Merge branch 'stage' for release v1.4.0

Author: fcv-iteratorIt

.gitignore

@@ -1 +1,6 @@
-.idea/
+.idea/
+ca.crt
+ca.key
+server.crt
+server.key
+server.csr

configuration/mosquitto-broker-os2iot/mosquitto-os2iot.conf

@@ -0,0 +1,51 @@
+auth_plugin /home/mosquitto-go-auth/go-auth.so
+listener 8885
+
+cafile /etc/mosquitto/ca_certificates/ca.crt
+keyfile /etc/mosquitto/certs/server.key
+certfile /etc/mosquitto/certs/server.crt
+tls_version tlsv1.3
+
+auth_opt_backends postgres
+
+auth_opt_pg_host **INSERT HOSTNAME**
+auth_opt_pg_port **INSERT PORT**
+auth_opt_pg_user **INSERT USER**
+auth_opt_pg_password **INSERT PASSWORD**
+auth_opt_pg_dbname **INSERT DBNAME**
+auth_opt_pg_userquery SELECT mqttpasswordhash FROM iot_device WHERE mqttUsername = $1 limit 1
+auth_opt_pg_superquery SELECT COUNT(*) FROM iot_device WHERE (mqttusername = $1 AND permissions = 'superUser')
+auth_opt_pg_aclquery SELECT mqttTopicName FROM iot_device WHERE (mqttUsername = $1 AND permissions = 'write') OR (9 = $2 AND mqttUsername = $1)
+
+auth_opt_pg_sslmode verify-ca
+auth_opt_hasher pbkdf2
+
+auth_opt_hasher_salt_size 16
+auth_opt_hasher_iterations 1000
+auth_opt_hasher_keylen 32
+auth_opt_hasher_algorithm sha512
+
+auth_opt_retry_count 5
+auth_opt_pg_connect_tries 5
+
+listener 8884
+require_certificate true
+use_identity_as_username true
+
+auth_opt_backends postgres
+
+auth_opt_pg_host **INSERT HOSTNAME**
+auth_opt_pg_port **INSERT PORT**
+auth_opt_pg_user **INSERT USER**
+auth_opt_pg_password **INSERT PASSWORD**
+auth_opt_pg_dbname **INSERT DBNAME**
+auth_opt_pg_userquery SELECT mqttpasswordhash FROM iot_device WHERE mqttUsername = $1 limit 1
+auth_opt_pg_superquery SELECT COUNT(*) FROM iot_device WHERE (mqttusername = $1 AND permissions = 'superUser')
+auth_opt_pg_aclquery SELECT mqttTopicName FROM iot_device WHERE (mqttUsername = $1 AND permissions = 'write') OR (9 = $2 AND mqttUsername = $1)
+
+auth_opt_pg_sslmode verify-ca
+
+cafile /etc/mosquitto/ca_certificates/ca.crt
+keyfile /etc/mosquitto/certs/server.key
+certfile /etc/mosquitto/certs/server.crt
+tls_version tlsv1.3

docker-compose.yml

@@ -95,6 +95,13 @@ services:
       EMAIL_USER: [email protected] # Change this for sending emails with OS2iot
       EMAIL_PASS: some-login-pass # Change this for sending emails with OS2iot
       EMAIL_FROM: [email protected] # Change this for sending emails with OS2iot
+      MQTT_BROKER_HOSTNAME: # Change this to the public ip/hostname of the mqtt broker
+      ENCRYPTION_SYMMETRIC_KEY: # Change this to the symmetric key generated
+      CA_KEY_PASSWORD: # Change this to the password of the generated CA certificate key
+      MQTT_SUPER_USER_PASSWORD: # Change this to the password for the internal super user.
+    volumes:
+      - ./configuration/mosquitto-broker-os2iot/ca.crt:/tmp/os2iot/backend/dist/resources/ca.crt
+      - ./configuration/mosquitto-broker-os2iot/ca.key:/tmp/os2iot/backend/dist/resources/ca.key
 
   os2iot-postgresql:
     restart: always
@@ -142,6 +149,21 @@ services:
     depends_on:
       - os2iot-zookeeper
 
