messing with kustomize and emqx

2024-09-22 21:10:53 -05:00 · 2024-09-22 21:10:53 -05:00 · a1edec07ed
commit a1edec07ed
parent 2a8c569ce9
4 changed files with 78 additions and 20 deletions
--- a/kubernetes/apps/database/emqx/app/externalsecret.yaml
+++ b/kubernetes/apps/database/emqx/app/externalsecret.yaml
@ -35,7 +35,34 @@ spec:
      engineVersion: v2
      data:
        init-user.json: |
-          [{"user_id": "{{ .X_EMQX_MQTT_USERNAME }}", "password": "{{ .X_EMQX_MQTT_PASSWORD }}", "is_superuser": true}]
+          [
+            {
+              "user_id": "{{ .X_EMQX_MQTT_USERNAME }}",
+              "password": "{{ .X_EMQX_MQTT_PASSWORD }}",
+              "is_superuser": true
+            },
+            {
+              username = "tasmota"
+              password = "{{ .X_EMQX_TASMOTA_PASSWORD }}"
+            },
+            {
+              username = "homeassistant"
+              password = "{{ .X_EMQX_HOMEASSISTANT_PASSWORD }}"
+            }
+          ]
+
  dataFrom:
    - extract:
        key: emqx
+    - extract:
+        key: "emqx - [tasmota]"
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "X_EMQX_TASMOTA_$1"
+    - extract:
+        key: "emqx - [homeassistant]"
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "X_EMQX_HOMEASSISTANT_$1"
--- a/kubernetes/apps/database/emqx/cluster/cluster.yaml
+++ b/kubernetes/apps/database/emqx/cluster/cluster.yaml
@ -7,26 +7,9 @@ metadata:
 spec:
  image: public.ecr.aws/emqx/emqx:5.8.0
  config:
+    mode: Merge
    data: |
-      authentication {
-        backend = "built_in_database"
-        mechanism = "password_based"
-        password_hash_algorithm {
-            name = "bcrypt",
-        }
-        user_id_type = "username"
-        bootstrap_file = "/opt/init-user.json"
-        bootstrap_type = "plain"
-      }
-      authorization {
-        sources = [
-          {
-            type = built_in_database
-            enable = true
-          }
-        ]
-        no_match: "deny"
-      }
+      $(emqx-conf)
  coreTemplate:
    metadata:
      annotations:
--- a/kubernetes/apps/database/emqx/cluster/kustomization.yaml
+++ b/kubernetes/apps/database/emqx/cluster/kustomization.yaml
@ -6,3 +6,24 @@ resources:
  - ./cluster.yaml
  - ./ingress.yaml
  - ./podmonitor.yaml
+patchesStrategicMerge:
+  - cluster.yaml
+configMapGenerator:
+  - name: emqx-conf
+    files:
+      - resources/emqx.conf
+replacements:
+  - source:
+      kind: ConfigMap
+      name: emqx-conf
+      fieldPath: data.emqx.conf
+    targets:
+      - select:
+          kind: EMQX
+          name: emqx
+        fieldPaths:
+          - spec.config.data
+        options:
+          delimiter: |
+generatorOptions:
+  disableNameSuffixHash: true
--- a/kubernetes/apps/database/emqx/cluster/resources/emqx.conf
+++ b/kubernetes/apps/database/emqx/cluster/resources/emqx.conf
@ -0,0 +1,27 @@
+authentication {
+  backend = "built_in_database"
+  mechanism = "password_based"
+  password_hash_algorithm {
+      name = "bcrypt",
+  }
+  user_id_type = "username"
+  bootstrap_file = "/opt/init-user.json"
+  bootstrap_type = "plain"
+}
+
+authorization {
+  sources = [
+    {
+      type = built_in_database
+      enable = true
+    }
+  ]
+  no_match: "deny"
+}
+
+authorization.sources.built_in_database.rules = [
+  {allow, {user, "jahanson"}, all, ["#"]},
+  {allow, {user, "tasmota"}, publish, ["tasmota/discovery/#", "tele/tasmota_+/+", "cmnd/tasmota_+/+"]},
+  {allow, {user, "homeassistant"}, subscribe, ["stat/tasmota_+/+", "tele/tasmota_+/+"]},
+  {deny, all}
+]