initial

certificate.yml

@@ -0,0 +1,27 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mosquitto-broker-cert
+spec:
+  secretName: mosquitto-broker-cert
+  duration: 2160h
+  renewBefore: 360h
+  subject:
+    organizations:
+      - hottis-de
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+  dnsNames:
+    - broker.hottis.de
+    - broker2.hottis.de
+    - broker.cem-berresheim.ib-hottgenroth.de
+  issuerRef:
+    name: letsencrypt-staging-http
+    kind: ClusterIssuer
+    group: cert-manager.io
+

deploy.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+NAMESPACE=mosquitto
+
+kubectl create namespace $NAMESPACE \
+  --dry-run=client \
+  -o yaml | \
+  kubectl -f - apply
+
+echo "Applying certificate ..."
+kubectl apply -f $DEPLOYMENT_DIR/certificate.yml -n $NAMESPACE
+
+echo "Applyiny configuration ..."
+kubectl create configmap mosquitto-broker-config
+  --from-file=mosquitto.conf=mosquitto.conf
+  --from-file=pwfile=pwfile
+  --namespace=$NAMESPACE
+  --dry-run=client -o yaml | kubectl apply -f - -n $NAMESPACE
+
+echo "Waiting for certificate secret to be created..."
+kubectl wait --for=condition=Ready certificate/mosquitto-broker-cert -n $NAMESPACE --timeout=300s
+
+if [ $? -ne 0 ]; then
+  echo "Certificate secret creation failed or timed out"
+  exit 1
+fi
+
+echo "Certificate ready, applying deployment ..."
+
+kubectl apply -f deploy.yml -n $NAMESPACE
+

deploy.yml

@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mosquitto-broker
+  annotations:
+    configmap.reloader.stakater.com/reload: "mosquitto-broker-config"
+    secret.reloader.stakater.com/reload: "mosquitto-broker-cert"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mosquitto-broker
+  template:
+    metadata:
+      labels:
+        app: mosquitto-broker
+    spec:
+      containers:
+        - name: mosquitto-broker
+          image: eclipse-mosquitto:2.0.22
+          ports:
+            - name: mqtt
+              containerPort: 1883
+              protocol: TCP
+            - name: mqtt-anon
+              containerPort: 1884
+              protocol: TCP
+            - name: mqtt-tls
+              containerPort: 8883
+              protocol: TCP
+          readinessProbe:
+            tcpSocket:
+              port: 1883
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 3
+          volumeMounts:
+            - name: mosquitto-broker-config
+              mountPath: /mosquitto/config/
+              readOnly: true
+            - name: mosquitto-broker-tls-config
+              mountPath: /mosquitto/config/ssl
+              readOnly: true
+      volumes:
+        - name: mosquitto-broker-config
+          configMap:
+            name: mosquitto-broker-config
+            items:
+              - key: mosquitto.conf
+                path: mosquitto.conf
+              - key: pwfile
+                path: pwfile
+        - name: mosquitto-broker-tls-conf
+          secret:
+            secretName: mosquitto-broker-tls-conf
+            defaultMode: 0644
+            items:
+              - key: tls.crt
+                path: server.crt
+                mode: 0644
+              - key: tls.key
+                path: server.key
+                mode: 0444
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mosquitto-broker-mqtt
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: mosquitto-broker
+  ports:
+    - name: mqtt
+      port: 1883
+      targetPort: 1883
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mosquitto-broker-mqtt-anon
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: mosquitto-broker
+  ports:
+    - name: mqtt-anon
+      port: 1884
+      targetPort: 1884
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mosquitto-broker-mqtt-tls
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: mosquitto-broker
+  ports:
+    - name: mqtt-tls
+      port: 8883
+      targetPort: 8883
+      protocol: TCP
+

mosquitto.conf

@@ -0,0 +1,25 @@
+pid_file /mosquitto/config/mosquitto.pid
+log_dest stdout
+log_type all
+
+persistence true
+persistence_location /mosquitto/data
+
+per_listener_settings true
+
+listener 1884
+protocol mqtt
+allow_anonymous true
+
+listener 1883
+protocol mqtt
+allow_anonymous false
+password_file /mosquitto/config/pwfile
+
+listener 8883
+protocol mqtt
+allow_anonymous false
+password_file /mosquitto/config/pwfile
+certfile /mosquitto/config/ssl/server.crt
+keyfile /mosquitto/config/ssl/server.key
+