enable mtls for mqtt.

Signed-off-by: morvencao <[email protected]>
openshift-online · Jun 14, 2024 · f89bd5b · f89bd5b
1 parent 9b4a782
commit f89bd5b
Showing 1 changed file with 91 additions and 5 deletions.
diff --git a/test/e2e/setup/e2e_setup.sh b/test/e2e/setup/e2e_setup.sh
@@ -14,13 +14,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-if ! command -v kind >/dev/null 2>&1; then 
+if ! command -v kind >/dev/null 2>&1; then
     echo "This script will install kind (https://kind.sigs.k8s.io/) on your machine."
     curl -Lo ./kind-amd64 "https://kind.sigs.k8s.io/dl/v0.12.0/kind-$(uname)-amd64"
     chmod +x ./kind-amd64
     sudo mv ./kind-amd64 /usr/local/bin/kind
 fi
 
+if ! command -v step >/dev/null 2>&1; then
+    echo "This script will install step (https://smallstep.com/docs/step-cli/) on your machine."
+    curl -Lo ./step_0.26.2_amd64.tar.gz "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.26.2/step_$(uname | tr '[:upper:]' '[:lower:]')_0.26.2_amd64.tar.gz"
+    tar -xzvf step_0.26.2_amd64.tar.gz
+    chmod +x ./step_0.26.2/bin/step
+    sudo mv ./step_0.26.2/bin/step /usr/local/bin/step
+    rm -rf ./step_0.26.2_amd64.tar.gz ./step_0.26.2
+fi
+
 # 1. create KinD cluster
 cat << EOF | kind create cluster --name maestro --kubeconfig ./test/e2e/.kubeconfig --config=-
 kind: Cluster
@@ -76,19 +85,96 @@ kubectl patch service maestro -n $namespace -p '{"spec":{"type":"NodePort", "por
 # expose the maestro grpc server via nodeport
 kubectl patch service maestro-grpc -n $namespace -p '{"spec":{"type":"NodePort", "ports":  [{"nodePort": 30090, "port": 8090, "targetPort": 8090}]}}' --type merge
 
-# 5. create a consumer
+# 5. create a self-signed certificate for mqtt
+step certificate create "maestro-mqtt-ca" ca.crt ca.key --profile root-ca --no-password --insecure
+step certificate create "maestro-mqtt-broker" server.crt server.key -san maestro-mqtt -san maestro-mqtt.maestro --profile leaf --ca ./ca.crt --ca-key ./ca.key --no-password --insecure
+step certificate create "maestro-server" client.crt client.key --profile leaf --ca ./ca.crt --ca-key ./ca.key --no-password --insecure
+
+# apply the mosquitto configmap
+cat << EOF | kubectl -n $namespace apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: maestro-mqtt
+data:
+  mosquitto.conf: |
+    listener 1883 0.0.0.0
+    allow_anonymous false
+    use_identity_as_username true
+    cafile /mosquitto/certs/ca.crt
+    keyfile /mosquitto/certs/server.key
+    certfile /mosquitto/certs/server.crt
+    tls_version tlsv1.2
+    require_certificate true
+EOF
+
+# create secret containing the mqtt certs and patch the maestro-mqtt deployment
+kubectl create secret generic maestro-mqtt-certs -n $namespace --from-file=ca.crt=./ca.crt --from-file=server.crt=./server.crt --from-file=server.key=./server.key
+kubectl patch deploy/maestro-mqtt -n $namespace --type='json' -p='[{"op": "add", "path": "/spec/template/spec/volumes/-", "value": {"name": "mosquitto-certs","secret": {"secretName": "maestro-mqtt-certs"}}}]'
+kubectl patch deploy/maestro-mqtt -n $namespace --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/-", "value": {"name": "mosquitto-certs","mountPath": "/mosquitto/certs"}}]}'
+kubectl wait deploy/maestro-mqtt -n $namespace --for condition=Available=True --timeout=200s
+
+# apply the maestro-mqtt secret
+cat << EOF | kubectl -n $namespace apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: maestro-mqtt
+stringData:
+  config.yaml: |
+    brokerHost: maestro-mqtt.maestro:1883
+    caFile: /secrets/mqtt-certs/ca.crt
+    clientCertFile: /secrets/mqtt-certs/client.crt
+    clientKeyFile: /secrets/mqtt-certs/client.key
+    topics:
+      sourceEvents: sources/maestro/consumers/+/sourceevents
+      agentEvents: \$share/statussubscribers/sources/maestro/consumers/+/agentevents
+EOF
+
+# create secret containing the client certs to mqtt broker and patch the maestro deployment
+kubectl create secret generic maestro-server-certs -n $namespace --from-file=ca.crt=./ca.crt --from-file=client.crt=./client.crt --from-file=client.key=./client.key
+kubectl patch deploy/maestro -n $namespace --type='json' -p='[{"op": "add", "path": "/spec/template/spec/volumes/-", "value": {"name": "mqtt-certs","secret": {"secretName": "maestro-server-certs"}}}]'
+kubectl patch deploy/maestro -n $namespace --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/-", "value": {"name": "mqtt-certs","mountPath": "/secrets/mqtt-certs"}}]}'
+kubectl wait deploy/maestro -n $namespace --for condition=Available=True --timeout=200s
+
+# 6. create a consumer
 export external_host_ip="127.0.0.1"
 echo $external_host_ip > ./test/e2e/.external_host_ip
-kubectl wait deployment maestro -n $namespace --for condition=Available=True --timeout=200s
 
