feat: tedge connect to c8y mqtt service endpoint

[albinsuresh]

Proposed changes

• Specification (with multiple approaches) for connecting thin-edge to the new Cumulocity MQTT service endpoint.
• Impl finalised approach (connect to mqtt service along with core mqtt)
• mosquitto bridge support
• builtin bridge support

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
• I ran just format as mentioned in CODING_GUIDELINES
• I used just check as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[codecov]

Codecov Report

❌ Patch coverage is 35.62992% with 327 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
crates/core/tedge_mapper/src/c8y/mapper.rs	0.00%	196 Missing ⚠️
crates/core/tedge/src/bridge/c8y.rs	77.41%	37 Missing and 5 partials ⚠️
crates/core/tedge/src/cli/connect/c8y.rs	0.00%	38 Missing ⚠️
crates/core/tedge/src/cli/connect/command.rs	27.90%	31 Missing ⚠️
...core/tedge/src/cli/disconnect/disconnect_bridge.rs	41.66%	12 Missing and 2 partials ⚠️
crates/core/tedge/src/cli/connect/aws.rs	0.00%	4 Missing ⚠️
...s/extensions/tedge_mqtt_bridge/src/test_helpers.rs	50.00%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[reubenmiller]

Given that there is a clear vision that the Cumulocity mqtt-service will replace the MQTT core functionality, then approach 1 is probably the best approach for delivering the immediate "mqtt-service support" feature. As it would also add a smooth transition to only using the mqtt-service without changing much on the device side, e.g. tedge connect c8y would still be the same UX but it would just do something differently behind the scenes.

Though I still think we should explore the idea of support the connection to any MQTT broker by allowing option 2, but we could do that specific stuff in a different feature implementation.

Where a generic feature could look very similar to what is being proposed, by you can also specify a "type"

[bridge.custom]     # where "custom" is the unique id of the mapper
type = "generic | c8y (mqtt-core) | c8y-mqtt-service | aws | az"        # type control default mapping rules and any type specific connection logic
device.key_path = ""
device.cert_path = ""
bridge.username = "${cert.Issuer.CN}"   # reference meta info from the device's certificate
bridge.topic_prefix = "${bridge.id}"    # reference its own id, custom

# control which subscriptions the bridge will subscribe to
remote_subscriptions = [
    "3"
]

# type specific settings (e.g. for the c8y proxy)
c8y.proxy.bind.port = 8001

# future properties
pipelines_dir = "/etc/tedge/pipelines/${bridge.id}"      # specify which mapping/filtering rules should be used (once we have a generic mapper)

[didier-wenzek]

How can I check that the connection to the MQTT service is actually established?

• Neither tedge connect c8y nor tedge connect c8y --test tells a word about the MQTT service and status.
• I tried on purpose to break the config, no errors are returned by tedge connect.

Good. The bridge status published on te/device/main/service/mosquitto-c8y-mqtt-bridge/status/health is working and reports broken as well as correct settings.

=> I would add a test assertion that a status message of 1 is received on this topic.

[albinsuresh]

Addressed in 7a827c8 by checking the health status of the bridge service in C8Y.

[albinsuresh]

There's something really weird with multiple subscriptions on MQTT service. MQTT service is rejecting subscription requests with multiple topics from the built-in bridge, which is why this test case was failing. Here is the same reproduced with mosquitto_sub client:

$ mosquitto_sub -v -h albin.latest.stage.c8y.io -p 9883 -i albin-123 --key device.key --cert device.crt --cafile c8y-root.crt -u t37070943 -t sub/topic -t demo/topic
All subscription requests were denied.

Once you limit the subscription to a single topic, it works. This test also works when there is only one subscription topic.

But to my surprise, the mosquitto bridge with multiple subscriptions works just fine (as done in the first test case).

[reubenmiller]

This was discussed offline, but the outcome was that it seems to be a current limitation of the MQTT Service, however we provided the appropriate RnD team that supporting multiple subscriptions would mean that the MQTT service would be more compatible with different MQTT tooling (and what users expect when interacting with such as service)

[albinsuresh]

It is already working with mosquitto bridge as it sends separate subscription requests for each bridge rule. The same behaviour was replicated in built-in bridge as well with 584b438

[jarhodes314]

Is this not better derived from c8y.mqtt, which will likely already have the correct domain for MQTT connections (I'm assuming this is the same issue as for standard MQTT connections)?

[albinsuresh]

Resolved by 015ee3d

[jarhodes314]

Given mosquitto seemingly does this by default, I wonder whether we actually don't want a flag and just want to change the behaviour to always use subscribe per topic.

[albinsuresh]

Resolved by c06940e

[rina23q]

Just a trivial comment and a question

[albinsuresh]

Since August 7 release of MQTT service, device isolation is enabled by default preventing another MQTT client from receiving the message published by this device. Since there isn't any another easy option to test the message passing between the device and the cloud, you may turn device isolation off as follows (using your tenant admin credentials):

curl --location --request PUT "https://<TENANT_DOMAIN>/features/mqtt-service.tenant.isolation/by-tenant" \
--header "Authorization: Basic <AUTHORIZATION>" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data-raw '{ "active":true }'

before connecting the test client to subscribe/publish to the device topics.

[reubenmiller]

Or using go-c8y-cli

c8y features tenants enable --key mqtt-service.tenant.isolation

[rina23q]

Approved

[reubenmiller]

Approved