feat: add emqx

kubernetes/main/apps/database/emqx/app/helmrelease.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: emqx-operator
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: emqx-operator
+      version: 2.2.22
+      sourceRef:
+        kind: HelmRepository
+        name: emqx
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: cert-manager
+      namespace: cert-manager
+  values:
+    image:
+      repository: ghcr.io/emqx/emqx-operator
+    resources:
+      requests:
+        cpu: 10m
+      limits:
+        memory: 512Mi

kubernetes/main/apps/database/emqx/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml

kubernetes/main/apps/database/emqx/cluster/cluster.yaml

@@ -0,0 +1,59 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/apps.emqx.io/emqx_v2beta1.json
+apiVersion: apps.emqx.io/v2beta1
+kind: EMQX
+metadata:
+  name: emqx-cluster
+spec:
+  image: public.ecr.aws/emqx/emqx:5.6.1
+  config:
+    data: |
+      authentication {
+        backend = "built_in_database"
+        mechanism = "password_based"
+        password_hash_algorithm {
+            name = "bcrypt",
+        }
+        user_id_type = "username"
+      }
+      authorization {
+        sources = [
+          {
+            type = built_in_database
+            enable = true
+          }
+        ]
+        no_match: "deny"
+      }
+  bootstrapAPIKeys:
+    - secretRef:
+        key:
+          secretName: mqtt-secret
+          secretKey: username
+        secret:
+          secretName: mqtt-secret
+          secretKey: password
+  coreTemplate:
+    metadata:
+      annotations:
+        secret.reloader.stakater.com/reload: "emqx-cluster-secret,mqtt-secret"
+    spec:
+      replicas: 3
+      env:
+        - name: EMQX_DASHBOARD__DEFAULT_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: emqx-cluster-secret
+              key: username
+        - name: EMQX_DASHBOARD__DEFAULT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: emqx-cluster-secret
+              key: password
+      volumeClaimTemplates:
+        storageClassName: local-standard
+        resources:
+          requests:
+            storage: 1Gi
+        accessModes:
+          - ReadWriteOnce

kubernetes/main/apps/database/emqx/cluster/ingress.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: emqx-cluster-dashboard
+spec:
+  ingressClassName: internal
+  rules:
+    - host: &host emqx.${SECRET_DOMAIN}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: emqx-cluster-dashboard
+                port:
+                  number: 18083
+  tls:
+    - hosts:
+        - *host

kubernetes/main/apps/database/emqx/cluster/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./cluster.yaml
+  - ./ingress.yaml
+  - ./secret.sops.yaml

kubernetes/main/apps/database/emqx/cluster/secret.sops.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: emqx-cluster-secret
+type: kubernetes.io/basic-auth
+stringData:
+    username: ENC[AES256_GCM,data:1h9p9A==,iv:dabeRzJ6xQhpDkGC5N3hWXJQ78JpNl5bCxNwHoiPHp8=,tag:0l8vMUagmkQ4Y1SJ3yLtxw==,type:str]
+    password: ENC[AES256_GCM,data:+kV8qHzgY4IdVPws1YLm5cQ=,iv:THP3lPCJVh+lCkGMcKvSgp5GlMHkkDilsxsSdywxYVs=,tag:zeNsuiaSD/ZmuaHetipm4Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ve9kzacrwq7l9l0emvs326uk6t576d75r596e083r2tq6xu28qcsacy3s7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheTNjZ1pWazNGblE1ZzlB
+            QjE2YmFvVzJ6MVUwanI0TnQvcXBWVUtnbkFrCmY1UnBXT1hRSlZ5MHRJLzQ2R0p5
+            NzdUS01sT3UwbG0wQjZpejhQVUhTc1kKLS0tIFlIZ3FjUFE2MG9CeVB6b3ZwTFMy
+            QStYM3c2MXBDcWtFRXMwOVQrUUt6KzgKZ4Lff78YgvkFXUgeMYrFtXiHU6OGcE4R
+            XkBvRAT/hK5S+l4rSnUxkRFrOUa11cFlg8yHYR7k310LAAOpnlL/JA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-23T12:34:40Z"
+    mac: ENC[AES256_GCM,data:KQOG8fhoxW/hN11V26xaYRRics3yDeVO+wUUAuXewPRCj/Y1kR2TJ1TisEcYTrmafgO5f7kw9MV470ZE2K7PdSr3LA52wx3rUoB1h3GsJKJOGa637uGnWPrVvGMhg7M73kUiAICEgZdprgywbNxlU18QgMcUEJQdtnP8H8hVJGY=,iv:57wxKaOZSmi8lS696LIVTmfJXRlklcUzCSTDU16PzFw=,tag:XY3lHsCChHBDK4J1Bbx0Qg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/main/apps/database/emqx/ks.yaml

