From 75ac3059502088fa00b9b89181b688e5f607ad27 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 01:51:09 +0000 Subject: [PATCH 1/4] Initial plan From 35548f176b2fb2152053e9b09dc3096c95be72da Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 01:57:12 +0000 Subject: [PATCH 2/4] Replace bjw-s/app-template with SINTEF Mosquitto chart v0.1.1 Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com> --- argocd/apps/platform/mqtt-broker.yml | 62 ++++++------------- k8s/infra-mqtt/kustomization.yml | 5 -- k8s/infra-mqtt/onepassword/mosquitto-auth.yml | 4 ++ 3 files changed, 23 insertions(+), 48 deletions(-) diff --git a/argocd/apps/platform/mqtt-broker.yml b/argocd/apps/platform/mqtt-broker.yml index 7f9b851..ee6eea1 100644 --- a/argocd/apps/platform/mqtt-broker.yml +++ b/argocd/apps/platform/mqtt-broker.yml @@ -9,51 +9,27 @@ metadata: spec: project: coachlight-k3s-infra source: - repoURL: https://bjw-s.github.io/helm-charts - chart: app-template - targetRevision: 3.7.0 + repoURL: https://sintef.github.io/mosquitto-helm-chart + chart: mosquitto + targetRevision: 0.1.1 helm: valuesObject: - controllers: - mosquitto: - containers: - app: - image: - repository: eclipse-mosquitto - tag: 2.0.20 - resources: - requests: - cpu: 10m - memory: 32Mi - limits: - cpu: 100m - memory: 128Mi - - service: - mosquitto: - controller: mosquitto - ports: - mqtt: - port: 1883 - - persistence: - data: - enabled: true - storageClass: nfs-synology-retain - size: 1Gi - globalMounts: - - path: /mosquitto/data - config: - type: configMap - name: mosquitto-config - globalMounts: - - path: /mosquitto/config/mosquitto.conf - subPath: mosquitto.conf - secret: - type: secret - name: mosquitto-auth - globalMounts: - - path: /mosquitto/secret + mqttOverWebsocket: false + auth: + usersExistingSecret: mosquitto-auth + users: + - username: admin + password: "" + acl: + - topic: "#" + access: readwrite + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi destination: server: https://kubernetes.default.svc diff --git a/k8s/infra-mqtt/kustomization.yml b/k8s/infra-mqtt/kustomization.yml index 541ff8b..5a14857 100644 --- a/k8s/infra-mqtt/kustomization.yml +++ b/k8s/infra-mqtt/kustomization.yml @@ -4,8 +4,3 @@ kind: Kustomization resources: - namespace.yml - onepassword/mosquitto-auth.yml - -configMapGenerator: - - name: mosquitto-config - files: - - config/mosquitto.conf diff --git a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml index f32225a..f011097 100644 --- a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml +++ b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml @@ -1,4 +1,8 @@ --- +# This OnePasswordItem creates a Secret named "mosquitto-auth" in the infra-mqtt namespace. +# The 1Password item must have a field named "passwords.conf" containing the mosquitto +# password file content (username:hash format, one per line). +# Generate hashes using: mosquitto_passwd -c /tmp/passwd username apiVersion: onepassword.com/v1 kind: OnePasswordItem metadata: From ab318861c00aaa10efbc10e45a2e12a7379d3c66 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 01:58:41 +0000 Subject: [PATCH 3/4] Add documentation and fix yamllint warnings Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com> --- k8s/infra-mqtt/README.md | 107 ++++++++++++++++++ k8s/infra-mqtt/onepassword/mosquitto-auth.yml | 7 +- 2 files changed, 111 insertions(+), 3 deletions(-) create mode 100644 k8s/infra-mqtt/README.md diff --git a/k8s/infra-mqtt/README.md b/k8s/infra-mqtt/README.md new file mode 100644 index 0000000..d932dd6 --- /dev/null +++ b/k8s/infra-mqtt/README.md @@ -0,0 +1,107 @@ +# MQTT Broker (Mosquitto) - OnePassword Setup + +## Overview + +This directory contains the Kubernetes resources for deploying Mosquitto MQTT broker in the `infra-mqtt` namespace. The broker uses the SINTEF Mosquitto Helm chart and authenticates users via credentials stored in 1Password. + +## 1Password Item Configuration + +### Item Location +- **Vault**: `HomeLab` +- **Item Name**: `mosquitto-auth` + +### Required Fields + +The 1Password item must contain a field named **`passwords.conf`** (exact name, case-sensitive) with the following content format: + +``` +admin: +``` + +### Generating Password Hashes + +Use the `mosquitto_passwd` utility to generate password hashes: + +```bash +# Install mosquitto clients (if not already installed) +# On macOS: +brew install mosquitto + +# On Debian/Ubuntu: +sudo apt-get install mosquitto + +# Generate a password file with a user +mosquitto_passwd -c /tmp/mosquitto_passwd admin +# Enter password when prompted + +# View the generated hash +cat /tmp/mosquitto_passwd +``` + +The output will look like: +``` +admin:$7$101$...hash...