+  mosquitto-os2iot:
+    image: os2iot-mosquitto
+    ports:
+      - 8884:8884
+      - 8885:8885
+    build:
+      context: "./mosquitto-broker"
+      dockerfile: "Dockerfile"
+    volumes:
+      - ./configuration/mosquitto-broker-os2iot/ca.crt:/etc/mosquitto/ca_certificates/ca.crt
+      - ./configuration/mosquitto-broker-os2iot/ca.key:/etc/mosquitto/ca_certificates/ca.key
+      - ./configuration/mosquitto-broker-os2iot/server.key:/etc/mosquitto/certs/server.key
+      - ./configuration/mosquitto-broker-os2iot/server.crt:/etc/mosquitto/certs/server.crt
+      - ./configuration/mosquitto-broker-os2iot/mosquitto-os2iot.conf:/etc/mosquitto/conf.d/go-auth.conf
+
 volumes:
   pg-data:
   postgresqldata:

helm/charts/mosquitto-os2iot/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: mosquitto-os2iot
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1.2
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.16.1

helm/charts/mosquitto-os2iot/templates/configmap.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $.Chart.Name }}-configmap
+data:
+  go-auth.conf: |
+    auth_plugin /home/mosquitto-go-auth/go-auth.so
+    listener 8885
+
+    cafile /etc/mosquitto/ca_certificates/ca.crt
+    keyfile /etc/mosquitto/certs/server.key
+    certfile /etc/mosquitto/certs/server.crt
+    tls_version tlsv1.3
+
+    auth_opt_backends postgres
+
+    auth_opt_pg_host {{ .Values.deployment.env.DATABASE_HOST }}
+    auth_opt_pg_port {{ .Values.deployment.env.DATABASE_PORT }}
+    auth_opt_pg_user {{ .Values.deployment.env.DATABASE_USERNAME }}
+    auth_opt_pg_password {{ .Values.deployment.env.DATABASE_PASSWORD }}
+    auth_opt_pg_dbname {{ .Values.deployment.env.DATABASE_NAME }}
+    auth_opt_pg_userquery SELECT mqttPassword FROM iot_device WHERE mqttUsername = $1 limit 1
+    auth_opt_pg_superquery SELECT COUNT(*) FROM iot_device WHERE (mqttusername = $1 AND permissions = 'superUser')
+    auth_opt_pg_aclquery SELECT mqttTopicName FROM iot_device WHERE (mqttUsername = $1 AND permissions = 'write') OR (9 = $2 AND mqttUsername = $1)
+
+    auth_opt_pg_sslmode verify-ca
+    auth_opt_hasher pbkdf2
+
+    auth_opt_hasher_salt_size 16
+    auth_opt_hasher_iterations 1000
+    auth_opt_hasher_keylen 32
+    auth_opt_hasher_algorithm sha512
+
+    auth_opt_retry_count 5
+    auth_opt_pg_connect_tries 5
+
+    listener 8884
+    require_certificate true
+    use_identity_as_username true
+
+    auth_opt_backends postgres
+
+    auth_opt_pg_host {{ .Values.deployment.env.DATABASE_HOST }}
+    auth_opt_pg_port {{ .Values.deployment.env.DATABASE_PORT }}
+    auth_opt_pg_user {{ .Values.deployment.env.DATABASE_USERNAME }}
+    auth_opt_pg_password {{ .Values.deployment.env.DATABASE_PASSWORD }}
+    auth_opt_pg_dbname {{ .Values.deployment.env.DATABASE_NAME }}
+    auth_opt_pg_userquery SELECT mqttPassword FROM iot_device WHERE mqttUsername = $1 limit 1
+    auth_opt_pg_superquery SELECT COUNT(*) FROM iot_device WHERE (mqttusername = $1 AND permissions = 'superUser')
+    auth_opt_pg_aclquery SELECT mqttTopicName FROM iot_device WHERE (mqttUsername = $1 AND permissions = 'write') OR (9 = $2 AND mqttUsername = $1)
+
+    auth_opt_pg_sslmode verify-ca
+
+    cafile /etc/mosquitto/ca_certificates/ca.crt
+    keyfile /etc/mosquitto/certs/server.key
+    certfile /etc/mosquitto/certs/server.crt
+    tls_version tlsv1.3

