Connect Local baetyl-broker of Edge Node
Background description
Since baetyl 2.1.1, all official applications (baetyl-broker, baetyl-function, and baetyl-rule) integrate baetyl-go-sdk by default. baetyl-core is responsible for issuing certificates to these official applications, and the certificates issued by baetyl-core are used by default to authenticate inter-service calls.
Developers can access the local baetyl-broker in two ways:
- Scheme 1: Configure baetyl-broker to open external access. Set a user name and password for accessing the broker and bind a host listening port, so that an MQTT client on any device can reach the broker at `host_machine_ip:port`.
- Scheme 2: The MQTT client simulates the identity of an application and accesses baetyl-broker with the certificate obtained from baetyl-core. The MQTT client can run only on the edge node device, not on other PCs.
This article explains the above two schemes.
## Operation Guide
Install node
Refer to the [Getting Started](BIE/Getting Started /Getting Started Guide.md) to install the edge node. After the installation command is executed on the edge side, view the system applications in the `baetyl-edge-system` namespace with the `kubectl` command.
```
root@userver-desk:~# kubectl get pod -n baetyl-edge-system
NAME                               READY   STATUS    RESTARTS   AGE
baetyl-init-d968b7bb9-c8b22        1/1     Running   0          3h24m
baetyl-core-7d5995f956-7jszr       1/1     Running   0          3h24m
baetyl-rule-5f4d7f964-xprx8        1/1     Running   0          3h24m
baetyl-function-6c7fd69f44-xwnxk   1/1     Running   0          3h24m
baetyl-broker-6f9cbbd794-rb9p7     1/1     Running   0          3h24m
```
Scheme 1: Configure baetyl-broker to open external access
1. Bind the baetyl-broker port to local port 8883
Enter the edge node, click "Application Deployment" to find the baetyl-broker application, and click View as shown in the figure below:
Enter the baetyl-broker Application interface, and click Configure as shown in the figure below:
Add a port mapping record under Port Mapping -> Host Port as shown in the figure below:
- Host port: 8883
- Container port: 8883
- Protocol: TCP
Return to the Application Configuration interface, switch to the Data Volume page, and click "baetyl-broker-conf Configuration Volume" as shown in the figure below:
Enter the Configuration Item page, and click Edit as shown in the figure below:
Enter the following configuration information on the conf.yaml configuration interface as shown in the figure below:
```yaml
session:
  sysTopics:
    - $link
    - $baetyl
logger:
  level: debug
  encoding: console
listeners:
  - address: 'tcp://0.0.0.0:8883'
principals:
  - username: test
    password: test
    permissions:
      - action: pub
        permit:
          - '#'
      - action: sub
        permit:
          - '#'
```
Configuration explanation:
- Add the listening port `8883` for baetyl-broker, and use the user name and password `test/test` to access it. This user has `pub/sub` permission on the `#` topic.
- The port does not have to be 8883; it can be any other unused port. You can check whether port 8883 is occupied with the `netstat -ap | grep 8883` command.
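The following added example (not part of the original page or the Baetyl project) is a shell check that flags the settings in this `conf.yaml` to review before the host port is opened: a plaintext listener on all interfaces, a password equal to the user name or shorter than 12 characters, and a `#` permit. The helper name `audit_broker_conf` and the 12-character minimum are assumptions, and the check expects the block-style YAML layout shown above.

```shell
#!/bin/sh
# Added example, not Baetyl project code. audit_broker_conf is a hypothetical
# helper; the 12-character minimum is an assumed local policy.
# Prints one finding per line and returns 1 if there are any.
audit_broker_conf() {
    findings=$(awk '
        # scalar after "key:", with quotes and blanks removed
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); gsub(/["\047 \t]/, "", s); return s }
        /^[ \t-]*address:/ {
            a = val($0)
            if (a ~ /^tcp:\/\/0\.0\.0\.0:/) print "plaintext listener on all interfaces: " a
        }
        /^[ \t-]*username:/ { user = val($0) }
        /^[ \t-]*password:/ {
            p = val($0)
            if (p == user || length(p) < 12) print "weak password for user: " user
        }
        /^[ \t]*-/ {   # a list item that is exactly # permits every topic
            t = $0; gsub(/[-"\047 \t]/, "", t)
            if (t == "#") print "wildcard permit (#) for user: " user
        }
    ' "$1" | sort -u)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: listener and principal copied from the conf.yaml above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listeners:
  - address: 'tcp://0.0.0.0:8883'
principals:
  - username: test
    password: test
    permissions:
      - action: pub
        permit:
          - '#'
      - action: sub
        permit:
          - '#'
EOF
audit_broker_conf "$sample" || echo "3 findings expected for the sample"
rm -f "$sample"
```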
2. Access with MQTT Box
Install MQTT Box on your working PC, and configure the connection information as shown in the figure below:
Return to MQTT Box. The connection status shows as connected, and you can test subscribing to and sending messages as shown in the following figure:
Scheme 2: Simulate application identity access
1. Map port 50010, the default port in the baetyl-broker system, to local port 1883
Enter the edge node, click "Application Deployment" to find the baetyl-broker application, and click View.
Enter the baetyl-broker Application interface, and click Configure.
Fill in 1883 under Port Mapping -> Host Port to map the port in the baetyl-broker container to the host. The port does not have to be 1883; it can be any other unused port. MQTT uses port 1883, so port 1883 is used here. Finally, click "OK".
2. Get certificate
The certificate for accessing the baetyl-broker is located in the baetyl-core pod.
Scheme 1: Execute `kubectl exec` on the edge side.
Enter baetyl-core and get the certificate with the `kubectl exec` command. The certificate is saved in the `/var/lib/baetyl/system/certs` directory. Execute the command as follows.
```
root@userver-desk:~# kubectl exec -it baetyl-core-7d5995f956-7jszr -n baetyl-edge-system /bin/sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
/ # cd /var/lib/baetyl/system/certs
/var/lib/baetyl/system/certs # ls
ca.pem crt.pem key.pem
```
Copy the contents of the above three certificates locally as shown in the figure below:
Scheme 2: Enter baetyl-core directly through Remote Debug in the cloud.
Click "Remote Debug".
Enter the `/var/lib/baetyl/system/certs` directory to view the certificate files.
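For the `kubectl exec` route above, the following added example (not part of the original page or the Baetyl project) copies the three files out of baetyl-core with the non-deprecated `kubectl exec POD -- COMMAND` form and then checks the local copy: all files present, `key.pem` closed to group and others, and `crt.pem` chaining to `ca.pem` and matching `key.pem`. The helper names and destination directory are assumptions, as is the presence of `cat` in the baetyl-core container and `openssl` on the edge node.

```shell
#!/bin/sh
# Added example, not Baetyl project code. fetch_certs, check_cert_dir and
# check_cert_pair are hypothetical helper names; the namespace and certificate
# path are the ones shown on this page.
CERT_SRC=/var/lib/baetyl/system/certs

# fetch_certs POD DEST: copy the three files out of baetyl-core into a
# directory only the current user can read, using "kubectl exec POD -- CMD".
fetch_certs() {
    ( umask 077
      mkdir -p "$2" || exit 1
      for f in ca.pem crt.pem key.pem; do
          kubectl exec "$1" -n baetyl-edge-system -- cat "$CERT_SRC/$f" > "$2/$f" || exit 1
      done )
}

# check_cert_dir DIR: return 0 only if all three files are present and
# key.pem grants no permissions to group or others.
check_cert_dir() {
    for f in ca.pem crt.pem key.pem; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f"; return 1; }
    done
    perms=$(ls -ld "$1/key.pem" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key.pem is open to group/others: chmod 600 it"; return 1; }
}

# check_cert_pair DIR: crt.pem must chain to ca.pem and match key.pem.
check_cert_pair() {
    openssl verify -CAfile "$1/ca.pem" "$1/crt.pem" >/dev/null || return 1
    [ "$(openssl x509 -noout -pubkey -in "$1/crt.pem")" = \
      "$(openssl pkey -pubout -in "$1/key.pem")" ] || { echo "crt.pem and key.pem differ"; return 1; }
}

# Usage on the edge node: sh certs.sh <baetyl-core-pod> <dest-dir>
if [ $# -eq 2 ]; then
    fetch_certs "$1" "$2" && check_cert_dir "$2" && check_cert_pair "$2"
fi
```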
3. Connect to local broker through MQTT Box
Note: MQTT Box can connect to baetyl-broker only from the edge node device where baetyl-broker is deployed. Other devices cannot connect to baetyl-broker even if they have the certificate.
The edge node in this example runs Ubuntu desktop. Download and install MQTT Box, and then configure the connection as follows:
- Protocol: mqtts/tls
- Host: It must be `127.0.0.1:1883` or `localhost:1883`; any other IP address is invalid.
- Certificate: Use the three certificates saved previously.
4. Connect to the local broker through mosquitto.
If your Linux system is not a desktop system, you cannot install MQTT Box, but you can use mosquitto. The steps are as follows:
- Install mosquitto-clients.

```shell
sudo apt-get install mosquitto-clients
```

- Subscribe to baetyl-broker. Enter the certificate storage directory, and execute the following command.

```shell
mosquitto_sub -h 127.0.0.1 -p 1883 --cafile ca.pem --cert crt.pem --key key.pem -t topic -i adsf
```

- Publish a message to baetyl-broker. Open a new session, enter the certificate storage directory, and execute the following command.

```shell
mosquitto_pub -h 127.0.0.1 -p 1883 --cafile ca.pem --cert crt.pem --key key.pem -t topic -i adsfasd -m test
```

- View the subscribed message. Return to the session that subscribed to baetyl-broker. It has received the message `test`.

Note:
- The `-i` parameter is followed by a random string that identifies the MQTT client. Without the `-i` parameter, the client may report a `Connection Refused: identifier rejected.` error.
- If you do not enter the certificate directory, you can use the absolute paths of the certificates.