Start managing mqtt ACL

Include sample comsos-rules entry for testing out template
2024-10-06 14:26:10 +02:00 · 2024-10-06 14:26:10 +02:00 · 7352a20143
parent 6664c9c356
commit 7352a20143
3 changed files with 36 additions and 0 deletions
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@ -18,3 +18,14 @@

 '^internal-.+-test-mqtt-[0-9]+\.cdn\.sunet\.se$':
  cdn::mqtt:
+    dc: tug
+    clients:
+      - shared-tug-test-cache-1.cdn.sunet.se
+      - shared-tug-test-cache-2.cdn.sunet.se
+    bridges:
+      sto3:
+        address: internal-sto3-test-mqtt-1.cdn.sunet.se
+        port: 8883
+      dco:
+        address: internal-dco-test-mqtt-1.cdn.sunet.se
+        port: 8883
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
@ -1,6 +1,16 @@
 # Configure a SUNET CDN mqtt server
 class cdn::mqtt(
+  String $dc = '',
+  Hash[String, Hash] $bridges = {},
 )
 {
  package {'mosquitto': ensure => installed }
+
+  file { '/etc/mosquitto/aclfile':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('cdn/runner/aclfile.erb'),
+  }
 }
--- a/global/overlay/etc/puppet/modules/cdn/templates/mqtt/aclfile.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/mqtt/aclfile.erb
@ -0,0 +1,15 @@
+# Clients in the local datacenter
+<% @clients.each do |client| -%>
+user <%= @client %>
+topic readwrite cdn/<%= @dc %>/purge
+topic read cdn/+/purge
+
+<% end -%>
+# Bridge queues to other datacenters
+<% @bridges.each do |remote_dc, bridge_config| -%>
+user <%= bridge_config['address'] %>
+topic readwrite cdn/<%= @remote_dc %>/purge
+
+<% end -%>
+# This affects all clients.
+pattern write $SYS/broker/connection/%c/state