emqx / emqx-operator

A Kubernetes Operator for EMQX
https://www.emqx.com
Apache License 2.0

Add support for EMQX `.spec.config` from existing Secret or Configmap #1039

Closed onedr0p closed 2 months ago

onedr0p commented 2 months ago

Is your feature request related to a problem? Please describe.

I would like to use the templating features of ESO in order to populate the .spec.config field in the EMQX resource and it would be great if the .spec.config could read from an existing secret or configmap to achieve this.

Describe the solution you'd like

Consider the following ...

EMQX resource

```yaml
---
apiVersion: apps.emqx.io/v2beta1
kind: EMQX
metadata:
  name: emqx5
  namespace: database
spec:
  image: public.ecr.aws/emqx/emqx:5.6.0
  # New Option
  configFrom:
    - type: secret
      name: emqx-config-secret
  coreTemplate:
    spec:
      replicas: 3
```

External Secret resource

This will create a Kubernetes secret and ESO would replace {{.LDAP_USERNAME}} and {{.LDAP_PASSWORD}} with my external secret from my provider.

```yaml
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: emqx-config
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: emqx-config-secret
    template:
      engineVersion: v2
      data:
        config: |
          authentication {
            backend = "ldap"
            mechanism = "password_based"
            method {
              type = hash
              password_attribute = "userPassword"
              is_superuser_attribute = "isSuperuser"
            }
            server = "127.0.0.1:389"
            query_timeout = "5s"
            username = "{{.LDAP_USERNAME}}"
            password = "{{.LDAP_PASSWORD}}"
            pool_size = 8
            base_dn = "uid=${username},ou=testdevice,dc=emqx,dc=io"
            filter = "(objectClass=mqttUser)"
          }
  dataFrom:
    - extract:
        key: emqx
    - extract:
        key: ldap
```

I could then use the secret in the EMQX resource using configFrom as shown in my example.

Rory-Z commented 2 months ago

Hi @onedr0p, I'm sorry, I don't know too much about external secrets; it looks like it is a community operator? I think we will not support it soon. EMQX supports using environment variables for configuration; check this document: https://docs.emqx.com/en/enterprise/latest/configuration/configuration.html#environment-variables So maybe you can try setting the K8s secret in the EMQX pod environment; I think it will work.

onedr0p commented 2 months ago

This really isn't about ESO, it's more about consuming the config from an existing secret or configmap. I was just explaining my use-case with ESO.

Rory-Z commented 2 months ago

OK, can environment variables meet your needs?

onedr0p commented 2 months ago

I suppose so