EMQX listeners configuration via Kubernetes deployment, bootstrap config

Hi,

I am new to MQTT and am deploying an EMQX cluster that has 3 listeners as follows:

  • 2 listeners, default and quic, that are accessible publicly via username/password authentication and use SSL encryption.
  • 1 internal listener that does not require any authentication and does not use SSL encryption.

I would like to know if such a setup is possible.
Then, how to deploy this with Kubernetes.

So far, I came up with this as part of the deployment.yaml file:

  bootstrapConfig: |
    dashboard {
      listeners.http {
          bind: 18083
      }
      default_username: "admin"
      default_password: "xxx"
    }

    listeners.tcp.default {
      bind = "0.0.0.0:1883"
      max_connections = 1024000
    }

    listeners.tcp.internal {
      bind = "0.0.0.0:1884"
      max_connections = 1024000
    }

    listeners.tcp.quic {
      bind = "0.0.0.0:1885"
      max_connections = 1024000
    }

This works, but I am not sure how to add the layers of SSL and password authentication that I need for 2 out of those 3 listeners.

So far, I used this as a reference:

I have tried adding lines into the configuration of each of the listeners, such as:

      authentication=[{enable=true, backend="built_in_database", mechanism="password_based"}]

and

      ssl_options.verify = "verify_peer"

I have not found the right code snippet to use.

Can someone point me to some kind of documentation or examples that I could follow?

Thank you.

Hi. Sorry I missed your post.

EMQX 5.0 supports global authentication and authentication configured individually for listeners.

Configuration

authentication = [
    ...
]

is global authentication and takes effect for all listeners.

But its premise is that the listener does not configure authentication by itself.

Listeners can configure their own authentication:

listeners.tcp.default {
  ...
  enable_authn = true
  authentication = [
    ...
  ]
}

Authentication can also be turned off, indicating that clients connected through this listener will not need authentication:

listeners.tcp.default {
  ...
  enable_authn = false
}

You can find these in Authentication.
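
Added example (not part of the original thread and not EMQX's own sample config): one way the setup from the question could be written for bootstrapConfig, with a TLS listener that carries its own password authentication and a plain internal listener with authentication turned off. It covers the TLS and internal listeners only; `ssl_options` applies to a listener declared under `listeners.ssl`, not `listeners.tcp`. Port 8883 and the certificate paths are assumptions.

```hocon
# Added example. Certificate paths are placeholders; mount the real files
# into the pod (for example from a Kubernetes Secret).

# Public listener: MQTT over TLS, username/password required.
listeners.ssl.default {
  bind = "0.0.0.0:8883"                      # assumed port
  max_connections = 1024000
  ssl_options {
    cacertfile = "/mounted/certs/ca.crt"     # placeholder path
    certfile   = "/mounted/certs/tls.crt"    # placeholder path
    keyfile    = "/mounted/certs/tls.key"    # placeholder path
    # verify_none: the broker presents its certificate and clients identify
    # themselves with username/password. verify_peer makes the broker ask
    # for and validate a client certificate as well.
    verify = verify_none
  }
  enable_authn = true
  # Listener-level authentication, used instead of the global chain.
  authentication = [
    {
      mechanism = password_based
      backend = built_in_database
      user_id_type = username
      password_hash_algorithm {
        name = sha256
        salt_position = suffix
      }
    }
  ]
}

# Internal listener: plain TCP, no authentication.
listeners.tcp.internal {
  bind = "0.0.0.0:1884"
  max_connections = 1024000
  enable_authn = false
}
```

Because the internal listener accepts any client that can reach port 1884, keep that port out of any public Service or LoadBalancer and limit which pods may connect to it, for example with a NetworkPolicy.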