I have set up VerneMQ to pull the CRL (Certificate Revocation List) from Vault. Following is my setup manifest.
kind: ConfigMap
apiVersion: v1
metadata:
  name: vernemq-refresh-crl
  namespace: backend
  labels:
    app: vernemq
data:
  pull_crl.sh: |
    #!/usr/bin/env sh
    if ! apk info | grep ^curl ; then apk update && apk add curl; fi
    while true
    do
      echo $(date)
      curl -w "\n" --header "X-Vault-Token: $VAULT_TOKEN" http://vault.backend.svc.cluster.local:8200/v1/my-ca/crl/pem > /tmp/shared/ca.crl
      sleep $SLEEP_INTERVAL
    done
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vernemq
  namespace: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vernemq
  template:
    metadata:
      labels:
        app: vernemq
    spec:
      serviceAccountName: vernemq
      containers:
        - name: vernemq
          image: vernemq/vernemq:1.12.3
          ports:
            - name: mqtt
              containerPort: 1883
            - name: mqtts
              containerPort: 8883
            - name: mqtt-ws
              containerPort: 8080
            - name: epmd
              containerPort: 4369
            - name: vmq
              containerPort: 44053
            - name: metrics
              containerPort: 8888
          env:
            - name: DOCKER_VERNEMQ_ACCEPT_EULA
              value: "yes"
            - name: MY_POD_NAME
              value: "vernemq"
            - name: DOCKER_VERNEMQ_KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: DOCKER_VERNEMQ_KUBERNETES_APP_LABEL
              value: "vernemq"
            - name: DOCKER_VERNEMQ_LOG__CONSOLE__LEVEL
              value: "debug"
            - name: DOCKER_VERNEMQ_KUBERNETES_LABEL_SELECTOR
              value: "app=vernemq"
            - name: DOCKER_VERNEMQ_LISTENER__TCP__ALLOWED_PROTOCOL_VERSIONS
              value: "3,4,5"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__ALLOWED_PROTOCOL_VERSIONS
              value: "3,4,5"
            - name: DOCKER_VERNEMQ_ALLOW_ANONYMOUS
              value: "on"
            - name: DOCKER_VERNEMQ_TOPIC_MAX_DEPTH
              value: "20"
            - name: DOCKER_VERNEMQ_KUBERNETES_INSECURE
              value: "1"
            - name: DOCKER_VERNEMQ_MAX_ONLINE_MESSAGES
              value: "-1"
            - name: DOCKER_VERNEMQ_MAX_OFFLINE_MESSAGES
              value: "-1"
            - name: DOCKER_VERNEMQ_MAX_INFLIGHT_MESSAGES
              value: "0"
            - name: DOCKER_VERNEMQ_LISTENER__TCP__DEFAULT
              value: "0.0.0.0:1883"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT
              value: "0.0.0.0:8883"
            - name: DOCKER_VERNEMQ_LISTENER__WS__DEFAULT
              value: "0.0.0.0:8080"
            - name: DOCKER_VERNEMQ_LISTENER__HTTP__METRICS
              value: "0.0.0.0:8888"
            - name: DOCKER_VERNEMQ_LISTENER__HTTP__DEFAULT
              value: "0.0.0.0:8888"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__REQUIRE_CERTIFICATE
              value: "on"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__USE_IDENTITY_AS_USERNAME
              value: "on"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__CAFILE
              value: "/vernemq/cert/ca.crt"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE
              value: "/vernemq/cert/server.crt"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE
              value: "/vernemq/cert/server.key"
            - name: DOCKER_VERNEMQ_LISTENER__SSL__CRLFILE
              value: "/tmp/shared/ca.crl"
          volumeMounts:
            - name: cert
              mountPath: /vernemq/cert
              readOnly: true
            - name: acl
              mountPath: /vernemq/acl
              readOnly: true
            - name: tmp-shared
              mountPath: /tmp/shared
        - name: pull-crl
          image: alpine
          command: ["/bin/sh"]
          args: ["-c", "/script/pull_crl.sh"]
          env:
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vault
                  key: root-token
            - name: SLEEP_INTERVAL
              value: "300"
          volumeMounts:
            - name: pull-crl-sh
              mountPath: /script/pull_crl.sh
              subPath: pull_crl.sh
            - name: tmp-shared
              mountPath: /tmp/shared
      volumes:
        - name: cert
          secret:
            secretName: vernemq-cert
        - name: pull-crl-sh
          configMap:
            name: vernemq-refresh-crl
            defaultMode: 0744
        - name: tmp-shared
          emptyDir: {}
I do see the serial number of the revoked certificate in /tmp/shared/ca.crl, but a client using the revoked certificate is able to maintain an already established session with the broker.
Is there an easy way to kick the client with the revoked certificate?
Check the administrative disconnect command with sudo vmq-admin session disconnect --help.
In general, it is a wrong assumption that adding a cert to the CRL will disrupt an existing connection. You have to couple that step with an administrative disconnect of the client.
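The following script is an added example, not code from the question or from the VerneMQ project. It does two things the question's pull_crl.sh and the answer together call for: it refreshes the CRL safely (download to a temp file, validate that it is a PEM CRL, then rename into place, so a Vault error body or a truncated download never overwrites the live CRL), and it couples each refresh with the administrative disconnect the answer describes, by diffing the revoked serials before and after the refresh. Assumptions not on the page: it runs where vmq-admin is on PATH (the vernemq container rather than the alpine sidecar), VAULT_TOKEN is set, and SERIAL_MAP points to an operator-maintained file of "serial client-id" lines, which is hypothetical; the CRL only carries serials, so the mapping to MQTT client ids has to come from your issuance records. The exact vmq-admin argument form is also an assumption to confirm against the --help output the answer points to.

```sh
#!/usr/bin/env sh
# Added example, not code from the question or from the VerneMQ project.
# Assumptions: runs where `vmq-admin` is on PATH (the vernemq container),
# VAULT_TOKEN is set, and SERIAL_MAP is an operator-maintained file of
# "<serial-hex> <client-id>" lines (hypothetical; the page has no such map).
set -eu

CRL_URL="${CRL_URL:-http://vault.backend.svc.cluster.local:8200/v1/my-ca/crl/pem}"
CRL_PATH="${CRL_PATH:-/tmp/shared/ca.crl}"
SERIAL_MAP="${SERIAL_MAP:-/tmp/shared/serial-to-clientid.txt}"

# True if FILE is a PEM CRL. With openssl available the CRL is actually parsed;
# otherwise a header/footer check still rejects a Vault error body such as
# {"errors":["permission denied"]}, which the question's script would have
# written straight over the live CRL.
crl_is_valid() {
    if command -v openssl >/dev/null 2>&1; then
        openssl crl -in "$1" -inform PEM -noout >/dev/null 2>&1
    else
        grep -q -- '-----BEGIN X509 CRL-----' "$1" && grep -q -- '-----END X509 CRL-----' "$1"
    fi
}

# Download to a temp file, validate, then rename into place so the broker
# never reads a truncated or non-PEM file. Keeps the previous CRL on failure.
fetch_and_install() {
    tmp="$(mktemp "${CRL_PATH}.XXXXXX")"
    # --fail turns an HTTP error (e.g. 403 from an expired token) into a
    # non-zero exit instead of a "successful" download of the error text.
    if curl -sS --fail -H "X-Vault-Token: ${VAULT_TOKEN:-}" -o "$tmp" "$CRL_URL" \
        && crl_is_valid "$tmp"; then
        mv -f "$tmp" "$CRL_PATH"
        return 0
    fi
    echo "$(date) CRL refresh failed; previous CRL kept" >&2
    rm -f "$tmp"
    return 1
}

# Revoked serials of a PEM CRL, one per line, uppercase hex without colons
# (requires openssl).
revoked_serials() {
    openssl crl -in "$1" -inform PEM -noout -text \
        | awk '/Serial Number:/ { gsub(":", "", $3); print toupper($3) }'
}

# Serials listed in NEW_LIST ($2) but not in OLD_LIST ($1), one per line each.
newly_revoked() {
    if [ -s "$1" ]; then
        grep -vxF -f "$1" "$2" || true   # grep exits 1 when nothing is new
    else
        cat "$2"
    fi
}

# Couple the CRL update with the administrative disconnect: every serial that
# is new in the CRL gets its mapped client id disconnected. Assumption: the
# `client-id=<id>` argument form; confirm with `vmq-admin session disconnect --help`.
disconnect_newly_revoked() {
    newly_revoked "$1" "$2" | while IFS= read -r serial; do
        cid="$(awk -v s="$serial" '$1 == s { print $2 }' "$SERIAL_MAP" 2>/dev/null || true)"
        if [ -z "$cid" ]; then
            echo "serial $serial revoked but no client id mapped; not disconnected" >&2
            continue
        fi
        echo "$(date) disconnecting client $cid (serial $serial)"
        vmq-admin session disconnect client-id="$cid" \
            || echo "disconnect of $cid failed" >&2
    done
}

refresh_loop() {
    old="$(mktemp)"; new="$(mktemp)"
    if [ -f "$CRL_PATH" ]; then revoked_serials "$CRL_PATH" > "$old"; fi
    while true; do
        if fetch_and_install; then
            revoked_serials "$CRL_PATH" > "$new"
            disconnect_newly_revoked "$old" "$new"
            cp "$new" "$old"
        fi
        sleep "${SLEEP_INTERVAL:-300}"
    done
}

# Only loop when explicitly asked, so the functions can be sourced or tested.
if [ "${RUN_CRL_LOOP:-0}" = "1" ]; then
    refresh_loop
fi
```

Run it with RUN_CRL_LOOP=1 in the container that has vmq-admin; the sidecar in the question cannot issue the disconnect because vmq-admin lives in the vernemq container. The token this script needs only has to read the CRL path, so a policy scoped to that path is enough, rather than the root token the manifest mounts.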