nats-io / k8s

NATS on Kubernetes with Helm Charts
Apache License 2.0
455 stars 305 forks source link

Fix nats cluster authorization when empty user/pass #685

Closed MikaelElkiaer closed 1 year ago

MikaelElkiaer commented 1 year ago

Problem

Stumbled upon an interesting, and very chaotic issue.

Installing the chart with a simple values file like this:

cluster:
  enabled: true
authorization:
  timeout: 10

will be templates into a bad nats server config. The config will parse, but the generated routes will contain bad values:

cluster {
  port: 6222
  name: nats
  authorization {
    timeout: 10
  }

  routes = [
    nats://%3Cno+value%3E:%3Cno+value%3E@nats-0.nats.nats.svc.cluster.local:6222,nats://%3Cno+value%3E:%3Cno+value%3E@nats-1.nats.nats.svc.cluster.local:6222,nats://%3Cno+value%3E:%3Cno+value%3E@nats-2.nats.nats.svc.cluster.local:6222,

  ]
  cluster_advertise: $CLUSTER_ADVERTISE
  no_advertise: true

  connect_retries: 120
}

Since the cluster.authorization.timeout is set, username:password@ will be added to the cluster node URLs. But, there are no default values for username or password, so when url-encoding the values they turn into <no value>.

The consequence of this seems to have been very chaotic coordination between cluster nodes.

Fix

I've added an extra conditional around the authorization template.

caleblloyd commented 1 year ago

This should not be a problem anymore in 1.x, which has now been released