From 29616ec60b5da7ed404f283192004ce75439a394 Mon Sep 17 00:00:00 2001 From: Julie Vogelman Date: Wed, 6 Apr 2022 15:52:26 -0700 Subject: [PATCH] feat: TLS for Jetstream (#1815) * starting to incorporate TLS into Jetstream Signed-off-by: Julie Vogelman --- common/common.go | 12 + common/leaderelection/leaderelection.go | 19 +- common/tls/tls.go | 45 ++-- common/tls/tls_test.go | 2 +- .../installer/assets/jetstream/nats.conf | 6 + .../assets/jetstream/server-auth.conf | 6 + controllers/eventbus/installer/jetstream.go | 206 ++++++++++++------ .../eventbus/installer/jetstream_test.go | 8 +- eventbus/common/structs.go | 4 +- eventbus/driver.go | 4 +- eventbus/jetstream/base/jetstream.go | 10 +- eventbus/stan/base/stan.go | 2 +- webhook/webhook.go | 2 +- 13 files changed, 220 insertions(+), 106 deletions(-) diff --git a/common/common.go b/common/common.go index 08c0342263..106f239758 100644 --- a/common/common.go +++ b/common/common.go @@ -69,6 +69,18 @@ const ( JetStreamServerSecretEncryptionKey = "encryption" // key of client auth secret JetStreamClientAuthSecretKey = "client-auth" + // key for server private key + JetStreamServerPrivateKeyKey = "private-key" + // key for server TLS certificate + JetStreamServerCertKey = "cert" + // key for server CA certificate + JetStreamServerCACertKey = "ca-cert" + // key for server private key + JetStreamClusterPrivateKeyKey = "cluster-private-key" + // key for server TLS certificate + JetStreamClusterCertKey = "cluster-cert" + // key for server CA certificate + JetStreamClusterCACertKey = "cluster-ca-cert" // key of nats-js.conf in the configmap JetStreamConfigMapKey = "nats-js" // Jetstream Stream name diff --git a/common/leaderelection/leaderelection.go b/common/leaderelection/leaderelection.go index a4e92d0e53..4cf896a519 100644 --- a/common/leaderelection/leaderelection.go +++ b/common/leaderelection/leaderelection.go @@ -2,6 +2,7 @@ package leaderelection import ( "context" + "crypto/tls" "github.com/fsnotify/fsnotify" "github.com/nats-io/graft" @@ -28,6 +29,7 @@ type LeaderCallbacks struct { func NewEventBusElector(ctx context.Context, eventBusConfig eventbusv1alpha1.BusConfig, clusterName string, clusterSize int) (Elector, error) { logger := logging.FromContext(ctx) + var eventBusType apicommon.EventBusType var eventBusAuth *eventbusv1alpha1.AuthStrategy switch { @@ -40,6 +42,7 @@ func NewEventBusElector(ctx context.Context, eventBusConfig eventbusv1alpha1.Bus default: return nil, errors.New("invalid event bus") } + var auth *eventbuscommon.Auth cred := &eventbuscommon.AuthCredential{} if eventBusAuth == nil || *eventBusAuth == eventbusv1alpha1.AuthStrategyNone { @@ -66,10 +69,11 @@ func NewEventBusElector(ctx context.Context, eventBusConfig eventbusv1alpha1.Bus logger.Fatal("Eventbus auth config file changed, exiting..") }) auth = &eventbuscommon.Auth{ - Strategy: *eventBusAuth, - Crendential: cred, + Strategy: *eventBusAuth, + Credential: cred, } } + var elector Elector switch eventBusType { case apicommon.EventBusNATS: @@ -107,11 +111,16 @@ func (e *natsEventBusElector) RunOrDie(ctx context.Context, callbacks LeaderCall opts.MaxReconnect = -1 opts.Url = e.url if e.auth.Strategy == eventbusv1alpha1.AuthStrategyToken { - opts.Token = e.auth.Crendential.Token + opts.Token = e.auth.Credential.Token } else if e.auth.Strategy == eventbusv1alpha1.AuthStrategyBasic { - opts.User = e.auth.Crendential.Username - opts.Password = e.auth.Crendential.Password + opts.User = e.auth.Credential.Username + opts.Password = e.auth.Credential.Password } + + opts.TLSConfig = &tls.Config{ // seems fine to pass this in even when we're not using TLS + InsecureSkipVerify: true, + } + rpc, err := graft.NewNatsRpc(opts) if err != nil { log.Fatalw("failed to new Nats Rpc", zap.Error(err)) diff --git a/common/tls/tls.go b/common/tls/tls.go index 33d4c9a747..e6a012de74 100644 --- a/common/tls/tls.go +++ b/common/tls/tls.go @@ -42,16 +42,6 @@ func createCACertTemplate(org string, hosts []string, notAfter time.Time) (*x509 return rootCert, nil } -func createServerCertTemplate(org string, hosts []string, notAfter time.Time) (*x509.Certificate, error) { - serverCert, err := certTemplate(org, hosts, notAfter) - if err != nil { - return nil, err - } - serverCert.KeyUsage = x509.KeyUsageDigitalSignature - serverCert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} - return serverCert, err -} - // Sign the cert func createCert(template, parent *x509.Certificate, pub, parentPriv interface{}) ( cert *x509.Certificate, certPEM []byte, err error) { @@ -86,9 +76,15 @@ func createCA(org string, hosts []string, notAfter time.Time) (*rsa.PrivateKey, return rootKey, rootCert, rootCertPEM, nil } -// CreateCerts creates and returns a CA certificate and certificate and -// key for the server -func CreateCerts(org string, hosts []string, notAfter time.Time) (serverKey, serverCert, caCert []byte, err error) { +// CreateCerts creates and returns a CA certificate and certificate and key +// if server==true, generate these for a server +// if client==true, generate these for a client +// can generate for both server and client but at least one must be specified +func CreateCerts(org string, hosts []string, notAfter time.Time, server bool, client bool) (serverKey, serverCert, caCert []byte, err error) { + if !server && !client { + return nil, nil, nil, errors.Wrap(err, "CreateCerts() must specify either server or client") + } + // Create a CA certificate and private key caKey, caCertificate, caCertificatePEM, err := createCA(org, hosts, notAfter) if err != nil { @@ -96,22 +92,31 @@ func CreateCerts(org string, hosts []string, notAfter time.Time) (serverKey, ser } // Create the private key - servKey, err := rsa.GenerateKey(rand.Reader, 2048) + privateKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { return nil, nil, nil, errors.Wrap(err, "failed to generate random key") } - servCertTemplate, err := createServerCertTemplate(org, hosts, notAfter) + var cert *x509.Certificate + + cert, err = certTemplate(org, hosts, notAfter) if err != nil { - return nil, nil, nil, errors.Wrap(err, "failed to create server cert template") + return nil, nil, nil, err + } + cert.KeyUsage = x509.KeyUsageDigitalSignature + if server { + cert.ExtKeyUsage = append(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth) + } + if client { + cert.ExtKeyUsage = append(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth) } // create a certificate wrapping the public key, sign it with the CA private key - _, servCertPEM, err := createCert(servCertTemplate, caCertificate, &servKey.PublicKey, caKey) + _, certPEM, err := createCert(cert, caCertificate, &privateKey.PublicKey, caKey) if err != nil { return nil, nil, nil, errors.Wrap(err, "failed