Add Mosquitto Kustomize Component

kustomization/components/mosquitto/README.md

@@ -0,0 +1,86 @@
+# Mosquitto Component
+
+This will deploy the [Mosquitto](https://mosquitto.org/). This runs as as the `mosquitto` user
+from the [`mosquitto` Docker image](https://github.com/eclipse/mosquitto/tree/master/docker/2.0),
+which runs with a `uid` and `gid` of `1883`. This component can run under a `restricted`
+[pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
+
+# Example Usage
+
+```yaml
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+components:
+  - https://github.com/marinatedconcrete/config/kustomization/components/mosquitto
+```
+
+See below for additionally required patches and secrets.
+
+## Required Secrets
+
+### `mosquitto-password-conf-secret`
+
+This contains the logins that you want to be included in the `password.conf` file in the container.
+Each key will be treated as the username, and the contents the password to hash and add to
+`password.conf`.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mosquitto-password-conf-secret
+stringData:
+  someuser: super-secure-unhashed-password
+```
+
+## Optional Patches
+
+### Add Configuration Options
+
+If you want to change the [configuration](https://mosquitto.org/man/mosquitto-conf-5.html) of
+`mosquitto`, you can patch in your own config files. You can place as many `.conf` files as you
+would like in the `ConfigMap`.
+
+#### `kustomization.yml`
+
+```yaml
+configMapGenerator:
+  - files:
+      - configmap/logging.conf
+    name: mosquitto-config-configmap
+patches:
+  - path: patches/add_custom_config.yml
+    target:
+      kind: Deployment
+      name: mosquitto-deployment
+```
+
+#### `configmap/logging.conf`
+
+```
+log_type all
+```
+
+#### `patches/add_custom_config.yml`
+
+This patch is taking advantage of the `$patch: delete` functionality of Kustomize to remove the
+`emptyDir` configuration and instead mount the `ConfigMap` that was just defined.
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: this-is-ignored-but-is-required
+spec:
+  template:
+    spec:
+      volumes:
+        - emptyDir:
+            $patch: delete
+          name: mosquitto-config
+          configMap:
+            name: mosquitto-config-configmap
+```

kustomization/components/mosquitto/configmap/default-config/mosquitto.conf

@@ -0,0 +1,17 @@
+# Log to the container's stdout, and include a useful timestamp.
+log_dest stdout
+log_timestamp_format %Y-%m-%dT%H:%M:%S
+
+# Allow different auth per listener.  This is helpful for our liveness probe.
+per_listener_settings true
+
+# This listener exists just for a liveness probe!
+listener 0 /mosquitto/socket
+allow_anonymous true
+
+# Default Listener
+listener 1883
+
+password_file /mosquitto/data/password.conf
+
+include_dir /mosquitto/config.d/

kustomization/components/mosquitto/configmap/scripts/create_password.conf.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+cd /mosquitto/data || exit 1
+touch password.conf
+chmod o-rwx password.conf
+for username_path in password-conf-data/* ; do
+    username="$(echo "$username_path" | awk -F / -e '{print $2}')"
+    password="$(cat password-conf-data/"$username")"
+    mosquitto_passwd -b password.conf "$username" "$password"
+done

kustomization/components/mosquitto/deployment.yml

@@ -0,0 +1,99 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mosquitto-deployment
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mosquitto
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mosquitto
+    spec:
+      containers:
+        - image: eclipse-mosquitto
+          name: mosquitto
+          ports:
+            - containerPort: 1883
+              name: mqtt
+          readinessProbe:
+            exec:
+              command:
+                - /usr/bin/mosquitto_sub
+                - --unix
+                - /mosquitto/socket
+                - -t
+                - "#"
+                - -E
+                - -i
+                - healthcheck
+            initialDelaySeconds: 5
+            periodSeconds: 60
+          resources:
+            limits:
+              cpu: 500m
+              memory: 200Mi
+            requests:
+              cpu: 50m
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /mosquitto/config.d
+              name: mosquitto-config
+            - mountPath: /mosquitto/config
+              name: mosquitto-default-config
+            - mountPath: /mosquitto/data
+              name: mosquitto-data
+      initContainers:
+        - command:
+            - /bin/sh
+            - -c
+            - /scripts/create_password.conf.sh
+          image: eclipse-mosquitto
+          name: mosquitto-password-conf
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /mosquitto/data/password-conf-data
+              name: password-conf-data
+            - mountPath: /scripts
+              name: mosquitto-scripts
+            - mountPath: /mosquitto/data
+              name: mosquitto-data
+      securityContext:
+        fsGroup: 1883 #mosquitto
+        runAsGroup: 1883 # mosquitto
+        runAsUser: 1883 # mosquitto
+      volumes:
+        - emptyDir:
+            medium: Memory
+          name: mosquitto-config
+        - name: mosquitto-default-config
+          configMap:
+            name: mosquitto-default-config-configmap
+        - name: mosquitto-data
+          persistentVolumeClaim:
+            claimName: mosquitto-data-pvc
+        - name: mosquitto-scripts
+          configMap:
+            defaultMode: 0777
+            name: mosquitto-scripts-configmap
+        - name: password-conf-data
+          secret:
+            secretName: mosquitto-password-conf-secret

kustomization/components/mosquitto/kustomization.yml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+  - name: mosquitto-default-config-configmap
+    files:
+      - configmap/default-config/mosquitto.conf
+  - name: mosquitto-scripts-configmap
+    files:
+      - configmap/scripts/create_password.conf.sh
+images:
+  - name: eclipse-mosquitto
+    newTag: 2.0.18
+resources:
+  - persistentvolumeclaim.yml
+  - deployment.yml
+  - service.yml

kustomization/components/mosquitto/persistentvolumeclaim.yml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mosquitto-data-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

kustomization/components/mosquitto/service.yml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mosquitto-svc
+spec:
+  ports:
+    - name: mqtt
+      port: 1883
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: mosquitto