VerneMQ is a high-performance, distributed MQTT message broker. It scales horizontally and vertically on commodity hardware to support a high number of concurrent publishers and consumers while maintaining low latency and fault tolerance. VerneMQ is the reliable message hub for your IoT platform or smart products.
VerneMQ is an Apache2 licensed distributed MQTT broker, developed in Erlang.
$ helm install vernemq/vernemq
This chart bootstraps a VerneMQ deployment on a Kubernetes cluster using the Helm package manager.
- Kubernetes 1.9, or 1.5 with Beta features enabled
To install the chart with the release name my-release
:
$ helm install --name my-release vernemq/vernemq
The command deploys VerneMQ on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
Tip: List all releases using helm list
To uninstall/delete the my-release deployment:
$ helm delete my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
The following table lists the configurable parameters of the VerneMQ chart and their default values.
Parameter | Description | Default |
---|---|---|
additionalEnv |
additional environment variables | see values.yaml |
envFrom |
additional envFrom configmaps or secrets | see values.yaml |
image.pullPolicy |
container image pull policy | IfNotPresent |
image.repository |
container image repository | vernemq/vernemq |
image.tag |
container image tag | the current versions (e.g. 1.13.0 ) |
ingress.enabled |
whether to enable an ingress object to route to the WebSocket service. Requires an ingress controller and the WebSocket service to be enabled. | false |
ingress.labels |
additional ingress labels | {} |
ingress.annotations |
additional service annotations | {} |
ingress.hosts |
a list of routable hostnames for host-based routing of traffic to the WebSocket service | [] |
ingress.paths |
a list of paths for path-based routing of traffic to the WebSocket service | / |
ingress.tls |
a list of TLS ingress configurations for securing the WebSocket ingress | [] |
nodeSelector |
node labels for pod assignment | {} |
persistentVolume.accessModes |
data Persistent Volume access modes | [ReadWriteOnce] |
persistentVolume.annotations |
annotations for Persistent Volume Claim | {} |
persistentVolume.enabled |
if true, create a Persistent Volume Claim | true |
persistentVolume.size |
data Persistent Volume size | 5Gi |
persistentVolume.storageClass |
data Persistent Volume Storage Class | unset |
extraVolumeMounts |
Additional volumeMounts to the pod | [] |
extraVolumes |
Additional volumes to the pod | [] |
secretMounts |
mounts a secret as a file inside the statefulset. Useful for mounting certificates and other secrets. | [] |
podAntiAffinity |
pod anti affinity, soft for trying not to run pods on the same nodes, hard to force kubernetes not to run 2 pods on the same node |
soft |
rbac.create |
if true, create & use RBAC resources | true |
rbac.serviceAccount.create |
if true, create a serviceAccount | true |
rbac.serviceAccount.name |
name of the service account to use or create | {{ include "vernemq.fullname" . }} |
replicaCount |
desired number of nodes | 1 |
resources |
resource requests and limits (YAML) | {} |
securityContext |
securityContext for containers in pod | {} |
service.annotations |
service annotations | {} |
service.clusterIP |
custom cluster IP when service.type is ClusterIP |
none |
service.externalIPs |
optional service external IPs | none |
service.labels |
additional service labels | {} |
service.loadBalancerIP |
optional load balancer IP when service.type is LoadBalancer |
none |
service.loadBalancerSourceRanges |
optional load balancer source ranges when service.type is LoadBalancer |
none |
service.externalTrafficPolicy |
set this to Local to preserve client source IPs and prevent additional hops between K8s nodes if the service type is LoadBalancer or NodePort |
unset |
service.sessionAffinity |
service session affinity | none |
service.sessionAffinityConfig |
service session affinity config | none |
service.mqtt.enabled |
whether to expose MQTT port | true |
service.mqtt.nodePort |
the MQTT port exposed by the node when service.type is NodePort |
1883 |
service.mqtt.port |
the MQTT port exposed by the service | 1883 |
service.mqtts.enabled |
whether to expose MQTTS port | false |
service.mqtts.nodePort |
the MQTTS port exposed by the node when service.type is NodePort |
8883 |
service.mqtts.port |
the MQTTS port exposed by the service | 8883 |
service.type |
type of service to create | ClusterIP |
service.ws.enabled |
whether to expose WebSocket port | false |
service.ws.nodePort |
the WebSocket port exposed by the node when service.type is NodePort |
8080 |
service.ws.port |
the WebSocket port exposed by the service | 8080 |
service.wss.enabled |
whether to expose secure WebSocket port | false |
service.wss.nodePort |
the secure WebSocket port exposed by the node when service.type is NodePort |
8443 |
service.wss.port |
the secure WebSocket port exposed by the service | 8443 |
statefulset.annotations |
additional annotations to the StatefulSet | {} |
statefulset.labels |
additional labels on the StatefulSet | {} |
statefulset.podAnnotations |