@@ -0,0 +1,66 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app emqx-operator
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/database/emqx/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app emqx-secret-store
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/database/emqx/secret-store
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app emqx-cluster
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: emqx-operator
+    - name: emqx-secret-store
+  path: ./kubernetes/main/apps/database/emqx/cluster
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/main/apps/database/emqx/secret-store/clustersecretstore.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: mqtt-secret-store
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: database
+      auth:
+        serviceAccount:
+          name: mqtt-secret-manager
+          namespace: database
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          namespace: database
+          key: ca.crt

kubernetes/main/apps/database/emqx/secret-store/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./clustersecretstore.yaml
+  - ./rbac.yaml
+  - ./secret.sops.yaml

kubernetes/main/apps/database/emqx/secret-store/rbac.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mqtt-secret-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: mqtt-secret-manager-role
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    resourceNames:
+      - mqtt-secret
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - selfsubjectrulesreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mqtt-secret-manager-binding
+subjects:
+  - kind: ServiceAccount
+    name: mqtt-secret-manager
+    namespace: database
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mqtt-secret-manager-role

kubernetes/main/apps/database/emqx/secret-store/secret.sops.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: mqtt-secret
+type: kubernetes.io/basic-auth
+stringData:
+    username: ENC[AES256_GCM,data:NuQKbSSjr7rh+8BYLO/yGl3AJN8=,iv:EshK/hJ4wOFo3EHVGqI3+27cXXBRzDAts5+OMVHXxlw=,tag:FT2nZOdXQjeVXIYTShgfnw==,type:str]
+    password: ENC[AES256_GCM,data:MWWiZ1wC3npnov3FL/+QoHmM9ymW77Ij46KcQFUat5vJtxAUPOof40Y5U753ulLjbE04OWLcuZAI8kkcttk2/A==,iv:pXDTYEnB1AxU1TOMYMUsri07qAMGo83mP7z3oGaaT1g=,tag:fmU8I7Fnp9KcHRVWLrG8Kg==,type:str]
+    host: ENC[AES256_GCM,data:7LPSN5dTGaF+79mytRAsHGy5n6lze7yWZvFgyPZIcOtr+OQ5BIySYIfEtt6PnEEe,iv:WewMKjDeMO6AsfesjiYgIAyCCHfayqJDHLkbUfxG4cc=,tag:YXPMCx9i4czEynUvW3I5QA==,type:str]
+    port: ENC[AES256_GCM,data:CI8f+A==,iv:CX5ct6OxviolPfC2ksg1dzzI/8uwh35cyFKTDJL9PIo=,tag:ZOC1OmIF50qf3oKUYNxI1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ve9kzacrwq7l9l0emvs326uk6t576d75r596e083r2tq6xu28qcsacy3s7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOU2gxZU9ST2ZJTytrdTFp
+            Q1hMWjdkeDZUM2IwWjh1NGhIemlOQWRnQm1nCjFha2pVc0JDZFduMlk3MlVZUVhX
+            MkFYWVkvTkRjN2ZDN0NPOFl5RUNzdjQKLS0tIHNzTWttZGFNbkRTZFN0bUZaWGVk
+            Y3ZPVUtIUEZLRitqTktMMi8vVmdDNDgKcQ4inSMDnurYaD1q4IyDNJZQFJ2cR+GK
+            7f+tt3W/7k3JntOglSsPyV7otq5GykWwa0qpopXLSy18iX5Dne+Hkg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-23T09:25:26Z"
+    mac: ENC[AES256_GCM,data:uZgY0s1lIFBB77uTFNUsZtIDqTRrInZYNxvZQbcYh+RjMFVnkmfUOk5PQppR35UO9QSsrg9I8M36Yei2tFXlQ5Ufei3YCL4HFFELvRAwxnzDhwQ5E+obtu5kHYXH83ntkad2IwvhUVD41i6ibdBN7ex0tqYRzAXthknRPfIs5YU=,iv:yoga0gkdwRaTxpwYdb7DpfqIGahWM+xUBl9rywlU92Q=,tag:QeddCZWCmBlCkP+Oyk6ETA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/main/apps/database/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - ./namespace.yaml
   - ./cloudnative-pg/ks.yaml
   - ./dragonfly/ks.yaml
+  - ./emqx/ks.yaml

kubernetes/main/flux/repositories/helm/emqx.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: emqx
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://repos.emqx.io/charts

kubernetes/main/flux/repositories/helm/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - ./cilium.yaml
   - ./cloudnative-pg.yaml
   - ./descheduler.yaml
+  - ./emqx.yaml
   - ./external-dns.yaml
   - ./external-secrets.yaml
   - ./ingress-nginx.yaml