From 5067ea0f7b63a71ad254d6570938b70d17902b9d Mon Sep 17 00:00:00 2001
From: amrc-benmorrow <b.morrow@amrc.co.uk>
Date: Mon, 27 Nov 2023 10:37:27 +0000
Subject: [PATCH] Keep HiveMQ's TGT up to date (#79)

* Pull in the latest version of the HiveMQ plugin, which will log in to
Kerberos again as needed to keep its TGT up to date.
* Remove k5start from the HiveMQ deployment and give HiveMQ access to
its own client keytab.

This should fix the issues with MQTT falling over every 10 hours.

This is a cherry-pick of 9e345caa2cd01938be4ed3ea999e22d93941e557.
---
 templates/mqtt/mqtt.yaml | 27 ++++-----------------------
 values.yaml              |  2 +-
 2 files changed, 5 insertions(+), 24 deletions(-)

diff --git a/templates/mqtt/mqtt.yaml b/templates/mqtt/mqtt.yaml
index 8b9bbfb5..52ad8eae 100644
--- a/templates/mqtt/mqtt.yaml
+++ b/templates/mqtt/mqtt.yaml
@@ -30,34 +30,17 @@ spec:
                 key: mqtt.mqtt
               - path: client
                 key: sv1mqtt
-        - name: krb5-ccache
-          emptyDir:
         - name: mqtt-conf
           configMap:
             name: mqtt-config
       containers:
-        - name: k5start
-{{ include "amrc-connectivity-stack.image" .Values.shell | indent 10 }}
-          command: ["/bin/sh", "-c"]
-          args:
-            - |
-              chown 10000:10000 /ccache
-              k5start -Uf /keytabs/client -k /ccache/mqtt -K5 -o10000 -v
-          securityContext:
-            runAsUser: 0
-          volumeMounts:
-            - mountPath: /etc/krb5.conf
-              name: krb5-conf
-              subPath: krb5.conf
-            - mountPath: /keytabs
-              name: krb5-keytabs
-            - mountPath: /ccache
-              name: krb5-ccache
         - name: hivemq
 {{ include "amrc-connectivity-stack.image" .Values.mqtt | indent 10 }}
           env:
-            - name: KRB5CCNAME
-              value: "FILE:/ccache/mqtt"
+            - name: CLIENT_KEYTAB
+              value: /keytabs/client
+            - name: CLIENT_PRINCIPAL
+              value: sv1mqtt@{{ .Values.identity.realm }}
             - name: SERVER_KEYTAB
               value: /keytabs/server
             # This needs to name a principal available in the keytab, used for verifying passwords.
@@ -75,8 +58,6 @@ spec:
               subPath: krb5.conf
             - mountPath: /keytabs
               name: krb5-keytabs
-            - mountPath: /ccache
-              name: krb5-ccache
             - mountPath: /opt/hivemq/conf/config.xml
               name: mqtt-conf
               subPath: config.xml
diff --git a/values.yaml b/values.yaml
index a458e586..1b6db379 100644
--- a/values.yaml
+++ b/values.yaml
@@ -99,7 +99,7 @@ mqtt:
     # -- The repository of the MQTT component
     repository: acs-mqtt
     # -- The tag of the MQTT component
-    tag: v1.1.0
+    tag: v1.1.1
     # @ignore
     pullPolicy: IfNotPresent
   # -- Possible values are either 1 to enable all possible debugging, or a comma-separated list of debug tags (the tags printed before the log lines). No logging is specified as an empty string.