From b7d48be1815c1c4de2ed2cf4bd7cad70f48fc350 Mon Sep 17 00:00:00 2001
From: Devin Buhl <devin@buhl.casa>
Date: Sun, 31 Mar 2024 19:36:01 -0400
Subject: [PATCH] fix: update mosquitto

Signed-off-by: Devin Buhl <devin@buhl.casa>
---
 .../default/mosquitto/app/externalsecret.yaml |  2 --
 .../default/mosquitto/app/helmrelease.yaml    | 23 +++++++++++--------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml b/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml
index 54bd04b710720..14886be9d8859 100644
--- a/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml
+++ b/kubernetes/main/apps/default/mosquitto/app/externalsecret.yaml
@@ -13,8 +13,6 @@ spec:
     template:
       engineVersion: v2
       data:
-        username: "{{ .MOSQUITTO_MQTT_USERNAME }}"
-        password: "{{ .MOSQUITTO_MQTT_PASSWORD }}"
         mosquitto_pwd: |-
           {{ .MOSQUITTO_MQTT_USERNAME }}:{{ .MOSQUITTO_MQTT_PASSWORD }}
   dataFrom:
diff --git a/kubernetes/main/apps/default/mosquitto/app/helmrelease.yaml b/kubernetes/main/apps/default/mosquitto/app/helmrelease.yaml
index c02382142811b..861396ae4a437 100644
--- a/kubernetes/main/apps/default/mosquitto/app/helmrelease.yaml
+++ b/kubernetes/main/apps/default/mosquitto/app/helmrelease.yaml
@@ -36,7 +36,11 @@ spec:
               repository: public.ecr.aws/docker/library/eclipse-mosquitto
               tag: 2.0.18@sha256:cb3afd02611b0c58b328196ab00de0158322b4c1e014841fb182d2a0ea3a79b9
             command: ["/bin/sh", "-c"]
-            args: ["cp /tmp/secret/* /mosquitto/external_config/ && mosquitto_passwd -U /mosquitto/external_config/mosquitto_pwd"]
+            args:
+              - |
+                cp /tmp/secret/mosquitto_pwd /mosquitto/external_config/;
+                chmod 600 /mosquitto/external_config/mosquitto_pwd;
+                mosquitto_passwd -U /mosquitto/external_config/mosquitto_pwd;
         containers:
           app:
             image:
@@ -55,13 +59,13 @@ spec:
               requests:
                 cpu: 10m
               limits:
-                memory: 16Mi
+                memory: 64Mi
         pod:
           securityContext:
-            runAsUser: 568
-            runAsGroup: 568
+            runAsUser: 65534
+            runAsGroup: 65534
             runAsNonRoot: true
-            fsGroup: 568
+            fsGroup: 65534
             fsGroupChangePolicy: OnRootMismatch
     service:
       app:
@@ -74,10 +78,8 @@ spec:
           http:
             port: 1883
     persistence:
-      config:
+      data:
         existingClaim: mosquitto
-        globalMounts:
-          - path: /data
       config-file:
         type: configMap
         name: mosquitto-configmap
@@ -86,13 +88,16 @@ spec:
             app:
               - path: /mosquitto/config/mosquitto.conf
                 subPath: mosquitto.conf
+                readOnly: true
       secret-file:
         type: secret
         name: mosquitto-secret
         advancedMounts:
           mosquitto:
             init-config:
-              - path: /tmp/secret
+              - path: /tmp/secret/mosquitto_pwd
+                subPath: mosquitto_pwd
+                readOnly: true
       external-config:
         type: emptyDir
         globalMounts: