Expose MQTT and others outside the cluster - Where is the TLS cert?
Closed this issue · 2 comments
Hi!
As explained in #45, I try exposing access to the event broker outside the cluster. Especially the MQTT and AMQP connectors.
I saw that each protocol seems to have 2 connectors: many tcp-protocol and TLS tls-protocol port specifications are present within the Kubernetes Service - e.g. for MQTT we have port 1883 for tcp-mqtt and port 8883 for tls-mqtt.
In theory, we should be able to use the OpenShift Router to directly expose the TLS ports to the outside of the cluster thanks to SNI and using a passthrough route. This is how we typically can expose services like ActiveMQ Broker or MongoDB to the outer world.
I expected to do the same thing for the event broker but have not succeeded for the moment. I've tried to create this route with:
oc create route passthrough mqtt-solace-pubsubplus --service my-release-pubsubplus --port tls-mqtt
But I cannot reach it from outside the cluster. I was - at first - expecting to get a TLS handshake error because I didn't have any cert on the client side, but the connection seems to be closed by the server even before the handshake happens.
So that's a 2-part question:
- Is creating a route the right option to access the MQTT connector? Does it support TLS SNI?
- How can a user retrieve the certificate to use for connecting to it? I did not find any Secret containing generated certs during the installation of the event broker...
Many thanks!
Hi @lbroudoux, describing TLS routes including SNI will be part of the next update.
As a start, to use TLS ports you'll need to configure certificates on the broker - refer to https://github.com/SolaceProducts/pubsubplus-kubernetes-quickstart/blob/master/docs/PubSubPlusK8SDeployment.md#enabling-use-of-tls-to-access-broker-services
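The symptom in the question (the server dropping the connection before any handshake, which is what a tls-mqtt port without a configured broker certificate looks like) can be told apart from a genuine TLS failure with a small probe. This is an added example, not code from the issue or from the pubsubplus quickstart project; the host, port and the local listener are assumptions, and the listener is a constructed stand-in for a port with no TLS endpoint behind it.

```python
import socket
import ssl
import threading

def probe_tls_endpoint(host, port, server_name, timeout=5.0):
    """Connect over TCP, then start a TLS handshake with SNI=server_name.
    Return a short verdict saying where the attempt failed, so that 'peer
    closed the socket before any handshake' (no TLS listener or no broker
    certificate configured) is distinguishable from 'TLS works but the
    presented certificate is not trusted by this client'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp-refused"
    except OSError:
        return "tcp-unreachable"
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return "tls-ok:" + tls.version()
    except ssl.SSLCertVerificationError:
        return "tls-untrusted-cert"          # handshake ran, chain rejected
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError):
        return "closed-before-handshake"     # peer dropped us, no ServerHello
    except ssl.SSLError as exc:
        reason = str(exc.reason or "unknown")
        if "EOF" in reason:                  # older Python/OpenSSL wording
            return "closed-before-handshake"
        return "tls-error:" + reason
    except OSError as exc:
        return "tcp-error:" + str(exc)

def start_closing_listener():
    """Constructed stand-in for a port with no TLS listener behind it: accept
    one connection on 127.0.0.1 and close it immediately. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Probe the constructed listener; the assumed SNI name is 'localhost'."""
    port = start_closing_listener()
    return probe_tls_endpoint("127.0.0.1", port, "localhost")

if __name__ == "__main__":
    print(demo())  # closed-before-handshake
```

Against a real route, pass the route hostname as server_name so the router can select the backend by SNI; a verdict of "tls-untrusted-cert" means the broker now terminates TLS and only the CA still needs to be distributed to clients.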