
feat: TLS for Jetstream #1815

Merged
merged 13 commits into from
Apr 6, 2022

Conversation

@juliev0 (Contributor) commented Apr 5, 2022

Fixes: #1797

Includes both client->server and intra-cluster

Uses self-signed certificates

Checklist:

juliev0 added 11 commits April 4, 2022 08:00
Signed-off-by: Julie Vogelman <julie_vogelman@intuit.com>
…Verify; also spelling fix

Signed-off-by: Julie Vogelman <julie_vogelman@intuit.com>
cert_file: "/etc/nats-config/cluster-server-cert.pem"
key_file: "/etc/nats-config/cluster-server-key.pem"
ca_file: "/etc/nats-config/cluster-ca-cert.pem"
}
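Review bot: the tls block sets cert_file, key_file and ca_file but no `verify` setting is visible in this fragment; since a ca_file is being distributed to every node, confirm that route peers are actually required to present a certificate chained to it (`verify: true`, or the server's documented behaviour for cluster routes), otherwise the CA file only encrypts the route and does not authenticate the peer. Also worth a doc line: the private key at "/etc/nats-config/cluster-server-key.pem" sits next to the config, so note which Secret it is mounted from and that it should not be readable by other containers in the pod.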
Contributor Author

In some ways this belongs in server-auth.conf. I tried adding a second "cluster" section into there but I don't think NATS can handle the two sections.

Signed-off-by: Julie Vogelman <julie_vogelman@intuit.com>
common/leaderelection/leaderelection.go (resolved review thread)
return fmt.Errorf("failed to delete malformed nats client auth secret, err: %w", err)
// Generate TLS self signed certificate for Jetstream cluster nodes: includes TLS private key, certificate, and CA certificate
clusterNodeHosts := []string{}
for i := 0; i < r.eventBus.Spec.JetStream.GetReplicas(); i++ {
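Review bot: the host list for the certificate is derived from r.eventBus.Spec.JetStream.GetReplicas() at generation time, so a later change to replicas leaves the certificate's SANs out of date and new pods will fail name verification until the secret is regenerated. Either add a wildcard SAN covering the headless service domain, or compare the stored certificate's SANs against the desired host set and regenerate when they differ.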
Member

Is it able to do "*.xxx"? Updating replicas will not regenerate the CERT.

Contributor Author

Good thinking. Let me see.

Contributor Author

Great, using a wildcard in the first position seems to work:
`fmt.Sprintf("*.%s.%s.svc.cluster.local", generateJetStreamServiceName(r.eventBus), r.eventBus.Namespace)`
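As an added example, not code from this PR or from the argo-events project, the wildcard SAN idea from the comment above: it issues a self-signed certificate whose only DNS SAN is `*.<service>.<namespace>.svc.cluster.local` and checks which pod hostnames Go's TLS name matching accepts; the service name and namespace are constructed sample values and `wildcardHost` stands in for the project's helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// wildcardHost builds the SAN pattern from the thread; serviceName and
// namespace are constructed sample inputs, not values taken from the project.
func wildcardHost(serviceName, namespace string) string {
	return fmt.Sprintf("*.%s.%s.svc.cluster.local", serviceName, namespace)
}

// selfSignedCert issues a self-signed certificate whose only DNS SAN is dnsName,
// so every pod ordinal behind the headless service matches without regeneration.
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{dnsName},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostMatches is the name check a TLS peer performs against the presented cert:
// "*" matches exactly one DNS label, so a.b.svc... and the bare service name fail.
func hostMatches(cert *x509.Certificate, host string) bool {
	return cert != nil && cert.VerifyHostname(host) == nil
}

func main() {
	cert, err := selfSignedCert(wildcardHost("eventbus-default-js-svc", "argo-events"))
	fmt.Println(err, hostMatches(cert, "eventbus-default-js-0.eventbus-default-js-svc.argo-events.svc.cluster.local"))
}
```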

… the DNS names passed to generate the certificate

Signed-off-by: Julie Vogelman <julie_vogelman@intuit.com>
@whynowy (Member) left a comment

LGTM! Good work!

Linked issue: Jetstream - incorporate TLS as default