Add Helm Chart for EclipseMosquitto – Track 2 (ZopDev SoC 2025)

charts/mosquitto/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: "1.0"
+description: Helm chart for Eclipse Mosquitto MQTT Broker
+name: mosquitto
+version: 0.0.1
+maintainers:
+  - name: ZopDev
+    url: zop.dev

charts/mosquitto/README.md

@@ -0,0 +1,150 @@
+# Mosquitto Helm Chart
+
+The Mosquitto Helm chart enables the deployment of Eclipse Mosquitto, a lightweight MQTT message broker, in a Kubernetes cluster. Mosquitto is designed for IoT messaging and supports MQTT protocol versions 5.0, 3.1.1, and 3.1.
+
+---
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3+
+
+---
+
+## Add Helm Repository
+
+Add the Helm repository to your local setup:
+
+```bash
+helm repo add zopdev https://helm.zop.dev
+helm repo update
+```
+
+Refer to the [Helm Repository Documentation](https://helm.sh/docs/helm/helm_repo/) for more information.
+
+---
+
+## Install Helm Chart
+
+To install the Mosquitto Helm chart, use the following command:
+
+```bash
+helm install [RELEASE_NAME] zopdev/mosquitto
+```
+
+Replace `[RELEASE_NAME]` with your desired release name. For example:
+
+```bash
+helm install my-mosquitto zopdev/mosquitto
+```
+
+To customize configurations, provide a `values.yaml` file or override values via the command line.
+
+Refer to the [Helm Install Documentation](https://helm.sh/docs/helm/helm_install/) for more details.
+
+---
+
+## Uninstall Helm Chart
+
+To uninstall the Mosquitto Helm chart and remove all associated Kubernetes resources, use the command:
+
+```bash
+helm uninstall [RELEASE_NAME]
+```
+
+For example:
+
+```bash
+helm uninstall my-mosquitto
+```
+
+See the [Helm Uninstall Documentation](https://helm.sh/docs/helm/helm_uninstall/) for additional details.
+
+---
+
+## Configuration
+
+Below is a summary of configurable parameters for the Mosquitto Helm chart:
+
+| Input | Type | Description | Default |
+| --- | --- | --- | --- |
+| `version` | string | Eclipse Mosquitto image version. | `2.0.18` |
+| `disk_size` | string | Size of the persistent volume for Mosquitto data. | `10Gi` |
+| `auth.enabled` | boolean | Enable password authentication. | `true` |
+| `auth.users` | list | List of usernames to create (passwords auto-generated). | `[admin]` |
+| `service.type` | string | Kubernetes Service type (ClusterIP, LoadBalancer, NodePort). | `ClusterIP` |
+| `tls.enabled` | boolean | Enable TLS encryption (requires existing secret). | `false` |
+| `tls.cert_secret` | string | Name of the Kubernetes Secret containing TLS certs. | `mosquitto-tls-secret` |
+| `resources.requests.cpu` | string | Minimum CPU resources required. | `50m` |
+| `resources.requests.memory` | string | Minimum memory resources required. | `64Mi` |
+| `resources.limits.cpu` | string | Maximum CPU resources allowed. | `100m` |
+| `resources.limits.memory` | string | Maximum memory resources allowed. | `128Mi` |
+
+You can override these values in a `values.yaml` file or via the command line during installation.
+
+---
+
+## Example `values.yaml` File
+
+```yaml
+disk_size: "20Gi"
+
+version: "2.0.18"
+
+resources:
+  limits:
+    cpu: 200m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+service:
+  type: LoadBalancer
+```
+
+Apply the configuration file during installation:
+
+```bash
+helm install my-mosquitto zopdev/mosquitto -f values.yaml
+```
+
+---
+
+## Features
+
+- Lightweight MQTT broker supporting MQTT 5.0, 3.1.1, and 3.1.
+- Authentication and authorization via Kubernetes Secrets.
+- TLS support for secure MQTT connections.
+- Persistent storage through StatefulSet volume claims.
+- Built-in liveness and readiness probes for high availability.
+
+---
+
+## Contributing
+
+We welcome contributions to improve this Helm chart. Please refer to the [CONTRIBUTING.md](../../CONTRIBUTING.md) for contribution guidelines.
+
+---
+
+## Code of Conduct
+
+To maintain a healthy and collaborative community, please adhere to our [Code of Conduct](../../CODE_OF_CONDUCT.md).
+
+---
+
+## License
+
+This project is licensed under the [LICENSE](../../LICENSE). Please review it for terms of use.
+
+---
+
+## Connection Config
+
+- `MQTT_HOST`: Service name for the Mosquitto broker.
+- `MQTT_PORT`: Port number (default: 1883).
+- `MQTT_TLS_PORT`: Secure port number (default: 8883).
+- `MQTT_USERNAME`: Admin username (retrieved from Secret).
+- `MQTT_PASSWORD`: Admin password (retrieved from Secret).
+
+---

