BrokerListener changes

Author: PatAltimore

articles/iot-operations/manage-mqtt-broker/howto-configure-brokerlistener.md

@@ -20,6 +20,15 @@ To customize the network access and security use the **BrokerListener** resource
 
 Each listener can have its own authentication and authorization rules that define who can connect to the listener and what actions they can perform on the broker. You can use *BrokerAuthentication* and *BrokerAuthorization* resources to specify the access control policies for each listener. This flexibility allows you to fine-tune the permissions and roles of your MQTT clients, based on their needs and use cases.
 
+Listeners have the following characteristics:
+
+- You can have up to three listeners. One listener per service type of `loadBalancer`, `clusterIp`, or `nodePort`. The default *BrokerListener* named *listener* is service type `clusterIp`.
+- Each listener supports multiple ports
+- AuthN and authZ references are per port
+- TLS configuration is per port
+- Service names must be unique
+- Ports cannot conflict over different listeners
+
 The *BrokerListener* resource has these fields:
 
 | Field Name | Required | Description |
@@ -50,7 +59,7 @@ The *BrokerListener* resource has these fields:
 | ports.tls.manual         | No | Manual TLS server certificate management through a defined secret. For more information, see [Configure TLS with manual certificate management](howto-configure-tls-manual.md).|
 | ports.tls.manual.secretName | Yes | Kubernetes secret containing an X.509 client certificate. This is a reference to the secret through an identifying name, not the secret itself. |
 | ports.tls.manual.secretNamespace | No | Certificate K8S namespace. Omit to use current namespace. |
-| serviceName | No | The name of Kubernetes service created for this listener. Kubernetes creates DNS records for this `serviceName` that clients should use to connect to MQTT broker. This subfield is optional and defaults to `aio-mq-dmqtt-frontend`. Important: If you have multiple listeners with the same `serviceType` and `serviceName`, the listeners share the same Kubernetes service. For more information, see [Service name and service type](#service-name-and-service-type). |
+| serviceName | No | The name of Kubernetes service created for this listener. Kubernetes creates DNS records for this `serviceName` that clients should use to connect to MQTT broker. This subfield is optional and defaults to `aio-mq-dmqtt-frontend`. |
 | serviceType | No | The type of the Kubernetes service created for this listener. This subfield is optional and defaults to `clusterIp`. Must be either `loadBalancer`, `clusterIp`, or `nodePort`. |
 
 ## Default BrokerListener
@@ -74,28 +83,28 @@ metadata:
 spec:
   brokerRef: broker
   ports:
-    - authenticationRef: authn
-      port: 8883
-      protocol: Mqtt
-      tls:
-        automatic:
-          issuerRef:
-            apiGroup: cert-manager.io
-            kind: Issuer
-            name: mq-dmqtt-frontend
-        mode: Automatic
-    serviceName: aio-mq-dmqtt-frontend
-    serviceType: ClusterIp
+  - authenticationRef: authn
+    port: 8883
+    protocol: Mqtt
+    tls:
+      automatic:
+        issuerRef:
+          apiGroup: cert-manager.io
+          kind: Issuer
+          name: mq-dmqtt-frontend
+      mode: Automatic
+  serviceName: aio-mq-dmqtt-frontend
+  serviceType: ClusterIp
 ```
 
 To learn more about the default BrokerAuthentication resource linked to this listener, see [Default BrokerAuthentication resource](howto-configure-authentication.md#default-brokerauthentication-resource).
 
 ## Create new BrokerListeners
 
-This example shows how to create two new *BrokerListener* resources for a *Broker* resource named *my-broker*. Each *BrokerListener* resource defines a port and a TLS setting for a listener that accepts MQTT connections from clients.
+This example shows how to create a new *BrokerListener* resource for a *Broker* resource named *my-broker*. The *BrokerListener* resource defines a two ports that accept MQTT connections from clients.
 
-- The first *BrokerListener* resource, named *my-test-listener*, defines a listener on port 1883 with no TLS and authentication off. Clients can connect to the broker without encryption or authentication.
-- The second *BrokerListener* resource, named *my-secure-listener*, defines a listener on port 8883 with TLS and authentication enabled. Only authenticated clients can connect to the broker with TLS encryption. The `tls` field is set to `automatic`, which means that the listener uses cert-manager to get and renew its server certificate.
+- The first port listens on port 1883 with no TLS and authentication off. Clients can connect to the broker without encryption or authentication.
+- The second port listens on port 8883 with TLS and authentication enabled. Only authenticated clients can connect to the broker with TLS encryption. TLS is set to `automatic`, which means that the listener uses cert-manager to get and renew its server certificate.
 
 To create these *BrokerListener* resources, apply this YAML manifest to your Kubernetes cluster:
 
@@ -106,48 +115,23 @@ metadata:
   name: my-test-listener
   namespace: azure-iot-operations
 spec:
-  authenticationEnabled: false
-  authorizationEnabled: false
-  brokerRef: broker
-  port: 1883
----
-apiVersion: mq.iotoperations.azure.com/v1beta1
-kind: BrokerListener
-metadata:
-  name: my-secure-listener
-  namespace: azure-iot-operations
-spec:
-  authenticationEnabled: true
-  authorizationEnabled: false
   brokerRef: broker
-  port: 8883
-  tls:
-    automatic:
-      issuerRef:
-        name: e2e-cert-issuer
-        kind: Issuer
-        group: cert-manager.io
+  serviceType: loadBalancer
+  serviceName: my-new-listener
+  ports:
+      port: 1883
+      protocol: Mqtt
+      port: 18883
+      authenticationRef: authn
+      protocol: Mqtt
+      tls:
+        automatic:
+          issuerRef:
+            name: e2e-cert-issuer
+            kind: Issuer
+            group: cert-manager.io
 ```
 
