Start managing mqtt ACL

Include sample comsos-rules entry for testing out template

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -18,3 +18,14 @@
 
 '^internal-.+-test-mqtt-[0-9]+\.cdn\.sunet\.se$':
   cdn::mqtt:
+    dc: tug
+    clients:
+      - shared-tug-test-cache-1.cdn.sunet.se
+      - shared-tug-test-cache-2.cdn.sunet.se
+    bridges:
+      sto3:
+        address: internal-sto3-test-mqtt-1.cdn.sunet.se
+        port: 8883
+      dco:
+        address: internal-dco-test-mqtt-1.cdn.sunet.se
+        port: 8883

global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp

@@ -1,6 +1,16 @@
 # Configure a SUNET CDN mqtt server
 class cdn::mqtt(
+  String $dc = '',
+  Hash[String, Hash] $bridges = {},
 )
 {
   package {'mosquitto': ensure => installed }
+
+  file { '/etc/mosquitto/aclfile':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('cdn/runner/aclfile.erb'),
+  }
 }

global/overlay/etc/puppet/modules/cdn/templates/mqtt/aclfile.erb

@@ -0,0 +1,15 @@
+# Clients in the local datacenter
+<% @clients.each do |client| -%>
+user <%= @client %>
+topic readwrite cdn/<%= @dc %>/purge
+topic read cdn/+/purge
+
+<% end -%>
+# Bridge queues to other datacenters
+<% @bridges.each do |remote_dc, bridge_config| -%>
+user <%= bridge_config['address'] %>
+topic readwrite cdn/<%= @remote_dc %>/purge
+
+<% end -%>
+# This affects all clients.
+pattern write $SYS/broker/connection/%c/state