Emqx-operator and services

wolutator · September 5, 2023, 7:05am

Hi,

I’ve created an EMQX instance using the emqx-operator (version 2.2.2) on a k3s cluster (version 1.27.4). Additional I’ve metallb installed.

I’m creating the EMQX using this piece of code:

apiVersion: apps.emqx.io/v2beta1
kind: EMQX
metadata:
  name: emqx01
spec:
  image: emqx:5.1
  listenersServiceTemplate:
    spec:
      type: LoadBalancer
  dashboardServiceTemplate:
    spec:
      type: LoadBalancer
  config:
    data: |
      listeners.tcp.internal {
        access_rules = ["allow all"]
        bind = "0.0.0.0:1883"
        enable_authn = false
      }
      listeners.tcp.default {
        access_rules = ["allow all"]
        bind = "0.0.0.0:1884"
        enable_authn = true
      }
      authentication = [
        {
          backend = postgresql
          database = emqx
          enable = true
          mechanism = password_based
          password = PLACEHOLDER
          password_hash_algorithm {name = sha256, salt_position = suffix}
          pool_size = 8
          query = "SELECT password_hash, salt FROM mqtt_user where username = ${username} LIMIT 1"
          server = "timescaledb.default.svc.cluster.local:5432"
          ssl {
            ciphers = []
            depth = 10
            enable = true
            hibernate_after = 5s
            log_level = notice
            reuse_sessions = true
            secure_renegotiate = true
            verify = verify_none
            versions = [tlsv1.3, tlsv1.2]
          }
          username = emqx
        }
      ]

  coreTemplate:
    spec:
      volumeClaimTemplates:
        storageClassName: nfs-client
        resources:
          requests:
            storage: 20Mi
        accessModes:
          - ReadWriteOnce
      env:
        - name: EMQX_AUTHENTICATION__1__PASSWORD
          valueFrom:
            secretKeyRef:
              name: emqx01-database-password
              key: password

I’ve two listeners configured, one I want to use in a protected subnet without authentication, the other one (to be extended using TLS stuff) externally with authentication.

Unfortunately the statement listenersServiceTemplate creates a single loadbalancer object with both ports bound to it. However, I would like to get two separate loadbalancer objects which I can individual fine-tune, in particularly with two different external IP addresses.

Is there any way to achieve that or is there a way to disable the creation of the service objects completely to let me create them afterwards on my own?
(Leaving out the listenersServiceTemplate block completely won’t help, I end up with a service object of type ClusterIP and two ports. Unfortunately it appears, that I can’t bind additional service objects of type LoadBalancer to that EMQX instance - or to be exact: k3s let me bind them, but they won’t work (no answer on the network at all from them).)

Does anyone have a hint for me?

Thanks and Cheers, Wolfgang

dmif · September 6, 2023, 1:06pm

Hello,

You might want to create a feature request here: GitHub - emqx/emqx-operator: A Kubernetes Operator for EMQX

wolutator · September 6, 2023, 9:37pm

Thanks for the hint, I’ve done that.

Cheers, Wolfgang