.6.1
image: public.ecr.aws/emqx/emqx:5.7.2
config:
# the `$${env}` in the env var means Flux's Kustomize controller should escape the envsubst and output `${env}` exactly
data: |
authentication {
enable = true
backend = "ldap"
backend = "built_in_database"
mechanism = "password_based"
method {
type = bind
bind_password = "$${password}"
}
server = "glauth.emqx.svc.cluster.local.:636"
query_timeout = "10s"
username = "cn=search,ou=search,ou=users,dc=emqx,dc=io"
password = "file:///secrets/ldap-search.password"
pool_size = 1
base_dn = "cn=$${username},ou=emqx,ou=users,dc=emqx,dc=io"
filter = "(objectClass=*)"
ssl {
enable = true
server_name_indication = "emqx-glauth.${DNS_SHORT}"
password_hash_algorithm {
name = "bcrypt"
}
user_id_type = "username"
bootstrap_file = "/secrets/init-user.json"
bootstrap_type = "plain"
}
authorization {
no_match = "deny"
deny_action = "ignore"
sources = [{
enable = true
type = ldap
publish_attribute = "mqttPublishTopic"
subscribe_attribute = "mqttSubscriptionTopic"
all_attribute = "mqttPubSubTopic"
server = "glauth.emqx.svc.cluster.local.:636"
query_timeout = "10s"
username = "cn=search,ou=search,ou=users,dc=emqx,dc=io"
password = "file:///secrets/ldap-search.password"
pool_size = 1
base_dn = "cn=$${username},ou=emqx,ou=users,dc=emqx,dc=io"
filter = "(objectClass=*)"
ssl {
enable = true
server_name_indication = "emqx-glauth.${DNS_SHORT}"
}
type = "file"
path = "/secrets/acl.conf"
}]
no_match = "deny"
}
# listeners.ssl.default {
# bind = "0.0.0.0:8883"
# ssl_options {
# certfile = "/tls/cert.pem"
# keyfile = "/tls/key.pem"
# gc_after_handshake = true
# }
# }
listeners.ssl.default {
bind = "0.0.0.0:8883"
ssl_options {
certfile = "/tls/cert.pem"
keyfile = "/tls/key.pem"
gc_after_handshake = true
# no mTLS
verify = verify_none
fail_if_no_peer_cert = false
}
}
bootstrapAPIKeys:
- secretRef:
key:
@@ -70,16 +51,16 @@ spec:
secretKey: X_EMQX_APIKEY_SECRET
coreTemplate:
spec:
replicas: 3
replicas: 2
envFrom: &envFrom
- secretRef:
name: emqx-secrets
volumeClaimTemplates:
storageClassName: local
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 1Gi
#volumeClaimTemplates:
# storageClassName: local
# accessModes: [ReadWriteOnce]
# resources:
# requests:
# storage: 1Gi
extraVolumes:
- name: emqx-secrets
secret:
@@ -89,14 +70,29 @@ spec:
secretName: short-domain-tls
extraVolumeMounts:
- name: emqx-secrets
subPath: ldap-search.password
mountPath: /secrets/ldap-search.password
subPath: init-user.json
mountPath: /secrets/init-user.json
readOnly: true
- name: emqx-secrets
subPath: acl.conf
mountPath: /secrets/acl.conf
readOnly: true
- name: tls
subPath: tls.crt
mountPath: /tls/cert.pem
readOnly: true
- name: tls
subPath: tls.key
mountPath: /tls/key.pem
readOnly: true
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
apps.emqx.io/instance: *app
apps.emqx.io/db-role: core
listenersServiceTemplate:
metadata:
annotations:
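Review bot: The comment kept above `data: |` explaining that `$${env}` is an escaped envsubst placeholder no longer matches the HOCON under it — the `$${password}` and `$${username}` references left with the LDAP backend, and the new `authentication`, `authorization` and `listeners.ssl.default` stanzas contain no `$${` at all, so the note now sends a reader looking for an escape that does not exist. Drop it or reword it to `# use $${var} if a literal ${var} must survive Flux's envsubst; none are needed in this config`. Separately, `backend = "built_in_database"` together with `bootstrap_type = "plain"` and the now commented-out `volumeClaimTemplates` means the user database lives in pod-local storage and is rebuilt from `/secrets/init-user.json` on restart; that is presumably the intent, but a one-line why-comment next to the commented-out PVC (in the style of the existing `# no mTLS` line above `verify = verify_none`) would record that any user or ACL change made at runtime through the dashboard or API is not expected to persist. The `extraVolumeMounts` list and `coreTemplate` spec continue outside the last hunk.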


@@ -24,41 +24,13 @@ spec:
EMQX_DASHBOARD__DEFAULT_PASSWORD: "{{ .EMQX_DASHBOARD__DEFAULT_PASSWORD }}"
X_EMQX_APIKEY_KEY: "{{ .X_EMQX_APIKEY_KEY }}"
X_EMQX_APIKEY_SECRET: "{{ .X_EMQX_APIKEY_SECRET }}"
ldap-search.password: "{{ .GLAUTH_SEARCH_PASSWORD }}"
glauth.toml: |
debug = true
[ldap]
enabled = false
[ldaps]
enabled = true
listen = "0.0.0.0:6636"
cert = "/tls/tls.crt"
key = "/tls/tls.key"
[backend]
datastore = "config"
baseDN = "dc=emqx,dc=io"
nameformat = "cn"
groupformat = "ou"
[[users]]
name = "search"
uidnumber = 99991
primarygroup = 99991
passsha256 = "{{ .GLAUTH_SEARCH_PASSWORD_SHA256 }}"
[[users.capabilities]]
action = "search"
object = "*"
[[groups]]
name = "search"
gidnumber = 99991
[[users]]
name = "hass"
uidnumber = 99992
primarygroup = 99990
passsha256 = "{{ .GLAUTH_HASS_PASSWORD_SHA256 }}"
[[users.customattributes]]
mqttPublishTopic = ["homeassistant/pub/#", "zigbee2mqtt/pub/#"]
mqttSubscriptionTopic = ["homeassistant/sub/#", "zigbee2mqtt/sub/#"]
mqttPubSubTopic = ["homeassistant/pubsub/#", "zigbee2mqtt/pubsub/#"]
[[groups]]
name = "emqx"
gidnumber = 99990
init-user.json: |
[
{"user_id": "{{ .X_EMQX_MQTT_HASS_USERNAME }}", "password": "{{ .X_EMQX_MQTT_HASS_PASSWORD }}", "is_superuser": false}
]
acl.conf: |
%% Allow MQTT client using username "dashboard" to subscribe to "$SYS/#" topics
{allow, {user, "{{ .X_EMQX_MQTT_HASS_USERNAME }}"}, all, ["homeassistant/#", "hass/#", "zigbee2mqtt/#"]}.
%% Default Deny All
{reject, all}.
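Review bot: The first line of the new `acl.conf` value, `%% Allow MQTT client using username "dashboard" to subscribe to "$SYS/#" topics`, is the stock EMQX sample comment and does not describe the rule beneath it, which grants the `X_EMQX_MQTT_HASS_USERNAME` user both publish and subscribe (`all`) on `homeassistant/#`, `hass/#` and `zigbee2mqtt/#`. Replace it with a comment that states the actual grant, e.g. `%% Home Assistant MQTT user: publish and subscribe on its topic trees; all other clients fall through to the reject-all rule below`. Worth recording in that comment as well: this rule is broader than the removed glauth attributes, which split the same user across `.../pub/#`, `.../sub/#` and `.../pubsub/#` prefixes per direction, so the wider scope should be a deliberate choice rather than a side effect of the backend migration. If this Secret is also run through Flux's postBuild substitution, the bare `$SYS` in that comment line could be rewritten; harmless inside a `%%` comment, but one more reason to reword it.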


@@ -1,94 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: &app glauth
namespace: emqx
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 3.1.0
sourceRef:
name: bjw-s
kind: HelmRepository
namespace: flux-system
values:
controllers:
glauth:
type: deployment
replicas: 2
containers:
main:
image: &img
repository: docker.io/glauth/glauth
tag: v2.3.2@sha256:5112abbb2b5145dadb1a2fed57242ad3718e4af11062d0bb812b50cda6c708ab
command: ["/app/glauth", "-c", "/config"]
env: &env
TZ: "${CONFIG_TZ}"
securityContext: &sc
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: "10m"
limits:
memory: "128Mi"
probes:
liveness:
enabled: true
readiness:
enabled: true
service:
glauth:
controller: glauth
ports:
ldap-tcp:
port: 636
targetPort: 6636
protocol: TCP
ldap-udp:
port: 636
targetPort: 6636
protocol: UDP
persistence:
config:
type: secret
name: emqx-secrets
globalMounts:
- subPath: glauth.toml
path: /config/glauth.toml
tls:
type: secret
name: short-domain-tls
defaultMode: 0400
globalMounts:
- path: /tls
readOnly: true
defaultPodOptions:
automountServiceAccountToken: false
enableServiceLinks: false
securityContext:
runAsNonRoot: true
runAsUser: &uid 1000
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
seccompProfile: { type: "RuntimeDefault" }
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: fuckoff.home.arpa/emqx
operator: DoesNotExist
networkpolicies:
same-ns:
controller: glauth
policyTypes: [Ingress, Egress]
rules:
ingress: [from: [{podSelector: {}}]]
egress: [to: [{podSelector: {}}]]