add acls

kubernetes/apps/database/emqx/cluster/cluster.yaml

@@ -22,10 +22,17 @@ spec:
           mountPath: /opt/init-user.json
           subPath: init-user.json
           readOnly: true
+        - name: acl-conf
+          mountPath: /opt/acl.conf
+          subPath: acl.conf
+          readOnly: true
       extraVolumes:
         - name: init-user
           secret:
             secretName: emqx-init-user-secret
+        - name: acl-conf
+          configMap:
+            name: emqx-acl-conf
   listenersServiceTemplate:
     metadata:
       annotations:

kubernetes/apps/database/emqx/cluster/kustomization.yaml

@@ -9,6 +9,9 @@ configMapGenerator:
   - name: emqx-conf
     files:
       - emqx.conf=./resources/emqx.conf
+  - name: emqx-acl-conf
+    files:
+      - acl.conf=./resources/acl.conf
 replacements:
   - source:
       kind: ConfigMap

kubernetes/apps/database/emqx/cluster/resources/acl.conf

@@ -0,0 +1,5 @@
+%% ACLs for emqx %%
+{allow, {user, "jahanson"}, all, ["#"]}.
+{allow, {user, "tasmota"}, publish, ["tasmota/discovery/#", "tele/tasmota_+/+", "cmnd/tasmota_+/+"]}.
+{allow, {user, "homeassistant"}, subscribe, ["stat/tasmota_+/+", "tele/tasmota_+/+"]}.
+{deny, all}.

kubernetes/apps/database/emqx/cluster/resources/emqx.conf

@@ -14,14 +14,12 @@ authorization {
     {
       type = built_in_database
       enable = true
+    },
+    {
+      type = file
+      enable = true
+      path = "/opt/acl.conf"
     }
   ]
   no_match: "deny"
 }
-
-authorization.sources.built_in_database.rules = [
-  {allow, {user, "jahanson"}, all, ["#"]},
-  {allow, {user, "tasmota"}, publish, ["tasmota/discovery/#", "tele/tasmota_+/+", "cmnd/tasmota_+/+"]},
-  {allow, {user, "homeassistant"}, subscribe, ["stat/tasmota_+/+", "tele/tasmota_+/+"]},
-  {deny, all}
-]