 sleep 5 # wait 5 seconds for the service ready
 
 # the consumer name is not specified, the consumer id will be used as the consumer name
 export consumer_name=$(curl -k -X POST -H "Content-Type: application/json" https://${external_host_ip}:30080/api/maestro/v1/consumers -d '{}' | jq -r '.id')
 echo $consumer_name > ./test/e2e/.consumer_name
 
-# 6. deploy maestro agent into maestro-agent namespace
+# 7. deploy maestro agent into maestro-agent namespace
 export agent_namespace=maestro-agent
-kubectl create namespace $agent_namespace || true
+kubectl create namespace ${agent_namespace} || true
 make agent-template
 kubectl apply -n ${agent_namespace} --filename="templates/agent-template.json" | egrep --color=auto 'configured|$$'
+
+# apply the maestro-mqtt secret
+cat << EOF | kubectl -n ${agent_namespace} apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: maestro-agent-mqtt
+stringData:
+  config.yaml: |
+    brokerHost: maestro-mqtt.maestro:1883
+    caFile: /secrets/mqtt-certs/ca.crt
+    clientCertFile: /secrets/mqtt-certs/client.crt
+    clientKeyFile: /secrets/mqtt-certs/client.key
+    topics:
+      sourceEvents: sources/maestro/consumers/${consumer_name}/sourceevents
+      agentEvents: sources/maestro/consumers/${consumer_name}/agentevents
+EOF
+
+# create secret containing the client certs to mqtt broker and patch the maestro-agent deployment
+kubectl create secret generic maestro-agent-certs -n ${agent_namespace} --from-file=ca.crt=./ca.crt --from-file=client.crt=./client.crt --from-file=client.key=./client.key
+kubectl patch deploy/maestro-agent -n ${agent_namespace} --type='json' -p='[{"op": "add", "path": "/spec/template/spec/volumes/-", "value": {"name": "mqtt-certs","secret": {"secretName": "maestro-agent-certs"}}}]'
+kubectl patch deploy/maestro-agent -n ${agent_namespace} --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/-", "value": {"name": "mqtt-certs","mountPath": "/secrets/mqtt-certs"}}]}'
+kubectl wait deploy/maestro-agent -n ${agent_namespace} --for condition=Available=True --timeout=200s
+
+# remove the certs
+rm ./ca.crt ./ca.key ./server.crt ./server.key ./client.crt ./client.key