-## Service name and service type
-
-If you have multiple BrokerListener resources with the same `serviceType` and `serviceName`, the resources share the same Kubernetes service. This means that the service exposes all the ports of all the listeners. For example, if you have two listeners with the same `serviceType` and `serviceName`, one on port 1883 and the other on port 8883, the service exposes both ports. Clients can connect to the broker on either port. 
-
-There are two important rules to follow when sharing service name:
-
-1. Listeners with the same `serviceType` must share the same `serviceName`.
-
-1. Listeners with different `serviceType` must have different `serviceName`.
-
-Notably, the service for the default listener on port 8883 is `clusterIp` and named `aio-mq-dmqtt-frontend`. The following table summarizes what happens when you create a new listener on a different port:
-
-| New listener `serviceType` | New listener `serviceName` | Result |
-| --- | --- | --- |
-| `clusterIp` | `aio-mq-dmqtt-frontend` | The new listener creates successfully, and the service exposes both ports. |
-| `clusterIp` | `my-service` | The new listener fails to create because the service type conflicts with the default listener. |
-| `loadBalancer` or `nodePort` | `aio-mq-dmqtt-frontend` | The new listener fails to create because the service name conflicts with the default listener. |
-| `loadBalancer` or `nodePort` | `my-service` | The new listener creates successfully, and a new service is created. |
-
 ## Related content
 
 - [Configure MQTT broker authorization](howto-configure-authorization.md)

articles/iot-operations/manage-mqtt-broker/howto-configure-tls-auto.md

@@ -7,7 +7,7 @@ ms.subservice: azure-mqtt-broker
 ms.topic: how-to
 ms.custom:
   - ignite-2023
-ms.date: 07/01/2024
+ms.date: 07/27/2024
 
 #CustomerIntent: As an operator, I want to configure MQTT broker to use TLS so that I have secure communication between the MQTT broker and client.
 ---
@@ -24,8 +24,11 @@ With automatic certificate management, you use cert-manager to manage the TLS se
 
 1. Use `kubectl` to check for the pods matching the cert-manager app labels.
 
-    ```console
-    $ kubectl get pods --namespace azure-iot-operations -l 'app in (cert-manager,cainjector,webhook)'
+    ```bash
+    kubectl get pods --namespace azure-iot-operations -l 'app in (cert-manager,cainjector,webhook)'
+    ```
+    
+    ```Output
     NAME                                           READY   STATUS    RESTARTS       AGE
     aio-cert-manager-64f9548744-5fwdd              1/1     Running   4 (145m ago)   4d20h
     aio-cert-manager-cainjector-6c7c546578-p6vgv   1/1     Running   4 (145m ago)   4d20h
@@ -99,7 +102,7 @@ If you don't have a CA certificate, cert-manager can generate a root CA certific
     kubectl apply -f ca.yaml
     ```
 
-Cert-manager creates a CA certificate using its defaults. The properties of this certificate can be changed by modifying the Certificate spec. See [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) for a list of valid options.
+Cert-manager creates a CA certificate using its defaults. The properties of this certificate can be changed by modifying the Certificate specification. See [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) for a list of valid options.
 
