feat: TLS for Jetstream #1815
Conversation
Signed-off-by: Julie Vogelman <julie_vogelman@intuit.com>
…Verify; also spelling fix
Signed-off-by: Julie Vogelman <julie_vogelman@intuit.com>
cert_file: "/etc/nats-config/cluster-server-cert.pem" | ||
key_file: "/etc/nats-config/cluster-server-key.pem" | ||
ca_file: "/etc/nats-config/cluster-ca-cert.pem" | ||
} |
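Review bot: the cluster `tls` block lists `cert_file`, `key_file` and `ca_file`, but no `verify` setting is visible in these lines. Without `verify: true` NATS encrypts the route connection but does not require the peer node to present a certificate signed by `ca_file`, so the intra-cluster link is not mutually authenticated; confirm `verify: true` sits alongside these three keys (the later commit titled "…Verify" suggests it was added).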
In some ways this belongs in server-auth.conf. I tried adding a second "cluster" section into there but I don't think NATS can handle the two sections.
return fmt.Errorf("failed to delete malformed nats client auth secret, err: %w", err) | ||
// Generate TLS self signed certificate for Jetstream cluster nodes: includes TLS private key, certificate, and CA certificate | ||
clusterNodeHosts := []string{} | ||
for i := 0; i < r.eventBus.Spec.JetStream.GetReplicas(); i++ { |
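Review bot: the `clusterNodeHosts` loop sizes the certificate's host list from `GetReplicas()` at generation time, so scaling the JetStream replicas up later leaves the new pods with no matching SAN until the secret is regenerated, and nothing in this hunk triggers that regeneration. A single wildcard DNS name for the headless service (`*.<service>.<namespace>.svc.cluster.local`) covers every replica regardless of count and removes the dependency on the replica number here.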
Is it able to do "*.xxx"? Updating replicas will not regenerate the CERT.
Good thinking. Let me see.
Great, using a wildcard in the first position seems to work:
fmt.Sprintf("*.%s.%s.svc.cluster.local", generateJetStreamServiceName(r.eventBus), r.eventBus.Namespace)
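As an added example (not code from this PR or from Argo Events), the following Go program builds the wildcard SAN discussed above into a self-signed certificate and checks which pod hostnames it covers, which is the check each TLS peer performs against the other node's DNS name. The service and namespace names are constructed, and `selfSignedClusterCert` and `hostCovered` are hypothetical helpers using only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// wildcardSAN is the DNS name from the comment above: one wildcard label covering
// every pod behind the JetStream headless service, so scaling needs no new cert.
func wildcardSAN(serviceName, namespace string) string {
	return fmt.Sprintf("*.%s.%s.svc.cluster.local", serviceName, namespace)
}

// selfSignedClusterCert issues a self-signed cert whose only SAN is the wildcard
// name (hypothetical helper, not the project's own code). ExtKeyUsage carries
// both server and client auth because a cluster node acts as both on routes.
func selfSignedClusterCert(serviceName, namespace string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "jetstream-cluster"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{wildcardSAN(serviceName, namespace)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostCovered is the SAN match a TLS peer performs against a pod's DNS name.
func hostCovered(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, err := selfSignedClusterCert("eventbus-default-js-svc", "argo-events") // constructed names
	if err != nil {
		panic(err)
	}
	fmt.Println(hostCovered(cert, "eventbus-default-js-0.eventbus-default-js-svc.argo-events.svc.cluster.local"))
}
```

The wildcard matches exactly one DNS label, so a pod of another service in the same namespace, or the bare service name, is rejected.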
… the DNS names passed to generate the certificate
Signed-off-by: Julie Vogelman <julie_vogelman@intuit.com>
LGTM! Good work!
Fixes: #1797
Includes both client->server and intra-cluster
Uses self-signed certificates