Skip to content

Commit f69ebf0

Browse files
committed
Edit pass
1 parent 4b125a4 commit f69ebf0

File tree

2 files changed

+32
-117
lines changed

2 files changed

+32
-117
lines changed

articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ To link a BrokerListener to a *BrokerAuthentication* resource, specify the `auth
2828

2929
## Default BrokerAuthentication resource
3030

31-
Azure IoT Operations deploys a default *BrokerAuthentication* resource named `default` linked with the *default* listener in the `azure-iot-operations` namespace. It's configured to only use Kubernetes Service Account Tokens (SATs) for authentication.
31+
Azure IoT Operations deploys a default *BrokerAuthentication* resource named `default` linked with the *default* listener in the `azure-iot-operations` namespace. It's configured to only use [Kubernetes Service Account Tokens (SATs)](#kubernetes-service-account-tokens) for authentication.
3232

3333
> [!IMPORTANT]
3434
> The service account token (SAT) authentication method in the default *BrokerAuthentication* resource is required for components in the Azure IoT Operations to function correctly. Avoid updating or deleting the default *BrokerAuthentication* resource.

articles/iot-operations/manage-mqtt-broker/howto-configure-brokerlistener.md

Lines changed: 31 additions & 116 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ ms.date: 11/06/2024
1515

1616
# Secure MQTT broker communication using BrokerListener
1717

18-
To customize the network access and security use the BrokerListener resource. A listener corresponds to a network endpoint that exposes the broker to the network. You can have one or more BrokerListener resources for each *Broker* resource, and thus multiple ports with different access control each.
18+
To customize the network access and security use the BrokerListener resource. A listener corresponds to a network endpoint that exposes the broker to the network. You can have one or more BrokerListener resources for each Broker, and thus multiple ports with different access control each.
1919

2020
Each listener port can have its own authentication and authorization rules that define who can connect to the listener and what actions they can perform on the broker. You can use [BrokerAuthentication](./howto-configure-authentication.md) and [BrokerAuthorization](./howto-configure-authorization.md) resources to specify the access control policies for each listener. This flexibility allows you to fine-tune the permissions and roles of your MQTT clients, based on their needs and use cases.
2121

@@ -35,7 +35,7 @@ For a list of all available settings, see the [Broker Listener API reference](/r
3535

3636
## Default BrokerListener
3737

38-
When you deploy Azure IoT Operations, the deployment also creates a BrokerListener resource named `default`. This listener is used to for encrypted internal communication between Azure IoT Operations components. The default listener is part of the [default *Broker*](./overview-broker.md#default-broker-resource), exposes a [ClusterIp service](https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip) on port 18883, uses [Kubernetes service account authentication](./howto-configure-authentication.md#enable-service-account-token-sat-authentication), has an [automatically managed](#configure-tls-with-automatic-certificate-management) TLS certificate, and doesn't use any authorization.
38+
When you deploy Azure IoT Operations, the deployment also creates a BrokerListener resource named `default`. This listener is used to for encrypted internal communication between Azure IoT Operations components. The default listener is part of the [default Broker](./overview-broker.md#default-broker-resource), exposes a [ClusterIp service](https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip) on port 18883, uses [Kubernetes service account authentication](./howto-configure-authentication.md#default-brokerauthentication-resource), has an [automatically managed](#configure-tls-with-automatic-certificate-management) TLS certificate, and doesn't use any authorization.
3939

4040
> [!CAUTION]
4141
> To avoid disrupting internal Azure IoT Operations communication, keep the default listener unchanged and dedicated for internal use. For external communication, [create a new listener](#create-new-broker-listeners). If you need to use the ClusterIp service, add more ports to the default listener without changing any of the existing settings.
@@ -186,6 +186,8 @@ To create a new listener, specify the following settings:
186186
- **Ports**: List of ports that to listen on. See [Ports](#ports).
187187
- (Optional) **Service name**: override the Kubernetes service name. See [Service name](#service-name).
188188

189+
### Example: Create a new listener with two ports
190+
189191
This example shows how to create a new listener with load balancer service type. The BrokerListener resource defines a two ports that accept MQTT connections from clients.
190192

191193
- The first port listens on port 1883 without TLS and authentication. Clients can connect to the broker without encryption or authentication. This setup is suitable for testing only. [Don't use this configuration in production](./howto-test-connection.md#only-turn-off-tls-and-authentication-for-testing).
@@ -372,12 +374,12 @@ To enable TLS with automatic certificate management, specify the TLS settings on
372374