 ### Distribute the root certificate
 
@@ -179,9 +182,7 @@ metadata:
   namespace: azure-iot-operations
 spec:
   brokerRef: broker
-  authenticationEnabled: false # If set to true, a BrokerAuthentication resource must be configured
-  authorizationEnabled: false
-  serviceType: loadBalancer # Optional; defaults to 'clusterIP'
+  serviceType: loadBalancer
   serviceName: my-new-tls-listener # Avoid conflicts with default service name 'aio-mq-dmqtt-frontend'
   port: 8884 # Avoid conflicts with default port 8883
   tls:
@@ -268,74 +269,80 @@ To help you get started, Azure IoT Operations is deployed with a default "quicks
 
 * The public portion of the root CA certificate is stored in a ConfigMap called `aio-ca-trust-bundle-test-only`. You can retrieve the CA certificate from the ConfigMap and inspect it with kubectl and openssl.
 
-  ```console
-  $ kubectl get configmap aio-ca-trust-bundle-test-only -n azure-iot-operations -o json | jq -r '.data["ca.crt"]' | openssl x509 -text -noout
-  Certificate:
-      Data:
-          Version: 3 (0x2)
-          Serial Number:
-              74:d8:b6:fe:63:5a:7d:24:bd:c2:c0:25:c2:d2:c7:94:66:af:36:89
-          Signature Algorithm: ecdsa-with-SHA256
-          Issuer: CN = Azure IoT Operations Quickstart Root CA - Not for Production
-          Validity
-              Not Before: Nov  2 00:34:31 2023 GMT
-              Not After : Dec  2 00:34:31 2023 GMT
-          Subject: CN = Azure IoT Operations Quickstart Root CA - Not for Production
-          Subject Public Key Info:
-              Public Key Algorithm: id-ecPublicKey
-                  Public-Key: (256 bit)
-                  pub:
-                      04:51:43:93:2c:dd:6b:7e:10:18:a2:0f:ca:2e:7b:
-                      bb:ba:5c:78:81:7b:06:99:b5:a8:11:4f:bb:aa:0d:
-                      e0:06:4f:55:be:f9:5f:9e:fa:14:75:bb:c9:01:61:
-                      0f:20:95:cd:9b:69:7c:70:98:f8:fa:a0:4c:90:da:
-                      5b:1a:d7:e7:6b
-                  ASN1 OID: prime256v1
-                  NIST CURVE: P-256
-          X509v3 extensions:
-              X509v3 Basic Constraints: critical
-                  CA:TRUE
-              X509v3 Key Usage: 
-                  Certificate Sign
-              X509v3 Subject Key Identifier: 
-                  B6:DD:8A:42:77:05:38:7A:51:B4:8D:8E:3F:2A:D1:79:32:E9:43:B9
-      Signature Algorithm: ecdsa-with-SHA256
-          30:44:02:20:21:cd:61:d7:21:86:fd:f8:c3:6d:33:36:53:e3:
-          a6:06:3c:a6:80:14:13:55:16:f1:19:a8:85:4b:e9:5d:61:eb:
-          02:20:3e:85:8a:16:d1:0f:0b:0d:5e:cd:2d:bc:39:4b:5e:57:
-          38:0b:ae:12:98:a9:8f:12:ea:95:45:71:bd:7c:de:9d
-  ```
+    ```bash
+    kubectl get configmap aio-ca-trust-bundle-test-only -n azure-iot-operations -o json | jq -r '.data["ca.crt"]' | openssl x509 -text -noout
+    ```
+
+    ```Output
+    Certificate:
+        Data:
+            Version: 3 (0x2)
+            Serial Number:
+                74:d8:b6:fe:63:5a:7d:24:bd:c2:c0:25:c2:d2:c7:94:66:af:36:89
+            Signature Algorithm: ecdsa-with-SHA256
+            Issuer: CN = Azure IoT Operations Quickstart Root CA - Not for Production
+            Validity
+                Not Before: Nov  2 00:34:31 2023 GMT
+                Not After : Dec  2 00:34:31 2023 GMT
+            Subject: CN = Azure IoT Operations Quickstart Root CA - Not for Production
+            Subject Public Key Info:
+                Public Key Algorithm: id-ecPublicKey
+                    Public-Key: (256 bit)
+                    pub:
+                        04:51:43:93:2c:dd:6b:7e:10:18:a2:0f:ca:2e:7b:
+                        bb:ba:5c:78:81:7b:06:99:b5:a8:11:4f:bb:aa:0d:
+                        e0:06:4f:55:be:f9:5f:9e:fa:14:75:bb:c9:01:61:
+                        0f:20:95:cd:9b:69:7c:70:98:f8:fa:a0:4c:90:da:
+                        5b:1a:d7:e7:6b
+                    ASN1 OID: prime256v1
+                    NIST CURVE: P-256
+            X509v3 extensions:
+                X509v3 Basic Constraints: critical
+                    CA:TRUE
+                X509v3 Key Usage: 
+                    Certificate Sign
+                X509v3 Subject Key Identifier: 
+                    B6:DD:8A:42:77:05:38:7A:51:B4:8D:8E:3F:2A:D1:79:32:E9:43:B9
+        Signature Algorithm: ecdsa-with-SHA256
+            30:44:02:20:21:cd:61:d7:21:86:fd:f8:c3:6d:33:36:53:e3:
+            a6:06:3c:a6:80:14:13:55:16:f1:19:a8:85:4b:e9:5d:61:eb:
+            02:20:3e:85:8a:16:d1:0f:0b:0d:5e:cd:2d:bc:39:4b:5e:57:
+            38:0b:ae:12:98:a9:8f:12:ea:95:45:71:bd:7c:de:9d
+    ```
 
