From 2017b851565b2c92f279c8a960f821e28fc5faec Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Thu, 22 Aug 2024 13:41:31 +0800
Subject: [PATCH] fix(EMQX): 5.7.2, bootstrap user, no PVC, TLS
---
 kube/deploy/core/db/emqx/app/hr.yaml | 2 +-
 kube/deploy/core/db/emqx/cluster/emqx.yaml | 98 ++++++++++----------
 kube/deploy/core/db/emqx/cluster/es.yaml | 48 ++--------
 kube/deploy/core/db/emqx/cluster/glauth.yaml | 94 -------------------
 4 files changed, 58 insertions(+), 184 deletions(-)
 delete mode 100644 kube/deploy/core/db/emqx/cluster/glauth.yaml
diff --git a/kube/deploy/core/db/emqx/app/hr.yaml b/kube/deploy/core/db/emqx/app/hr.yaml
index 21d02ed4..64dfc9e8 100644
--- a/kube/deploy/core/db/emqx/app/hr.yaml
+++ b/kube/deploy/core/db/emqx/app/hr.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: emqx-operator
- version: 2.2.22
+ version: 2.2.23
 sourceRef:
 name: emqx
 kind: HelmRepository
diff --git a/kube/deploy/core/db/emqx/cluster/emqx.yaml b/kube/deploy/core/db/emqx/cluster/emqx.yaml
index 3fb84f32..8cbe92e8 100644
--- a/kube/deploy/core/db/emqx/cluster/emqx.yaml
+++ b/kube/deploy/core/db/emqx/cluster/emqx.yaml
@@ -3,63 +3,44 @@
 apiVersion: apps.emqx.io/v2beta1
 kind: EMQX
 metadata:
- name: emqx
+ name: &app emqx
 namespace: emqx
 spec:
- image: public.ecr.aws/emqx/emqx:5.6.1
+ image: public.ecr.aws/emqx/emqx:5.7.2
 config:
 # the `$${env}` in the env var means Flux's Kustomize controller should escape the envsubst and output `${env}` exactly
 data: |
 authentication {
 enable = true
- backend = "ldap"
+ backend = "built_in_database"
 mechanism = "password_based"
- method {
- type = bind
- bind_password = "$${password}"
- }
- server = "glauth.emqx.svc.cluster.local.:636"
- query_timeout = "10s"
- username = "cn=search,ou=search,ou=users,dc=emqx,dc=io"
- password = "file:///secrets/ldap-search.password"
- pool_size = 1
- base_dn = "cn=$${username},ou=emqx,ou=users,dc=emqx,dc=io"
- filter = "(objectClass=*)"
- ssl {
- enable = true
- server_name_indication = "emqx-glauth.${DNS_SHORT}"
+ password_hash_algorithm {
+ name = "bcrypt"
 }
+ user_id_type = "username"
+ bootstrap_file = "/secrets/init-user.json"
+ bootstrap_type = "plain"
 }
 authorization {
+ no_match = "deny"
+ deny_action = "ignore"
 sources = [{
 enable = true
- type = ldap
- publish_attribute = "mqttPublishTopic"
- subscribe_attribute = "mqttSubscriptionTopic"
- all_attribute = "mqttPubSubTopic"
- server = "glauth.emqx.svc.cluster.local.:636"
- query_timeout = "10s"
- username = "cn=search,ou=search,ou=users,dc=emqx,dc=io"
- password = "file:///secrets/ldap-search.password"
- pool_size = 1
- base_dn = "cn=$${username},ou=emqx,ou=users,dc=emqx,dc=io"
- filter = "(objectClass=*)"
- ssl {
- enable = true
- server_name_indication = "emqx-glauth.${DNS_SHORT}"
- }
+ type = "file"
+ path = "/secrets/acl.conf"
 }]
- no_match = "deny"
 }
-
-# listeners.ssl.default {
-# bind = "0.0.0.0:8883"
-# ssl_options {
-# certfile = "/tls/cert.pem"
-# keyfile = "/tls/key.pem"
-# gc_after_handshake = true
-# }
-# }
+ listeners.ssl.default {
+ bind = "0.0.0.0:8883"
+ ssl_options {
+ certfile = "/tls/cert.pem"
+ keyfile = "/tls/key.pem"
+ gc_after_handshake = true
+ # no mTLS
+ verify = verify_none
+ fail_if_no_peer_cert = false
+ }
+ }
 bootstrapAPIKeys:
 - secretRef:
 key:
@@ -70,16 +51,16 @@ spec:
 secretKey: X_EMQX_APIKEY_SECRET
 coreTemplate:
 spec:
- replicas: 3
+ replicas: 2
 envFrom: &envFrom
 - secretRef:
 name: emqx-secrets
- volumeClaimTemplates:
- storageClassName: local
- accessModes: [ReadWriteOnce]
- resources:
- requests:
- storage: 1Gi
+ #volumeClaimTemplates:
+ # storageClassName: local
+ # accessModes: [ReadWriteOnce]
+ # resources:
+ # requests:
+ # storage: 1Gi
 extraVolumes:
 - name: emqx-secrets
 secret:
@@ -89,14 +70,29 @@ spec:
 secretName: short-domain-tls
 extraVolumeMounts:
 - name: emqx-secrets
- subPath: ldap-search.password
- mountPath: /secrets/ldap-search.password
+ subPath: init-user.json
+ mountPath: /secrets/init-user.json
+ readOnly: true
+ - name: emqx-secrets
+ subPath: acl.conf
+ mountPath: /secrets/acl.conf
+ readOnly: true
 - name: tls
 subPath: tls.crt
 mountPath: /tls/cert.pem
+ readOnly: true
 - name: tls
 subPath: tls.key
 mountPath: /tls/key.pem
+ readOnly: true
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ apps.emqx.io/instance: *app
+ apps.emqx.io/db-role: core
 listenersServiceTemplate:
 metadata:
 annotations:
diff --git a/kube/deploy/core/db/emqx/cluster/es.yaml b/kube/deploy/core/db/emqx/cluster/es.yaml
index f2f71dee..1d653765 100644
--- a/kube/deploy/core/db/emqx/cluster/es.yaml
+++ b/kube/deploy/core/db/emqx/cluster/es.yaml
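Review bot: `deny_action = "ignore"` in the new authorization block means a publish that acl.conf rejects is dropped silently rather than ending the client session, so a mis-scoped topic on the Home Assistant side fails with no signal to the client and only the broker's own authorization logs/metrics will show it; as far as I know `ignore` is also EMQX's default, so the line documents a choice rather than changing behaviour. Either use `deny_action = "disconnect"` or keep `ignore` and say why, e.g. `# ignore = drop denied publishes silently rather than disconnecting; check broker authz logs when a client seems to "lose" messages`. The `verify = verify_none` / `fail_if_no_peer_cert = false` pair matches the `# no mTLS` comment, i.e. clients are authenticated by password only and TLS is transport protection; that is coherent, but `bootstrap_type = "plain"` would also deserve a short note that the bootstrap password is stored in clear in the Secret and presumably only hashed (bcrypt) by EMQX on import.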
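Review bot: With `volumeClaimTemplates` commented out, the core pods run on ephemeral storage, so as far as I can tell the built_in_database that the authentication block now relies on, plus retained messages and persistent sessions, lives only as long as the pod; the bootstrap file recreates the single bootstrapped user on every start, but anything added later through the dashboard or API disappears on restart. The commit title says the missing PVC is intended, so replace the six commented-out lines with a statement of that intent, e.g. `# no PVC on purpose: auth state is rebuilt from init-user.json/acl.conf at start; anything created via dashboard/API is ephemeral`, instead of carrying dead YAML. Note also that `replicas: 2` combined with the hostname spread constraint (`whenUnsatisfiable: DoNotSchedule`) added in the next hunk needs two schedulable nodes or the second core pod stays Pending.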
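Review bot: The new `subPath:` secret mounts for init-user.json and acl.conf (and the existing tls.crt/tls.key ones that gain `readOnly: true`) are snapshots: Kubernetes does not refresh a subPath volume mount when the Secret changes, so an updated ACL, a rotated bootstrap password or a renewed certificate in short-domain-tls only reaches EMQX once the pod is recreated. That is harmless for the bootstrap file, which EMQX presumably reads once at start, but it is worth stating next to the TLS mounts, e.g. `# subPath mounts do not track Secret rotation; roll the pods after the cert in short-domain-tls is renewed`. Adding `readOnly: true` to every mount is a good change.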
@@ -24,41 +24,13 @@ spec:
 EMQX_DASHBOARD__DEFAULT_PASSWORD: "{{ .EMQX_DASHBOARD__DEFAULT_PASSWORD }}"
 X_EMQX_APIKEY_KEY: "{{ .X_EMQX_APIKEY_KEY }}"
 X_EMQX_APIKEY_SECRET: "{{ .X_EMQX_APIKEY_SECRET }}"
- ldap-search.password: "{{ .GLAUTH_SEARCH_PASSWORD }}"
- glauth.toml: |
- debug = true
- [ldap]
- enabled = false
- [ldaps]
- enabled = true
- listen = "0.0.0.0:6636"
- cert = "/tls/tls.crt"
- key = "/tls/tls.key"
- [backend]
- datastore = "config"
- baseDN = "dc=emqx,dc=io"
- nameformat = "cn"
- groupformat = "ou"
- [[users]]
- name = "search"
- uidnumber = 99991
- primarygroup = 99991
- passsha256 = "{{ .GLAUTH_SEARCH_PASSWORD_SHA256 }}"
- [[users.capabilities]]
- action = "search"
- object = "*"
- [[groups]]
- name = "search"
- gidnumber = 99991
- [[users]]
- name = "hass"
- uidnumber = 99992
- primarygroup = 99990
- passsha256 = "{{ .GLAUTH_HASS_PASSWORD_SHA256 }}"
- [[users.customattributes]]
- mqttPublishTopic = ["homeassistant/pub/#", "zigbee2mqtt/pub/#"]
- mqttSubscriptionTopic = ["homeassistant/sub/#", "zigbee2mqtt/sub/#"]
- mqttPubSubTopic = ["homeassistant/pubsub/#", "zigbee2mqtt/pubsub/#"]
- [[groups]]
- name = "emqx"
- gidnumber = 99990
+ init-user.json: |
+ [
+ {"user_id": "{{ .X_EMQX_MQTT_HASS_USERNAME }}", "password": "{{ .X_EMQX_MQTT_HASS_PASSWORD }}", "is_superuser": false}
+ ]
+ acl.conf: |
+ %% Allow MQTT client using username "dashboard" to subscribe to "$SYS/#" topics
+ {allow, {user, "{{ .X_EMQX_MQTT_HASS_USERNAME }}"}, all, ["homeassistant/#", "hass/#", "zigbee2mqtt/#"]}.
+
+ %% Default Deny All
+ {reject, all}.
diff --git a/kube/deploy/core/db/emqx/cluster/glauth.yaml b/kube/deploy/core/db/emqx/cluster/glauth.yaml
deleted file mode 100644
index f0e4922b..00000000
--- a/kube/deploy/core/db/emqx/cluster/glauth.yaml
+++ /dev/null
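Review bot: The first comment in the new acl.conf, `%% Allow MQTT client using username "dashboard" to subscribe to "$SYS/#" topics`, is the stock EMQX example text and does not describe the rule under it, which grants the Home Assistant user both publish and subscribe (`all`) on homeassistant/#, hass/# and zigbee2mqtt/#; change it to `%% Home Assistant user: pub/sub restricted to the HA and zigbee2mqtt topic trees`. Both new files splice `{{ .X_EMQX_MQTT_HASS_USERNAME }}` and `{{ .X_EMQX_MQTT_HASS_PASSWORD }}` unescaped into a JSON string and an Erlang-term string, so a secret value containing `"` or `\` would produce an unparsable init-user.json or acl.conf at startup rather than a clean failure — worth either constraining those values or escaping them in the template if the templating engine offers a JSON/quote helper. The trailing `{reject, all}.` duplicates `no_match = "deny"` from emqx.yaml, which is fine as defence in depth.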
@@ -1,94 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
- name: &app glauth
- namespace: emqx
-spec:
- interval: 5m
- chart:
- spec:
- chart: app-template
- version: 3.1.0
- sourceRef:
- name: bjw-s
- kind: HelmRepository
- namespace: flux-system
- values:
- controllers:
- glauth:
- type: deployment
- replicas: 2
- containers:
- main:
- image: &img
- repository: docker.io/glauth/glauth
- tag: v2.3.2@sha256:5112abbb2b5145dadb1a2fed57242ad3718e4af11062d0bb812b50cda6c708ab
- command: ["/app/glauth", "-c", "/config"]
- env: &env
- TZ: "${CONFIG_TZ}"
- securityContext: &sc
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- resources:
- requests:
- cpu: "10m"
- limits:
- memory: "128Mi"
- probes:
- liveness:
- enabled: true
- readiness:
- enabled: true
- service:
- glauth:
- controller: glauth
- ports:
- ldap-tcp:
- port: 636
- targetPort: 6636
- protocol: TCP
- ldap-udp:
- port: 636
- targetPort: 6636
- protocol: UDP
- persistence:
- config:
- type: secret
- name: emqx-secrets
- globalMounts:
- - subPath: glauth.toml
- path: /config/glauth.toml
- tls:
- type: secret
- name: short-domain-tls
- defaultMode: 0400
- globalMounts:
- - path: /tls
- readOnly: true
- defaultPodOptions:
- automountServiceAccountToken: false
- enableServiceLinks: false
- securityContext:
- runAsNonRoot: true
- runAsUser: &uid 1000
- runAsGroup: *uid
- fsGroup: *uid
- fsGroupChangePolicy: Always
- seccompProfile: { type: "RuntimeDefault" }
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: fuckoff.home.arpa/emqx
- operator: DoesNotExist
- networkpolicies:
- same-ns:
- controller: glauth
- policyTypes: [Ingress, Egress]
- rules:
- ingress: [from: [{podSelector: {}}]]
- egress: [to: [{podSelector: {}}]]