diff --git a/kubernetes/apps/database/emqx/app/externalsecret.yaml b/kubernetes/apps/database/emqx/app/externalsecret.yaml
new file mode 100644
index 00000000..0f338383
--- /dev/null
+++ b/kubernetes/apps/database/emqx/app/externalsecret.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: emqx
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: emqx-secret
+ template:
+ engineVersion: v2
+ data:
+ EMQX_DASHBOARD__DEFAULT_USERNAME: "{{ .EMQX_DASHBOARD__DEFAULT_USERNAME }}"
+ EMQX_DASHBOARD__DEFAULT_PASSWORD: "{{ .EMQX_DASHBOARD__DEFAULT_PASSWORD }}"
+ dataFrom:
+ - extract:
+ key: emqx
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: emqx-init-user
+spec:
+ refreshInterval: 5m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: emqx-init-user-secret
+ template:
+ engineVersion: v2
+ data:
+ init-user.json: |
+ [{"user_id": "{{ .EMQX_MQTT_INIT_USERNAME }}", "password": "{{ .EMQX_MQTT_INIT_PASSWORD }}", "is_superuser": true}]
+ dataFrom:
+ - extract:
+ key: emqx
diff --git a/kubernetes/apps/database/emqx/app/helmrelease.yaml b/kubernetes/apps/database/emqx/app/helmrelease.yaml
new file mode 100644
index 00000000..cb2ef56d
--- /dev/null
+++ b/kubernetes/apps/database/emqx/app/helmrelease.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: emqx
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: emqx-operator
+ version: 2.2.25
+ sourceRef:
+ kind: HelmRepository
+ name: emqx-charts
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: emqx-operator
+ image:
+ repository: ghcr.io/emqx/emqx-operator
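Review bot: The `init-user.json` template in the second ExternalSecret splices `.EMQX_MQTT_INIT_USERNAME` and `.EMQX_MQTT_INIT_PASSWORD` straight into a JSON string literal, so a generated password containing `"` or `\` yields invalid JSON and the bootstrap presumably creates no superuser at all, with nothing in this manifest to flag it. Emit the value through a JSON-aware function if the v2 engine's sprig set is available, e.g. `"password": {{ .EMQX_MQTT_INIT_PASSWORD | toJson }}`, or record in a comment that the 1Password value must stay free of those characters. The first ExternalSecret (`emqx`) also omits `refreshInterval` while `emqx-init-user` sets `5m`, so two secrets drawn from the same item `emqx` would be refreshed at different cadences; adding `refreshInterval: 5m` to both keeps the dashboard and MQTT credentials in step after a rotation.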
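Review bot: `values.image.repository` is overridden to `ghcr.io/emqx/emqx-operator` without an `image.tag`, so the tag still comes from the chart's own default, and if that default was written for a different registry the mismatch only surfaces as a pull failure at deploy time. A one-line comment above the override stating why the repository is changed and that the chart's default tag is expected to exist on ghcr, e.g. `# pull the operator from ghcr; tag follows the chart default`, would spare the next reader a lookup against chart version 2.2.25.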
diff --git a/kubernetes/apps/database/emqx/app/kustomization.yaml b/kubernetes/apps/database/emqx/app/kustomization.yaml
new file mode 100644
index 00000000..2708f09e
--- /dev/null
+++ b/kubernetes/apps/database/emqx/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/database/emqx/cluster/cluster.yaml b/kubernetes/apps/database/emqx/cluster/cluster.yaml
new file mode 100644
index 00000000..654494d5
--- /dev/null
+++ b/kubernetes/apps/database/emqx/cluster/cluster.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: apps.emqx.io/v2beta1
+kind: EMQX
+metadata:
+ name: emqx
+spec:
+ image: public.ecr.aws/emqx/emqx:5.8.1
+ config:
+ data: |
+ authentication {
+ backend = "built_in_database"
+ mechanism = "password_based"
+ password_hash_algorithm {
+ name = "bcrypt"
+ }
+ user_id_type = "username"
+ bootstrap_file = "/opt/init-user.json"
+ bootstrap_type = "plain"
+ }
+ authorization {
+ sources = [
+ {
+ type = built_in_database
+ enable = true
+ }
+ ]
+ no_match: "deny"
+ }
+ coreTemplate:
+ metadata:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ spec:
+ replicas: 3
+ envFrom:
+ - secretRef:
+ name: emqx-secret
+ extraVolumeMounts:
+ - name: init-user
+ mountPath: /opt/init-user.json
+ subPath: init-user.json
+ readOnly: true
+ extraVolumes:
+ - name: init-user
+ secret:
+ secretName: emqx-init-user-secret
+ listenersServiceTemplate:
+ spec:
+ type: LoadBalancer
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: mqtt.zebernst.dev
+ io.cilium/lb-ipam-ips: 10.2.100.8
diff --git a/kubernetes/apps/database/emqx/cluster/ingress.yaml b/kubernetes/apps/database/emqx/cluster/ingress.yaml
new file mode 100644
index 00000000..ea0d1d87
--- /dev/null
+++ b/kubernetes/apps/database/emqx/cluster/ingress.yaml
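Review bot: `config.data` configures authentication and authorization but says nothing about listeners, so the LoadBalancer published as `mqtt.zebernst.dev` exposes whatever listeners the `emqx:5.8.1` image enables by default, presumably the plaintext tcp and ws listeners alongside the ssl ones; bcrypt protects the stored hash, but the credentials from `init-user.json` would still cross the network in clear on those ports. Either disable the plaintext listeners in `config.data` or add a comment above `listenersServiceTemplate` recording that only the TLS ports are meant to be used and where their certificate comes from (ks.yaml lists `cert-manager` as a dependency, which hints at the intent). Separately, `no_match: "deny"` uses HOCON's `:` separator while every sibling key uses `=`; `no_match = "deny"` keeps the block uniform.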
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: emqx
+ annotations:
+ hajimari.io/icon: simple-icons:mqtt
+spec:
+ ingressClassName: internal
+ rules:
+ - host: &host emqx.zebernst.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: emqx-dashboard
+ port:
+ number: 18083
+ tls:
+ - hosts:
+ - *host
diff --git a/kubernetes/apps/database/emqx/cluster/kustomization.yaml b/kubernetes/apps/database/emqx/cluster/kustomization.yaml
new file mode 100644
index 00000000..6b159eb9
--- /dev/null
+++ b/kubernetes/apps/database/emqx/cluster/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cluster.yaml
+ - ./ingress.yaml
+ - ./podmonitor.yaml
diff --git a/kubernetes/apps/database/emqx/cluster/podmonitor.yaml b/kubernetes/apps/database/emqx/cluster/podmonitor.yaml
new file mode 100644
index 00000000..2d5a302e
--- /dev/null
+++ b/kubernetes/apps/database/emqx/cluster/podmonitor.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: emqx
+spec:
+ selector:
+ matchLabels:
+ apps.emqx.io/instance: emqx
+ apps.emqx.io/managed-by: emqx-operator
+ podMetricsEndpoints:
+ - port: dashboard
+ path: /api/v5/prometheus/stats
+ relabelings:
+ - action: replace
+ # user-defined cluster name, requires unique
+ replacement: emqx5
+ targetLabel: cluster
+ - action: replace
+ # fix value, don't modify
+ replacement: emqx
+ targetLabel: from
+ - action: replace
+ # fix value, don't modify
+ sourceLabels:
+ - pod
+ targetLabel: instance
diff --git a/kubernetes/apps/database/emqx/ks.yaml b/kubernetes/apps/database/emqx/ks.yaml
new file mode 100644
index 00000000..b15c39a0
--- /dev/null
+++ b/kubernetes/apps/database/emqx/ks.yaml
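Review bot: The `tls` entry lists the host but no `secretName`, so TLS for the dashboard at `emqx.zebernst.dev` falls back to whatever default certificate the `internal` ingress controller carries; if a wildcard default cert is the intended mechanism, a comment on the `tls:` line saying so would stop the next reader from adding a per-host certificate, and if it is not, `secretName` is missing. The exposed backend is the EMQX dashboard on port 18083, whose only gate is the username and password injected from `emqx-secret`, so the ingress class choice is doing real access-control work here and deserves the same one-line note.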
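Review bot: The endpoint scrapes `/api/v5/prometheus/stats` on the `dashboard` port with no `basicAuth`, so it relies on EMQX leaving that path unauthenticated (presumably its default); should `prometheus.enable_basic_auth` ever be turned on in the cluster config, the scrape would start returning 401s with nothing here to explain why. A comment on the `path` line recording the assumption, e.g. `# relies on the stats endpoint being unauthenticated; add basicAuth if prometheus.enable_basic_auth is set`, keeps the two files coupled visibly. The two copied comments `# fix value, don't modify` read better as `# fixed value, do not modify`.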
@@ -0,0 +1,45 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app emqx + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: cert-manager + - name: external-secrets-stores + path: ./kubernetes/apps/database/emqx/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app emqx-cluster + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: emqx + path: ./kubernetes/apps/database/emqx/cluster + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/database/kustomization.yaml b/kubernetes/apps/database/kustomization.yaml index 65d70e1d..696cfee9 100644 --- a/kubernetes/apps/database/kustomization.yaml +++ b/kubernetes/apps/database/kustomization.yaml @@ -8,4 +8,5 @@ resources: # Flux-Kustomizations - ./cloudnative-pg/ks.yaml - ./dragonfly/ks.yaml + - ./emqx/ks.yaml - ./ferretdb/ks.yaml diff --git a/kubernetes/flux/repositories/helm/emqx.yaml b/kubernetes/flux/repositories/helm/emqx.yaml new file mode 100644 index 00000000..159aba59 --- /dev/null +++ b/kubernetes/flux/repositories/helm/emqx.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: emqx-charts + namespace: flux-system +spec: + interval: 2h + url: https://repos.emqx.io/charts diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index 66c2ebee..c669e726 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml 
@@ -10,6 +10,7 @@ resources: - ./coredns.yaml - ./deliveryhero.yaml - ./descheduler.yaml + - ./emqx.yaml - ./external-dns.yaml - ./external-secrets.yaml - ./grafana.yaml