From 3594a73bafea1805ac656cef96ea9605e8243f3a Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Mon, 23 Sep 2024 02:10:32 -0500
Subject: [PATCH] add acls
---
 kubernetes/apps/database/emqx/cluster/cluster.yaml | 7 +++++++
 .../apps/database/emqx/cluster/kustomization.yaml | 3 +++
 .../apps/database/emqx/cluster/resources/acl.conf | 5 +++++
 .../apps/database/emqx/cluster/resources/emqx.conf | 12 +++++-------
 4 files changed, 20 insertions(+), 7 deletions(-)
 create mode 100644 kubernetes/apps/database/emqx/cluster/resources/acl.conf
diff --git a/kubernetes/apps/database/emqx/cluster/cluster.yaml b/kubernetes/apps/database/emqx/cluster/cluster.yaml
index 71c71303..522f85ec 100644
--- a/kubernetes/apps/database/emqx/cluster/cluster.yaml
+++ b/kubernetes/apps/database/emqx/cluster/cluster.yaml
@@ -22,10 +22,17 @@ spec:
 mountPath: /opt/init-user.json
 subPath: init-user.json
 readOnly: true
+ - name: acl-conf
+ mountPath: /opt/acl.conf
+ subPath: acl.conf
+ readOnly: true
 extraVolumes:
 - name: init-user
 secret:
 secretName: emqx-init-user-secret
+ - name: acl-conf
+ configMap:
+ name: emqx-acl-conf
 listenersServiceTemplate:
 metadata:
 annotations:
diff --git a/kubernetes/apps/database/emqx/cluster/kustomization.yaml b/kubernetes/apps/database/emqx/cluster/kustomization.yaml
index c35ed6e2..30f5b868 100644
--- a/kubernetes/apps/database/emqx/cluster/kustomization.yaml
+++ b/kubernetes/apps/database/emqx/cluster/kustomization.yaml
@@ -9,6 +9,9 @@ configMapGenerator:
 - name: emqx-conf
 files:
 - emqx.conf=./resources/emqx.conf
+ - name: emqx-acl-conf
+ files:
+ - acl.conf=./resources/acl.conf
 replacements:
 - source:
 kind: ConfigMap
diff --git a/kubernetes/apps/database/emqx/cluster/resources/acl.conf b/kubernetes/apps/database/emqx/cluster/resources/acl.conf
new file mode 100644
index 00000000..8d0fc7c7
--- /dev/null
+++ b/kubernetes/apps/database/emqx/cluster/resources/acl.conf
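Review bot: The new `configMap: name: emqx-acl-conf` volume references the generator's base name, yet the existing `emqx-conf` ConfigMap is wired through a `replacements` entry in kustomization.yaml, which suggests generated ConfigMaps carry kustomize's name-suffix hash; because `extraVolumes` is a field of a custom resource, kustomize's built-in name-reference rewriting will not update it, so this volume would point at a ConfigMap that does not exist unless a second replacement (or `disableNameSuffixHash`) lives outside this hunk. The same gap applies to the kustomization.yaml hunk, where the new `emqx-acl-conf` generator entry has no matching replacement visible. A dangling reference fails the pod rather than silently dropping the ACL file, which is the safe direction, but it is worth confirming before merge. The `readOnly: true` `subPath` mount at `/opt/acl.conf` does line up with the `path` set in emqx.conf.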
@@ -0,0 +1,5 @@
+%% ACLs for emqx %%
+{allow, {user, "jahanson"}, all, ["#"]}.
+{allow, {user, "tasmota"}, publish, ["tasmota/discovery/#", "tele/tasmota_+/+", "cmnd/tasmota_+/+"]}.
+{allow, {user, "homeassistant"}, subscribe, ["stat/tasmota_+/+", "tele/tasmota_+/+"]}.
+{deny, all}.
diff --git a/kubernetes/apps/database/emqx/cluster/resources/emqx.conf b/kubernetes/apps/database/emqx/cluster/resources/emqx.conf
index 66bf5782..9a658610 100644
--- a/kubernetes/apps/database/emqx/cluster/resources/emqx.conf
+++ b/kubernetes/apps/database/emqx/cluster/resources/emqx.conf
@@ -14,14 +14,12 @@ authorization {
 {
 type = built_in_database
 enable = true
+ },
+ {
+ type = file
+ enable = true
+ path = "/opt/acl.conf"
 }
 ]
 no_match: "deny"
 }
-
-authorization.sources.built_in_database.rules = [
- {allow, {user, "jahanson"}, all, ["#"]},
- {allow, {user, "tasmota"}, publish, ["tasmota/discovery/#", "tele/tasmota_+/+", "cmnd/tasmota_+/+"]},
- {allow, {user, "homeassistant"}, subscribe, ["stat/tasmota_+/+", "tele/tasmota_+/+"]},
- {deny, all}
-]
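Review bot: The trailing `{deny, all}.` makes this file source terminal, so any authorization source placed after `file` in emqx.conf will never be consulted; with `no_match: "deny"` already set in emqx.conf it adds no safety, so either keep it and record that `file` must remain the last source, or drop it and rely on `no_match`. Separately, if the `stat/tasmota_+/+` topics are published by the tasmota devices, as the naming suggests, the `tasmota` user's publish rule does not cover them and those publishes will be denied, while `homeassistant` is granted a subscription to topics no user is permitted to publish to; this predates the move but is worth checking against the broker's authorization logs. A header comment stating that rules are matched top to bottom with the first match winning, and that the file is only re-read when the authorization source is reloaded, would help the next editor.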
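Review bot: The `built_in_database` source stays enabled ahead of the new `file` source with its static rules removed, so the effective policy depends on whatever rules are currently stored in the built-in database: anything loaded there earlier or added later through the dashboard is evaluated before acl.conf and can allow what the file would deny. If acl.conf is meant to be the single source of truth, disable or drop the `built_in_database` entry; otherwise document the precedence with a comment such as `# built_in_database is consulted first; /opt/acl.conf applies only when it returns no match`. As far as I know the `file` source reads `path` when it is loaded, so a changed ConfigMap takes effect only after the source is reloaded or the pod restarts, which is worth a one-line comment next to `path`. Keeping `no_match: "deny"` is the right default.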