helm/charts/mosquitto-os2iot/templates/deployment.yaml

@@ -0,0 +1,65 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ $.Chart.Name }}
+  labels:
+    helm.sh/chart: "{{ $.Chart.Name }}-{{ $.Chart.Version }}"
+    app.kubernetes.io/name: {{ $.Chart.Name }}
+    app.kubernetes.io/instance: {{ $.Chart.Name }}-{{ .Values.DOCKER_IMAGE_TAG }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.REPLICAS }}
+  selector:
+    matchLabels:
+      app: {{ $.Chart.Name }}
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+    type: RollingUpdate
+  revisionHistoryLimit: {{ .Values.REVISION_HISTORY_LIMIT }}
+  template:
+    metadata:
+      labels:
+        app: {{ $.Chart.Name }}
+        version: "{{ $.Chart.Name }}-{{ .Values.DOCKER_IMAGE_TAG }}"
+    spec:
+      containers:
+        - name: {{ $.Chart.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
+          ports:
+            - name: mos-cert
+              containerPort: 8884
+              protocol: TCP
+            - name: mos-userpass
+              containerPort: 8885
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 150m
+              memory: 512Mi
+            requests:
+              cpu: 5m
+              memory: 128Mi
+          volumeMounts:
+            - name: {{ $.Chart.Name }}-configmap
+              mountPath: /etc/mosquitto/conf.d/go-auth.conf
+              subPath: go-auth.conf
+            - name: secret-ca-crt
+              mountPath: /etc/mosquitto/ca_certificates
+              readOnly: true
+            - name: secret-server-key
+              mountPath: /etc/mosquitto/certs
+              readOnly: true
+      volumes:
+        - name: "{{ $.Chart.Name }}-configmap"
+          configMap:
+            name: "{{ $.Chart.Name }}-configmap"
+        - name: secret-ca-crt
+          secret:
+            secretName: ca-keys
+        - name: secret-server-key
+          secret:
+            secretName: server-keys
+      restartPolicy: Always

helm/charts/mosquitto-os2iot/templates/service.yaml

@@ -0,0 +1,19 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ $.Chart.Name }}-svc
+  labels:
+    app: {{ $.Chart.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: mosquitto-os2iot
+      port: 8884
+      targetPort: 8884
+      protocol: TCP
+    - name: mosquitto-os2iot
+      port: 8885
+      targetPort: 8885
+      protocol: TCP
+  selector:
+    app: {{ $.Chart.Name }}

helm/charts/mosquitto-os2iot/templates/virtualservice.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: "{{ $.Chart.Name }}-virtualservice"
+spec:
+  hosts:
+    - {{ .Values.INGRESS_ADDRESS | default  (printf "%s-%s.%s" .Release.Namespace $.Chart.Name .Values.global.DOMAIN_NAME)}}
+  gateways:
+    - istio-system/istio-ingressgateway
+  http:
+    - name: {{ $.Chart.Name }}
+      route:
+        - destination:
+            port:
+              number: 8884
+              number: 8885
+            host: "{{ $.Chart.Name }}-svc"

helm/charts/mosquitto-os2iot/values.yaml

@@ -0,0 +1,25 @@
+# Default values for aodb.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Registry the image comes from
+# CONTAINER_REGISTRY: postgres
+
+# Image that needs to be used.
+DOCKER_IMAGE_NAME: mosquitto-os2iot
+
+DOCKER_IMAGE_PULL_POLICY: IfNotPresent
+
+# How many replicas of the pod?
+REPLICAS: 1
+
+# How much revision history should be stored? (can clog up etcd)
+REVISION_HISTORY_LIMIT: 3
+
+deployment:
+  env:
+    "DATABASE_HOST": ""
+    "DATABASE_PORT": ""
+    "DATABASE_USERNAME": ""
+    "DATABASE_PASSWORD": ""
+    "DATABASE_NAME": ""

helm/charts/os2iot-backend/templates/deployment.yaml

@@ -80,4 +80,26 @@ spec:
             - name: EMAIL_PASS
               value: some-login-pass
             - name: EMAIL_FROM
-              value: [email protected]
+              value: [email protected]
+            - name: MQTT_SUPER_USER_PASSWORD 
+              value: some-super-user-password
+            - name: MQTT_BROKER_HOSTNAME
+              value: some-mqtt-broker-hostname
+            - name: ENCRYPTION_SYMMETRIC_KEY
+              value: some-encryption-symmetric-key
+            - name: CA_KEY_PASSWORD
+              value: some-ca-key-password
+           volumeMounts:
+            - name: secret-ca-crt
+              mountPath: /tmp/os2iot/backend/resources
+              readOnly: true
+      volumes:
+        - name: "{{ $.Chart.Name }}-configmap"
+          configMap:
+            name: "{{ $.Chart.Name }}-configmap"
+        - name: secret-ca-crt
+          secret:
+            secretName: ca-keys
+      restartPolicy: Always
+
+