373375
### Verify cert-manager installation
374376

375-
With automatic certificate management, you use cert-manager to manage the TLS server certificate. By default, cert-manager is installed alongside Azure IoT Operations Preview in the `azure-iot-operations` namespace already. Verify the installation before proceeding.
377+
With automatic certificate management, you use cert-manager to manage the TLS server certificate. By default, cert-manager is installed alongside Azure IoT Operations Preview in the `cert-manager` namespace already. Verify the installation before proceeding.
376378

377379
1. Use `kubectl` to check for the pods matching the cert-manager app labels.
378380

379381
```bash
380-
kubectl get pods --namespace azure-iot-operations -l 'app in (cert-manager,cainjector,webhook)'
382+
kubectl get pods --namespace cert-manager -l 'app in (cert-manager,cainjector,webhook)'
381383
```
382384

383385
```Output
@@ -390,7 +392,7 @@ With automatic certificate management, you use cert-manager to manage the TLS se
390392
1. If you see the pods shown as ready and running, cert-manager is installed and ready to use.
391393

392394
> [!TIP]
393-
> To further verify the installation, check the cert-manager documentation [verify installation](https://cert-manager.io/docs/installation/kubernetes/#verifying-the-installation). Remember to use the `azure-iot-operations` namespace.
395+
> To further verify the installation, check the cert-manager documentation [verify installation](https://cert-manager.io/docs/installation/kubernetes/#verifying-the-installation). Remember to use the `cert-manager` namespace.
394396

395397
### Create an Issuer for the TLS server certificate
396398

@@ -539,7 +541,8 @@ The following is an example of a BrokerListener resource that enables TLS on por
539541

540542
| Setting | Description |
541543
| -------------- | --------------------------------------------------------------------------------------------- |
542-
| Port | Port number on which the BrokerListener listens for MQTT connections. Required. |
544+
| Name | Name of the BrokerListener resource. Enter `aio-broker-loadbalancer-tls`. |
545+
| Port | Port number on which the BrokerListener listens for MQTT connections. Enter 8884. |
543546
| Authentication | The [authentication resource reference](howto-configure-authentication.md). |
544547
| Authorization | The [authorization resource reference](howto-configure-authorization.md). |
545548
| TLS | Select the *Add* button. |
@@ -561,8 +564,7 @@ The following is an example of a BrokerListener resource that enables TLS on por
561564
```bicep
562565
param aioInstanceName string = '<AIO_INSTANCE_NAME>'
563566
param customLocationName string = '<CUSTOM_LOCATION_NAME>'
564-
param listenerServiceName string = '<LISTENER_SERVICE_NAME>'
565-
param listenerName string = '<LISTENER_NAME>'
567+
param listenerName string = 'aio-broker-loadbalancer-tls'
566568
567569
resource aioInstance 'Microsoft.IoTOperations/instances@2024-09-15-preview' existing = {
568570
name: aioInstanceName
@@ -586,16 +588,18 @@ resource loadBalancerListener 'Microsoft.IoTOperations/instances/brokers/listene
586588
}
587589
588590
properties: {
589-
serviceName: listenerServiceName
590591
serviceType: 'LoadBalancer'
591592
ports: [
592593
{
593594
authenticationRef: 'default'
594595
port: 8884
595596
tls: {
596-
mode: 'Manual'
597-
manual: {
598-
secretRef: 'server-cert-secret'
597+
mode: 'Automatic'
598+
certManagerCertificateSpec: {
599+
issuerRef: {
600+
name: 'my-issuer'
601+
kind: 'Issuer'
602+
}
599603
}
600604
}
601605
}
@@ -611,61 +615,6 @@ Deploy the Bicep file using Azure CLI.
611615
az deployment group create --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep
612616
```
613617

614-
#### Optional: Configure server certificate parameters
615-
616-
The only required parameters are `issuerRef.name` and `issuerRef.kind`. All properties of the generated TLS server certificates are automatically chosen. However, MQTT broker allows certain properties to be customized by specifying them in the BrokerListener resource, under `tls.automatic.issuerRef`. The following is an example of all supported properties:
617-
618-
```bicep
619-
ports: [
620-
{
621-
port: 8884
622-
tls: {
623-
mode: 'Automatic'
624-
certManagerCertificateSpec: {
625-
issuerRef: {
626-
// Name of issuer. Required.
627-
name: 'my-issuer'
628-
// 'Issuer' or 'ClusterIssuer'. Required.
629-
kind: 'Issuer'
630-
// Issuer group. Optional; defaults to 'cert-manager.io'.
631-
// External issuers may use other groups.
632-
group: 'cert-manager.io'
633-
}
634-
// Namespace of certificate. Optional; omit to use default namespace.
635-
namespace: 'az'
636-
// Where to store the generated TLS server certificate. Any existing
637-
// data at the provided secret will be overwritten.
638-
// Optional; defaults to 'my-issuer-{port}'.
639-
secret: 'my-issuer-8884'
640-
// Parameters for the server certificate's private key.
641-
// Optional; defaults to rotationPolicy: Always, algorithm: ECDSA, size: 256.
642-
privateKey: {
643-
rotationPolicy: 'Always'
644-
algorithm: 'ECDSA'
645-
size: 256
646-
}
647-
// Total lifetime of the TLS server certificate. Optional; defaults to '720h' (30 days).
648-
duration: '720h'
649-
// When to begin renewing the certificate. Optional; defaults to '240h' (10 days).
650-
renewBefore: '240h'
651-
// Any additional SANs to add to the server certificate. Omit if not required.
652-
san: {
653-
dns: [
654-
'iotmq.example.com'
655-
// To connect to the broker from a different namespace, add the following DNS name:
656-
'aio-broker.azure-iot-operations.svc.cluster.local'
657-
]
658-
ip: [
659-
'192.168.1.1'
660-
]
661-
}
662-
}
663-
}
664-
}
665-
]
666-
667-
```
668-
669618
# [Kubernetes](#tab/kubernetes)
670619

671620
Modify the `tls` setting in a BrokerListener resource to specify a TLS port and *Issuer* for the frontends.
@@ -674,12 +623,11 @@ Modify the `tls` setting in a BrokerListener resource to specify a TLS port and
674623
apiVersion: mqttbroker.iotoperations.azure.com/v1beta1
675624
kind: BrokerListener
676625
metadata:
677-
name: loadbalancer-tls
626+
name: aio-broker-loadbalancer-tls # Avoid conflicts with default service name 'aio-broker'
678627
namespace: azure-iot-operations
679628
spec:
680629
brokerRef: default
681630
serviceType: loadBalancer
682-
serviceName: aio-broker-loadbalancer-tls # Avoid conflicts with default service name 'aio-broker'
683631
ports:
684632
- port: 8884 # Avoid conflicts with default port 18883
685633
tls:
@@ -690,60 +638,26 @@ spec:
690638
kind: Issuer
691639
```
692640

