Bulk configuration operations
In some cases, such as when working with applications, multiple related objects need to be managed together, typically the application specification and its associated secrets. The bulk operation feature lets users or systems create and update these resources in a single batch.
The bulk API is transactional: either all operations succeed, or none are applied. If any part of the transaction fails, all changes are rolled back to ensure consistency.
A full list of available operations can be found in the reference documentation.
You can run the bulk operation from supctl and pass a set of objects as a file:

```shell
supctl patch < mosquitto.yaml
```
The rest of this page shows the contents of the mosquitto.yaml file, which creates everything needed for the Mosquitto MQTT broker to run.
Mosquitto
The Mosquitto MQTT application requires a number of resources to function:
- CA certificate
- Server certificate
- Credentials
- Application specification
The example below highlights the replace operation. This operation is idempotent: it updates an existing resource, or creates it if it does not already exist.
To generate the payloads you can run

```shell
supctl show applications mosquitto --with-operation replace
```

which will output

```yaml
---
x-path: /v1/config/applications/mosquitto
x-operation: replace
name: mosquitto
version: "1.0"
...
```
Bulk example
```yaml
---
x-path: /v1/config/strongbox/tls/ca/mosquitto
x-operation: replace
name: mosquitto
ttl: 3y
cert-key-type: rsa
auto-renew:
  # Auto renew the CA when there are 30 days left
  renew-threshold: 30d
distribute:
  deployments:
    - mosquitto
---
x-path: /v1/config/strongbox/vaults/mosquitto
x-operation: replace
name: mosquitto
distribute:
  deployments:
    - mosquitto
---
x-path: /v1/config/strongbox/vaults/mosquitto/secrets/cert
x-operation: replace
name: cert
auto-cert:
  issuing-ca: mosquitto
  ttl: 30d
  truncate-ttl: false
  host: mosquitto
  cert-type: server
# "*" allows any container image to mount this secret; narrow it to the
# broker image where possible
allow-image-access:
  - "*"
---
x-path: /v1/config/strongbox/vaults/mosquitto/secrets/credentials
x-operation: replace
name: credentials
data:
  # username: "test-user"
  # password: "test-pwd"
  # test-user/test-pwd
  # Generated using: mosquitto_passwd -b pwd test-user test-pwd
  password: "test-user:$7$101$ctWMAD+/YScCjE9m$mzaBRxx9APbjOcsFkwr0brASw1jIjDPsEiRdmvWmYOycQ3OC4f9C9zUBjhdTCkLl8afToTeTFSTXxtztLIiO5g=="
allow-image-access: ["*"]
---
x-path: /v1/config/applications/mosquitto
x-operation: replace
name: mosquitto
version: "1.0"
services:
  - name: mqtt
    mode: replicated
    replicas: 1
    volumes:
      - name: log
        ephemeral-volume:
          size: 20MB
          file-mode: "755"
          file-ownership: 1883:1883
      - name: data
        ephemeral-volume:
          size: 100MB
          file-mode: "755"
          file-ownership: 1883:1883
      - name: cert
        vault-secret:
          vault: mosquitto
          secret: cert
          file-mode: "400"
          file-ownership: 1883:1883
      - name: credentials
        vault-secret:
          vault: mosquitto
          secret: credentials
          file-mode: "400"
          file-ownership: 1883:1883
      - name: cfg
        config-map:
          items:
            - name: mosquitto.conf
              data: |
                # Security options are set per listener, so that the anonymous
                # access below applies only to the loopback healthcheck listener
                # and not to the TLS listener on 8883
                per_listener_settings true
                listener 8883 0.0.0.0
                allow_anonymous false
                log_type debug
                log_type error
                log_type warning
                log_type notice
                log_type information
                password_file /mosquitto/config/password
                cafile /mosquitto/cert/ca-cert.pem
                certfile /mosquitto/cert/cert.pem
                keyfile /mosquitto/cert/cert.key
                # For healthchecks
                listener 1880 127.0.0.1
                allow_anonymous true
              file-mode: "600"
              file-ownership: 1883:1883
    share-pid-namespace: false
    containers:
      - name: mosquitto
        # Consider pinning a tag or digest rather than tracking the latest image
        image: registry-1.docker.io/eclipse-mosquitto
        container-log-size: 100 MB
        container-log-archive: false
        mounts:
          - volume-name: log
            mount-path: /mosquitto/log
            mode: read-write
          - volume-name: data
            mount-path: /mosquitto/data
            mode: read-write
          - volume-name: cfg
            files:
              - name: mosquitto.conf
                mount-path: /mosquitto/config/mosquitto.conf
          - volume-name: cert
            files:
              - name: cert.pem
                mount-path: /mosquitto/cert/cert.pem
              - name: cert.key
                mount-path: /mosquitto/cert/cert.key
              - name: ca-cert.pem
                mount-path: /mosquitto/cert/ca-cert.pem
          - volume-name: credentials
            files:
              - name: password
                mount-path: /mosquitto/config/password
        env: {}
        probes:
          readiness:
            exec:
              cmd:
                - mosquitto_sub
                - -p
                - "1880"
                - -t
                - '$SYS/broker/uptime'
                - -C
                - "1"
                - -i
                - healthcheck
                - -W
                - "3"
            initial-delay: 0s
            timeout: 5s
            period: 10s
            success-threshold: 1
            failure-threshold: 2
        on-mounted-file-change:
          restart: true
    network:
      ingress-ip-per-instance:
        protocols:
          - name: tcp
            port-ranges: "8883"
      inbound-access:
        allow-all: true
      outbound-access:
        allow-all: true
    # Optionally put this on a shared application network
    # network:
    #   shared-application-network: sensors
on-mutable-variable-change: restart-service-instance
```
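As an added pre-flight check (not part of the original page or of supctl), the Python below lints a bulk file before it is fed to supctl patch: it verifies that every document carries x-path and x-operation, resolves vault-secret and issuing-ca references against the x-paths defined in the same batch (a reference that is not defined in the batch must already exist, or the transaction rolls back in full), and flags secrets whose allow-image-access is the wildcard. The sample batch is constructed and abridged from the mosquitto.yaml above; the path layout assumes the x-path conventions shown on this page.

```python
import re
# Constructed sample batch, abridged from the mosquitto.yaml above.
SAMPLE_BATCH = """\
---
x-path: /v1/config/strongbox/tls/ca/mosquitto
x-operation: replace
---
x-path: /v1/config/strongbox/vaults/mosquitto/secrets/cert
x-operation: replace
auto-cert:
  issuing-ca: mosquitto
allow-image-access:
  - "*"
---
x-path: /v1/config/applications/mosquitto
x-operation: replace
services:
  - name: mqtt
    volumes:
      - name: cert
        vault-secret:
          vault: mosquitto
          secret: cert
      - name: credentials
        vault-secret:
          vault: mosquitto
          secret: credentials
"""

def lint_batch(text):
    """Return findings: missing x-path/x-operation, unresolved references, wildcard image access."""
    docs = [d for d in re.split(r"^---\s*$", text, flags=re.M) if d.strip()]
    paths, refs, findings = set(), [], []
    for i, doc in enumerate(docs, 1):
        path = re.search(r"^x-path:\s*(\S+)", doc, re.M)
        op = re.search(r"^x-operation:\s*(\S+)", doc, re.M)
        if not path or not op:
            findings.append(f"doc {i}: missing x-path or x-operation")
            continue
        paths.add(path.group(1))
        if re.search(r'allow-image-access:\s*(\[\s*)?-?\s*"\*"', doc):
            findings.append(f"{path.group(1)}: allow-image-access grants every image")
        # Collect vault-secret and issuing-ca references (x-path layout assumed from this page)
        refs += [f"/v1/config/strongbox/vaults/{v}/secrets/{s}"
                 for v, s in re.findall(r"vault:\s*(\S+)\s+secret:\s*(\S+)", doc)]
        refs += [f"/v1/config/strongbox/tls/ca/{c}"
                 for c in re.findall(r"issuing-ca:\s*(\S+)", doc)]
    findings += [f"{r}: referenced but not defined in this batch" for r in refs if r not in paths]
    return findings
```

Running lint_batch(SAMPLE_BATCH) reports the wildcard on the cert secret and the credentials secret that the application references but the abridged batch does not define.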