
Provide documentation about setting nats with own credentials/certificates/configuration

Open vkuznet opened this issue 5 years ago • 3 comments

It would be extremely useful if you provided additional details on how the one-line installer can use the user's own credentials/certificates/conf files during k8s deployment. If I read the https://github.com/nats-io/k8s/blob/master/nats-server/nats-server-with-auth-and-tls.yml file correctly, I see that someone should provide proper secret files, which should contain proper file names, etc.

I expect that if someone wants to use their own set of certificates/conf, they need to create the proper secrets first and then run the one-line installer. If so, could you please document all the secrets used and provide examples of how to create them?

Thanks, Valentin.

vkuznet avatar Nov 19 '19 16:11 vkuznet

Thanks, yes I will add some docs/options for that approach.

wallyqs avatar Nov 19 '19 17:11 wallyqs


I was looking for this myself. It's fairly easy.

You can use a kustomization:

# kustomization.yaml
---
secretGenerator:
  - name: nats-server-tls
    files:
      # relative paths to this file
      - ca.crt
      - tls.crt
      - tls.key
generatorOptions:
  disableNameSuffixHash: true
  labels:
    type: generated
  annotations:
    note: generated

Apply it:

kubectl apply -k .

That should create the secret w/ the certs you need for NATS.

rolandjitsu avatar Aug 21 '21 01:08 rolandjitsu

I'm using Cert Manager, for example:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: server-cert
spec:
  secretName: server-cert
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
    - Operator
  commonName: my-nats.nats
  privateKey:
    algorithm: ECDSA
    encoding: PKCS1
    size: 256
  usages:
    - server auth
    - client auth # use for cluster tls mutual-auth
  dnsNames:
  - my-nats
  - my-nats.default.svc.cluster.local
  - my-nats-0.my-nats.default.svc.cluster.local
  - my-nats-1.my-nats.default.svc.cluster.local
  - my-nats-2.my-nats.default.svc.cluster.local
  - external.name.example.com
  issuerRef:
    name: local-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io

Here's an example of the client cert I'm using for natsbox

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: client-cert-natsbox
spec:
  secretName: client-cert-natsbox
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizationalUnits:
    - SVC
  commonName: natsbox
  privateKey:
    algorithm: ECDSA
    encoding: PKCS1
    size: 256
  usages:
  - client auth
  issuerRef:
    name: local-cluster-issuer
    kind: ClusterIssuer
    group: cert-manager.io

And in case it helps, here's the generated nats config (I used Helm for this one)
    # NATS Clients Port
    port: 4222

    # PID file shared with configuration reloader.
    pid_file: "/var/run/nats/nats.pid"

    ###############
    #             #
    # Monitoring  #
    #             #
    ###############
    http: 8222
    server_name:$POD_NAME
    #####################
    #                   #
    # TLS Configuration #
    #                   #
    #####################
    tls {
        cert_file: /etc/nats-certs/clients/server-cert/tls.crt
        key_file:  /etc/nats-certs/clients/server-cert/tls.key
        ca_file: /etc/nats-certs/clients/server-cert/ca.crt
        verify: true
        verify_and_map: true
    }
    ###################################
    #                                 #
    # NATS JetStream                  #
    #                                 #
    ###################################
    jetstream {
      max_mem: 1Gi
      domain: blah
      store_dir: /data

      max_file:10Gi
    }
    ###################################
    #                                 #
    # NATS Full Mesh Clustering Setup #
    #                                 #
    ###################################
    cluster {
      port: 6222
      name: nats
      tls {
          cert_file: /etc/nats-certs/cluster/server-cert/tls.crt
          key_file:  /etc/nats-certs/cluster/server-cert/tls.key
          ca_file: /etc/nats-certs/cluster/server-cert/ca.crt
          verify: true
      }

      routes = [
        nats://my-nats-0.my-nats.default.svc.cluster.local:6222,nats://my-nats-1.my-nats.default.svc.cluster.local:6222,nats://my-nats-2.my-nats.default.svc.cluster.local:6222,

      ]
      cluster_advertise: $CLUSTER_ADVERTISE
      no_advertise: true

      connect_retries: 120
    }
    debug: true
    lame_duck_grace_period: 10s
    lame_duck_duration: 30s
    ##################
    #                #
    # Authorization  #
    #                #
    ##################
    authorization {

      users: [
        {"permissions":{"publish":["hello.world"],"subscribe":["hello.>"]}, "user":"CN=natsbox,OU=SVC"},
      ]

      # not yet available, see PR #539 
      default_permissions: {
        publish: ["SANDBOX.>"],
        subscribe: ["SANDBOX.>"],
      }
    }

NickLarsenNZ avatar Jul 28 '22 10:07 NickLarsenNZ
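The generated config above enables `verify: true` on the cluster `tls` block, so every route peer must present a certificate whose SANs cover the pod hostnames in `routes`. The following added example (not code from the thread or the nats-io/k8s project) derives the dnsNames a cert-manager Certificate needs for a NATS StatefulSet and checks the route list against them; the `<release>-<n>.<release>.<namespace>.svc.cluster.local` naming scheme is assumed from the manifests in this thread.

```python
# Added example: derive the SANs a NATS server cert needs for a StatefulSet
# and check that every cluster route hostname is covered, so route TLS with
# verify: true does not fail after a scale-up or a renamed release.
from urllib.parse import urlparse


def required_dns_names(release, namespace, replicas, extra=()):
    """dnsNames for a cert-manager Certificate covering the NATS service and
    each pod of the StatefulSet (naming scheme assumed from the thread)."""
    base = f"{release}.{namespace}.svc.cluster.local"
    names = [release, base]
    names += [f"{release}-{i}.{base}" for i in range(replicas)]
    return names + list(extra)


def route_hosts(routes):
    """Hostnames from nats:// route URLs; accepts the comma-joined string the
    Helm chart renders (trailing comma included) or a list of URLs."""
    if isinstance(routes, str):
        routes = [r for r in routes.split(",") if r.strip()]
    return [urlparse(r.strip()).hostname for r in routes]


def uncovered_routes(routes, dns_names):
    """Route hostnames that no SAN covers; a non-empty result means the
    cluster tls block with verify: true will reject those peers."""
    sans = set(dns_names)
    return [h for h in route_hosts(routes) if h not in sans]


# Constructed sample: the routes line from the generated config in this thread.
ROUTES = ("nats://my-nats-0.my-nats.default.svc.cluster.local:6222,"
          "nats://my-nats-1.my-nats.default.svc.cluster.local:6222,"
          "nats://my-nats-2.my-nats.default.svc.cluster.local:6222,")

if __name__ == "__main__":
    sans = required_dns_names("my-nats", "default", 3, ["external.name.example.com"])
    print(uncovered_routes(ROUTES, sans))  # [] -> every route is covered
    # A cert issued for only two replicas leaves my-nats-2 uncovered.
    print(uncovered_routes(ROUTES, required_dns_names("my-nats", "default", 2)))
```

Re-run the check whenever `replicas` or the release name changes; cert-manager will not add SANs on its own, so the Certificate resource has to be updated before the StatefulSet is scaled.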

Documented in the values.yaml file of nats-1.0.0-beta.0

caleblloyd avatar May 03 '23 17:05 caleblloyd