641+
---
642+
693643
Once the BrokerListener resource is configured, MQTT broker automatically creates a new service with the specified port and TLS enabled.
694644

695645
#### Optional: Configure server certificate parameters
696646

697-
The only required parameters are `issuerRef.name` and `issuerRef.kind`. All properties of the generated TLS server certificates are automatically chosen. However, MQTT broker allows certain properties to be customized by specifying them in the BrokerListener resource, under `tls.automatic.issuerRef`. The following is an example of all supported properties:
647+
The only required parameters are issuer name and issuer kind. All properties of the generated TLS server certificates are automatically chosen. However, MQTT broker allows certain properties to be customized following the same syntax as cert-manager Certificates. For example, you can specify the private key algorithm and rotation policy. These settings are under `tls.certManagerCertificateSpec` or the **TLS configuration** pane in the Azure portal.
698648

699-
```yaml
700-
# cert-manager issuer for TLS server certificate. Required.
701-
issuerRef:
702-
# Name of issuer. Required.
703-
name: my-issuer
704-
# 'Issuer' or 'ClusterIssuer'. Required.
705-
kind: Issuer
706-
# Issuer group. Optional; defaults to 'cert-manager.io'.
707-
# External issuers may use other groups.
708-
group: cert-manager.io
709-
# Namespace of certificate. Optional; omit to use default namespace.
710-
namespace: az
711-
# Where to store the generated TLS server certificate. Any existing
712-
# data at the provided secret will be overwritten.
713-
# Optional; defaults to 'my-issuer-{port}'.
714-
secret: my-issuer-8884
715-
# Parameters for the server certificate's private key.
716-
# Optional; defaults to rotationPolicy: Always, algorithm: ECDSA, size: 256.
717-
privateKey:
718-
rotationPolicy: Always
719-
algorithm: ECDSA
720-
size: 256
721-
# Total lifetime of the TLS server certificate. Optional; defaults to '720h' (30 days).
722-
duration: 720h
723-
# When to begin renewing the certificate. Optional; defaults to '240h' (10 days).
724-
renewBefore: 240h
725-
# Any additional SANs to add to the server certificate. Omit if not required.
726-
san:
727-
dns:
728-
- iotmq.example.com
729-
# To connect to the broker from a different namespace, add the following DNS name:
730-
- aio-broker.azure-iot-operations.svc.cluster.local
731-
ip:
732-
- 192.168.1.1
733-
```
649+
For a full list of these settings, see [Broker Listener CertManagerCertificateSpec API reference](/rest/api/iotoperationsmq/broker-listener/create-or-update#certmanagercertificatespec).
734650

