# Persistent storage for the broker. The StatefulSet in this file mounts this
# single claim twice, at /mosquitto/data and /mosquitto/log, using subPath.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mosquitto-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  volumeMode: Filesystem
---
# Single-replica Mosquitto broker with a sidecar that subscribes to every topic.
# NOTE(review): neither container sets securityContext or resources here, so
# whatever the namespace's admission defaults impose is what applies - confirm.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mosquitto
spec:
  replicas: 1
  serviceName: mosquitto
  selector:
    matchLabels:
      name: mosquitto
  template:
    metadata:
      labels:
        name: mosquitto
    spec:
      containers:
        - name: mosquitto
          # NOTE(review): ":latest" is a mutable tag, and with IfNotPresent a
          # node keeps whichever build it pulled first. Pin a version tag or an
          # image digest so the running broker is reproducible and reviewable.
          image: docker.io/library/eclipse-mosquitto:latest
          imagePullPolicy: IfNotPresent
          ports:
            # Only the TLS listener is declared. mosquitto.conf in this file
            # also opens a plaintext listener on 1883, which the liveness probe
            # and the Service use.
            - containerPort: 8883
          # Liveness is a bare TCP connect to the plaintext listener. With
          # failureThreshold 1, a single failed check restarts the container.
          livenessProbe:
            tcpSocket:
              port: 1883
            failureThreshold: 1
            initialDelaySeconds: 5
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          # Readiness publishes "ping" to topic "_ping". No host, port,
          # credentials or TLS options are passed, so this presumably relies on
          # the client defaults (localhost:1883, anonymous) - confirm.
          # If anonymous access or the 1883 listener is ever disabled, both
          # probes must be updated in the same change.
          readinessProbe:
            exec:
              command:
                - mosquitto_pub
                - -t
                - _ping
                - -m
                - ping
            failureThreshold: 1
            initialDelaySeconds: 5
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          volumeMounts:
            - name: data
              mountPath: /mosquitto/data
              subPath: data
            - name: data
              mountPath: /mosquitto/log
              subPath: log
            # Holds mosquitto.conf, aclfile and pwfile from the ConfigMap.
            - name: config
              mountPath: /mosquitto/config
            # Serving certificate and private key (tls.crt / tls.key).
            - name: tls
              mountPath: /mosquitto/tls
              readOnly: true
            - name: ca
              mountPath: /mosquitto/ca
              readOnly: true
        # Sidecar: subscribes to '#' (all topics). With -v, mosquitto_sub prints
        # topic and payload, so every message presumably ends up in this
        # container's log; treat read access to pod logs as read access to all
        # broker traffic.
        - name: mosquitto-subscriber
          image: docker.io/library/eclipse-mosquitto:latest
          imagePullPolicy: IfNotPresent
          command:
            - mosquitto_sub
          args:
            - -v
            - -t
            - '#'
          # NOTE(review): the args above reference neither the CA bundle nor the
          # serving key, yet both are mounted. If the sidecar does not need
          # them, drop these mounts so the broker's private key is not exposed
          # to a second container.
          volumeMounts:
            - name: tls
              mountPath: /mosquitto/tls
              readOnly: true
            - name: ca
              mountPath: /mosquitto/ca
              readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: mosquitto-data
        - name: config
          configMap:
            name: mosquitto-config
            # Leading-zero octal: read as 0o640 (decimal 416) by YAML 1.1
            # loaders; a strict YAML 1.2 loader would read decimal 640. The
            # field is an integer, so it cannot be quoted.
            defaultMode: 0640
        # presumably the service-CA bundle OpenShift publishes per namespace;
        # mosquitto.conf reads /mosquitto/ca/service-ca.crt from it.
        - name: ca
          configMap:
            name: openshift-service-ca.crt
        # Same Secret name the Service annotation in this file requests.
        - name: tls
          secret:
            secretName: mosquitto-tls
---
# ClusterIP Service in front of the broker pod. The annotation names the Secret
# (mosquitto-tls) that the OpenShift serving-cert mechanism should populate.
apiVersion: v1
kind: Service
metadata:
  name: mosquitto
  annotations:
    service.beta.openshift.io/serving-cert-secret-name: mosquitto-tls
spec:
  type: ClusterIP
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    # Plaintext MQTT. Exposing it on the Service makes the unencrypted,
    # anonymous-capable listener reachable from other workloads in the cluster
    # unless a NetworkPolicy restricts it.
    - name: mqtt
      port: 1883
      protocol: TCP
      targetPort: 1883
    # MQTT over TLS; also the port the Route in this file targets.
    - name: tls
      port: 8883
      protocol: TCP
      targetPort: 8883
  selector:
    name: mosquitto
  sessionAffinity: None
---
# Broker configuration, ACLs and password file, mounted at /mosquitto/config.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mosquitto-config
data:
  # Two listeners on all interfaces: 1883 without TLS and 8883 with the
  # serving certificate. allow_anonymous is true, so clients may connect
  # without credentials. No require_certificate line is present, so nothing
  # here asks clients for a certificate on 8883.
  # NOTE(review): on 1883 the "tekton" user's password would travel in
  # cleartext; consider restricting authenticated use to the TLS listener.
  mosquitto.conf: |
    autosave_interval 60
    persistence true
    persistence_file mosquitto.db
    persistence_location /mosquitto/data
    allow_anonymous true
    password_file /mosquitto/config/pwfile
    acl_file /mosquitto/config/aclfile
    listener 1883 0.0.0.0
    protocol mqtt
    listener 8883 0.0.0.0
    protocol mqtt
    cafile /mosquitto/ca/service-ca.crt
    certfile /mosquitto/tls/tls.crt
    keyfile /mosquitto/tls/tls.key
  # Net effect of the rules below: clients without a username can read every
  # topic, including $SYS; only user "tekton" gets read/write on '#'. The
  # final pattern rule grants write on a per-client state topic to all clients.
  # Anything published to this broker should be treated as world-readable by
  # whoever can reach a listener.
  aclfile: |
    # This affects access control for clients with no username.
    topic read $SYS/#
    # Allow anonymous users to read all updates.
    topic read #
    # Allow the tekton user to write updates.
    user tekton
    topic readwrite #
    # This affects all clients.
    pattern write /broker/connection/%c/state
  # pwfile is generated using "mosquitto_passwd -c /tmp/pwfile $username"
  # NOTE(review): this is credential material stored in a ConfigMap. Even as a
  # hash it is open to offline guessing by anyone who can read ConfigMaps in
  # the namespace; a Secret, mounted separately, would keep it under Secret
  # RBAC and any at-rest encryption the cluster applies to Secrets.
  pwfile: |
    tekton:REDACTED
---
# Exposes the broker's TLS listener outside the cluster. With passthrough
# termination the router does not terminate TLS, so clients negotiate directly
# with Mosquitto and see the certificate from the mosquitto-tls Secret.
# NOTE(review): that certificate is requested through the Service annotation,
# so it is presumably issued for the Service's in-cluster names by the cluster
# service CA; external clients may need that CA and may fail hostname
# verification against the Route host - confirm before relying on it.
# NOTE(review): the broker config in this file allows anonymous clients to
# read all topics, so anyone who can reach this Route can subscribe to
# everything unless access is limited elsewhere.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: mosquitto
spec:
  to:
    kind: Service
    name: mosquitto
  port:
    targetPort: 8883
  tls:
    termination: passthrough
    insecureEdgeTerminationPolicy: None