
          Connect Local baetyl-broker of Edge Node

          Background description

          Since baetyl 2.1.1, all official applications (baetyl-broker, baetyl-function, and baetyl-rule) integrate baetyl-go-sdk by default. baetyl-core issues the certificate for these official applications, and that certificate is used by default to authenticate inter-service calls.

          Developers can access the local baetyl-broker in two ways:

          • Scheme 1: Configure baetyl-broker to open external access. Set a user name and password for accessing the broker and bind a host listening port, so that an MQTT client on any device can connect to host_machine_ip:port.
          • Scheme 2: The MQTT client simulates the identity of an application and accesses baetyl-broker with the certificate obtained from baetyl-core. The MQTT client can run only on the edge node device, not on other PCs.

          This article explains the above two schemes.


          ## Operation Guide

          Install node

          Refer to the [Getting Started](BIE/Getting Started /Getting Started Guide.md) to install the edge node. After the installation command is executed on the edge side, view the system applications in the baetyl-edge-system namespace with the kubectl command.

          root@userver-desk:~# kubectl get pod -n baetyl-edge-system
          NAME                               READY   STATUS    RESTARTS   AGE
          baetyl-init-d968b7bb9-c8b22        1/1     Running   0          3h24m
          baetyl-core-7d5995f956-7jszr       1/1     Running   0          3h24m
          baetyl-rule-5f4d7f964-xprx8        1/1     Running   0          3h24m
          baetyl-function-6c7fd69f44-xwnxk   1/1     Running   0          3h24m
          baetyl-broker-6f9cbbd794-rb9p7     1/1     Running   0          3h24m

          Scheme 1: Configure baetyl-broker to open external access

          1. Bind the baetyl-broker port to local port 8883

          Enter the edge node, click "Application Deployment" to find the baetyl-broker application, and click View as shown in the figure below:

          image.png

          Enter the baetyl-broker Application interface, and click Configure as shown in the figure below:

          image.png

          Add a port mapping record under Port Mapping -> Host Port as shown in the figure below:

          image.png

          • Host port: 8883
          • Container port: 8883
          • Protocol: TCP

          Return to the Application Configuration interface, switch to the Data Volume page, and click "baetyl-broker-conf Configuration Volume" as shown in the figure below:

          image.png

          Enter the Configuration Item page, and click Edit as shown in the figure below:

          image.png

          Enter the following configuration information on the conf.yaml configuration interface as shown in the figure below:

          image.png

          session:
            sysTopics:
              - $link
              - $baetyl
          logger:
            level: debug
            encoding: console
          listeners:
            - address: 'tcp://0.0.0.0:8883'
          principals:
            - username: test
              password: test
              permissions:
                - action: pub
                  permit:
                    - '#'
                - action: sub
                  permit:
                    - '#'

          Configuration notes:

          • This adds listening port 8883 to baetyl-broker, accessed with the user name and password test/test. This user has pub/sub permission on the # topic.
          • The port does not have to be 8883; any other unused port works. You can check whether port 8883 is occupied with the command netstat -ap | grep 8883.
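Since Scheme 1 makes the broker reachable from other devices, it is useful to list what a conf.yaml exposes before saving it. The script below is an added example, not part of the baetyl project or the original page: the function name audit_broker_conf and the 12-character password threshold are assumptions, and it scans only the listeners and principals layout shown above.

```sh
# audit_broker_conf FILE: print one finding per line for a baetyl-broker
# conf.yaml laid out like the one above (line scan, not a full YAML parser).
audit_broker_conf() {
  awk -v sq="'" '
    function val(s) {                  # text after the first ":", quotes removed
      sub(/^[^:]*:[ \t]*/, "", s); gsub("[\"" sq "]", "", s); sub(/[ \t]+$/, "", s)
      return s
    }
    function check_cred() {            # 12-char minimum is an assumed policy
      if (pass != "" && (pass == user || length(pass) < 12))
        print "principal " user ": weak password (equals username or under 12 chars)"
      user = ""; pass = ""
    }
    /^[A-Za-z_]+:/ { section = $1 }    # top-level key, e.g. "listeners:"
    section == "listeners:" && /address:/ {
      a = val($0)
      if (a ~ /^tcp:\/\//) {
        scope = (a ~ /^tcp:\/\/0\.0\.0\.0:/) ? "all interfaces" : "one address"
        print "listener " a ": plaintext MQTT (no TLS) on " scope
      }
    }
    section == "principals:" && /username:/ { if (user != "") check_cred(); user = val($0) }
    section == "principals:" && /password:/ { if (pass != "") check_cred(); pass = val($0) }
    section == "principals:" && /action:/   { action = val($0) }
    section == "principals:" {         # a permit entry that is just "#"
      l = $0; gsub("[\"" sq "]", "", l)
      if (l ~ /^[ \t]*-[ \t]*#[ \t]*$/) print "principal " user ": " action " permitted on # (every topic)"
    }
    END { check_cred() }
  ' "$1"
}

# The listeners and principals sections of the conf.yaml shown above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
listeners:
  - address: 'tcp://0.0.0.0:8883'
principals:
  - username: test
    password: test
    permissions:
      - action: pub
        permit:
          - '#'
      - action: sub
        permit:
          - '#'
EOF
audit_broker_conf "$demo_conf"
```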

          2. Access with MQTT Box

          Install MQTT Box on the operating PC, and configure the connection information as shown in the figure below:

          image.png

          Return to MQTT Box. The connection status shows connected. Test message subscription and sending as shown in the following figure:

          image.png

          Scheme 2: Simulate application identity access

          1. Map port 50010, the default port of the baetyl-broker system, to local port 1883

          Enter the edge node, click "Application Deployment" to find the baetyl-broker application, and click View.

          image.png

          Enter the baetyl-broker Application interface, and click Configure.

          image.png

          Fill in 1883 under Port Mapping -> Host Port to map the port in the baetyl-broker container to the host. The host port does not have to be 1883; any other unused port works. Port 1883 is used here because it is the port MQTT uses. Finally, click "OK".

          image.png

          2. Get certificate

          The certificate for accessing the baetyl-broker is located in the baetyl-core pod.

          Scheme 1: Execute kubectl exec on the edge side.

          Enter the baetyl-core pod with the kubectl exec command to get the certificate. The certificate is saved in the /var/lib/baetyl/system/certs directory. Execute the command as follows.

          root@userver-desk:~# kubectl exec -it baetyl-core-7d5995f956-7jszr -n baetyl-edge-system /bin/sh
          kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
          / # cd /var/lib/baetyl/system/certs
          /var/lib/baetyl/system/certs # ls
          ca.pem   crt.pem  key.pem

          Copy the contents of the three certificate files above to the local machine as shown in the figure below:

          image.png

          Scheme 2: Enter baetyl-core directly through Remote Debug in the cloud.

          Click "Remote Debug".

          image.png

          Enter the /var/lib/baetyl/system/certs directory to view the certificate files.

          image.png

          3. Connect to local broker through MQTT Box

          Note: MQTT Box can connect to baetyl-broker only from the edge node device where baetyl-broker is deployed. Other devices cannot connect to baetyl-broker even if they have the certificate.

          The current edge node is an Ubuntu desktop. Download and install MQTT Box, and then configure the connection. The configuration is shown as follows:

          image.png

          • Protocol: mqtts/tls
          • Host: It must be 127.0.0.1:1883 or localhost:1883; any other IP address is invalid.
          • Certificate: Use the three certificate files saved previously.

          4. Connect to the local broker through mosquitto

          If your Linux system is not a desktop system, you cannot install MQTT Box, but you can use mosquitto instead. The operation is as follows:

          • Install mosquitto-clients:

          sudo apt-get install mosquitto-clients

          • Subscribe to baetyl-broker. Enter the certificate storage directory, and execute the following command:

          mosquitto_sub -h 127.0.0.1 -p 1883 --cafile ca.pem --cert crt.pem --key key.pem -t topic -i adsf

          • Publish a message to baetyl-broker. Create a session, enter the certificate storage directory, and execute the following command:

          mosquitto_pub -h 127.0.0.1 -p 1883 --cafile ca.pem --cert crt.pem --key key.pem -t topic -i adsfasd -m test

          image.png

          • View the subscribed message. Return to the session that subscribed to baetyl-broker. It receives the message test.

          • The -i parameter is followed by a random string that identifies the MQTT client. Without the -i parameter, the command may report a "Connection Refused: identifier rejected." error.
          • If you do not enter the certificate directory, you can use the absolute paths of the certificate files.