to sign server cert") } - servKeyPEM := pem.EncodeToMemory(&pem.Block{ - Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(servKey), + privateKeyPEM := pem.EncodeToMemory(&pem.Block{ + Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey), }) - return servKeyPEM, servCertPEM, caCertificatePEM, nil + return privateKeyPEM, certPEM, caCertificatePEM, nil } diff --git a/common/tls/tls_test.go b/common/tls/tls_test.go index 5f3ee1183a..1ff14f267a 100644 --- a/common/tls/tls_test.go +++ b/common/tls/tls_test.go @@ -12,7 +12,7 @@ import ( func TestCreateCerts(t *testing.T) { t.Run("test create certs", func(t *testing.T) { - sKey, serverCertPEM, caCertBytes, err := CreateCerts("test-org", []string{"test-host"}, time.Now().AddDate(1, 0, 0)) + sKey, serverCertPEM, caCertBytes, err := CreateCerts("test-org", []string{"test-host"}, time.Now().AddDate(1, 0, 0), true, false) assert.NoError(t, err) p, _ := pem.Decode(sKey) assert.Equal(t, "RSA PRIVATE KEY", p.Type) diff --git a/controllers/eventbus/installer/assets/jetstream/nats.conf b/controllers/eventbus/installer/assets/jetstream/nats.conf index 2dc882d06e..50ef7f89cf 100644 --- a/controllers/eventbus/installer/assets/jetstream/nats.conf +++ b/controllers/eventbus/installer/assets/jetstream/nats.conf @@ -29,6 +29,12 @@ cluster { routes: [{{.Routes}}] cluster_advertise: $CLUSTER_ADVERTISE connect_retries: 120 + + tls { + cert_file: "/etc/nats-config/cluster-server-cert.pem" + key_file: "/etc/nats-config/cluster-server-key.pem" + ca_file: "/etc/nats-config/cluster-ca-cert.pem" + } } lame_duck_duration: 120s ################## diff --git a/controllers/eventbus/installer/assets/jetstream/server-auth.conf b/controllers/eventbus/installer/assets/jetstream/server-auth.conf index dedfa06ee9..4257cd2382 100644 --- a/controllers/eventbus/installer/assets/jetstream/server-auth.conf +++ b/controllers/eventbus/installer/assets/jetstream/server-auth.conf @@ -13,3 +13,9 @@ accounts: { ] } } + +tls { + cert_file: "/etc/nats-config/server-cert.pem" + key_file: "/etc/nats-config/server-key.pem" + ca_file: "/etc/nats-config/ca-cert.pem" +} \ No newline at end of file diff --git a/controllers/eventbus/installer/jetstream.go b/controllers/eventbus/installer/jetstream.go index 65e693b0f2..7736c1ad4c 100644 --- a/controllers/eventbus/installer/jetstream.go +++ b/controllers/eventbus/installer/jetstream.go @@ -8,6 +8,7 @@ import ( "strconv" "strings" "text/template" + "time" "github.com/spf13/viper" "go.uber.org/zap" @@ -17,11 +18,13 @@ import ( apiresource "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" + apitypes "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/yaml" "github.com/argoproj/argo-events/common" + "github.com/argoproj/argo-events/common/tls" "github.com/argoproj/argo-events/controllers" "github.com/argoproj/argo-events/pkg/apis/eventbus/v1alpha1" ) @@ -38,6 +41,18 @@ var ( jetStremAssets embed.FS ) +const ( + secretServerKeyPEMFile = "server-key.pem" + secretServerCertPEMFile = "server-cert.pem" + secretCACertPEMFile = "ca-cert.pem" + + secretClusterKeyPEMFile = "cluster-server-key.pem" + secretClusterCertPEMFile = "cluster-server-cert.pem" + secretClusterCACertPEMFile = "cluster-ca-cert.pem" + + certOrg = "io.argoproj" +) + type jetStreamInstaller struct { client client.Client eventBus *v1alpha1.EventBus @@ -292,6 +307,30 @@ func (r *jetStreamInstaller) buildStatefulSetSpec(jsVersion *controllers.JetStre Key: common.JetStreamServerSecretAuthKey, Path: "auth.conf", }, + { + Key: common.JetStreamServerPrivateKeyKey, + Path: secretServerKeyPEMFile, + }, + { + Key: common.JetStreamServerCertKey, + Path: secretServerCertPEMFile, + }, + { + Key: common.JetStreamServerCACertKey, + Path: secretCACertPEMFile, + }, + { + Key: common.JetStreamClusterPrivateKeyKey, + Path: secretClusterKeyPEMFile, + }, + { + Key: common.JetStreamClusterCertKey, + Path: secretClusterCertPEMFile, + }, + { + Key: common.JetStreamClusterCACertKey, + Path: secretClusterCACertPEMFile, + }, }, }, }, @@ -437,59 +476,11 @@ func (r *jetStreamInstaller) buildStatefulSetSpec(jsVersion *controllers.JetStre } func (r *jetStreamInstaller) createSecrets(ctx context.Context) error { - encryptionKey := common.RandomString(12) - jsUser := common.RandomString(8) - jsPass := common.RandomString(16) - sysPassword := common.RandomString(24) - authTpl := template.Must(template.ParseFS(jetStremAssets, "assets/jetstream/server-auth.conf")) - var authTplOutput bytes.Buffer - if err := authTpl.Execute(&authTplOutput, struct { - JetStreamUser string - JetStreamPassword string - SysPassword string - }{ - JetStreamUser: jsUser, - JetStreamPassword: jsPass, - SysPassword: sysPassword, - }); err != nil { - return fmt.Errorf("failed to parse nats auth template, error: %w", err) - } - - serverObj := &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: r.eventBus.Namespace, - Name: generateJetStreamServerSecretName(r.eventBus), - Labels: r.labels, - OwnerReferences: []metav1.OwnerReference{ - *metav1.NewControllerRef(r.eventBus.GetObjectMeta(), v1alpha1.SchemaGroupVersionKind), - }, - }, - Type: corev1.SecretTypeOpaque, - Data: map[string][]byte{ - common.JetStreamServerSecretAuthKey: authTplOutput.Bytes(), - common.JetStreamServerSecretEncryptionKey: []byte(encryptionKey), - }, - } - - clientAuthObj := &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: r.eventBus.Namespace, - Name: generateJetStreamClientAuthSecretName(r.eventBus), - Labels: r.labels, - OwnerReferences: []metav1.OwnerReference{ - *metav1.NewControllerRef(r.eventBus.GetObjectMeta(), v1alpha1.SchemaGroupVersionKind), - }, - }, - Type: corev1.SecretTypeOpaque, - Data: map[string][]byte{ - common.JetStreamClientAuthSecretKey: []byte(fmt.Sprintf("username: %s\npassword: %s", jsUser, jsPass)), - }, - } - + // first check to see if the secrets already exist oldServerObjExisting, oldClientObjExisting := true, true oldSObj := &corev1.Secret{} - if err := r.client.Get(ctx, client.ObjectKeyFromObject(serverObj), oldSObj); err != nil { + if err := r.client.Get(ctx, apitypes.NamespacedName{Namespace: r.eventBus.Namespace, Name: generateJetStreamServerSecretName(r.eventBus)}, oldSObj); err != nil { if apierrors.IsNotFound(err) { oldServerObjExisting = false } else { @@ -498,7 +489,7 @@ func (r *jetStreamInstaller) createSecrets(ctx context.Context) error { } oldCObj := &corev1.Secret{} - if err := r.client.Get(ctx, client.ObjectKeyFromObject(clientAuthObj), oldCObj); err != nil { + if err := r.client.Get(ctx, apitypes.NamespacedName{Namespace: r.eventBus.Namespace, Name: generateJetStreamClientAuthSecretName(r.eventBus)}, oldCObj); err != nil { if apierrors.IsNotFound(err) { oldClientObjExisting = false } else { @@ -506,33 +497,106 @@ func (r *jetStreamInstaller) createSecrets(ctx context.Context) error { } } - if oldClientObjExisting && oldServerObjExisting { // Both existing, do nothing - return nil - } + if !oldClientObjExisting || !oldServerObjExisting { + // Generate server-auth.conf file + encryptionKey := common.RandomString(12) + jsUser := common.RandomString(8) + jsPass := common.RandomString(16) + sysPassword := common.RandomString(24) + authTpl := template.Must(template.ParseFS(jetStremAssets, "assets/jetstream/server-auth.conf")) + var authTplOutput bytes.Buffer + if err := authTpl.Execute(&authTplOutput, struct { + JetStreamUser string + JetStreamPassword string + SysPassword string + }{ + JetStreamUser: jsUser, + JetStreamPassword: jsPass, + SysPassword: sysPassword, + }); err != nil { + return fmt.Errorf("failed to parse nats auth template, error: %w", err) + } - if oldClientObjExisting { - if err := r.client.Delete(ctx, oldSObj); err != nil { - return fmt.Errorf("failed to delete malformed nats server auth secret, err: %w", err) + // Generate TLS self signed certificate for Jetstream bus: includes TLS private key, certificate, and CA certificate + hosts := []string{} + hosts = append(hosts, fmt.Sprintf("%s.%s.svc.cluster.local", generateJetStreamServiceName(r.eventBus), r.eventBus.Namespace)) // todo: get an error in the log file related to this: do we need it? + hosts = append(hosts, fmt.Sprintf("%s.%s.svc", generateJetStreamServiceName(r.eventBus), r.eventBus.Namespace)) + + serverKeyPEM, serverCertPEM, caCertPEM, err := tls.CreateCerts(certOrg, hosts, time.Now().Add(10*365*24*time.Hour), true, false) // expires in 10 years + if err != nil { + return err } - r.logger.Infow("deleted malformed nats server auth secret successfully") - } - if oldServerObjExisting { - if err := r.client.Delete(ctx, oldCObj); err != nil { - return fmt.Errorf("failed to delete malformed nats client auth secret, err: %w", err) + // Generate TLS self signed certificate for Jetstream cluster nodes: includes TLS private key, certificate, and CA certificate + clusterNodeHosts := []string{fmt.Sprintf("*.%s.%s.svc.cluster.local", generateJetStreamServiceName(r.eventBus), r.eventBus.Namespace)} + r.logger.Infof("cluster node hosts: %+v", clusterNodeHosts) + clusterKeyPEM, clusterCertPEM, clusterCACertPEM, err := tls.CreateCerts(certOrg, clusterNodeHosts, time.Now().Add(10*365*24*time.Hour), true, true) // expires in 10 years + if err != nil { + return err } - r.logger.Infow("deleted malformed nats client auth secret successfully") - } - if err := r.client.Create(ctx, serverObj); err != nil { - return fmt.Errorf("failed to create nats server auth secret, err: %w", err) - } - r.logger.Infow("created nats server auth secret successfully") + serverObj := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: r.eventBus.Namespace, + Name: generateJetStreamServerSecretName(r.eventBus), + Labels: r.labels, + OwnerReferences: []metav1.OwnerReference{ + *metav1.NewControllerRef(r.eventBus.GetObjectMeta(), v1alpha1.SchemaGroupVersionKind), + }, + }, + Type: corev1.SecretTypeOpaque, + Data: map[string][]byte{ + common.JetStreamServerSecretAuthKey: authTplOutput.Bytes(), + common.JetStreamServerSecretEncryptionKey: []byte(encryptionKey), + common.JetStreamServerPrivateKeyKey: serverKeyPEM, + common.JetStreamServerCertKey: serverCertPEM, + common.JetStreamServerCACertKey: caCertPEM, + common.JetStreamClusterPrivateKeyKey: clusterKeyPEM, + common.JetStreamClusterCertKey: clusterCertPEM, + common.JetStreamClusterCACertKey: clusterCACertPEM, + }, + } + + clientAuthObj := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: r.eventBus.Namespace, + Name: generateJetStreamClientAuthSecretName(r.eventBus), + Labels: r.labels, + OwnerReferences: []metav1.OwnerReference{ + *metav1.NewControllerRef(r.eventBus.GetObjectMeta(), v1alpha1.SchemaGroupVersionKind), + }, + }, + Type: corev1.SecretTypeOpaque, + Data: map[string][]byte{ + common.JetStreamClientAuthSecretKey: []byte(fmt.Sprintf("username: %s\npassword: %s", jsUser, jsPass)), + }, + } + + if oldServerObjExisting { + if err := r.client.Delete(ctx, oldSObj); err != nil { + return fmt.Errorf("failed to delete malformed nats server auth secret, err: %w", err) + } + r.logger.Infow("deleted malformed nats server auth secret successfully") + } + + if oldClientObjExisting { + if err := r.client.Delete(ctx, oldCObj); err != nil { + return fmt.Errorf("failed to delete malformed nats client auth secret, err: %w", err) + } + r.logger.Infow("deleted malformed nats client auth secret successfully") + } - if err := r.client.Create(ctx, clientAuthObj); err != nil { - return fmt.Errorf("failed to create nats client auth secret, err: %w", err) + if err := r.client.Create(ctx, serverObj); err != nil { + return fmt.Errorf("failed to create nats server auth secret, err: %w", err) + } + r.logger.Infow("created nats server auth secret successfully") + + if err := r.client.Create(ctx, clientAuthObj); err != nil { + return fmt.Errorf("failed to create nats client auth secret, err: %w", err) + } + r.logger.Infow("created nats client auth secret successfully") } - r.logger.Infow("created nats client auth secret successfully") + return nil } diff --git a/controllers/eventbus/installer/jetstream_test.go b/controllers/eventbus/installer/jetstream_test.go index d6899c1d92..bd56b64ff7 100644 --- a/controllers/eventbus/installer/jetstream_test.go +++ b/controllers/eventbus/installer/jetstream_test.go @@ -118,9 +118,15 @@ func TestJetStreamCreateObjects(t *testing.T) { s := &corev1.Secret{} err = cl.Get(ctx, types.NamespacedName{Namespace: testObj.Namespace, Name: generateJetStreamServerSecretName(testObj)}, s) assert.NoError(t, err) - assert.Equal(t, 2, len(s.Data)) + assert.Equal(t, 8, len(s.Data)) assert.Contains(t, s.Data, common.JetStreamServerSecretAuthKey) assert.Contains(t, s.Data, common.JetStreamServerSecretEncryptionKey) + assert.Contains(t, s.Data, common.JetStreamServerPrivateKeyKey) + assert.Contains(t, s.Data, common.JetStreamServerCertKey) + assert.Contains(t, s.Data, common.JetStreamServerCACertKey) + assert.Contains(t, s.Data, common.JetStreamClusterPrivateKeyKey) + assert.Contains(t, s.Data, common.JetStreamClusterCertKey) + assert.Contains(t, s.Data, common.JetStreamClusterCACertKey) s = &corev1.Secret{} err = cl.Get(ctx, types.NamespacedName{Namespace: testObj.Namespace, Name: generateJetStreamClientAuthSecretName(testObj)}, s) assert.NoError(t, err) diff --git a/eventbus/common/structs.go b/eventbus/common/structs.go index 1bbca68f2e..c19dcd4707 100644 --- a/eventbus/common/structs.go +++ b/eventbus/common/structs.go @@ -6,8 +6,8 @@ import ( // Auth contains the auth infor for event bus type Auth struct { - Strategy eventbusv1alpha1.AuthStrategy - Crendential *AuthCredential + Strategy eventbusv1alpha1.AuthStrategy + Credential *AuthCredential } // AuthCredential host the credential info diff --git a/eventbus/driver.go b/eventbus/driver.go index 351c38b251..7252a48600 100644 --- a/eventbus/driver.go +++ b/eventbus/driver.go @@ -140,8 +140,8 @@ func GetAuth(ctx context.Context, eventBusConfig eventbusv1alpha1.BusConfig) (*e logger.Fatal("Eventbus auth config file changed, exiting..") }) auth = &eventbuscommon.Auth{ - Strategy: *eventBusAuth, - Crendential: cred, + Strategy: *eventBusAuth, + Credential: cred, } } diff --git a/eventbus/jetstream/base/jetstream.go b/eventbus/jetstream/base/jetstream.go index 52bb1b6929..c3076308f8 100644 --- a/eventbus/jetstream/base/jetstream.go +++ b/eventbus/jetstream/base/jetstream.go @@ -2,6 +2,7 @@ package base import ( "bytes" + "crypto/tls" "fmt" "github.com/argoproj/argo-events/common" @@ -55,6 +56,7 @@ func (stream *Jetstream) Init() error { func (stream *Jetstream) MakeConnection() (*JetstreamConnection, error) { log := stream.Logger conn := &JetstreamConnection{Logger: stream.Logger} + opts := []nats.Option{ // todo: try out Jetstream's auto-reconnection capability nats.NoReconnect(), @@ -66,14 +68,18 @@ func (stream *Jetstream) MakeConnection() (*JetstreamConnection, error) { conn.NATSConnected = true log.Info("Reconnected to NATS server") }), + nats.Secure(&tls.Config{ + InsecureSkipVerify: true, + }), } + switch stream.auth.Strategy { case eventbusv1alpha1.AuthStrategyToken: log.Info("NATS auth strategy: Token") - opts = append(opts, nats.Token(stream.auth.Crendential.Token)) + opts = append(opts, nats.Token(stream.auth.Credential.Token)) case eventbusv1alpha1.AuthStrategyBasic: log.Info("NATS auth strategy: Basic") - opts = append(opts, nats.UserInfo(stream.auth.Crendential.Username, stream.auth.Crendential.Password)) + opts = append(opts, nats.UserInfo(stream.auth.Credential.Username, stream.auth.Credential.Password)) case eventbusv1alpha1.AuthStrategyNone: log.Info("NATS auth strategy: None") default: diff --git a/eventbus/stan/base/stan.go b/eventbus/stan/base/stan.go index ece02490bf..afa4a7fb6e 100644 --- a/eventbus/stan/base/stan.go +++ b/eventbus/stan/base/stan.go @@ -45,7 +45,7 @@ func (n *STAN) MakeConnection(clientID string) (*STANConnection, error) { switch n.auth.Strategy { case eventbusv1alpha1.AuthStrategyToken: log.Info("NATS auth strategy: Token") - opts = append(opts, nats.Token(n.auth.Crendential.Token)) + opts = append(opts, nats.Token(n.auth.Credential.Token)) case eventbusv1alpha1.AuthStrategyNone: log.Info("NATS auth strategy: None") default: diff --git a/webhook/webhook.go b/webhook/webhook.go index c9ad6ff9c2..6b5b6412de 100644 --- a/webhook/webhook.go +++ b/webhook/webhook.go @@ -292,7 +292,7 @@ func (ac *AdmissionController) generateSecret(ctx context.Context) (*corev1.Secr hosts := []string{} hosts = append(hosts, fmt.Sprintf("%s.%s.svc.cluster.local", ac.Options.ServiceName, ac.Options.Namespace)) hosts = append(hosts, fmt.Sprintf("%s.%s.svc", ac.Options.ServiceName, ac.Options.Namespace)) - serverKey, serverCert, caCert, err := commontls.CreateCerts(certOrg, hosts, time.Now().Add(10*365*24*time.Hour)) + serverKey, serverCert, caCert, err := commontls.CreateCerts(certOrg, hosts, time.Now().Add(10*365*24*time.Hour), true, false) if err != nil { return nil, err }