Replace bjw-s app-template with SINTEF Mosquitto chart v0.1.1

argocd/apps/platform/mqtt-broker.yml

@@ -9,51 +9,29 @@ metadata:
 spec:
   project: coachlight-k3s-infra
   source:
-    repoURL: https://bjw-s.github.io/helm-charts
-    chart: app-template
-    targetRevision: 3.7.0
+    repoURL: https://sintef.github.io/mosquitto-helm-chart
+    chart: mosquitto
+    targetRevision: 0.1.1
     helm:
       valuesObject:
-        controllers:
-          mosquitto:
-            containers:
-              app:
-                image:
-                  repository: eclipse-mosquitto
-                  tag: 2.0.20
-                resources:
-                  requests:
-                    cpu: 10m
-                    memory: 32Mi
-                  limits:
-                    cpu: 100m
-                    memory: 128Mi
-
-        service:
-          mosquitto:
-            controller: mosquitto
-            ports:
-              mqtt:
-                port: 1883
-
-        persistence:
-          data:
-            enabled: true
-            storageClass: nfs-synology-retain
-            size: 1Gi
-            globalMounts:
-              - path: /mosquitto/data
-          config:
-            type: configMap
-            name: mosquitto-config
-            globalMounts:
-              - path: /mosquitto/config/mosquitto.conf
-                subPath: mosquitto.conf
-          secret:
-            type: secret
-            name: mosquitto-auth
-            globalMounts:
-              - path: /mosquitto/secret
+        mqttOverWebsocket: false
+        auth:
+          usersExistingSecret: mosquitto-auth
+          users:
+            - username: admin
+              # Password field is ignored when usersExistingSecret is set
+              # The actual password comes from the mosquitto-auth secret
+              password: ""
+              acl:
+                - topic: "#"
+                  access: readwrite
+        resources:
+          requests:
+            cpu: 10m
+            memory: 32Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
 
   destination:
     server: https://kubernetes.default.svc

k8s/infra-mqtt/README.md

@@ -0,0 +1,107 @@
+# MQTT Broker (Mosquitto) - OnePassword Setup
+
+## Overview
+
+This directory contains the Kubernetes resources for deploying Mosquitto MQTT broker in the `infra-mqtt` namespace. The broker uses the SINTEF Mosquitto Helm chart and authenticates users via credentials stored in 1Password.
+
+## 1Password Item Configuration
+
+### Item Location
+- **Vault**: `HomeLab`
+- **Item Name**: `mosquitto-auth`
+
+### Required Fields
+
+The 1Password item must contain a field named **`passwords.conf`** (exact name, case-sensitive) with the following content format:
+
+```
+admin:<password-hash>
+```
+
+### Generating Password Hashes
+
+Use the `mosquitto_passwd` utility to generate password hashes:
+
+```bash
+# Install mosquitto clients (if not already installed)
+# On macOS:
+brew install mosquitto
+
+# On Debian/Ubuntu:
+sudo apt-get install mosquitto
+
+# Generate a password file with a user
+mosquitto_passwd -c /tmp/mosquitto_passwd admin
+# Enter password when prompted
+
+# View the generated hash
+cat /tmp/mosquitto_passwd
+```
+
+The output will look like:
+```
+admin:$7$101$...hash...$...hash...
+```
+
+Copy the entire line (including username and hash) into the `passwords.conf` field in 1Password.
+
+### Adding Multiple Users
+
+To add multiple users, run `mosquitto_passwd` without the `-c` flag to append:
+
+```bash
+# Add another user to existing file
+mosquitto_passwd /tmp/mosquitto_passwd user2
+
+# View all users
+cat /tmp/mosquitto_passwd
+```
+
+Then copy all lines into the `passwords.conf` field in 1Password:
+```
+admin:$7$101$...hash1...
+user2:$7$101$...hash2...
+```
+
+## Deployment
+
+The deployment is managed by ArgoCD:
+
+1. **Sync Wave 10**: `mqtt-broker-secrets` app deploys the OnePasswordItem CRD
+   - Creates Kubernetes Secret `mosquitto-auth` in namespace `infra-mqtt`
+   - Secret key `passwords.conf` contains the password file content
+
+2. **Sync Wave 20**: `mqtt-broker` app deploys the Mosquitto Helm chart
+   - Uses the SINTEF Mosquitto chart from `https://sintef.github.io/mosquitto-helm-chart`
+   - References the `mosquitto-auth` secret for user authentication
+
+## ACL Configuration
+
+Access control is configured in the ArgoCD Application values:
+
+```yaml
+auth:
+  users:
+    - username: admin
+      acl:
+        - topic: "#"
+          access: readwrite
+```
+
+- The `username` must match a username in the `passwords.conf` secret
+- The `password` field in values is ignored when using `usersExistingSecret`
+- ACL rules grant the admin user full access to all topics (`#`)
+
+## Service
+
+The MQTT broker is exposed as a ClusterIP service on port 1883:
+- **Service Name**: `mosquitto` (managed by Helm)
+- **Port**: 1883 (MQTT)
+- **Websockets**: Disabled
+
+## Security Notes
+
+- Anonymous access is disabled
+- Authentication is required for all connections
+- Passwords are stored in 1Password, not in Git
+- Password hashes use SHA512-PBKDF2 format (Mosquitto default)

k8s/infra-mqtt/kustomization.yml

@@ -4,8 +4,3 @@ kind: Kustomization
 resources:
   - namespace.yml
   - onepassword/mosquitto-auth.yml
-
-configMapGenerator:
-  - name: mosquitto-config
-    files:
-      - config/mosquitto.conf

k8s/infra-mqtt/onepassword/mosquitto-auth.yml

@@ -1,4 +1,9 @@
 ---
+# This OnePasswordItem creates a Secret named "mosquitto-auth" in the
+# infra-mqtt namespace. The 1Password item must have a field named
+# "passwords.conf" containing the mosquitto password file content
+# (username:hash format, one per line).
+# Generate hashes using: mosquitto_passwd -c /tmp/mosquitto_passwd username
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata: