If you don't have a k3s cluster up and running, have a look at my other article on how to set up your own Kubernetes:
I use a persistent volume claim to store the openhab configuration. So longhorn needs to be in place as described in the article above.
Setting up basic auth
Since openhab has no complete user authentication, you should set up basic auth to secure your setup:
Create an auth file with your user/password:
htpasswd -c auth dirk
Install the IngressRoute with a custom middleware
Openhab needs some tricky customizations to get basic auth and the UI up and running. I needed to set up an IngressRoute for this to work. It can use Traefik's Custom Resource Definitions to modify requests.
So first setup the middleware rules:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: openhab-header
spec:
  headers:
    customResponseHeaders:
      X-Custom-Response-Header: "Set-Cookie: X-OPENHAB-AUTH-HEADER=1"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-middleware
spec:
  basicAuth:
    secret: authsecret
    removeHeader: true
---
# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
# To create an encoded user:password pair, the following command can be used:
# htpasswd -nb user password | openssl base64
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: default
data:
  users: <paste your encoded username:password from above>
Then you can define your IngressRoute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: openhab-ingressroute
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    secretName: openhab-tls
    domains:
      - main: dheoh.duckdns.org
  routes:
    - match: Host("dheoh.duckdns.org") && (PathPrefix("/settings") || PathPrefix("/auth"))
      kind: Rule
      services:
        - name: oh-openhab-helm-chart
          port: 8080
    - match: Host("dheoh.duckdns.org")
      kind: Rule
      middlewares:
        - name: openhab-header
        - name: auth-middleware
      services:
        - name: oh-openhab-helm-chart
          port: 8080
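The first route above has no middlewares attached, so requests under /settings and /auth are forwarded without the basic auth check. The following is an added example, not part of the original article: a small audit that lists every route with no authentication middleware. The dicts are constructed to mirror the manifests above, the function names are hypothetical, and all objects are assumed to live in the same namespace.

```python
# Constructed to mirror the Middleware and IngressRoute manifests in this article.
MIDDLEWARES = [
    {"kind": "Middleware", "metadata": {"name": "openhab-header"},
     "spec": {"headers": {"customResponseHeaders": {
         "X-Custom-Response-Header": "Set-Cookie: X-OPENHAB-AUTH-HEADER=1"}}}},
    {"kind": "Middleware", "metadata": {"name": "auth-middleware"},
     "spec": {"basicAuth": {"secret": "authsecret", "removeHeader": True}}},
]

INGRESS_ROUTE = {"kind": "IngressRoute", "spec": {"routes": [
    {"match": 'Host("dheoh.duckdns.org") && '
              '(PathPrefix("/settings") || PathPrefix("/auth"))',
     "kind": "Rule",
     "services": [{"name": "oh-openhab-helm-chart", "port": 8080}]},
    {"match": 'Host("dheoh.duckdns.org")',
     "kind": "Rule",
     "middlewares": [{"name": "openhab-header"}, {"name": "auth-middleware"}],
     "services": [{"name": "oh-openhab-helm-chart", "port": 8080}]},
]}}

# Traefik middleware types that enforce authentication.
AUTH_KEYS = {"basicAuth", "digestAuth", "forwardAuth"}


def auth_middleware_names(middlewares):
    """Names of Middleware objects whose spec configures an auth type."""
    return {m["metadata"]["name"] for m in middlewares
            if m.get("kind") == "Middleware"
            and AUTH_KEYS & set(m.get("spec", {}))}


def unauthenticated_routes(ingress_route, middlewares):
    """Match rules of routes that reference no defined auth middleware.

    A reference to a middleware that is not defined counts as no auth.
    """
    auth = auth_middleware_names(middlewares)
    findings = []
    for route in ingress_route["spec"].get("routes", []):
        attached = {ref["name"] for ref in route.get("middlewares", [])}
        if not attached & auth:
            findings.append(route["match"])
    return findings


if __name__ == "__main__":
    for rule in unauthenticated_routes(INGRESS_ROUTE, MIDDLEWARES):
        print("no auth middleware:", rule)
```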
Have a look at the linked article on how to set up a letsencrypt cluster-issuer.
It turned out that cert-manager isn't able to recognize the routes configured above and therefore didn't create the TLS secret storing the certificate.
So create the certificate metadata manually:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openhab-tls
  namespace: default
spec:
  dnsNames:
    - yourdomain.org
  secretName: openhab-tls
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
The cert-manager should create a secret containing the certificate afterwards. You can check that by:
kubectl get secrets
You should find a secret named openhab-tls.
Installing the openhab helm chart
Add my openhab helm chart to your helm client:
helm repo add oh https://dhermanns.github.io/openhab-helm-chart/
helm repo update
helm show values oh/openhab-helm-chart > oh.values
You can modify oh.values if you like. Then install the chart:
helm upgrade --install --values oh.values oh oh/openhab-helm-chart
You can now access openhab.
Restore an influxdb backup
If you have a backup of an old openhab database, you can restore it by copying your backup to the pod:
kubectl cp . oh-influxdb-0:/backup
Then enter the pod and do a restore:
kubectl exec --stdin --tty oh-influxdb-0 -- /bin/bash
Then execute the restore inside the pod:
influxd restore -portable /backup
Setting up Grafana
To log on to the Grafana UI you need the admin password. Retrieve the secret like this:
kubectl get secret --namespace default oh-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
Now you should be able to open grafana.lan in your browser. Modify /etc/hosts if you can't resolve grafana.lan.
Next import the openhab influxdb datasource to your grafana UI:
for i in data_sources/*; do
  curl -X "POST" "http://grafana.lan/api/datasources" \
    -H "Content-Type: application/json" \
    --user admin:<yourpasswordhere> \
    --data-binary @"$i"
done
Remember to enter your Grafana admin password in the snippet above.
Enabling openhab cloud
This is useful e.g. to have the Alexa Skill control your devices. Go into your openhab pod and get your openhab uuid and secret:
cat /openhab/userdata/uuid
cat /openhab/userdata/openhabcloud/secret
Enter this in your myopenhab account.