MQTT behind Traefik
To secure your MQTT broker with TLS, you can place it behind a Traefik reverse proxy. This setup allows Traefik to manage TLS termination.
Since MQTT is a raw TCP protocol rather than HTTP, use an IngressRouteTCP (not an IngressRoute) to handle the connection.
Traefik
Enable and expose the MQTT ports: configure the Traefik helm values (under the ports: key) to expose port 8883 and redirect the unsecured 1883 port to the secure 8883 port.
mqtt:
  port: 1883
  protocol: TCP
  redirectTo:
    port: mqttsecure
mqttsecure:
  port: 8883
  protocol: TCP
  expose:
    default: true
  exposedPort: 8883
  tls:
    enabled: true
Set up a password
# Keep the plaintext password file and the unencrypted secret out of git,
# i.e. mosquitto_passwd_file and mqtt.secret.yaml
echo mosquitto_passwd_file >> .gitignore
echo mqtt.secret.yaml >> .gitignore
# First create the password according to mosquitto rules; -c creates (or overwrites) the file.
# (mosquitto_passwd is included in the mosquitto broker package)
mosquitto_passwd -c mosquitto_passwd_file USERNAME
# Base64 encode the password file (on GNU coreutils, base64 -w 0 avoids line wrapping)
base64 mosquitto_passwd_file
# Create the secret file and add the encoded password
cat mqtt.secret.yaml
data:
  mosquitto_passwd_file: |
    fjdJfdhjdhf
# Encrypt the secret with sops as usual (via the project's task)
task utils:encode
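The IngressRouteTCP the text refers to, together with a broker config that actually enforces the password file and the Secret it lands in, as an added example that is not from the original page or the Traefik project. The namespace mqtt, Service name mosquitto, hostname mqtt.example.com and certificate Secret mqtt-tls are assumptions.

```yaml
# Added example (assumed names): TLS is terminated by Traefik on the mqttsecure
# entry point and plain MQTT is forwarded to the broker inside the cluster.
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mosquitto
  namespace: mqtt
spec:
  entryPoints:
    - mqttsecure                      # the 8883 entry point from the helm values
  routes:
    # Because Traefik terminates TLS it can read the SNI, so route on it.
    # HostSNI(`*`) also works, but then any SNI reaches the broker.
    - match: HostSNI(`mqtt.example.com`)
      services:
        - name: mosquitto
          port: 1883                  # broker listens plain; only reachable in-cluster
  tls:
    secretName: mqtt-tls              # certificate for mqtt.example.com
---
# Broker config: refuse anonymous clients and use the mounted password file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: mosquitto-config
  namespace: mqtt
data:
  mosquitto.conf: |
    listener 1883
    allow_anonymous false
    password_file /mosquitto/config/mosquitto_passwd_file
---
# The Secret holding the base64 of mosquitto_passwd_file (value is a constructed placeholder).
apiVersion: v1
kind: Secret
metadata:
  name: mosquitto-passwd
  namespace: mqtt
type: Opaque
data:
  mosquitto_passwd_file: UExBQ0VIT0xERVI=
```

Mount the Secret at /mosquitto/config/mosquitto_passwd_file in the broker pod so the password_file path above resolves; the broker's 1883 listener should not be exposed outside the cluster, since only the Traefik hop carries TLS.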