我想要通过helm安装一个不落盘的emqx,但是又有需求进行客户端认证配置,通过测试发现,通过环境变量注入例如EMQX_AUTHENTICATION__BACKEND等,容器内会提示无法识别该变量,也许是社区版不支持,但是修改emqx.conf是可以完成初始化配置的。
我的最终解决方案是通过修改helm文件,新增一个configmap,用来替换容器内默认的emqx.conf文件。


获取helm文件

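# Register the chart repository that hosts the EMQX chart.
helm repo add emqx-operator https://repos.emqx.io/charts
# Fetch a pinned chart version and unpack it into ./emqx so that the files
# under templates/ can be edited in the following steps. Read the unpacked
# templates before installing: they define what runs in the cluster.
helm pull emqx-operator/emqx --version 5.7.1 --untar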

修改文件

增加配置文件模板

template目录中新增emqx_config.yaml,相比原生配置增加了authentication这一段内容,如果需要进行修改可参考官方文档

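{{- if .Values.authentication }}
# Replacement emqx.conf for the EMQX container, rendered only when
# .Values.authentication is set. Per the surrounding post it is the stock
# configuration plus an `authentication` section backed by MySQL.
#
# NOTE(review): the MySQL password is rendered in clear text into a ConfigMap.
# ConfigMaps are meant for non-confidential data; anyone allowed to read
# ConfigMaps in this namespace can read the credential. Rendering this file
# into a Secret and mounting it through a `secret` volume is the safer layout.
apiVersion: v1
kind: ConfigMap
metadata:
  # Fixed name: the StatefulSet volume refers to `emqx-config` literally, so
  # two releases installed into one namespace would share this object.
  name: emqx-config
  # Same expression the StatefulSet uses; a ConfigMap can only be mounted by
  # pods in its own namespace.
  namespace: {{ .Release.Namespace }}
data:
  emqx.conf: |-
    node {
      name = "emqx@127.0.0.1"
      ## NOTE(review): the node cookie is the shared secret EMQX nodes use to
      ## authenticate cluster connections to each other. A fixed value kept in
      ## a chart template is not secret; use a per-deployment random value.
      cookie = "emqxsecretcookie"
      data_dir = "data"
    }

    cluster {
      name = emqxcl
      discovery_strategy = manual
    }

    log {
    }

    dashboard {
      listeners.http {
        bind = 18083
      }
    }

    authentication {
      mechanism = "password_based"
      backend = "mysql"
      ## NOTE(review): a single round of salted SHA-256 is cheap to brute-force
      ## if the mqtt_user table leaks. EMQX also accepts bcrypt and pbkdf2
      ## here; switching requires re-hashing the stored passwords, so this is
      ## flagged rather than changed.
      password_hash_algorithm = {
        name = "sha256",
        salt_position = "suffix"
      }
      ## ${username} is an EMQX placeholder filled in by the broker at
      ## authentication time, not a Helm value.
      query = "SELECT password_hash, salt FROM mqtt_user where username = ${username} LIMIT 1"
      query_timeout = "5s"
      ## `quote` escapes quotes and backslashes, so a value containing `"`
      ## cannot end the string early and add settings of its own.
      ## NOTE(review): no TLS is configured for the MySQL connection, so the
      ## credential and password hashes presumably cross the cluster network
      ## unencrypted; confirm and enable the authenticator's ssl options.
      server = {{ .Values.authenticationConfig.server | quote }}
      database = {{ .Values.authenticationConfig.database | quote }}
      username = {{ .Values.authenticationConfig.username | quote }}
      password = {{ .Values.authenticationConfig.password | quote }}
    }
{{- end }}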

修改values.yaml

新增如下内容,用来控制是否开启认证


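# Switch for the emqx-config ConfigMap template and for its volume and
# volumeMount in the StatefulSet.
authentication: true
# MySQL connection settings templated into the `authentication` section of
# emqx.conf. The four keys must be nested under authenticationConfig; the
# templates read them as .Values.authenticationConfig.<key>.
authenticationConfig:
  server: 'mysql-primary.mysql'
  database: 'mqtt_user'
  username: 'sylink'
  # NOTE(review): sample credential, identical to the username. Do not commit
  # a real password to values.yaml; supply it at install time from a values
  # file kept out of version control, and give this account read-only access
  # to the user table only.
  password: 'sylink'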

修改StatefulSet.yaml

修改了volumeMounts和volumes内容,挂载配置文件

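# StatefulSet for the EMQX broker. Compared with the chart's original template
# (per the surrounding post) it adds the `emqx-config` volume and mounts its
# emqx.conf key over /opt/emqx/etc/emqx.conf when .Values.authentication is set.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "emqx.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
  serviceName: {{ include "emqx.fullname" . }}-headless
  podManagementPolicy: {{ .Values.podManagementPolicy }}
  {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
  volumeClaimTemplates:
    - metadata:
        name: emqx-data
        namespace: {{ .Release.Namespace }}
        labels:
          app.kubernetes.io/name: {{ include "emqx.name" . }}
          app.kubernetes.io/instance: {{ .Release.Name }}
          app.kubernetes.io/managed-by: {{ .Release.Service }}
      spec:
        {{- if .Values.persistence.storageClassName }}
        storageClassName: {{ .Values.persistence.storageClassName | quote }}
        {{- end }}
        accessModes:
          - {{ .Values.persistence.accessMode | quote }}
        resources:
          requests:
            storage: {{ .Values.persistence.size | quote }}
  {{- end }}
  updateStrategy:
    type: RollingUpdate
  {{- if .Values.minReadySeconds }}
  minReadySeconds: {{ .Values.minReadySeconds }}
  {{- end }}
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "emqx.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ include "emqx.name" . }}
        version: {{ .Chart.AppVersion }}
        app.kubernetes.io/name: {{ include "emqx.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
      annotations:
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- if .Values.recreatePods }}
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum | quote }}
        {{- if .Values.authentication }}
        # emqx.conf is mounted with subPath, and subPath mounts never receive
        # ConfigMap updates. Hashing the added template makes a changed
        # authentication setting (e.g. a rotated database password) roll the
        # pods. Without recreatePods, restart the pods manually after a change.
        checksum/emqx-config: {{ include (print $.Template.BasePath "/emqx_config.yaml") . | sha256sum | quote }}
        {{- end }}
        {{- end }}
    spec:
      serviceAccountName: {{ include "emqx.serviceAccountName" . }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName }}
      {{- end }}
      volumes:
      {{- if .Values.ssl.enabled }}
      - name: ssl-cert
        secret:
          secretName: {{ include "emqx.ssl.secretName" . }}
      {{- end }}
      {{- if not .Values.persistence.enabled }}
      # No persistence: broker data lives in an emptyDir and is lost with the pod.
      - name: emqx-data
        emptyDir: {}
      {{- else if .Values.persistence.existingClaim }}
      - name: emqx-data
        persistentVolumeClaim:
        {{- with .Values.persistence.existingClaim }}
          claimName: {{ tpl . $ }}
        {{- end }}
      {{- end }}
      {{- if .Values.emqxLicenseSecretName }}
      - name: emqx-license
        secret:
          secretName: {{ .Values.emqxLicenseSecretName }}
      {{- end }}
      {{- if .Values.authentication }}
      # Added volume: the ConfigMap holding the replacement emqx.conf.
      # NOTE(review): that file carries the MySQL password; if it is moved to
      # a Secret, this becomes a `secret:` volume with `secretName`.
      - name: emqx-config
        configMap:
          name: emqx-config
      {{- end }}
      {{- if .Values.extraVolumes }}
      {{- toYaml .Values.extraVolumes | nindent 6 }}
      {{- end }}
      {{- if .Values.podSecurityContext.enabled }}
      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
      {{- end }}
      {{- if .Values.initContainers }}
      initContainers:
        {{- toYaml .Values.initContainers | nindent 8 }}
      {{- end }}
      {{- if .Values.image.pullSecrets }}
      imagePullSecrets:
      {{- range .Values.image.pullSecrets }}
        - name: {{ . }}
      {{- end }}
      {{- end }}
      containers:
        - name: emqx
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- if .Values.containerSecurityContext.enabled }}
          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
          {{- end }}
          # Each port is the part after the last ":" of the matching bind
          # value in .Values.emqxConfig, or the default shown.
          ports:
          - name: mqtt
            containerPort: {{ splitList ":" ( .Values.emqxConfig.EMQX_LISTENERS__TCP__DEFAULT__BIND | default "1883" ) | last }}
          - name: mqttssl
            containerPort: {{ splitList ":" ( .Values.emqxConfig.EMQX_LISTENERS__SSL__DEFAULT__BIND | default "8883" ) | last }}
          - name: ws
            containerPort: {{ splitList ":" ( .Values.emqxConfig.EMQX_LISTENERS__WS__DEFAULT__BIND | default "8083" ) | last }}
          - name: wss
            containerPort: {{ splitList ":" ( .Values.emqxConfig.EMQX_LISTENERS__WSS__DEFAULT__BIND | default "8084" ) | last }}
          - name: dashboard
            containerPort: {{ splitList ":" ( .Values.emqxConfig.EMQX_DASHBOARD__LISTENERS__HTTP__BIND | default "18083" ) | last }}
          {{- if not (empty .Values.emqxConfig.EMQX_DASHBOARD__LISTENERS__HTTPS__BIND) }}
          - name: dashboardtls
            containerPort: {{ splitList ":" .Values.emqxConfig.EMQX_DASHBOARD__LISTENERS__HTTPS__BIND | last }}
          {{- end }}
          - name: ekka
            containerPort: 4370
          - name: genrpc-manual
            containerPort: 5369
          envFrom:
            - configMapRef:
                name: {{ include "emqx.fullname" . }}-env
          {{- if .Values.envFromSecret }}
            - secretRef:
                name: {{ .Values.envFromSecret }}
          {{- end }}
          resources:
{{ toYaml .Values.resources | indent 12 }}
          volumeMounts:
          - name: emqx-data
            mountPath: "/opt/emqx/data"
          {{- if .Values.ssl.enabled }}
          - name: ssl-cert
            mountPath: /tmp/ssl
            readOnly: true
          {{- end }}
          {{- if .Values.emqxLicenseSecretName }}
          - name: emqx-license
            mountPath: "/opt/emqx/etc/emqx.lic"
            subPath: "emqx.lic"
            readOnly: true
          {{- end }}
          {{- if .Values.authentication }}
          # Added mount: subPath replaces only the emqx.conf file and leaves
          # the rest of /opt/emqx/etc from the image; readOnly keeps the
          # container from rewriting it.
          - name: emqx-config
            mountPath: "/opt/emqx/etc/emqx.conf"
            subPath: "emqx.conf"
            readOnly: true
          {{- end }}
          {{- if .Values.extraVolumeMounts }}
          {{- toYaml .Values.extraVolumeMounts | nindent 10 }}
          {{- end }}
          # Both probes call /status on the dashboard HTTP port.
          readinessProbe:
            httpGet:
              path: /status
              port: {{ splitList ":" ( .Values.emqxConfig.EMQX_DASHBOARD__LISTENERS__HTTP__BIND | default "18083" ) | last }}
            initialDelaySeconds: 10
            periodSeconds: 5
            failureThreshold: 30
          livenessProbe:
            httpGet:
              path: /status
              port: {{ splitList ":" ( .Values.emqxConfig.EMQX_DASHBOARD__LISTENERS__HTTP__BIND | default "18083" ) | last }}
            initialDelaySeconds: 60
            periodSeconds: 30
            failureThreshold: 10
    {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
    {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- range . }}
        - maxSkew: {{ .maxSkew }}
          topologyKey: {{ .topologyKey }}
          whenUnsatisfiable: {{ .whenUnsatisfiable }}
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: {{ include "emqx.name" $ }}
              app.kubernetes.io/instance: {{ $.Release.Name }}
          {{- if .minDomains }}
          minDomains: {{ .minDomains }}
          {{- end }}
          {{- if .matchLabelKeys }}
          matchLabelKeys:
            {{- range .matchLabelKeys }}
            - {{ . }}
            {{- end }}
          {{- end }}
          {{- if .nodeAffinityPolicy }}
          nodeAffinityPolicy: {{ .nodeAffinityPolicy }}
          {{- end }}
          {{- if .nodeTaintsPolicy }}
          nodeTaintsPolicy: {{ .nodeTaintsPolicy }}
          {{- end }}
        {{- end }}
    {{- end }}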

参考:
helm仓库地址:
https://artifacthub.io/packages/helm/emqx-operator/emqx/5.7.1
官方emqx配置文档:
https://docs.emqx.com/zh/emqx/latest/configuration/configuration.html#%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8F
https://docs.emqx.com/zh/enterprise/v5.10.0/hocon/#T-authentication-S-mysql