Connecting to the broker from external mqtt clients
When you expose an acceptor to external clients (that is, by setting the value of the expose parameter to true), the Operator automatically creates an ingress on Kubernetes or a route on OpenShift for each broker pod of the deployment. An external client can connect to the broker by specifying the full host name of the ingress/route created for the broker pod.
Prerequisite
Before you start you need to have access to a running Kubernetes cluster environment. A Minikube with Ingress running on your laptop will just do fine. The ArkMQ operator also runs in Openshift cluster environment like CodeReady Container. In this blog we assume you have Kubernetes cluster environment. Execute the following command to enable Ingress in minikube:
$ minikube addons enable ingress
Enable SSL Passthrough
SSL Passthrough leverages SNI and reads the virtual domain from the TLS negotiation, which requires compatible clients. After a connection has been accepted by the TLS listener, it is handled by the controller itself and piped back and forth between the backend and the client. Execute the following command to enable SSL Passthrough in minikube:
$ minikube kubectl -- patch deployment -n ingress-nginx ingress-nginx-controller --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
Deploy ArkMQ operator
First you need to deploy the ArkMQ operator. If you are not sure how to deploy the operator take a look at this blog.
Download the test certficates from Apache ActiveMQ Artemis
$ wget -O server-keystore.jks https://github.com/apache/activemq-artemis/raw/main/tests/security-resources/server-keystore.jks
$ wget -O client-ca-truststore.jks https://github.com/apache/activemq-artemis/raw/main/tests/security-resources/client-ca-truststore.jks
$ wget -O server-ca-keystore.p12 https://github.com/apache/activemq-artemis/raw/main/tests/security-resources/server-ca-keystore.p12
$ keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass securepass -alias server-ca -exportcert -rfc > server-ca.crt
Create a secret with the test certificates
Use the following command to create a secret with the test certificates:
$ kubectl create secret generic my-tls-secret \
--from-file=broker.ks=server-keystore.jks \
--from-file=client.ts=client-ca-truststore.jks \
--from-literal=keyStorePassword=securepass \
--from-literal=trustStorePassword=securepass
Deploy ActiveMQArtemis with an mqtt acceptor
Use the following command to deploy ActiveMQArtemis with an mqtt acceptor:
$ kubectl apply -f - <<EOF
apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemis
metadata:
name: artemis-mqtt-ssl
spec:
acceptors:
- name: my-acceptor
expose: true
port: 5672
protocols: mqtt
sslEnabled: true
sslSecret: my-tls-secret
env:
- name: JAVA_ARGS_APPEND
value: -Djavax.net.debug=all
EOF
Publish a message with mosquitto
Eclipse Mosquitto is an open source project and it provides a message broker that implements the MQTT protocol, a C library for implementing MQTT clients, and the very popular mosquitto_pub and mosquitto_sub command line MQTT clients.
Use the following command to publish a message with mosquitto_pub from your host:
$ mosquitto_pub -d --insecure -t "test" -m "test" -u admin -P admin -h artemis-mqtt-ssl-my-acceptor-0-svc-ing.apps.arkmq.org -p 443 --cafile server-ca.crt
Alternatively you can execute mosquitto_pub from the eclipse-mosquitto container running on your host with podman. Use the following command to publish a message with mosquitto_pub from the eclipse-mosquitto container running on your host:
$ podman run --name mosquitto_pub -it --rm --add-host artemis-mqtt-ssl-my-acceptor-0-svc-ing.apps.arkmq.org:$(minikube ip) --network host --entrypoint /usr/bin/mosquitto_pub -v ${PWD}/server-ca.crt:/mosquitto/config/server-ca.crt:Z eclipse-mosquitto -d --insecure -t "test" -m "test" -u admin -P admin -h artemis-mqtt-ssl-my-acceptor-0-svc-ing.apps.arkmq.org -p 443 --cafile /mosquitto/config/server-ca.crt