diff --git a/kubernetes/thin/apps/emqx/cluster/cluster.yaml b/kubernetes/thin/apps/emqx/cluster/cluster.yaml
new file mode 100644
index 00000000..58cee143
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/cluster/cluster.yaml
@@ -0,0 +1,49 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/apps.emqx.io/emqx_v2beta1.json
+apiVersion: apps.emqx.io/v2beta1
+kind: EMQX
+metadata:
+  name: emqx
+spec:
+  image: public.ecr.aws/emqx/emqx:5.8.4
+  config:
+    data: |
+      authentication {
+        backend = "built_in_database"
+        mechanism = "password_based"
+        password_hash_algorithm {
+            name = "bcrypt"
+        }
+        user_id_type = "username"
+        bootstrap_file = "/opt/init-user.json"
+        bootstrap_type = "plain"
+      }
+      authorization {
+        sources = [
+          {
+            type = built_in_database
+            enable = true
+          }
+        ]
+        no_match: "deny"
+      }
+  coreTemplate:
+    spec:
+      replicas: 2
+      envFrom:
+        - secretRef:
+            name: emqx-secret
+      extraVolumeMounts:
+        - name: init-user
+          mountPath: /opt/init-user.json
+          subPath: init-user.json
+          readOnly: true
+      extraVolumes:
+        - name: init-user
+          secret:
+            secretName: emqx-init-user-secret
+  listenersServiceTemplate:
+    metadata:
+      annotations:
+        io.cilium/lb-ipam-ips: 192.168.1.52
+    spec:
+      type: LoadBalancer
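Review bot: The `listenersServiceTemplate` at the end of this manifest publishes the broker's listeners on a LoadBalancer address, while `config.data` enables password-based authentication and defines no listeners. EMQX's stock listener set therefore presumably applies, and it includes plain-TCP MQTT and plain WebSocket, so client usernames and passwords would cross the network unencrypted. Consider adding `listeners.tcp.default.enable = false` and `listeners.ws.default.enable = false` to `config.data` and giving `listeners.ssl.default` a certificate you control. At minimum, put a comment above `type: LoadBalancer` recording that cleartext MQTT on this network segment is an accepted risk.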
diff --git a/kubernetes/thin/apps/emqx/cluster/kustomization.yaml b/kubernetes/thin/apps/emqx/cluster/kustomization.yaml
new file mode 100644
index 00000000..798e3fa8
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/cluster/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./secret.sops.yaml
+- ./cluster.yaml
diff --git a/kubernetes/thin/apps/emqx/cluster/secret.sops.yaml b/kubernetes/thin/apps/emqx/cluster/secret.sops.yaml
new file mode 100644
index 00000000..161ece37
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/cluster/secret.sops.yaml
@@ -0,0 +1,142 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: emqx-secret
+stringData:
+    EMQX_DASHBOARD__DEFAULT_USERNAME: ENC[AES256_GCM,data:IsbvziQ=,iv:b/8O8BoFNgOPJHq1hqWLM9TUlTEZ+FEfNGmvclk9+HI=,tag:mCm55wYwJ03hN0/2VaI/CA==,type:str]
+    EMQX_DASHBOARD__DEFAULT_PASSWORD: ENC[AES256_GCM,data:jUDB9jxnaML0nYqjK4bSXU/lyZBPudEp,iv:rBqAI+edgezHmQoqZy1Hw20yijKlB47RU55PHxtkink=,tag:ysdknK+DLci+BZSYcRkbxA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-02-18T00:19:20Z"
+    mac: ENC[AES256_GCM,data:Zw8qoO8/XXCcMFul8HBuCBmIREW9HW1z2mLyot2O2OcloiPJBbIcyhqD7IuCYP+WVwrBCOqlSPvZuurUX4i/K6r4tlvcZDmXVSdZtGnFGLnaAefP/SFYnbAUL2AYjRKFc0DHa74TZbZmcRzTWpeX55XtMjTDLz9fmVEmrgpUkkc=,iv:aOOLK4UwRIPhUbTHpiLDORk9EWjueqyd8VBgMagfTfc=,tag:8Qfryh4qIqcUvjJklWkjkg==,type:str]
+    pgp:
+        - created_at: "2025-02-18T00:19:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovARAA4f/EiQcqDQed44x0NVp8tWm6sT40Mz5hBzcPhVhu4uGZ
+            DUn0ladxuLaky1gTCXu2uR54F25y+YTTOb3cDsZxKMppOufM3lJ53d27BFivBbUO
+            p8KqzqzcCxD8dPyqS7Frorleq9V/pusEVx1xCjYvFG1N4n5WFAthX9XK+dWbRvtB
+            bOLQIzJ4ID5lIuOjKtmswAeR5W6cNQ37lImA0feLWm5anTF2JmIBHTQ3SYhhjFN4
+            9u+E6BivqCWO2EBYeUNzJ9bI/o1DhXvr7VRewILs9kLMn1MHfEDeaavZ6YEiM50U
+            WsWEzTBFpZhHRnzJ7vT0mH7lFHwP8uFcyi0wZBjVXurTMOiJurjT2bNwaz+lgw7T
+            aameMjoiK3v3DtmS1yu0AxIBCDG131/ZckxITFuuud3ZDODyttfCTWskvy6lCcOR
+            kCXc7I1YVN6zWX8oKU0+FPGpkbSORiDhFk5F3AGI96KMeKmaWcSBy8Qb1hwM5VfP
+            1HqDElOG2VeZ6aGV9gtQAlUTMhhNP3cENgUzIibq2p0ClHXXYByplJfoFU7qo30X
+            DnAC3ucd3pa9lyGENL4ajLC3VxbzikOHR2kh/7SWsV/W/nxXKt1fp+Ql73roKpD4
+            8tQpK1dR3aDjfbes575bzvdeteB3FRnapN/ariCXleLLY7b7lNKS0IrX4e0PQsyF
+            AgwDXjg0p2IN1X8BEADetZRi4tdeMPCypLHTjLCerlpUGaxxfLVIFnIshEvCof7j
+            nK2qURTJn7R4O1/2k4SUGlRmL6yryuadH0VRH6iqHttWA/QUH1xlS/KZ6rSLf++6
+            iRDrMDldU5ybNxEPUUlTyFTfhCJZWGD708jezZ6rZxyS48T4hX6JZfxD6BpsQVVZ
+            cAqWm9A98xldo8WWz/FCz/DfpSDBg7XB8pfA6oGoA6uhz0DGq1ID/SSvO2Y29oK9
+            em6pLIeAG0G+PAjToCD3B01nLevfPG2vMwWvoAqUy47oRhl6MCEyU8knxxnlo+uO
+            VVeRl9uTIrCwDBAlGzdOgZO3iCjFv0/uCxjPvAn5MCz9MF2aOMVzPaT+u4oKgU6F
+            zGlV9aDE19j53cKLOcSIxJOZdfv1qAAAqswyITtREq2yRzjfQqINW026ShCCZcxL
+            1OPyz6n3LaOZWjSAyy298hFlKXsqOm25UtlDb7ED9t1cu3fY2SHjI2L5osvLWich
+            lq2clU3yIuQC8diXjID1474+cVrXTEWW72XNUXshBG3CN61sn9NxQPHdK5cfEyVE
+            lyLltAAkYGb+300vF0bYWk5pGDlXSebyhxIFgb+hxFlxJdpeZXYIuXBlXVPv/GBs
+            OcQ+SrrKEtbnX+e3n90dAuyzZGu+5+Oyqd9PuJnjP2GZuA51BoT3BCOcTUZDMdRo
+            AQkCELme2XKkKIxJYjCtZGOBYFoSxo0OI7QW4u4R+4n8/RGyEviy39JCvIVt8tTq
+            XL6wAyYVvPYWcVQ0d2ybrnNKIiHMqrU7b6r5Neq8LVFGFuMlowRpu1/MxnsX5Yqy
+            uiX344jRJFg=
+            =nX/v
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2025-02-18T00:19:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ//dp8gWin8n5nE2Qs5b2SLkxdZ3vkCZYyv6HMdc64vjIvY
+            wW8uJbj4zNJzWcorZAMmf7mWrj4yyOklZpLxswp6oWF7o6CR1evgnDIJRoJLIaL6
+            JHxomw4CJqm0ZwfksYWSudKglvbEnYIPvA1vyKYRkfM4C3H5g71Kt3B0qo5o2Zjr
+            zJlNK7gWoA43SWYOCCYijJrMUs54Iu7JlUCn/fQtih/ZAlrrloBt2gNnQqqQz3gV
+            BeXRvn+vd129Sstas9x0b6vbGcLB0yo5FOb+NhsM/jOCriMYH2PIdLB2W+sBvaPp
+            7gpbsMr+eie+DM7jbpgM6teAwMgIYtYoGmZ5EC3b+1FiXQA2pW/5YNgTzImDlkyh
+            l7MOougBKt/7J+StcXI+bqEjX5lqWr/mcaPW+mkOjCjU4qcQjV9XgHCCdsSjSWlC
+            Eg2R1zyG/TPJkxyWkAAe9PKji+9jFR9iaiCzC1EqkSgN9RmB/MhTpAJtbPu1nBNS
+            wROlpE35jRdVGSsTn7KBulCgeOTDe+IBMH/B7g550ngxLNlgJi3tF0exEz+wEBME
+            /UD5z/iCTlnyWxBARQKMSx72F9mpg6JBBMGh2RTgSPF5MEwBA7hytT030AF8usxX
+            aohlHU9g+bi3aBk4SLfsRMXBakVZZkltaqaA7zHfcI9/91omYc8CAKdUqRzaOlLU
+            aAEJAhBsi6Uuh97jhkBT8qfCmfXUxM+S8G3LRuY7LA8M/vIWvSWzvo39vsnJlbiV
+            ODKfYyr4C+pfYTRHZkzXqTdi4uWJq4gbyM5CtGFbPD5TOMSvaBorTZsgLb68/klO
+            ihGWcmPPieEU
+            =xoAO
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: emqx-init-user-secret
+stringData:
+    init-user.json: ENC[AES256_GCM,data:gkd2lvCUn0lhVdyKu6MUZ5LjUqwO4u7HrbuwGh6h5hW5oC8aIPTxQZrNlvk/c4Af2VQ4P3jDhQZxPKngRyJ902n+clnr8gKGN7IrjuAsHltkUBCl/w==,iv:eOVuVR4SbDyyFjhURnNBv4V4TDL3urtbdzH61wTxxcY=,tag:0FwftIXIDIjUq8CsgI2JhA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-02-18T00:19:20Z"
+    mac: ENC[AES256_GCM,data:Zw8qoO8/XXCcMFul8HBuCBmIREW9HW1z2mLyot2O2OcloiPJBbIcyhqD7IuCYP+WVwrBCOqlSPvZuurUX4i/K6r4tlvcZDmXVSdZtGnFGLnaAefP/SFYnbAUL2AYjRKFc0DHa74TZbZmcRzTWpeX55XtMjTDLz9fmVEmrgpUkkc=,iv:aOOLK4UwRIPhUbTHpiLDORk9EWjueqyd8VBgMagfTfc=,tag:8Qfryh4qIqcUvjJklWkjkg==,type:str]
+    pgp:
+        - created_at: "2025-02-18T00:19:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovARAA4f/EiQcqDQed44x0NVp8tWm6sT40Mz5hBzcPhVhu4uGZ
+            DUn0ladxuLaky1gTCXu2uR54F25y+YTTOb3cDsZxKMppOufM3lJ53d27BFivBbUO
+            p8KqzqzcCxD8dPyqS7Frorleq9V/pusEVx1xCjYvFG1N4n5WFAthX9XK+dWbRvtB
+            bOLQIzJ4ID5lIuOjKtmswAeR5W6cNQ37lImA0feLWm5anTF2JmIBHTQ3SYhhjFN4
+            9u+E6BivqCWO2EBYeUNzJ9bI/o1DhXvr7VRewILs9kLMn1MHfEDeaavZ6YEiM50U
+            WsWEzTBFpZhHRnzJ7vT0mH7lFHwP8uFcyi0wZBjVXurTMOiJurjT2bNwaz+lgw7T
+            aameMjoiK3v3DtmS1yu0AxIBCDG131/ZckxITFuuud3ZDODyttfCTWskvy6lCcOR
+            kCXc7I1YVN6zWX8oKU0+FPGpkbSORiDhFk5F3AGI96KMeKmaWcSBy8Qb1hwM5VfP
+            1HqDElOG2VeZ6aGV9gtQAlUTMhhNP3cENgUzIibq2p0ClHXXYByplJfoFU7qo30X
+            DnAC3ucd3pa9lyGENL4ajLC3VxbzikOHR2kh/7SWsV/W/nxXKt1fp+Ql73roKpD4
+            8tQpK1dR3aDjfbes575bzvdeteB3FRnapN/ariCXleLLY7b7lNKS0IrX4e0PQsyF
+            AgwDXjg0p2IN1X8BEADetZRi4tdeMPCypLHTjLCerlpUGaxxfLVIFnIshEvCof7j
+            nK2qURTJn7R4O1/2k4SUGlRmL6yryuadH0VRH6iqHttWA/QUH1xlS/KZ6rSLf++6
+            iRDrMDldU5ybNxEPUUlTyFTfhCJZWGD708jezZ6rZxyS48T4hX6JZfxD6BpsQVVZ
+            cAqWm9A98xldo8WWz/FCz/DfpSDBg7XB8pfA6oGoA6uhz0DGq1ID/SSvO2Y29oK9
+            em6pLIeAG0G+PAjToCD3B01nLevfPG2vMwWvoAqUy47oRhl6MCEyU8knxxnlo+uO
+            VVeRl9uTIrCwDBAlGzdOgZO3iCjFv0/uCxjPvAn5MCz9MF2aOMVzPaT+u4oKgU6F
+            zGlV9aDE19j53cKLOcSIxJOZdfv1qAAAqswyITtREq2yRzjfQqINW026ShCCZcxL
+            1OPyz6n3LaOZWjSAyy298hFlKXsqOm25UtlDb7ED9t1cu3fY2SHjI2L5osvLWich
+            lq2clU3yIuQC8diXjID1474+cVrXTEWW72XNUXshBG3CN61sn9NxQPHdK5cfEyVE
+            lyLltAAkYGb+300vF0bYWk5pGDlXSebyhxIFgb+hxFlxJdpeZXYIuXBlXVPv/GBs
+            OcQ+SrrKEtbnX+e3n90dAuyzZGu+5+Oyqd9PuJnjP2GZuA51BoT3BCOcTUZDMdRo
+            AQkCELme2XKkKIxJYjCtZGOBYFoSxo0OI7QW4u4R+4n8/RGyEviy39JCvIVt8tTq
+            XL6wAyYVvPYWcVQ0d2ybrnNKIiHMqrU7b6r5Neq8LVFGFuMlowRpu1/MxnsX5Yqy
+            uiX344jRJFg=
+            =nX/v
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2025-02-18T00:19:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ//dp8gWin8n5nE2Qs5b2SLkxdZ3vkCZYyv6HMdc64vjIvY
+            wW8uJbj4zNJzWcorZAMmf7mWrj4yyOklZpLxswp6oWF7o6CR1evgnDIJRoJLIaL6
+            JHxomw4CJqm0ZwfksYWSudKglvbEnYIPvA1vyKYRkfM4C3H5g71Kt3B0qo5o2Zjr
+            zJlNK7gWoA43SWYOCCYijJrMUs54Iu7JlUCn/fQtih/ZAlrrloBt2gNnQqqQz3gV
+            BeXRvn+vd129Sstas9x0b6vbGcLB0yo5FOb+NhsM/jOCriMYH2PIdLB2W+sBvaPp
+            7gpbsMr+eie+DM7jbpgM6teAwMgIYtYoGmZ5EC3b+1FiXQA2pW/5YNgTzImDlkyh
+            l7MOougBKt/7J+StcXI+bqEjX5lqWr/mcaPW+mkOjCjU4qcQjV9XgHCCdsSjSWlC
+            Eg2R1zyG/TPJkxyWkAAe9PKji+9jFR9iaiCzC1EqkSgN9RmB/MhTpAJtbPu1nBNS
+            wROlpE35jRdVGSsTn7KBulCgeOTDe+IBMH/B7g550ngxLNlgJi3tF0exEz+wEBME
+            /UD5z/iCTlnyWxBARQKMSx72F9mpg6JBBMGh2RTgSPF5MEwBA7hytT030AF8usxX
+            aohlHU9g+bi3aBk4SLfsRMXBakVZZkltaqaA7zHfcI9/91omYc8CAKdUqRzaOlLU
+            aAEJAhBsi6Uuh97jhkBT8qfCmfXUxM+S8G3LRuY7LA8M/vIWvSWzvo39vsnJlbiV
+            ODKfYyr4C+pfYTRHZkzXqTdi4uWJq4gbyM5CtGFbPD5TOMSvaBorTZsgLb68/klO
+            ihGWcmPPieEU
+            =xoAO
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1
diff --git a/kubernetes/thin/apps/emqx/ks.yaml b/kubernetes/thin/apps/emqx/ks.yaml
new file mode 100644
index 00000000..f86e9596
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/ks.yaml
@@ -0,0 +1,64 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app emqx
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  targetNamespace: emqx
+  timeout: 5m
+  interval: 30m
+  path: ./kubernetes/thin/apps/emqx/operator
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app emqx-cluster
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  targetNamespace: emqx
+  timeout: 5m
+  interval: 30m
+  path: ./kubernetes/thin/apps/emqx/cluster
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: emqx
+      namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
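Review bot: Both Kustomizations enable `postBuild.substituteFrom` with `cluster-settings` and `cluster-secrets`, yet none of the manifests added under `operator/` or `cluster/` in this commit contains a `${...}` placeholder, so the blocks look carried over from another app. With substitution on, Flux also runs it over the SOPS-decrypted Secrets, so a dashboard password or `init-user.json` entry containing `${` would be rewritten or fail the build; the encrypted values cannot be checked from here. Either drop `postBuild` from both documents or annotate the two Secrets with `kustomize.toolkit.fluxcd.io/substitute: disabled`. The first Kustomization (`emqx`, path `operator`) also has a `decryption` block although that path holds no encrypted file in this commit, so it can be removed to keep the key reference where it is needed.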
diff --git a/kubernetes/thin/apps/emqx/kustomization.yaml b/kubernetes/thin/apps/emqx/kustomization.yaml
new file mode 100644
index 00000000..0e8d1720
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/kustomization.yaml
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./ks.yaml
diff --git a/kubernetes/thin/apps/emqx/namespace.yaml b/kubernetes/thin/apps/emqx/namespace.yaml
new file mode 100644
index 00000000..4f701747
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: emqx
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: emqx
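Review bot: The annotation `kustomize.toolkit.fluxcd.io/prune: emqx` is most likely a no-op, because the value Flux acts on for this key is `disabled` and `emqx` looks like a slip. As written, the namespace is not protected: if `./emqx` is later removed from the parent kustomization, a pruning Flux Kustomization would delete the namespace together with the broker and its Secrets (the parent's `prune` setting is not visible in this diff). If the intent is to protect the namespace, change the line to `kustomize.toolkit.fluxcd.io/prune: disabled`; otherwise drop the annotation so it does not suggest a safeguard that is not there.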
diff --git a/kubernetes/thin/apps/emqx/operator/helm-release.yaml b/kubernetes/thin/apps/emqx/operator/helm-release.yaml
new file mode 100644
index 00000000..22b3b2eb
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/operator/helm-release.yaml
@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: emqx-operator
+  namespace: emqx
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: emqx-operator
+      version: 2.2.28
+      sourceRef:
+        kind: HelmRepository
+        name: emqx
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: cert-manager
+      namespace: cert-manager
+  values:
+    fullnameOverride: emqx
+    replicaCount: 1
+    image:
+      repository: ghcr.io/emqx/emqx-operator
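Review bot: The `image.repository` override under `values` points the operator's controller image at `ghcr.io/emqx/emqx-operator`, but nothing in the hunk pins a tag or digest. The image that runs with whatever RBAC the chart grants the operator is therefore the chart's default tag as resolved in that registry at pull time. If the chart's values expose it (the schema is not visible here), pin the image next to the repository, for example `tag: <IMAGE_TAG_PLACEHOLDER>` or a digest. Also add a comment such as `# registry overridden from the chart default; keep the tag in step with the chart version` so the override is not lost on the next chart bump.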
diff --git a/kubernetes/thin/apps/emqx/operator/kustomization.yaml b/kubernetes/thin/apps/emqx/operator/kustomization.yaml
new file mode 100644
index 00000000..9d785df4
--- /dev/null
+++ b/kubernetes/thin/apps/emqx/operator/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml
diff --git a/kubernetes/thin/apps/helm-repositories.yaml b/kubernetes/thin/apps/helm-repositories.yaml
index bf6a712e..9a09fe9c 100644
--- a/kubernetes/thin/apps/helm-repositories.yaml
+++ b/kubernetes/thin/apps/helm-repositories.yaml
@@ -61,3 +61,12 @@ metadata:
 spec:
   interval: 2h
   url: https://helm.cilium.io/
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: emqx
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://repos.emqx.io/charts
diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml
index ab5be4ee..781eee42 100644
--- a/kubernetes/thin/apps/kustomization.yaml
+++ b/kubernetes/thin/apps/kustomization.yaml
@@ -19,4 +19,5 @@ resources:
 - ./database
 - ../../common/apps/exim/ks.yaml
 - ./monitoring
-- ./default
\ No newline at end of file
+- ./default
+- ./emqx