Add comms (mqtt) component to forge platform #706
Conversation
Currently reviewing whether this is the right approach for the security integration with the broker. The problem with the dynamic security approach is we don't hold the master record of who can access what. We are reliant on the broker storing that information and it always being available. In the k8s world, that means having a persistent volume - which complicates matters. There is also the matter of bootstrapping its config file with the admin username/password. We wouldn't be able to mount that file in like we do

An alternative approach would be to use https://github.com/iegomez/mosquitto-go-auth which supports talking directly to sqlite/postgres to validate users. That would allow us to keep the information in our own database - and the mosquitto instance can be more ephemeral. The added complication is building that plugin (written in Go) for the platforms we want to support and getting it installed properly.
Updated the main description to reflect the move to the go-auth plugin.
Rebased this branch to
This can happen on restart of the platform when the container driver is restarting projects that should be running.
Looks good
Part of #464
This adds the Comms component to the platform, enabling MQTT communication.
The Comms component will enable the following uses:
- Launchers reporting status and receiving commands from the platform
Broker Configuration
This requires a properly configured MQTT broker to be running and available to the platform.
We are using mosquitto, with the mosquitto-go-auth plugin.
The following is an example configuration:
Note it includes the http host/port of the forge platform, as well as the full path to the go-auth plugin.
API Routes
The mosquitto auth plugin uses http requests to the platform to authenticate and authorise requests. These are made to two new api routes:
POST /api/comms/auth/client - validate a given username/password is valid
POST /api/comms/auth/acl - validate an access request to a given topic is valid for a particular client
Database Changes
Adds a BrokerClient table to store username/passwords for MQTT Clients.
The platform generates its own BrokerClient on initialisation (forge_platform) - used to subscribe to status events and publish commands to devices/launchers.
Devices get a BrokerClient generated whenever they generate credentials - and the details are provided along with the other device credentials in the UI.
Runtime Configuration
A broker configuration must be provided via flowforge.yml:
Next steps