Replace bjw-s app-template with SINTEF Mosquitto chart v0.1.1

[Copilot]

Replaces the generic bjw-s/app-template deployment with the dedicated SINTEF Mosquitto Helm chart. Authentication now sources passwords from 1Password while ACL configuration remains in values.

Changes

Chart migration (argocd/apps/platform/mqtt-broker.yml):

• Chart: sintef.github.io/mosquitto-helm-chart v0.1.1
• Disabled websockets via mqttOverWebsocket: false
• Auth configured with usersExistingSecret: mosquitto-auth + user ACL definitions in values
• Resources: 10m/32Mi requests, 100m/128Mi limits

OnePassword integration (k8s/infra-mqtt/onepassword/mosquitto-auth.yml):

• Secret key must be passwords.conf containing mosquitto password file format (username:hash)
• Generate hashes: mosquitto_passwd -c /tmp/mosquitto_passwd <username>

Cleanup (k8s/infra-mqtt/kustomization.yml):

• Removed custom mosquitto.conf ConfigMap generator (chart provides its own)

Architecture pattern

The SINTEF chart separates concerns cleanly:

auth:
  usersExistingSecret: mosquitto-auth  # Passwords from 1Password
  users:                                # ACL in GitOps
    - username: admin
      password: ""                      # Ignored when usersExistingSecret set
      acl:
        - topic: "#"
          access: readwrite

Pre-deployment requirement

Create 1Password item mosquitto-auth in HomeLab vault with field passwords.conf. See k8s/infra-mqtt/README.md for hash generation steps.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Deploy Mosquitto MQTT Broker via SINTEF Helm chart (Argo CD) + OnePassword-managed auth</issue_title>
<issue_description>### Why

Copilot used bjw-s/app-template, but we want the dedicated Mosquitto chart from SINTEF (helm repo add mosquitto https://sintef.github.io/mosquitto-helm-chart). The SINTEF chart also supports sourcing users/passwords from an existing Secret (auth.usersExistingSecret) so we don’t ship credentials in Git. ([Artifact Hub][1])

---

Goal

Replace the current mqtt-broker Application (app-template) with an Argo CD Application that deploys SINTEF Mosquitto into namespace infra-mqtt, using:

• Chart repo: https://sintef.github.io/mosquitto-helm-chart
• Chart: mosquitto
• Chart version: 0.1.1 (latest release tag shown in upstream releases) ([GitHub][2])
• Auth: enabled, but no default admin user from values.yaml (must override to use auth.usersExistingSecret) ([GitHub][3])
• Only override non-default values in valuesObject

---

Work items

1) Remove/replace the broken chart usage

• Delete or replace the existing Argo app that points to bjw-s/app-template for MQTT.
• Keep the destination namespace infra-mqtt and Argo project coachlight-k3s-infra.

2) Add OnePassword-backed Kubernetes Secret for Mosquitto users

In k8s/infra-mqtt/ (the path already used by mqtt-broker-secrets), add the OnePassword Operator CRDs needed to create a Secret that Mosquitto will read.

Secret requirements

• Secret name: mosquitto-auth

• Data key(s): follow the chart’s expected format for auth.usersExistingSecret (read the chart templates and confirm the expected key name and file format).

  • The chart docs indicate auth.usersExistingSecret “holds user/password pairs”. ([Artifact Hub][1])

• The stored content should be a mosquitto password file (e.g., lines like username:<sha512-pbkdf2-hash>). The upstream values show passwords are expected in sha512-pbkdf2 format. ([GitHub][3])

1Password item fields

• Create/update a 1Password item (vault: HomeLab) with a field for the password-file content.
• Field name suggestion: mosquitto_passwd
• Value: multiline password file content (e.g. admin:<hash>)

Note: generate hash using mosquitto_passwd tooling (store the hash/file content in 1Password; do not commit it).

Ensure the mqtt-broker-secrets app (sync-wave 10) applies these CRDs before the Helm release (sync-wave 20).

3) Create/update the Argo CD Application for Mosquitto chart

Create a new Application manifest (or update existing) that uses:

• spec.source.repoURL: https://sintef.github.io/mosquitto-helm-chart
• spec.source.chart: mosquitto
• spec.source.targetRevision: 0.1.1 ([GitHub][2])

valuesObject rules

• Do not set chart defaults.
• Only apply these sensible overrides (and only if they differ from defaults):

Suggested overrides to implement:

1. Disable websockets unless we actually need them

• Default is mqttOverWebsocket: true ([GitHub][3])
  Set:
• mqttOverWebsocket: false

2. Pin image tag only if you want something different than chart appVersion

• The default values set image.tag: "" (meaning “use chart appVersion”). ([GitHub][3])
  If you don’t need a pin, don’t set it.
  If you do want to pin, set:
• image.tag: "2.0.20" (or whatever version you want)

3. Resources

• Default is resources: {} ([GitHub][3])
  Set requests/limits appropriate for your lightweight broker:

resources:
  requests:
    cpu: 10m
    memory: 32Mi
  limits:
    cpu: 100m
    memory: 128Mi

4. Auth: 반드시 default admin 제거

• The default values include an admin user and hash in auth.users. ([GitHub][3])
  We must override so we do not deploy that default user.

Set:

• auth.enabled: true (ONLY if required to activate the block—if it’s already true...

• Fixes Deploy Mosquitto MQTT Broker via SINTEF Helm chart (Argo CD) + OnePassword-managed auth #181

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[SRF-Audio]

@copilot remove the comment, and just remove the password field from this file since it's ignored anyway.

[SRF-Audio]

@copilot delete this