From 313ab18c228a820be4cead15e35ee94e7f78c7e7 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Sun, 26 Jan 2020 20:30:42 +0100
Subject: [PATCH] move acls and passwds to sealed secrets
---
 mosquitto/README.md | 17 +++++++++++++++++
 mosquitto/acl-secret.yaml | 17 +++++++++++++++++
 mosquitto/app.yaml | 31 ++++++++++++-------------------
 mosquitto/passwd-secret.yaml | 17 +++++++++++++++++
 4 files changed, 63 insertions(+), 19 deletions(-)
 create mode 100644 mosquitto/README.md
 create mode 100644 mosquitto/acl-secret.yaml
 create mode 100644 mosquitto/passwd-secret.yaml
diff --git a/mosquitto/README.md b/mosquitto/README.md
new file mode 100644
index 0000000..b509308
--- /dev/null
+++ b/mosquitto/README.md
@@ -0,0 +1,17 @@
+# Mosquitto installation
+
+## Usage
+
+*Modify ACLs*
+
+```
+vim ../../gitops-tbrnt-private/mosquitto/acl-secret.yaml
+kubeseal --controller-namespace sealed-secrets -o yaml -n mosquitto < ../../gitops-tbrnt-private/mosquitto/acl-secret.yaml > acl-secret.yaml
+```
+
+*Modify users/passwords*
+
+```
+vim ../../gitops-tbrnt-private/mosquitto/passwd-secret.yaml
+kubeseal --controller-namespace sealed-secrets -o yaml -n mosquitto < ../../gitops-tbrnt-private/mosquitto/passwd-secret.yaml > passwd-secret.yaml
+```
diff --git a/mosquitto/acl-secret.yaml b/mosquitto/acl-secret.yaml
new file mode 100644
index 0000000..e85a846
--- /dev/null
+++ b/mosquitto/acl-secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: mosquitto-acl
+ namespace: mosquitto
+spec:
+ encryptedData:
+ mosquitto.acl: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: mosquitto-acl
+ namespace: mosquitto
+ type: Opaque
+status: {}
+
diff --git a/mosquitto/app.yaml b/mosquitto/app.yaml
index 01ff15b..2df473d 100644
--- a/mosquitto/app.yaml
+++ b/mosquitto/app.yaml
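Review bot: The sealed ACL is bound to the exact Secret name and namespace given here (`name: mosquitto-acl`, `namespace: mosquitto`, repeated under `template`), because the README's kubeseal invocation passes `-n mosquitto` and no `--scope`, which — if I recall kubeseal's default correctly — selects strict scope. Renaming the Secret or moving the broker to another namespace therefore requires re-sealing from the private source, not just editing these metadata fields, and nothing on the page says so. A README sentence under "Modify ACLs" would capture it: `Sealed with the default (strict) scope: changing the Secret name or namespace requires re-running kubeseal.` Since kubeseal regenerates this file, the note belongs in the README rather than as a comment here.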
@@ -36,6 +36,10 @@ spec:
 name: config
 - mountPath: /mosquitto/certificates
 name: certificates
+ - mountPath: /mosquitto/acl
+ name: acl
+ - mountPath: /mosquitto/passwd
+ name: passwd
 livenessProbe:
 failureThreshold: 3
 initialDelaySeconds: 1
@@ -59,6 +63,12 @@ spec:
 - name: certificates
 secret:
 secretName: mosquitto-tls
+ - name: acl
+ secret:
+ secretName: mosquitto-acl
+ - name: passwd
+ secret:
+ secretName: mosquitto-passwd
 ---
 apiVersion: v1
 kind: Service
@@ -99,20 +109,6 @@ metadata:
 name: mosquitto
 namespace: mosquitto
 data:
- mosquitto.acl: |
- # This affects access control for clients with no username.
- topic read $SYS/#
-
- # This only affects clients with username "tobru".
- user tobru
- topic /#
- topic owntracks/#
-
- user ot-recorder
- topic owntracks/#
-
- # This affects all clients.
- pattern write $SYS/broker/connection/%c/state
 mosquitto.conf: |
 # Config file for mosquitto
 user mosquitto
@@ -161,11 +157,8 @@ data:
 keyfile /mosquitto/certificates/tls.key
 # Security
- password_file /mosquitto/config/mosquitto.passwd
- acl_file /mosquitto/config/mosquitto.acl
- mosquitto.passwd: |
- tobru:$6$J8h/CHCqJgNR6O3I$jhvpbYRQkS59NUHCWcTl4Bno0dBOHmGyI9wjMObvMXCabt//ksWN33AkYOeZc+afMbHlBftX2NfIxuclzLNXMg==
- ot-recorder:$6$naz4hsdtrfSyQa4P$IJnC8S6B4nDHxFLS2xFKkHzEL6UQg6iS3Y9mduzrY26LrA5JuXjMLer7dRmAT39yRyo6jEW4y01vBoVSxacFdQ==
+ password_file /mosquitto/passwd/mosquitto.passwd
+ acl_file /mosquitto/acl/mosquitto.acl
 ca.crt: |
 -----BEGIN CERTIFICATE-----
 MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
diff --git a/mosquitto/passwd-secret.yaml b/mosquitto/passwd-secret.yaml
new file mode 100644
index 0000000..bb5131c
--- /dev/null
+++ b/mosquitto/passwd-secret.yaml
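Review bot: Removing the `tobru` and `ot-recorder` password hashes from the ConfigMap in the `@@ -161,11 +157,8 @@` hunk does not remove them from the repository history, so the commit only stops future exposure; if this repo has ever been readable by anyone who should not hold those credentials, both passwords should be rotated and the new hashes sealed into `mosquitto-passwd`, rather than re-sealing the existing ones. The same applies to the ACL removed in the `@@ -99,20 +109,6 @@` hunk, which remains readable in history even though it is now delivered as a SealedSecret. The new `password_file` / `acl_file` lines could point the next maintainer at the source of truth with a comment inside the conf, e.g. `# Both files are mounted from SealedSecrets; edit the sources in the private repo and re-seal (see README).` The `mosquitto.conf` block scalar starts before this hunk and `ca.crt` continues after it.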
@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: mosquitto-passwd
+ namespace: mosquitto
+spec:
+ encryptedData:
+ mosquitto.passwd: AgDY5IkOr4zeS1eHw7id85poA4wuun5apYDeRsnN7cojwiYkTtxEWWfpnUxhTL7KShbf1vvNTEXQqm0T5uNlcOimvORcurnikUFpKyfU0di0UhuJLeshoL/VOcPuN1gFSu0e9MV8cCQSou/+72ZR4Os0xG5PEqdY3UyI0vGM7tbmp89mvpFwBom84t7PlaSHxSKvZT6bAwDcenjwXSMGLl3NMuLwI6mze/Y23IPUkATllZf0ovwFQmxml5snhMzkthJ+ShLTuIKr/rB8XvAfM90vMtgAVE8q1RPscXfBaO9u16I/M1yzKbLlJh3UVnq7IZzxRamotbmheV2jOIzBs2ATkAX3j3yqA2HPmxjpsJUt8HrE84g61jjE0VSO6u55xlA+WECXfHMOdIBDrVFdOnejzBJ8TTLfHOJQTq4NitM9GtcnzGPLWsYrm459zeBdH5l9y9Z5ONHS0wAEqMsRuzPSPoeGwwLWy1hd2XePJQ/jBD+DhS8g9leEFL8GudmaRK7xgoC3/v+LEN4xkQs43FOIp/C43TgS/NyvZWGHXDsHTL8g6gThnFxf1D7yTo73ngCpxVnrNH3EMOI28HjWvoOSjLzM7IIf0erJmYMg57qkiWNIXms8hrHeWH4wFEe9gBz1emaVGbrVMPjsXdN/b36zc4DTVGhyqhQ8SUxNfY5bfrJK/pRRWKzRNSDoBYV+/nu3btwNdlHkVOq2knb7agNfHtIqP64GBosaaMYzaIHs9GxRkvKFX6KARIqPW9JXvXXGVMh1AZcg18TsnbQ1Nk06u9froldDBiQbMmvBh4aqueInHL7QmSkwqhUjQUQHhUb4Cm4GMc26qVs1IHWRpW+QA9TyL2QbYneMnaVRx9WirAR1FE/Z7l+mnSKKBgx14nfNqr2YYQR0AhDZSEmYhruQt29qbRqenbJY4UFLd3ZI57P0hbUTd/2+7at5w4AHkBSxDmyaGdx6mB7Pzley2A+rT+Z/VoEt52za5vq7cyWElAbeqksqwhZQQNy9Lw==
+ template:
+ metadata:
+ creationTimestamp: null
+ name: mosquitto-passwd
+ namespace: mosquitto
+ type: Opaque
+status: {}
+
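Review bot: Re-sealing `mosquitto.passwd` here only updates the Secret; the broker pod mounts it as a volume (the `passwd` volume added in app.yaml) and, as far as I recall, mosquitto reads `password_file` at startup and again only on SIGHUP, so a removed user keeps working until the broker is reloaded or the pod restarted, and the kubelet also takes up to its sync period to refresh a mounted Secret. The README's "Modify users/passwords" steps end at the kubeseal command and say nothing about this, so a revoked credential could silently outlive its removal. A closing README line would cover it: `Then reload or restart the mosquitto pod so the new password file is picked up.`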