# Enable TLS

# Task Target

Customize TLS certificates via the extraVolumes and extraVolumeMounts fields.

# Create Secret Based On TLS Certificate

A Secret is an object that contains a small amount of sensitive information such as passwords, tokens, or keys. For details, refer to the Secret documentation. This article uses a Secret to store the TLS certificate information, so the Secret must be created from the TLS certificate before the EMQX cluster is created.

  • Save the following as a YAML file and deploy it with the kubectl apply command

    apiVersion: v1
    kind: Secret
    metadata:
      name: emqx-tls
    type: kubernetes.io/tls
    stringData:
      ca.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      tls.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      tls.key: |
        -----BEGIN RSA PRIVATE KEY-----
        ...
        -----END RSA PRIVATE KEY-----
    

    ca.crt holds the CA certificate, tls.crt holds the server certificate, and tls.key holds the server private key. The contents of all three fields are omitted in this example; fill them in with the contents of your own certificate.
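
A mismatched key or a certificate issued by a different CA is easier to catch before the Secret is applied than after the listener fails to start. The following pre-flight check is an added example, not part of the EMQX Operator documentation; it assumes the `openssl` CLI is installed, the function names `check_tls_material` and `make_sample_material` are hypothetical, and the sample CA and server certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight check for the files that go into the emqx-tls Secret.
# Stand-alone use: sh check_tls.sh ca.crt tls.crt tls.key

# Return 0 only if tls.key belongs to tls.crt and tls.crt verifies against ca.crt.
check_tls_material() {  # $1 = ca.crt, $2 = tls.crt, $3 = tls.key
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ||
    { echo "tls.crt: not a readable PEM certificate" >&2; return 2; }
  # -passin pass: keeps openssl from prompting if the key is encrypted.
  key_pub=$(openssl pkey -in "$3" -passin pass: -pubout 2>/dev/null) ||
    { echo "tls.key: not a readable unencrypted private key" >&2; return 2; }
  # A certificate and a private key match when they carry the same public key.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "tls.key does not match tls.crt" >&2; return 3; }
  # Chain and validity-period check (the hostname is not checked here).
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "tls.crt does not verify against ca.crt" >&2; return 4; }
  return 0
}

# Constructed sample material for trying the check: a throwaway CA, a server
# certificate signed by it, and an unrelated key (other.key). Not for real use.
make_sample_material() {  # $1 = existing output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-test-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=emqx.example.test" \
    -keyout "$1/tls.key" -out "$1/tls.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/tls.crt" 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# When called with three file arguments, check them and exit with the result.
if [ "$#" -eq 3 ]; then check_tls_material "$@"; fi
```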

# Configure EMQX Cluster

The following is the relevant configuration of EMQX Custom Resource. You can choose the corresponding APIVersion according to the version of EMQX you want to deploy. For the specific compatibility relationship, please refer to EMQX Operator Compatibility:

# Verify TLS Connection Using MQTT X CLI

MQTT X CLI is an open source MQTT 5.0 command line client tool, designed to help developers develop and debug MQTT services and applications more quickly.

  • Obtain the External IP of EMQX cluster

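  • Subscribe to messages using MQTT X CLI. The --insecure flag skips verification of the server certificate, so this test confirms that the listener accepts TLS connections, not that the certificate chains to your CA.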

    mqttx sub -h ${external_ip} -p 8883 -t "hello" -l mqtts --insecure
    
    [10:00:25] › … Connecting...
    [10:00:25] › ✔ Connected
    [10:00:25] › … Subscribing to hello...
    [10:00:25] › ✔ Subscribed to hello
    
  • Create a new terminal window and publish a message using the MQTT X CLI

    mqttx pub -h ${external_ip} -p 8883 -t "hello" -m "hello world" -l mqtts --insecure
    
    [10:00:58] › … Connecting...
    [10:00:58] › ✔ Connected
    [10:00:58] › … Message Publishing...
    [10:00:58] › ✔ Message published
    
  • View messages received in the subscribed terminal window

    [10:00:58] › payload: hello world
    