$...hash... +``` + +Copy the entire line (including username and hash) into the `passwords.conf` field in 1Password. + +### Adding Multiple Users + +To add multiple users, run `mosquitto_passwd` without the `-c` flag to append: + +```bash +# Add another user to existing file +mosquitto_passwd /tmp/mosquitto_passwd user2 + +# View all users +cat /tmp/mosquitto_passwd +``` + +Then copy all lines into the `passwords.conf` field in 1Password: +``` +admin:$7$101$...hash1... +user2:$7$101$...hash2... +``` + +## Deployment + +The deployment is managed by ArgoCD: + +1. **Sync Wave 10**: `mqtt-broker-secrets` app deploys the OnePasswordItem CRD + - Creates Kubernetes Secret `mosquitto-auth` in namespace `infra-mqtt` + - Secret key `passwords.conf` contains the password file content + +2. **Sync Wave 20**: `mqtt-broker` app deploys the Mosquitto Helm chart + - Uses the SINTEF Mosquitto chart from `https://sintef.github.io/mosquitto-helm-chart` + - References the `mosquitto-auth` secret for user authentication + +## ACL Configuration + +Access control is configured in the ArgoCD Application values: + +```yaml +auth: + users: + - username: admin + acl: + - topic: "#" + access: readwrite +``` + +- The `username` must match a username in the `passwords.conf` secret +- The `password` field in values is ignored when using `usersExistingSecret` +- ACL rules grant the admin user full access to all topics (`#`) + +## Service + +The MQTT broker is exposed as a ClusterIP service on port 1883: +- **Service Name**: `mosquitto` (managed by Helm) +- **Port**: 1883 (MQTT) +- **Websockets**: Disabled + +## Security Notes + +- Anonymous access is disabled +- Authentication is required for all connections +- Passwords are stored in 1Password, not in Git +- Password hashes use SHA512-PBKDF2 format (Mosquitto default) diff --git a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml index f011097..d60cb27 100644 --- a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml +++ b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml @@ -1,7 +1,8 @@ --- -# This OnePasswordItem creates a Secret named "mosquitto-auth" in the infra-mqtt namespace. -# The 1Password item must have a field named "passwords.conf" containing the mosquitto -# password file content (username:hash format, one per line). +# This OnePasswordItem creates a Secret named "mosquitto-auth" in the +# infra-mqtt namespace. The 1Password item must have a field named +# "passwords.conf" containing the mosquitto password file content +# (username:hash format, one per line). # Generate hashes using: mosquitto_passwd -c /tmp/passwd username apiVersion: onepassword.com/v1 kind: OnePasswordItem From a65ca6eb461306ca98a5eb085968b92745dfef20 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 01:59:58 +0000 Subject: [PATCH 4/4] Address code review feedback - add clarifying comments Co-authored-by: SRF-Audio <16975040+SRF-Audio@users.noreply.github.com> --- argocd/apps/platform/mqtt-broker.yml | 2 ++ k8s/infra-mqtt/onepassword/mosquitto-auth.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/argocd/apps/platform/mqtt-broker.yml b/argocd/apps/platform/mqtt-broker.yml index ee6eea1..c19d6ed 100644 --- a/argocd/apps/platform/mqtt-broker.yml +++ b/argocd/apps/platform/mqtt-broker.yml @@ -19,6 +19,8 @@ spec: usersExistingSecret: mosquitto-auth users: - username: admin + # Password field is ignored when usersExistingSecret is set + # The actual password comes from the mosquitto-auth secret password: "" acl: - topic: "#" diff --git a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml index d60cb27..381ad55 100644 --- a/k8s/infra-mqtt/onepassword/mosquitto-auth.yml +++ b/k8s/infra-mqtt/onepassword/mosquitto-auth.yml @@ -3,7 +3,7 @@ # infra-mqtt namespace. The 1Password item must have a field named # "passwords.conf" containing the mosquitto password file content # (username:hash format, one per line). -# Generate hashes using: mosquitto_passwd -c /tmp/passwd username +# Generate hashes using: mosquitto_passwd -c /tmp/mosquitto_passwd username apiVersion: onepassword.com/v1 kind: OnePasswordItem metadata: