
Support custom certs for TLS via Secret

Open wallyqs opened this issue 6 years ago • 7 comments

It should be possible to configure the certs used for the client connection to the NATS cluster.

wallyqs avatar Jul 27 '18 16:07 wallyqs

This might be a dumb question, but would you consider using the Kubernetes certificate API? This would be useful since the certificates can be managed using a CRD. Another point is that certificates issued this way use the cluster CA, which can be configured to be mounted into the pod using the service account.

The link to the certificate API documentation is here

visheyra avatar Nov 09 '18 07:11 visheyra

Not a dumb question at all; that looks like it might be a good approach and would also help keep everything in terms of Kubernetes.

wallyqs avatar Nov 09 '18 07:11 wallyqs

@wallyqs I'm delighted that you like the idea. Are you or anyone else currently working on this topic?

visheyra avatar Nov 09 '18 09:11 visheyra

Not planned at this moment, currently pending to investigate a simple way to integrate with that feature.

wallyqs avatar Nov 09 '18 17:11 wallyqs

When using secrets for the certs and mounting them, this could be done via the template, but it would be good to add an example.

wallyqs avatar Mar 05 '19 22:03 wallyqs

Is there any example of how to use TLS in the NATS streaming operator to connect to the NATS cluster?

dmitryzykov avatar Mar 09 '20 23:03 dmitryzykov

I was unable to set container command-line flags through the pod template spec, but it looks like you can specify a config file ConfigMap in the NatsStreamingCluster spec... if anyone has a better way, please comment.

apiVersion: "streaming.nats.io/v1alpha1"
kind: NatsStreamingCluster
metadata:
  name: streaming-nats
  namespace: foo
spec:
  size: 3
  natsSvc: nats.foo.svc.cluster.local
  configFile: /etc/stan/config/stan.conf
  template:
    spec:
      containers:
        - name: stan
          volumeMounts:
            - mountPath: /etc/stan/config
              name: stan-config-volume
            - mountPath: /etc/stan-ssl
              name: nats-secrets-volume
      volumes:
        - configMap:
            name: stan-config
          name: stan-config-volume
        - secret:
            secretName: nats-tls
          name: nats-secrets-volume
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: stan-config
  namespace: foo
data:
  stan.conf: |
    streaming {
      tls: {
          client_cert: "/etc/stan-ssl/server.pem"
          client_key: "/etc/stan-ssl/server-key.pem"
          client_cacert: "/etc/stan-ssl/ca.pem"
      }
    }

sdhoward avatar May 13 '20 17:05 sdhoward
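The manifest above assumes a Secret named `nats-tls` whose data keys are exactly the file names `server.pem`, `server-key.pem` and `ca.pem`, because that is what the `client_*` paths in `stan.conf` resolve to under the `/etc/stan-ssl` mount. The following script is an added example, not code from the nats-streaming-operator project or from anyone in this thread: it builds that Secret from already-issued PEM files with matching key names and checks, offline, that every path in a `stan.conf` is covered by the Secret before anything is applied to the cluster. The Secret name, namespace `foo` and mount path are taken from the manifests above; how the PEM files were issued (openssl, cert-manager, or the Kubernetes CSR API proposed earlier) is left open.

```shell
#!/bin/sh
# Added example (not the nats-streaming-operator project's code).
# Builds the `nats-tls` Secret that the NatsStreamingCluster mounts at
# /etc/stan-ssl and verifies its data keys cover every file named in
# stan.conf, so the stan container does not start pointing at a
# non-existent cert path.
# Assumed: cert/key/CA PEM files already exist; name "nats-tls",
# namespace "foo" and mount path "/etc/stan-ssl" come from the thread.

# base64 without line wrapping, as a Secret data value must be.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Emit an Opaque Secret whose data keys are the basenames of the three
# PEM files, so the pod sees /etc/stan-ssl/<basename>.
# `kubectl create secret tls` is avoided on purpose: it stores the pair as
# tls.crt/tls.key and has no slot for the CA, so the client_* paths in
# stan.conf would not resolve.
secret_manifest() {
  name=$1 ns=$2 cert=$3 key=$4 ca=$5
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  $(basename "$cert"): $(b64_oneline "$cert")
  $(basename "$key"): $(b64_oneline "$key")
  $(basename "$ca"): $(b64_oneline "$ca")
EOF
}

# Print the quoted file paths from the client_cert / client_key /
# client_cacert lines of a stan.conf in the format used in the ConfigMap.
stan_conf_paths() {
  grep 'client_' "$1" | sed 's/.*"\([^"]*\)".*/\1/'
}

# Return 0 when every path in the conf lives under the mount path and its
# basename is a data key of the Secret manifest; otherwise print the first
# mismatch and return 1.
check_secret_covers_conf() {
  manifest=$1 conf=$2 mount=$3
  for p in $(stan_conf_paths "$conf"); do
    case $p in
      "$mount"/*) ;;
      *) echo "$p is not under mount path $mount"; return 1 ;;
    esac
    base=${p##*/}
    grep -q "^  $base: " "$manifest" || { echo "secret has no key $base"; return 1; }
  done
  return 0
}

# Usage against a real cluster (not run here):
#   secret_manifest nats-tls foo server.pem server-key.pem ca.pem > nats-tls.yaml
#   check_secret_covers_conf nats-tls.yaml stan.conf /etc/stan-ssl && kubectl apply -f nats-tls.yaml
```

Two checks on the other side of the connection are worth doing before trusting the setup: the NATS server referenced by `natsSvc` must itself have a `tls { ... }` block with `verify: true`, otherwise the client certificate is mounted but never checked, and `ca.pem` must be the CA that issued the NATS server's serving certificate, whose SAN has to cover the `natsSvc` hostname. If the certificates come from the Kubernetes CSR API suggested earlier in this thread, note that the built-in `kubernetes.io/kube-apiserver-client` signer only issues client-auth certificates, so it can supply the streaming server's client cert but not the NATS server's serving cert.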