A Kubernetes configuration YAML to construct a VerneMQ cluster.

- create password file
    - create two users, `inner` and `outer`, for access from inside Kubernetes and from the Internet respectively

    ```
    $ mkdir -p secrets
    $ touch secrets/vmq.passwd
    $ docker run --rm -v $(pwd)/secrets:/mnt -it erlio/docker-vernemq vmq-passwd /mnt/vmq.passwd inner
    $ docker run --rm -v $(pwd)/secrets:/mnt -it erlio/docker-vernemq vmq-passwd /mnt/vmq.passwd outer
    ```

- register password file as Kubernetes Secret

    ```
    $ kubectl create secret generic vernemq-passwd --from-file=./secrets/vmq.passwd
    ```

- create self-signed CA

    ```
    $ openssl req -new -x509 -days 365 -extensions v3_ca -keyout secrets/ca.key -out secrets/ca.crt
    ```

- create server certificate signed by the self-signed CA
    - you have to specify the FQDN of VerneMQ's MQTTS endpoint when creating the CSR

    ```
    $ openssl genrsa -out secrets/server.key 2048
    $ openssl req -out secrets/server.csr -key secrets/server.key -new
    $ openssl x509 -req -in secrets/server.csr -CA secrets/ca.crt -CAkey secrets/ca.key -CAcreateserial -out secrets/server.crt -days 365
    ```

- register certificate files as Kubernetes Secret

    ```
    $ kubectl create secret generic vernemq-certifications --from-file=./secrets/ca.crt --from-file=./secrets/server.crt --from-file=./secrets/server.key
    ```

- start VerneMQ cluster on Kubernetes as below:
    - start 3 pods using a StatefulSet
    - create and join a VerneMQ cluster automatically
    - listen for MQTT (1883/tcp) on a ClusterIP Service, reachable from inside Kubernetes only
    - listen for MQTT over TLS (8883/tcp) on a LoadBalancer Service, reachable from inside Kubernetes and from the Internet

    ```
    $ kubectl apply -f vernemq-cluster.yaml
    ```

- confirm cluster status

    ```
    $ kubectl exec vernemq-0 -- vmq-admin cluster show
    +---------------------------------------------------+-------+
    |                       Node                        |Running|
    +---------------------------------------------------+-------+
    |VerneMQ@vernemq-0.vernemq.default.svc.cluster.local| true  |
    |VerneMQ@vernemq-2.vernemq.default.svc.cluster.local| true  |
    |VerneMQ@vernemq-1.vernemq.default.svc.cluster.local| true  |
    +---------------------------------------------------+-------+
    ```

- check MQTTS external IP

    ```
    $ kubectl get services -l app=mqtts
    ```

- register the FQDN of VerneMQ's MQTTS endpoint with your DNS server so that it resolves to the MQTTS external IP

- start 'inner' subscriber
    - the 'inner' subscriber subscribes to VerneMQ from inside Kubernetes over 1883/tcp (no encryption)

    ```
    $ kubectl run inner-sub --rm -it --image efrecon/mqtt-client /bin/ash
    / # mosquitto_sub -h mqtt -p 1883 -t /foo/bar -d -u inner -P <password of 'inner'>
    ```

- start 'outer' subscriber
    - the 'outer' subscriber subscribes to VerneMQ through the Internet over 8883/tcp (MQTT over TLS)

    ```
    $ mosquitto_sub -h <FQDN of VerneMQ's MQTTS endpoint> -p 8883 --cafile ./secrets/ca.crt -t /foo/bar -d -u outer -P <password of 'outer'>
    ```

- publish a message from the 'inner' publisher
    - the 'inner' publisher publishes a message to VerneMQ from inside Kubernetes over 1883/tcp (no encryption)
    - when the 'inner' publisher publishes a message, it is delivered to both the 'inner' subscriber and the 'outer' subscriber

    ```
    $ kubectl run inner-pub --rm -it --image efrecon/mqtt-client /bin/ash
    / # mosquitto_pub -h mqtt -p 1883 -t /foo/bar -d -u inner -P <password of 'inner'> -m "Message from inner"
    ```

- publish a message from the 'outer' publisher
    - the 'outer' publisher publishes a message to VerneMQ through the Internet over 8883/tcp (MQTT over TLS)
    - when the 'outer' publisher publishes a message, it is delivered to both the 'inner' subscriber and the 'outer' subscriber

    ```
    $ mosquitto_pub -h <FQDN of VerneMQ's MQTTS endpoint> -p 8883 --cafile ./secrets/ca.crt -t /foo/bar -d -u outer -P <password of 'outer'> -m "Message from outer"
    ```
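A post-deployment check for the two listeners described above, added here as an example and not part of this repository: it hand-builds an MQTT 3.1.1 CONNECT, sends it to a listener and reports the CONNACK return code, so you can confirm that the password file is enforced (an anonymous or wrong-password CONNECT must not return 0) and that the 8883 listener presents a certificate that validates against `secrets/ca.crt` for the endpoint FQDN. The host names, the client id `probe` and the `cafile` parameter are assumptions of this example.

```python
import socket
import ssl
import struct

def _mqtt_string(value: str) -> bytes:
    # MQTT UTF-8 string: 2-byte big-endian length followed by the bytes
    data = value.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def encode_remaining_length(n: int) -> bytes:
    # MQTT variable-length integer, 7 bits per byte, high bit = continuation
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)

def build_connect(client_id: str, username=None, password=None, keepalive=30) -> bytes:
    flags = 0x02  # clean session; username/password flags are added below
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password)
    var_header = _mqtt_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body  # 0x10 = CONNECT

CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version", 2: "identifier rejected",
                 3: "server unavailable", 4: "bad user name or password", 5: "not authorized"}

def parse_connack(data: bytes) -> int:
    # CONNACK is fixed: type 0x20, remaining length 2, ack flags, return code
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK: %r" % data[:4])
    return data[3]

def probe(host: str, port: int, username=None, password=None, cafile=None) -> int:
    """Send one CONNECT and return the CONNACK code; cafile switches on TLS (8883)."""
    sock = socket.create_connection((host, port), timeout=5)
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname verification
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_connect("probe", username, password))
        return parse_connack(sock.recv(4))
```

Run `probe("mqtt", 1883)` from a pod and `probe("<FQDN>", 8883, "outer", "<password>", cafile="secrets/ca.crt")` from outside; the first should return 4 or 5, the second 0.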
Copyright (c) 2018 Nobuyuki Matsui nobuyuki.matsui@gmail.com