

feat(emqx): add mqtt users
zebernst committed Jan 26, 2025
1 parent cdf1589 commit be83a6f
Showing 4 changed files with 50 additions and 25 deletions.
20 changes: 0 additions & 20 deletions kubernetes/apps/database/emqx/app/externalsecret.yaml
Expand Up @@ -17,23 +17,3 @@ spec:
dataFrom:
- extract:
key: emqx
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: emqx-init-user
spec:
refreshInterval: 5m
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: emqx-init-user-secret
template:
engineVersion: v2
data:
init-user.json: |
[{"user_id": "{{ .EMQX_MQTT_INIT_USERNAME }}", "password": "{{ .EMQX_MQTT_INIT_PASSWORD }}", "is_superuser": true}]
dataFrom:
- extract:
key: emqx
16 changes: 11 additions & 5 deletions kubernetes/apps/database/emqx/cluster/cluster.yaml
Expand Up @@ -18,13 +18,15 @@ spec:
bootstrap_type = "plain"
}
authorization {
deny_action = ignore
no_match = allow
sources = [
{
type = built_in_database
type = file
enable = true
path = "/etc/acl.conf"
}
]
no_match: "deny"
}
coreTemplate:
metadata:
Expand All @@ -36,14 +38,18 @@ spec:
- secretRef:
name: emqx-secret
extraVolumeMounts:
- name: init-user
- name: authz
mountPath: /opt/init-user.json
subPath: init-user.json
readOnly: true
- name: authz
mountPath: /etc/acl.conf
subPath: acl.conf
readOnly: true
extraVolumes:
- name: init-user
- name: authz
secret:
secretName: emqx-init-user-secret
secretName: emqx-authz-secret
listenersServiceTemplate:
metadata:
annotations:
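Review bot: Both `/opt/init-user.json` and `/etc/acl.conf` are mounted with `subPath` (the `subPath: init-user.json` and `subPath: acl.conf` lines), and Kubernetes does not propagate Secret updates into subPath mounts, so the 5m `refreshInterval` on the authz ExternalSecret never reaches a running pod and rotated credentials or ACL edits only take effect after a pod restart. Mounting the secret as a directory (`mountPath: /etc/emqx/authz` with no `subPath`, then `path = "/etc/emqx/authz/acl.conf"` and the matching bootstrap path, which sits above this hunk) keeps the files live, though EMQX may still need the file source reloaded to pick up a changed acl.conf — verify against the deployed EMQX version. In the authorization hunk, `no_match = allow` still appears above the new `no_match: "deny"` if that earlier line survived the change; HOCON takes the later key so the effective policy should be deny, but the stale line is misleading and should be removed so the intent is unambiguous.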
38 changes: 38 additions & 0 deletions kubernetes/apps/database/emqx/cluster/externalsecret.yaml
@@ -0,0 +1,38 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: emqx-authz
spec:
refreshInterval: 5m
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: emqx-authz-secret
template:
engineVersion: v2
data:
init-user.json: |
[
{"user_id": "{{ .EMQX_MQTT_INIT_USERNAME }}", "password": "{{ .EMQX_MQTT_INIT_PASSWORD }}", "is_superuser": true},
{"user_id": "{{ .HOME_ASSISTANT_MQTT_USERNAME }}", "password": "{{ .HOME_ASSISTANT_MQTT_PASSWORD }}", "is_superuser": false},
{"user_id": "{{ .ZIGBEE2MQTT_MQTT_USERNAME }}", "password": "{{ .ZIGBEE2MQTT_MQTT_PASSWORD }}", "is_superuser": false}
]
acl.conf: |
%% Home Assistant
{allow, {user, "{{ .HOME_ASSISTANT_MQTT_USERNAME }}"}, all, ["homeassistant/#", "+/discover/#", "+/discovery/#"]}.
{allow, {user, "{{ .HOME_ASSISTANT_MQTT_USERNAME }}"}, all, ["esphome/#"]}.
{allow, {user, "{{ .HOME_ASSISTANT_MQTT_USERNAME }}"}, all, ["valetudo/#"]}.
{allow, {user, "{{ .HOME_ASSISTANT_MQTT_USERNAME }}"}, all, ["zigbee2mqtt/#"]}.
%% Zigbee2MQTT
{allow, {user, "{{ .ZIGBEE2MQTT_MQTT_USERNAME }}"}, all, ["zigbee2mqtt/#"]}.
{allow, {user, "{{ .ZIGBEE2MQTT_MQTT_USERNAME }}"}, subscribe, ["homeassistant/status"]}.
%% Default
{deny, all}.
dataFrom:
- extract:
key: emqx
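Review bot: `init-user.json` is built by plain interpolation on the `{"user_id": "{{ .EMQX_MQTT_INIT_USERNAME }}", "password": "{{ .EMQX_MQTT_INIT_PASSWORD }}", ...}` lines with no escaping, so a password containing `"` or `\` (common in generated secrets) produces invalid JSON and the bootstrap import will fail to parse; the v2 template engine exposes sprig, so `"password": {{ .EMQX_MQTT_INIT_PASSWORD | toJson }}` (no surrounding quotes) emits a correctly escaped JSON string — confirm `toJson` is available in the deployed ESO version. The same applies to the usernames quoted inside acl.conf, which is an Erlang term file and will not parse with an embedded `"`. Separately, Zigbee2MQTT is granted only `zigbee2mqtt/#` plus subscribe on `homeassistant/status`; if its Home Assistant integration is enabled it publishes discovery configs under the `homeassistant/` prefix, which the trailing `{deny, all}.` blocks, so add `{allow, {user, "{{ .ZIGBEE2MQTT_MQTT_USERNAME }}"}, publish, ["homeassistant/#"]}.` if that is the case. The `is_superuser: true` entry bypasses this ACL entirely, so that credential should stay reserved for administration rather than being handed to any client integration.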
1 change: 1 addition & 0 deletions kubernetes/apps/database/emqx/cluster/kustomization.yaml
Expand Up @@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./cluster.yaml
- ./externalsecret.yaml
- ./ingress.yaml
- ./podmonitor.yaml
- ./gatus.yaml
