k8s-at-home / charts

⚠️ Deprecated: Helm charts for applications you run at home
https://docs.k8s-at-home.com
Apache License 2.0

[mosquitto] TLS does not work if listener is defined in mosquitto.conf #1701

Closed terop closed 2 years ago

terop commented 2 years ago

Helm chart name

mosquitto

Helm chart version

4.4.0

Container name

eclipse-mosquitto

Container tag

2.0.14

Description

If TLS is to be used (which nowadays is preferred, I suppose), defining the listener option in the main mosquitto.conf causes TLS authentication to not work; the lines below are seen in the log

1657982972: New connection from <IP>:<port> on port 8883.
1657982972: Client <unknown> disconnected due to malformed packet.

TLS works if the listener option is defined in the same config file where the TLS certfile and keyfile options are defined. This problem has been noted in other places, e.g. https://serverfault.com/a/1075260/975505. I guess TLS would also work if the certificate options were defined in mosquitto.conf, but I think it is not recommended by upstream.

I worked around this problem by manually modifying the chart and removing the listener option from configmap.yaml; see the diff below.

index a2bba09e..e389901a 100644
--- a/charts/stable/mosquitto/templates/configmap.yaml
+++ b/charts/stable/mosquitto/templates/configmap.yaml
@@ -9,7 +9,6 @@ metadata:
 data:
   mosquitto.conf: |
     per_listener_settings {{ .Values.perListenerSettings }}
-    listener {{ .Values.service.main.ports.mqtt.port }}
     {{- if .Values.auth.enabled }}
     allow_anonymous false
     {{- else }}
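Review bot: dropping the `listener {{ .Values.service.main.ports.mqtt.port }}` line unconditionally changes the rendered mosquitto.conf for every user of the chart, not only those who put certfile/keyfile in a configinc file, and leaves `service.main.ports.mqtt.port` unused by the configmap while `per_listener_settings` still renders above it. Since the issue text itself proposes a values.yaml switch (option 2), wrap the line in a conditional on a new value rather than deleting it, so the default output stays as it is and TLS users can opt out of the main-file listener.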

To actually solve the problem I see two options: 1) add a note in the chart documentation that if you want to use TLS the listener option needs to be removed, or 2) add a new value to values.yaml which would make it possible to do 1) above conditionally, without the user having to modify the chart.

I think implementing option 2) would make sense.

Expected result

TLS works without having to modify the chart.

Helm values to reproduce

image:
  tag: 2.0.14

service:
  main:
    ports:
      mqtt:
        enabled: true
        port: 8883

auth:
  enabled: true

persistence:
  configinc:
    enabled: true
    mountPath: /mosquitto/configinc
    accessMode: ReadWriteOnce
    size: 50Mi

Additional Information

No response

Repo link

No response
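As an added example (not part of this issue or of the chart), a Python check that reads rendered mosquitto config files and reports the mismatch described in the report: a listener declared in mosquitto.conf while certfile/keyfile sit in a file under the configinc mount. It assumes, as the report and the linked answer state, that certfile/keyfile attach only to a listener declared earlier in the same file; the file names and certificate paths in the sample are constructed.

```python
import re
from typing import Dict, List, Set

LISTENER_RE = re.compile(r"^listener\s+(\d+)\b")
TLS_OPTS = ("certfile", "keyfile")


def check_tls_binding(files: Dict[str, str]) -> List[str]:
    """Return findings for rendered mosquitto config files (name -> contents).

    Model (assumption from the issue and the linked answer, not mosquitto's
    source): certfile/keyfile attach to the most recent ``listener`` line in
    the SAME file; with no such line they attach to nothing, and a listener
    with none attached stays plaintext.
    """
    findings: List[str] = []
    for name, text in files.items():
        current = None                      # port of the last listener in this file
        attached: Dict[int, Set[str]] = {}  # port -> TLS options attached to it
        orphans: Set[str] = set()           # TLS options seen before any listener
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            if m := LISTENER_RE.match(line):
                current = int(m.group(1))
                attached.setdefault(current, set())
                continue
            key = line.split()[0]
            if key in TLS_OPTS:
                (orphans if current is None else attached[current]).add(key)
        if orphans:
            findings.append(f"{name}: {sorted(orphans)} precede any listener; they bind to nothing")
        for port, opts in attached.items():
            if not all(o in opts for o in TLS_OPTS):
                findings.append(f"{name}: listener {port} has no certfile+keyfile in this file (plaintext)")
    return findings


# Constructed sample: what chart 4.4.0 renders (listener in mosquitto.conf) plus a
# user file under the configinc mount holding the TLS options, as in the report.
BROKEN = {
    "mosquitto.conf": "per_listener_settings false\nlistener 8883\nallow_anonymous false\n"
                      "include_dir /mosquitto/configinc\n",
    "configinc/tls.conf": "cafile /certs/ca.crt\ncertfile /certs/tls.crt\nkeyfile /certs/tls.key\n",
}
# Same files after the workaround in the issue: listener moved next to the TLS options.
FIXED = {
    "mosquitto.conf": BROKEN["mosquitto.conf"].replace("listener 8883\n", ""),
    "configinc/tls.conf": "listener 8883\n" + BROKEN["configinc/tls.conf"],
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_tls_binding(cfg) or ["ok"])
```

Run against the BROKEN sample it reports a plaintext listener 8883 in mosquitto.conf and orphaned certfile/keyfile in the configinc file, which is the state behind the "malformed packet" disconnects in the log; the FIXED sample reports nothing.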