Merge pull request #281106 from PatAltimore/patricka-broker-advanced-release-aio-july-updates

Add broker advanced settings

Author: prmerger-automator[bot]

articles/iot-operations/manage-mqtt-broker/howto-configure-availability-scale.md

@@ -133,15 +133,88 @@ Then, run the following command to deploy the broker:
 kubectl apply -f <path-to-yaml-file>
 ```
 
-## Configure MQTT broker diagnostic settings
+## Configure MQTT broker advanced settings
+
+The following table lists the properties of the broker advanced settings that include client configurations, encryption of internal traffic, certificate rotation, and node tolerations.
+
+| Name                                | Type                     | Description                                                                 |
+|-------------------------------------|--------------------------|-----------------------------------------------------------------------------|
+| clients                             | ClientConfig             | Configurations related to all clients                                      |
+| clients.maxKeepAliveSeconds         | `integer`                | Upper bound of a client's keep alive, in seconds                           |
+| clients.maxMessageExpirySeconds     | `integer`                | Upper bound of message expiry interval, in seconds                         |
+| clients.maxReceiveMaximum           | `integer`                | Upper bound of receive maximum that a client can request in the CONNECT packet |
+| clients.maxSessionExpirySeconds     | `integer`                | Upper bound of session expiry interval, in seconds                         |
+| clients.subscriberQueueLimit        | `SubscriberQueueLimit`    | The limit on the number of queued messages for a subscriber                |
+| clients.subscriberQueueLimit.length | `integer`                | The maximum length of the queue before messages are dropped       |
+| clients.subscriberQueueLimit.strategy | `SubscriberMessageDropStrategy` | The strategy for dropping messages from the queue              |
+| clients.subscriberQueueLimit.strategy.DropOldest | `string` | The oldest message is dropped                                       |
+| clients.subscriberQueueLimit.strategy.None     | `string` | Messages are never dropped                                          |
+| encryptInternalTraffic              | Encrypt                  | The setting to enable or disable encryption of internal traffic            |
+| encryptInternalTraffic.Disabled     | `string`                 | Disable internal traffic encryption                                       |
+| encryptInternalTraffic.Enabled      | `string`                 | Enable internal traffic encryption                                        |
+| internalCerts                       | CertManagerCertOptions   | Certificate rotation and private key configuration                         |
+| internalCerts.duration              | `string`                 | Lifetime of certificate. Must be specified using a *Go* *time.Duration* format (h, m, s). For example, 240h for 240 hours and 45m for 45 minutes. |
+| internalCerts.privateKey            | `CertManagerPrivateKey`  | Configuration of certificate private key                                   |
+| internalCerts.renewBefore           | `string`                 | Duration before renewing a certificate. Must be specified using a *Go* *time.Duration* format (h, m, s). For example, 240h for 240 hours and 45m for 45 minutes. |
+| internalCerts.privateKey.algorithm  | PrivateKeyAlgorithm      | Algorithm for private key                                                  |
+| internalCerts.privateKey.rotationPolicy | PrivateKeyRotationPolicy | Cert-manager private key rotation policy                                |
+| internalCerts.privateKey.algorithm.Ec256   | `string`| Algorithm - EC256  |
+| internalCerts.privateKey.algorithm.Ec384   | `string`| Algorithm - EC384  |
+| internalCerts.privateKey.algorithm.Ec521   | `string`| Algorithm - EC521  |
+| internalCerts.privateKey.algorithm.Ed25519 | `string`| Algorithm - Ed25519|
+| internalCerts.privateKey.algorithm.Rsa2048 | `string`| Algorithm - RSA2048|
+| internalCerts.privateKey.algorithm.Rsa4096 | `string`| Algorithm - RSA4096|
+| internalCerts.privateKey.algorithm.Rsa8192 | `string`| Algorithm - RSA8192|
+| internalCerts.privateKey.rotationPolicy.Always  | `string`| Always rotate key |
+| internalCerts.privateKey.rotationPolicy.Never   | `string`| Never rotate key  |
+| tolerations                         | NodeTolerations          | The details of tolerations that are applied to all *Broker* pods             |
+| tolerations.effect                  | `string`                 | Toleration effect                                                          |
+| tolerations.key                     | `string`                 | Toleration key                                                             |
+| tolerations.operator                | `TolerationOperator`     | Toleration operator. For example, "Exists" or "Equal".                              |
+| tolerations.value                   | `string`                 | Toleration value                                                            |
+| tolerations.operator.Equal          | `string`                 | Equal operator                                                             |
+| tolerations.operator.Exists         | `string`                 | Exists operator                                                             |
+
+Here's an example of a *Broker* with advanced settings:
+
+```yml
+apiVersion: mq.iotoperations.azure.com/v1beta1
+kind: Broker
+metadata:
+  name: broker
+  namespace: azure-iot-operations
+spec:
+  advanced:
+    clients:
+        maxSessionExpirySeconds: 282277
+        maxMessageExpirySeconds: 1622
+        subscriberQueueLimit:
+          length: 1000
+          strategy: DropOldest
+        maxReceiveMaximum: 15000
+        maxKeepAliveSeconds: 300
+    encryptInternalTraffic: Enabled
+    internalCerts:
+      duration: 240h
+      renewBefore: 45m
+      privateKey:
+        algorithm: Rsa2048
+        rotationPolicy: Always
+    tolerations:
+        effect: string
+        key: string
+        operator: Equal
+        value: string
+```
 
-MQTT broker includes diagnostics that provides metrics for MQTT broker components. Operators can use these metrics to monitor the health of the system. A Prometheus endpoint is provided for metrics from all MQTT broker components including self-test metrics.
+## Configure MQTT broker diagnostic settings
 
 Diagnostic settings allow you to enable metrics and tracing for MQTT broker.
 
 - Metrics provide information about the resource utilization and throughput of MQTT broker.
 - Tracing provides detailed information about the requests and responses handled by MQTT broker.
-- Adjust the log level of MQTT broker to control the amount and detail of information that is logged. The log level can be set for different components of MQTT broker. The default log level is `info`.
+
+To override default diagnostic settings for MQTT broker, update the `spec.diagnostics` section in  the *Broker* resource. Adjust the log level to control the amount and detail of information that is logged. The log level can be set for different components of MQTT broker. The default log level is `info`.
 
 You can configure diagnostics using the *Broker* custom resource definition (CRD). The following table shows the properties of the broker diagnostic settings and all default values.
 
@@ -167,7 +240,7 @@ You can configure diagnostics using the *Broker* custom resource definition (CRD
 | traces.selfTracing                   | SelfTracing      |         | The self tracing properties                                     |
 | traces.spanChannelCapacity           | integer          | 1000    | The span channel capacity                                       |
 
-Here's an example of a *Broker* custom resource with diagnostics settings enabled:
+Here's an example of a *Broker* custom resource with metrics and tracing enabled and self-check disabled:
 
 ```yaml
 apiVersion: mq.iotoperations.azure.com/v1beta1