diff --git a/argocd/apps/platform/mqtt-broker.yml b/argocd/apps/platform/mqtt-broker.yml index 7f9b851..c19d6ed 100644 --- a/argocd/apps/platform/mqtt-broker.yml +++ b/argocd/apps/platform/mqtt-broker.yml @@ -9,51 +9,29 @@ metadata: spec: project: coachlight-k3s-infra source: - repoURL: https://bjw-s.github.io/helm-charts - chart: app-template - targetRevision: 3.7.0 + repoURL: https://sintef.github.io/mosquitto-helm-chart + chart: mosquitto + targetRevision: 0.1.1 helm: valuesObject: - controllers: - mosquitto: - containers: - app: - image: - repository: eclipse-mosquitto - tag: 2.0.20 - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - cpu: 100m - memory: 128Mi - - service: - mosquitto: - controller: mosquitto - ports: - mqtt: - port: 1883 - - persistence: - data: - enabled: true - storageClass: nfs-synology-retain - size: 1Gi - globalMounts: - - path: /mosquitto/data - config: - type: configMap - name: mosquitto-config - globalMounts: - - path: /mosquitto/config/mosquitto.conf - subPath: mosquitto.conf - secret: - type: secret - name: mosquitto-auth - globalMounts: - - path: /mosquitto/secret + mqttOverWebsocket: false + auth: + usersExistingSecret: mosquitto-auth + users: + - username: admin + # Password field is ignored when usersExistingSecret is set + # The actual password comes from the mosquitto-auth secret + password: "" + acl: + - topic: "#" + access: readwrite + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi destination: server: https://kubernetes.default.svc diff --git a/k8s/infra-mqtt/README.md b/k8s/infra-mqtt/README.md new file mode 100644 index 0000000..d932dd6 --- /dev/null +++ b/k8s/infra-mqtt/README.md 
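Review bot: The new `valuesObject` drops the explicit persistence volume (`/mosquitto/data` on `nfs-synology-retain`) and the pinned image tag `2.0.20` without restating either, so retained messages and persistent sessions now depend on the chart's defaults and the broker image floats with chart version `0.1.1`. The removed `mosquitto-config` ConfigMap also carried the broker's `mosquitto.conf`; nothing in the new values sets anonymous access or listener options explicitly, so the README's "anonymous access is disabled" statement rests on chart defaults that should be confirmed against the rendered manifest before sync. If the SINTEF chart exposes image and persistence settings, pin them here as the old values did; otherwise record the accepted change in the README. A short comment on the `acl` entry, e.g. `# admin is the only user and intentionally gets readwrite on every topic; scope further users narrowly`, would make the `"#"` grant's intent explicit.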
@@ -0,0 +1,107 @@
+# MQTT Broker (Mosquitto) - OnePassword Setup
+
+## Overview
+
+This directory contains the Kubernetes resources for deploying Mosquitto MQTT broker in the `infra-mqtt` namespace. The broker uses the SINTEF Mosquitto Helm chart and authenticates users via credentials stored in 1Password.
+
+## 1Password Item Configuration
+
+### Item Location
+- **Vault**: `HomeLab`
+- **Item Name**: `mosquitto-auth`
+
+### Required Fields
+
+The 1Password item must contain a field named **`passwords.conf`** (exact name, case-sensitive) with the following content format:
+
+```
+admin:
+```
+
+### Generating Password Hashes
+
+Use the `mosquitto_passwd` utility to generate password hashes:
+
+```bash
+# Install mosquitto clients (if not already installed)
+# On macOS:
+brew install mosquitto
+
+# On Debian/Ubuntu:
+sudo apt-get install mosquitto
+
+# Generate a password file with a user
+mosquitto_passwd -c /tmp/mosquitto_passwd admin
+# Enter password when prompted
+
+# View the generated hash
+cat /tmp/mosquitto_passwd
+```
+
+The output will look like:
+```
+admin:$7$101$...hash...$...hash...
+```
+
+Copy the entire line (including username and hash) into the `passwords.conf` field in 1Password.
+
+### Adding Multiple Users
+
+To add multiple users, run `mosquitto_passwd` without the `-c` flag to append:
+
+```bash
+# Add another user to existing file
+mosquitto_passwd /tmp/mosquitto_passwd user2
+
+# View all users
+cat /tmp/mosquitto_passwd
+```
+
+Then copy all lines into the `passwords.conf` field in 1Password:
+```
+admin:$7$101$...hash1...
+user2:$7$101$...hash2...
+```
+
+## Deployment
+
+The deployment is managed by ArgoCD:
+
+1. **Sync Wave 10**: `mqtt-broker-secrets` app deploys the OnePasswordItem CRD
+ - Creates Kubernetes Secret `mosquitto-auth` in namespace `infra-mqtt`
+ - Secret key `passwords.conf` contains the password file content
+
+2. **Sync Wave 20**: `mqtt-broker` app deploys the Mosquitto Helm chart
+ - Uses the SINTEF Mosquitto chart from `https://sintef.github.io/mosquitto-helm-chart`
+ - References the `mosquitto-auth` secret for user authentication
+
+## ACL Configuration
+
+Access control is configured in the ArgoCD Application values:
+
+```yaml
+auth:
+ users:
+ - username: admin
+ acl:
+ - topic: "#"
+ access: readwrite
+```
+
+- The `username` must match a username in the `passwords.conf` secret
+- The `password` field in values is ignored when using `usersExistingSecret`
+- ACL rules grant the admin user full access to all topics (`#`)
+
+## Service
+
+The MQTT broker is exposed as a ClusterIP service on port 1883:
+- **Service Name**: `mosquitto` (managed by Helm)
+- **Port**: 1883 (MQTT)
+- **Websockets**: Disabled
+
+## Security Notes
+
+- Anonymous access is disabled
+- Authentication is required for all connections
+- Passwords are stored in 1Password, not in Git
+- Password hashes use SHA512-PBKDF2 format (Mosquitto default)
diff --git a/k8s/infra-mqtt/kustomization.yml b/k8s/infra-mqtt/kustomization.yml
index 541ff8b..5a14857 100644
--- a/k8s/infra-mqtt/kustomization.yml
+++ b/k8s/infra-mqtt/kustomization.yml
@@ -4,8 +4,3 @@ kind: Kustomization
 resources:
 - namespace.yml
 - onepassword/mosquitto-auth.yml
-
-configMapGenerator:
- - name: mosquitto-config
- files:
- - config/mosquitto.conf
diff --git a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml
index f32225a..381ad55 100644
--- a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml
+++ b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml
@@ -1,4 +1,9 @@
 ---
+# This OnePasswordItem creates a Secret named "mosquitto-auth" in the
+# infra-mqtt namespace. The 1Password item must have a field named
+# "passwords.conf" containing the mosquitto password file content
+# (username:hash format, one per line).
+# Generate hashes using: mosquitto_passwd -c /tmp/mosquitto_passwd username
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
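Review bot: The added comment's example `mosquitto_passwd -c /tmp/mosquitto_passwd username` truncates any existing file because of `-c`, so following it verbatim for a second user silently discards the first entry; the README in this same commit documents the append form, and the comment should match it, e.g. `# Generate hashes using: mosquitto_passwd -c /tmp/mosquitto_passwd username  (omit -c to append further users)`. It would also help to add `# Delete the temporary file once its lines are in the 1Password item`, since `/tmp` is typically readable by other local users and the hashes are the only thing guarding broker access. The OnePasswordItem spec that consumes these lines continues outside the hunk.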