Secret is an object that contains a small amount of sensitive information such as passwords, tokens, or keys. For its documentation, please refer to: Secret(opens new window). In this article, we use Secret to save TLS certificate information, so we need to create Secret based on TLS certificate before creating EMQX cluster.
Save the following as a YAML file and deploy it with the kubectl apply command
ca.crt indicates the content of the CA certificate, tls.crt indicates the content of the server certificate, and tls.key indicates the content of the server private key. In this example, the contents of the above three fields are omitted, please fill them with the contents of your own certificate.
The following is the relevant configuration of EMQX Custom Resource. You can choose the corresponding APIVersion according to the version of EMQX you want to deploy. For the specific compatibility relationship, please refer to EMQX Operator Compatibility:
EMQX CRD supports configuring volumes and mount points for EMQX clusters through .spec.template.spec.volumes and .spec.template.spec.emqxContainer.volumeMounts fields. In this article, we can use these two fields to configure TLS certificates for the EMQX cluster.
There are many types of Volumes. For the description of Volumes, please refer to the document: Volumes(opens new window). In this article we are using the secret type.
Save the following as a YAML file and deploy it with the kubectl apply command
The .spec.template.spec.volumes field configures the volume type as: secret, and the name as: emqx-tls.
The .spec.template.spec.emqxContainer.volumeMounts field configures the directory where the TLS certificate is mounted to EMQX: /mounted/cert.
The .spec.template.spec.emqxContainer.emqxConfig field configures the TLS listener certificate path. For more TLS listener configurations, please refer to the document: tlsexternal(opens new window).
Wait for EMQX cluster to be ready, you can check the status of EMQX cluster through the kubectl get command, please make sure that STATUS is Running, this may take some time
$ kubectl get emqxenterprises
NAME STATUS AGE
emqx-ee Running 8m33s
1 2 3
Obtain the External IP of EMQX cluster and access EMQX console
$ kubectl get svc emqx-ee -o json | jq '.status.loadBalancer.ingress[0].ip'192.168.1.200
1 2 3
Access http://192.168.1.200:18083 through a browser, and use the default username and password admin/public to login EMQX console.
EMQX CRD supports using .spec.coreTemplate.extraVolumes and .spec.coreTemplate.extraVolumeMounts and .spec.replicantTemplate.extraVolumes and .spec.replicantTemplate.extraVolumeMounts fields to configure additional volumes and mounts for the EMQX cluster point. In this article, we can use these two fields to configure TLS certificates for the EMQX cluster.
There are many types of Volumes. For the description of Volumes, please refer to the document: Volumes(opens new window). In this article we are using the secret type.
Save the following as a YAML file and deploy it with the kubectl apply command
The .spec.coreTemplate.extraVolumes field configures the volume type as: secret, and the name as: emqx-tls.
The .spec.coreTemplate.extraVolumeMounts field configures the directory where the TLS certificate is mounted to EMQX: /mounted/cert.
The .spec.bootstrapConfig field configures the TLS listener certificate path. For more TLS listener configurations, please refer to the document: ssllistener(opens new window).
Wait for EMQX cluster to be ready, you can check the status of EMQX cluster through the kubectl get command, please make sure that STATUS is Running, this may take some time
$ kubectl get emqx
NAME IMAGE STATUS AGE
emqx emqx:5.0 Running 10m
1 2 3 4
Obtain the External IP of EMQX cluster and access EMQX console
EMQX Operator will create two EMQX Service resources, one is emqx-dashboard and the other is emqx-listeners, corresponding to EMQX console and EMQX listening port respectively.
$ kubectl get svc emqx-dashboard -o json | jq '.status.loadBalancer.ingress[0].ip'192.168.1.200
1 2 3
Access http://192.168.1.200:18083 through a browser, and use the default username and password admin/public to login EMQX console.
MQTT X CLI(opens new window) is an open source MQTT 5.0 command line client tool, designed to help developers to more Quickly develop and debug MQTT services and applications.
Obtain the External IP of EMQX cluster
external_ip=$(kubectl get svc emqx-ee -o json | jq '.status.loadBalancer.ingress[0].ip')
1
external_ip=$(kubectl get svc emqx-listeners -o json | jq '.status.loadBalancer.ingress[0].ip')