charts/mosquitto/templates/NOTES.txt

@@ -0,0 +1,38 @@
+{{- if contains "LoadBalancer" .Values.service.type }}
+Your Mosquitto broker is exposed via LoadBalancer.
+
+To get the external IP:
+  kubectl get svc {{ include "mosquitto.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+
+Then connect your MQTT client to:
+  mqtt://<EXTERNAL-IP>:1883
+  {{- if .Values.tls.enabled }}
+  mqtts://<EXTERNAL-IP>:8883
+  {{- end }}
+{{- else }}
+Your Mosquitto broker is running inside the cluster.
+
+To access it, use port forwarding:
+  kubectl port-forward svc/{{ include "mosquitto.fullname" . }} 1883:1883
+
+Then connect using:
+  mqtt://localhost:1883
+  {{- if .Values.tls.enabled }}
+  mqtts://localhost:8883
+  {{- end }}
+{{- end }}
+
+{{- if .Values.auth.enabled }}
+Authentication is enabled.
+
+User credentials are stored in a Kubernetes Secret:
+  - Secret Name: {{ include "mosquitto.fullname" . }}-auth
+  - You can extract with:
+      kubectl get secret {{ include "mosquitto.fullname" . }}-auth -o yaml
+
+Example decode command (for first user):
+  USER=$(kubectl get secret {{ include "mosquitto.fullname" . }}-auth -o jsonpath="{.data.username}" | base64 -d)
+  PASS=$(kubectl get secret {{ include "mosquitto.fullname" . }}-auth -o jsonpath="{.data.password}" | base64 -d)
+  echo "Username: $USER"
+  echo "Password: $PASS"
+{{- end }}

charts/mosquitto/templates/_helpers.tpl

@@ -0,0 +1,7 @@
+{{- define "mosquitto.name" -}}
+mosquitto
+{{- end -}}
+
+{{- define "mosquitto.fullname" -}}
+{{ include "mosquitto.name" . }}-{{ .Release.Name }}
+{{- end -}}

charts/mosquitto/templates/auth-secret.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.auth.enabled }}
+{{- $secretName := printf "%s-auth" (include "mosquitto.fullname" .) }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+type: Opaque
+stringData:
+  passwd: |
+    {{- if $existingSecret }}
+    {{ index $existingSecret.data "passwd" | b64dec }}
+    {{- else }}
+    {{- range .Values.auth.users }}
+    {{ .username }}:{{ randAlphaNum 32 }}
+    {{- end }}
+    {{- end }}
+{{- end }}

charts/mosquitto/templates/configmap.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "mosquitto.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+data:
+  mosquitto.conf: |
+    persistence true
+    allow_anonymous false
+    password_file /mosquitto/passwords/passwd
+    listener 1883
+    {{- if .Values.tls.enabled }}
+    listener 8883
+    cafile /mosquitto/certs/ca.crt
+    certfile /mosquitto/certs/tls.crt
+    keyfile /mosquitto/certs/tls.key
+    {{- end }}

charts/mosquitto/templates/connection-configmap.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "mosquitto.fullname" . }}-connection
+  labels:
+    app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+data:
+  MQTT_HOST: "{{ include "mosquitto.fullname" . }}"
+  MQTT_PORT: "1883"  
+  {{- if .Values.tls.enabled }}
+  MQTT_TLS_PORT: "8883"  
+  MQTT_TLS_ENABLED: "true"
+  {{- else }}
+  MQTT_TLS_ENABLED: "false"
+  {{- end }}
+  MQTT_SERVICE_TYPE: "{{ .Values.service.type }}"

charts/mosquitto/templates/connection-secret.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "mosquitto.fullname" . }}-connection
+  labels:
+    app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+type: Opaque
+stringData:
+  {{- range $index, $user := .Values.auth.users }}
+  MQTT_USERNAME_{{ $index }}: "{{ $user.username }}"
+  MQTT_PASSWORD_{{ $index }}: "{{ $user.password }}"
+  {{- end }}
+  MQTT_USERNAME: "{{ (index .Values.auth.users 0).username }}"
+  MQTT_PASSWORD: "{{ (index .Values.auth.users 0).password }}"

charts/mosquitto/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "mosquitto.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - name: mqtt
+      port: 1883       
+      targetPort: mqtt
+    {{- if .Values.tls.enabled }}
+    - name: mqtts
+      port: 8883   
+      targetPort: mqtts
+    {{- end }}
+  selector:
+    app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/mosquitto/templates/statefulset.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "mosquitto.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  serviceName: {{ include "mosquitto.fullname" . }}
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "mosquitto.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      containers:
+        - name: mosquitto
+          image: "eclipse-mosquitto:{{ .Values.version }}"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 1883
+              name: mqtt
+            {{- if .Values.tls.enabled }}
+            - containerPort: 8883
+              name: mqtts
+            {{- end }}
+          volumeMounts:
+            - name: config-volume
+              mountPath: /mosquitto/config/mosquitto.conf
+              subPath: mosquitto.conf
+            - name: data
+              mountPath: /mosquitto/data
+            {{- if .Values.auth.enabled }}
+            - name: auth-volume
+              mountPath: /mosquitto/passwords
+              readOnly: true
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: tls-secret
+              mountPath: /mosquitto/certs
+              readOnly: true
+            {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          livenessProbe:
+            tcpSocket:
+              port: 1883
+            initialDelaySeconds: 10
+            periodSeconds: 15
+          readinessProbe:
+            tcpSocket:
+              port: 1883
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      volumes:
+        - name: config-volume
+          configMap:
+            name: {{ include "mosquitto.fullname" . }}
+        {{- if .Values.auth.enabled }}
+        - name: auth-volume
+          secret:
+            secretName: {{ include "mosquitto.fullname" . }}-auth
+        {{- end }}
+        {{- if .Values.tls.enabled }}
+        - name: tls-secret
+          secret:
+            secretName: {{ .Values.tls.cert_secret }}
+        {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: {{ .Values.disk_size }}