additional pod annotations | {} |
statefulset.podManagementPolicy |
start and stop pods in Parallel or OrderedReady (one-by-one.) Note - Cannot change after first release. | OrderedReady |
statefulset.terminationGracePeriodSeconds |
configure how much time VerneMQ takes to move offline queues to other nodes | 60 |
statefulset.updateStrategy |
Statefulset updateStrategy | RollingUpdate |
statefulset.lifecycle |
Statefulset lifecycle hooks | {} |
serviceMonitor.create |
whether to create a ServiceMonitor for Prometheus Operator | false |
serviceMonitor.labels |
whether to add more labels to ServiceMonitor for Prometheus Operator | {} |
pdb.enabled |
whether to create a Pod Disruption Budget | false |
pdb.minAvailable |
PDB (min available) for the cluster | 1 |
pdb.maxUnavailable |
PDB (max unavailable) for the cluster | nil |
certificates.cert |
String (not base64 encoded) containing the listener certificate in PEM format | nil |
certificates.key |
String (not base64 encoded) containing the listener private key in PEM format | nil |
certificates.ca |
String (not base64 encoded) containing the CA certificate for validating client certs | nil |
certificates.secret.labels |
additional labels for the created secret containing certificates and keys | nil |
certificates.secret.annotations |
additional labels for the created secret containing certificates and keys | nil |
acl.enabled |
whether acls should be applied | false |
acl.content |
content of the acl file | topic # |
acl.labels |
additional labels on the acl configmap | {} |
acl.annotations |
additional annotations on the acl configmap | {} |
Specify each parameter using the --set key=value[,key=value]
argument to helm install. For example,
$ helm install vernemq/vernemq --name my-release --set replicaCount=3
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
$ helm install vernemq/vernemq --name my-release -f values.yaml
Tip: You can use the default values.yaml
Roles and RoleBindings resources will be created automatically.
To manually setup RBAC you need to set the parameter rbac.create=false
and specify the service account to be used for each service by setting the parameters: serviceAccounts.create
to false
and serviceAccounts.name
to the name of a pre-existing service account.
If you would like to enable MQTTS, follow these steps:
- (a) Issue a certificate using Cert-Manager OR (b) Create secret resource using existing certificates.
- Set the parameter
service.mqtts.enabled=true
. - Mount the certificate secret inside the statefulset.
- Set the environment variables for the SSL listener.
Cert-Manager is a Kubernetes add-on. It can issue, renew and revoke a certificate from various issuing sources automatically. Cert-Manager obtains certificates from an ACME server (e.g., Let’s Encrypt) using ACME protocol.
You need to issue a new certificate. The issued certificate will be stored as secret vernemq-certificates-secret
under the default
namespace. The secret will be available to be mounted to the statefulset. See the example below:
cat <<EOF > vernemq-certificates.yaml
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: vernemq-certificates
namespace: default
spec:
secretName: vernemq-certificates-secret
issuerRef:
kind: ClusterIssuer
name: letsencrypt-staging
commonName: mqtt.vernemq.com
dnsNames:
- mqtt.vernemq.com
acme:
config:
- dns01:
provider: digitalocean-dns
domains:
- mqtt.vernemq.com
EOF
kubectl apply -f vernemq-certificates.yaml
# output: certificate.certmanager.k8s.io/vernemq-certificates created
Using the key and crt files, you can create a secret. Kubernetes stores these files as a base64 string, so the first step is to encode them.
$ cat ca.crt| base64
LS0tLS1CRUdJTiBDRVJUSUZJQ...CBDRVJUSUZJQ0FURS0tLS0t
$ cat tls.crt | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ...gQ0VSVElGSUNBVEUtLS0tLQo=
$ cat tls.key | base64
LS0tLS1CRUdJTiBSU0EgUFJJV...gUFJJVkFURSBLRVktLS0tLQo=
Now you can create a kubernetes resource definition (YAML) that will create the secret resource.
cat <<EOF > vernemq-certificates-secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: vernemq-certificates-secret
namespace: default
type: kubernetes.io/tls
data:
ca.crt:LS0tLS1CRUdJTiBDRVJUSUZJQ...CBDRVJUSUZJQ0FURS0tLS0t
tls.crt:LS0tLS1CRUdJTiBDRVJUSUZJQ...gQ0VSVElGSUNBVEUtLS0tLQo=
tls.key:LS0tLS1CRUdJTiBSU0EgUFJJV...gUFJJVkFURSBLRVktLS0tLQo=
EOF
kubectl apply -f vernemq-certificates-secret.yaml
# output: secret "vernemq-certificates-secret" created
Inside values.yaml
you can declared the mount path and the secret using the secretMounts
parameter. For example:
...
secretMounts:
- name: vernemq-certificates
secretName: vernemq-certificates-secret
path: /etc/ssl/vernemq
...
The exact path of the certificates can be declared inside values.yaml
under additionalEnv
parameter. For example:
additionalEnv:
...
- name: DOCKER_VERNEMQ_LISTENER__SSL__CAFILE
value: "/etc/ssl/vernemq/tls.crt"
- name: DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE
value: "/etc/ssl/vernemq/tls.crt"
- name: DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE
value: "/etc/ssl/vernemq/tls.key"
...
Tip: Cert-Manager includes both CA and TLS certificate in the
tls.crt
file.