 * By default, there's already a CA issuer configured in the `azure-iot-operations` namespace called `aio-ca-issuer`. It's used as the common CA issuer for all TLS server certificates for IoT Operations. MQTT broker uses an issuer created from the same CA certificate to issue TLS server certificates for the default TLS listener on port 8883. You can inspect the issuer with the following command:
 
-  ```console
-  $ kubectl get issuer aio-ca-issuer -n azure-iot-operations -o yaml
-  apiVersion: cert-manager.io/v1
-  kind: Issuer
-  metadata:
-    annotations:
-      meta.helm.sh/release-name: azure-iot-operations
-      meta.helm.sh/release-namespace: azure-iot-operations
-    creationTimestamp: "2023-11-01T23:10:24Z"
-    generation: 1
-    labels:
-      app.kubernetes.io/managed-by: Helm
-    name: aio-ca-issuer
-    namespace: azure-iot-operations
-    resourceVersion: "2036"
-    uid: c55974c0-e0c3-4d35-8c07-d5a0d3f79162
-  spec:
-    ca:
-      secretName: aio-ca-key-pair-test-only
-  status:
-    conditions:
-    - lastTransitionTime: "2023-11-01T23:10:59Z"
-      message: Signing CA verified
-      observedGeneration: 1
-      reason: KeyPairVerified
-      status: "True"
-      type: Ready
-  ```
+    ```bash
+    kubectl get issuer aio-ca-issuer -n azure-iot-operations -o yaml
+    ```
+
+    ```Output
+    apiVersion: cert-manager.io/v1
+    kind: Issuer
+    metadata:
+      annotations:
+        meta.helm.sh/release-name: azure-iot-operations
+        meta.helm.sh/release-namespace: azure-iot-operations
+      creationTimestamp: "2023-11-01T23:10:24Z"
+      generation: 1
+      labels:
+        app.kubernetes.io/managed-by: Helm
+      name: aio-ca-issuer
+      namespace: azure-iot-operations
+      resourceVersion: "2036"
+      uid: c55974c0-e0c3-4d35-8c07-d5a0d3f79162
+    spec:
+      ca:
+        secretName: aio-ca-key-pair-test-only
+    status:
+      conditions:
+      - lastTransitionTime: "2023-11-01T23:10:59Z"
+        message: Signing CA verified
+        observedGeneration: 1
+        reason: KeyPairVerified
+        status: "True"
+        type: Ready
+    ```
 
 For production, you must configure a CA issuer with a certificate from a trusted CA, as described in the previous sections.