Merge pull request #281917 from PatAltimore/patricka-enhanced-auth-release-aio-july-updates

prmerger-automator[bot] · web-flow · commit ba924f469da5 · 2024-07-26T21:23:56.000Z
Change MQTT client to enhanced auth
diff --git a/articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md b/articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md
@@ -277,7 +277,9 @@ Apply your changes with `kubectl apply`. It might take a few minutes for the cha
 
 ### Test SAT authentication
 
-SAT authentication must be used from a client in the same cluster as MQTT broker. The following command specifies a pod that has the mosquitto client and mounts the SAT created in the previous steps into the pod.
+SAT authentication must be used from a client in the same cluster as MQTT broker. Only enhanced authentication fields are permitted. Set authentication method to `K8S-SAT` and authentication data to the token.
+
+The following command specifies a pod that has the mosquitto client and mounts the SAT created in the previous steps into the pod. 
 
 ```yaml
 apiVersion: v1
@@ -306,21 +308,28 @@ spec:
 
 Here, the `serviceAccountName` field in the pod configuration must match the service account associated with the token being used. Also, The `serviceAccountToken.audience` field in the pod configuration must be one of the `audiences` configured in the BrokerAuthentication resource.
 
-Once the pod has been created, start a shell in the pod:
+Once the pod is created, start a shell in the pod:
 
 ```bash
 kubectl exec --stdin --tty mqtt-client -n azure-iot-operations -- sh
 ```
 
-The token is mounted at the path specified in the configuration `/var/run/secrets/tokens` in the previous example. Retrieve the token and use it to authenticate.
+Inside the pod's shell, run the following command to publish a message to the broker:
 
 ```bash
-token=$(cat /var/run/secrets/tokens/mqtt-client-token)
+mosquitto_pub --host aio-mq-dmqtt-frontend --port 8883 --message "hello" --topic "world" --debug --cafile /var/run/certs/ca.crt -D CONNECT authentication-method 'K8S-SAT' -D CONNECT authentication-data $(cat /var/run/secrets/tokens/mq-sat)
+```
+
+The output should look similar to the following:
 
-mosquitto_pub -h aio-mq-dmqtt-frontend -V mqttv5 -t hello -m world -u '$sat' -P "$token"
+```Output
+Client (null) sending CONNECT
+Client (null) received CONNACK (0)
+Client (null) sending PUBLISH (d0, q0, r0, m1, 'world', ... (5 bytes))
+Client (null) sending DISCONNECT
 ```
 
-The MQTT username must be set to `$sat`. The MQTT password must be set to the SAT itself.
+The mosquitto client uses the service account token mounted at `/var/run/secrets/tokens/mq-sat` to authenticate with the broker. The token is valid for 24 hours. The client also uses the default root CA cert mounted at `/var/run/certs/ca.crt` to verify the broker's TLS certificate chain.
 
 ### Refresh service account tokens
 
diff --git a/articles/iot-operations/manage-mqtt-broker/howto-test-connection.md b/articles/iot-operations/manage-mqtt-broker/howto-test-connection.md
@@ -87,7 +87,7 @@ The first option is to connect from within the cluster. This option uses the def
 1. Inside the pod's shell, run the following command to publish a message to the broker:
 
     ```console
-    mosquitto_pub --host aio-mq-dmqtt-frontend --port 8883 --message "hello" --topic "world" --username '$sat' --pw $(cat /var/run/secrets/tokens/mq-sat) --debug --cafile /var/run/certs/ca.crt
+    mosquitto_pub --host aio-mq-dmqtt-frontend --port 8883 --message "hello" --topic "world" --debug --cafile /var/run/certs/ca.crt -D CONNECT authentication-method 'K8S-SAT' -D CONNECT authentication-data $(cat /var/run/secrets/tokens/mq-sat)
     ```
 
     The output should look similar to the following:
@@ -104,7 +104,7 @@ The first option is to connect from within the cluster. This option uses the def
 1. To subscribe to the topic, run the following command:
 
     ```console
-    mosquitto_sub --host aio-mq-dmqtt-frontend --port 8883 --topic "world" --username '$sat' --pw $(cat /var/run/secrets/tokens/mq-sat) --debug --cafile /var/run/certs/ca.crt
+    mosquitto_sub --host aio-mq-dmqtt-frontend --port 8883 --topic "world" --debug --cafile /var/run/certs/ca.crt -D CONNECT authentication-method 'K8S-SAT' -D CONNECT authentication-data $(cat /var/run/secrets/tokens/mq-sat)
     ```
 
     The output should look similar to the following:
@@ -119,15 +119,6 @@ The first option is to connect from within the cluster. This option uses the def
 
     The mosquitto client uses the same service account token and root CA cert to authenticate with the broker and subscribe to the topic.
 
-1. You can also use mqttui to connect to the broker using the service account token. The `--insecure` flag is required because mqttui doesn't support TLS certificate chain verification with a custom root CA cert.
-
-    > [!CAUTION]
-    > Using `--insecure` is not recommended for production scenarios. Only use it for testing or development purposes.
-
-    ```console
-    mqttui --broker mqtts://aio-mq-dmqtt-frontend:8883 --username '$sat' --password $(cat /var/run/secrets/tokens/mq-sat) --insecure
-    ```
-
 1. To remove the pod, run `kubectl delete pod mqtt-client -n azure-iot-operations`.
 
 ## Connect clients from outside the cluster to default the TLS port
