Install openhab on a k3s raspberry pi cluster

h3rmanns
Oct 13, 2021

If you don't have a k3s cluster up and running, have a look at my other article on how to set up your own Kubernetes:

I use a persistent volume claim to store the openhab configuration. So longhorn needs to be in place as described in the article above.

Setting up basic auth

Since openhab has no complete user authentication, you should set up basic auth to secure your setup:

Create an auth file with your user/password:

htpasswd -c auth dirk

Install the IngressRoute with a custom middleware

Openhab needs some tricky customizations to get basic auth and the UI up and running. I needed to set up an IngressRoute for this to work. This can leverage Traefik's Custom Resource Definitions to modify requests.

So first set up the middleware rules:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: openhab-header
spec:
  headers:
    customResponseHeaders:
      X-Custom-Response-Header: "Set-Cookie: X-OPENHAB-AUTH-HEADER=1"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-middleware
spec:
  basicAuth:
    secret: authsecret
    removeHeader: true
---
# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
# To create an encoded user:password pair, the following command can be used:
# htpasswd -nb user password | openssl base64
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default
data:
  users: <paste your encoded username:password from above>

Then you can define your IngressRoute:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: openhab-ingressroute
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    secretName: openhab-tls
    domains:
      - main: dheoh.duckdns.org
  routes:
    # /settings and /auth: no middlewares, so no basic auth on these paths
    - match: Host("dheoh.duckdns.org") && (PathPrefix("/settings") || PathPrefix("/auth"))
      kind: Rule
      services:
        - name: oh-openhab-helm-chart
          port: 8080
    # everything else: response header middleware plus basic auth
    - match: Host("dheoh.duckdns.org")
      kind: Rule
      middlewares:
        - name: openhab-header
        - name: auth-middleware
      services:
        - name: oh-openhab-helm-chart
          port: 8080
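
As an added example (not code from the original article), this Python check lists every route of an IngressRoute that references no authentication middleware, which for the manifest above is the /settings and /auth route. It assumes the JSON shape returned by `kubectl get ingressroute,middleware -o json`; the sample data is constructed from the manifests in this article.

```python
import json
import sys

# Constructed sample: this article's manifests in the shape that
# `kubectl get ingressroute,middleware -o json` returns (fields trimmed).
HOST = 'Host("dheoh.duckdns.org")'
SAMPLE = {"items": [
    {"kind": "Middleware",
     "metadata": {"name": "openhab-header", "namespace": "default"},
     "spec": {"headers": {"customResponseHeaders": {}}}},
    {"kind": "Middleware",
     "metadata": {"name": "auth-middleware", "namespace": "default"},
     "spec": {"basicAuth": {"secret": "authsecret", "removeHeader": True}}},
    {"kind": "IngressRoute",
     "metadata": {"name": "openhab-ingressroute", "namespace": "default"},
     "spec": {"routes": [
         {"match": HOST + ' && (PathPrefix("/settings") || PathPrefix("/auth"))',
          "services": [{"name": "oh-openhab-helm-chart", "port": 8080}]},
         {"match": HOST,
          "middlewares": [{"name": "openhab-header"}, {"name": "auth-middleware"}],
          "services": [{"name": "oh-openhab-helm-chart", "port": 8080}]},
     ]}},
]}

# Traefik middleware types that enforce authentication
AUTH_KINDS = {"basicAuth", "digestAuth", "forwardAuth"}


def unauthenticated_routes(listing):
    """Return (ingressroute, match) for every route with no auth middleware."""
    items = listing.get("items", [])
    # (namespace, name) of each Middleware whose spec configures authentication
    auth = {(m["metadata"].get("namespace", "default"), m["metadata"]["name"])
            for m in items
            if m.get("kind") == "Middleware" and AUTH_KINDS & set(m.get("spec", {}))}
    findings = []
    for ir in (i for i in items if i.get("kind") == "IngressRoute"):
        ns = ir["metadata"].get("namespace", "default")
        for route in ir.get("spec", {}).get("routes", []):
            # A reference without a namespace resolves to the route's own namespace
            refs = {(ref.get("namespace", ns), ref["name"])
                    for ref in route.get("middlewares", [])}
            if not refs & auth:
                findings.append((ir["metadata"]["name"], route.get("match", "")))
    return findings


if __name__ == "__main__":
    # Pass a file holding the kubectl JSON, or run without arguments for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, match in unauthenticated_routes(data):
        print(f"{name}: no auth middleware on route {match}")
```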

Have a look at the linked article on how to set up a letsencrypt cluster-issuer.
It turned out that cert-manager isn't able to recognize the routes configured above, and therefore didn't create the TLS secret storing the certificate.

So create the certificate metadata manually:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openhab-tls
  namespace: default
spec:
  dnsNames:
    - yourdomain.org
  secretName: openhab-tls
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod

The cert-manager should create a secret containing the certificate afterwards. You can check that by:

kubectl get secrets

You should find a secret named openhab-tls.

Installing the openhab helm chart

Add my openhab helm chart to your helm client:

helm repo add oh https://dhermanns.github.io/openhab-helm-chart/
helm repo update
helm show values oh/openhab-helm-chart > oh.values

You could modify the oh.values if you like. Then install the chart:

helm upgrade --install --values oh.values oh oh/openhab-helm-chart

You can now access openhab.

Restore an influxdb backup

If you have a backup of an old openhab database, you can restore it by copying your backup to the pod:

kubectl cp . oh-influxdb-0:/backup

Then enter the pod and do a restore:

kubectl exec --stdin --tty oh-influxdb-0 -- /bin/bash

Then execute the restore inside the pod:

influxd restore -portable /backup

Setting up Grafana

To log on to the Grafana UI you need the admin password. Retrieve the secret like this:

kubectl get secret --namespace default oh-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo

Now you should be able to open grafana.lan in your browser. Modify /etc/hosts if you can't resolve the grafana.lan hostname.

Next import the openhab influxdb datasource to your grafana UI:

for i in data_sources/*; do \
  curl -X "POST" "http://grafana.lan/api/datasources" \
    -H "Content-Type: application/json" \
    --user admin:<yourpasswordhere> \
    --data-binary "@$i"
done

Remember to enter your Grafana admin password in the snippet above.

Enabling openhab cloud

This is useful e.g. to have the Alexa Skill control your devices. Go into your openhab pod and get your openhab uuid and secret:

cat /openhab/userdata/uuid
cat /openhab/userdata/openhabcloud/secret

Enter this in your myopenhab account.