735651
#### Verify deployment
736652

737-
Use kubectl to check that the service associated with the BrokerListener resource is running. From the example above, the service name is `my-new-tls-listener` and the namespace is `azure-iot-operations`. The following command checks the service status:
653+
Use kubectl to check that the service associated with the BrokerListener resource is running. From the example above, the service name is `aio-broker-loadbalancer-tls` and the namespace is `azure-iot-operations`. The following command checks the service status:
738654

739655
```console
740656
$ kubectl get service my-new-tls-listener -n azure-iot-operations
741-
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
742-
my-new-tls-listener LoadBalancer 10.X.X.X 172.X.X.X 8884:32457/TCP 33s
657+
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
658+
aio-broker-loadbalancer-tls LoadBalancer 10.X.X.X 172.X.X.X 8884:32457/TCP 33s
743659
```
744660

745-
---
746-
747661
#### Connect to the broker with TLS
748662

749663
Once the server certificate is configured, TLS is enabled. To test with mosquitto:
@@ -767,7 +681,6 @@ To help you get started, Azure IoT Operations is deployed with a default "quicks
767681

768682
For production, you must configure a CA issuer with a certificate from a trusted CA, as described in the previous sections.
769683

770-
771684
## Configure TLS with manual certificate management
772685

773686
To manually configure MQTT broker to use a specific TLS certificate, specify it in a BrokerListener resource with a reference to a Kubernetes secret. Then deploy it using kubectl. This article shows an example to configure TLS with self-signed certificates for testing.
@@ -833,7 +746,7 @@ The following is an example of a BrokerListener resource that enables TLS on por
833746

834747
1. In the Azure portal, navigate to your IoT Operations instance.
835748
1. Under **Azure IoT Operations resources**, select **MQTT Broker**.
836-
1. Select or create a listener. You can only create one listener per service type. If you already have a listener of the same service type, you can add more ports to the existing listener.
749+
1. Select or create a listener. You can only create one listener per service type. If you already have a listener of the same service type, you can add more ports to the existing listener. To follow the example, specify the listener service name as `mqtts-endpoint`.
837750
1. You can add TLS settings to the listener by selecting the **TLS** on an existing port or by adding a new port.
838751

839752
:::image type="content" source="media/howto-configure-brokerlistener/tls-manual.png" alt-text="Screenshot using Azure portal to create MQTT broker for load balancer listener with manual TLS certificates." lightbox="media/howto-configure-brokerlistener/tls-manual.png":::
@@ -852,11 +765,13 @@ The following is an example of a BrokerListener resource that enables TLS on por
852765

853766
# [Bicep](#tab/bicep)
854767

768+
Modify the `tls` setting in a BrokerListener resource to specify manual TLS configuration referencing the Kubernetes secret. Note the name of the secret used for the TLS server certificate (`server-cert-secret` in the example previously).
769+
855770
```bicep
856771
param aioInstanceName string = '<AIO_INSTANCE_NAME>'
857772
param customLocationName string = '<CUSTOM_LOCATION_NAME>'
858-
param listenerServiceName string = '<LISTENER_SERVICE_NAME>'
859-
param listenerName string = '<LISTENER_NAME>'
773+
param listenerServiceName string = 'mqtts-endpoint'
774+
param listenerName string = '<LISTENER_NAME>' // Match the SAN in the server certificate
860775
861776
resource aioInstance 'Microsoft.IoTOperations/instances@2024-09-15-preview' existing = {
862777
name: aioInstanceName
@@ -885,7 +800,7 @@ resource loadBalancerListener 'Microsoft.IoTOperations/instances/brokers/listene
885800
ports: [
886801
{
887802
authenticationRef: 'default'
888-
port: 8885
803+
port: 8885 // Avoid port conflict with default listener at 18883
889804
tls: {
890805
mode: 'Manual'
891806
manual: {
@@ -918,7 +833,7 @@ metadata:
918833
spec:
919834
brokerRef: default
920835
serviceType: loadBalancer # Optional, defaults to clusterIP
921-
serviceName: aio-broker-loadbalancer-tls # Match the SAN in the server certificate
836+
serviceName: mqtts-endpoint # Match the SAN in the server certificate
922837
ports:
923838
- port: 8885 # Avoid port conflict with default listener at 18883
924839
tls:

0 commit comments

Comments
 (0)