messing with kustomize and emqx

kubernetes/apps/database/emqx/app/externalsecret.yaml

@@ -35,7 +35,34 @@ spec:
       engineVersion: v2
       data:
         init-user.json: |
-          [{"user_id": "{{ .X_EMQX_MQTT_USERNAME }}", "password": "{{ .X_EMQX_MQTT_PASSWORD }}", "is_superuser": true}]
+          [
+            {
+              "user_id": "{{ .X_EMQX_MQTT_USERNAME }}",
+              "password": "{{ .X_EMQX_MQTT_PASSWORD }}",
+              "is_superuser": true
+            },
+            {
+              username = "tasmota"
+              password = "{{ .X_EMQX_TASMOTA_PASSWORD }}"
+            },
+            {
+              username = "homeassistant"
+              password = "{{ .X_EMQX_HOMEASSISTANT_PASSWORD }}"
+            }
+          ]
+
   dataFrom:
     - extract:
         key: emqx
+    - extract:
+        key: "emqx - [tasmota]"
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "X_EMQX_TASMOTA_$1"
+    - extract:
+        key: "emqx - [homeassistant]"
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "X_EMQX_HOMEASSISTANT_$1"

kubernetes/apps/database/emqx/cluster/cluster.yaml

@@ -7,26 +7,9 @@ metadata:
 spec:
   image: public.ecr.aws/emqx/emqx:5.8.0
   config:
+    mode: Merge
     data: |
-      authentication {
+      $(emqx-conf)
-        backend = "built_in_database"
-        mechanism = "password_based"
-        password_hash_algorithm {
-            name = "bcrypt",
-        }
-        user_id_type = "username"
-        bootstrap_file = "/opt/init-user.json"
-        bootstrap_type = "plain"
-      }
-      authorization {
-        sources = [
-          {
-            type = built_in_database
-            enable = true
-          }
-        ]
-        no_match: "deny"
-      }
   coreTemplate:
     metadata:
       annotations:

kubernetes/apps/database/emqx/cluster/kustomization.yaml

@@ -6,3 +6,24 @@ resources:
   - ./cluster.yaml
   - ./ingress.yaml
   - ./podmonitor.yaml
+patchesStrategicMerge:
+  - cluster.yaml
+configMapGenerator:
+  - name: emqx-conf
+    files:
+      - resources/emqx.conf
+replacements:
+  - source:
+      kind: ConfigMap
+      name: emqx-conf
+      fieldPath: data.emqx.conf
+    targets:
+      - select:
+          kind: EMQX
+          name: emqx
+        fieldPaths:
+          - spec.config.data
+        options:
+          delimiter: |
+generatorOptions:
+  disableNameSuffixHash: true

kubernetes/apps/database/emqx/cluster/resources/emqx.conf

@@ -0,0 +1,27 @@
+authentication {
+  backend = "built_in_database"
+  mechanism = "password_based"
+  password_hash_algorithm {
+      name = "bcrypt",
+  }
+  user_id_type = "username"
+  bootstrap_file = "/opt/init-user.json"
+  bootstrap_type = "plain"
+}
+
+authorization {
+  sources = [
+    {
+      type = built_in_database
+      enable = true
+    }
+  ]
+  no_match: "deny"
+}
+
+authorization.sources.built_in_database.rules = [
+  {allow, {user, "jahanson"}, all, ["#"]},
+  {allow, {user, "tasmota"}, publish, ["tasmota/discovery/#", "tele/tasmota_+/+", "cmnd/tasmota_+/+"]},
+  {allow, {user, "homeassistant"}, subscribe, ["stat/tasmota_+/+", "tele/tasmota_+/+"]},
+  {deny, all}
+]