
NATS helm setup example - error: nats: secure connection not available #777

Closed ekmobile closed 1 year ago

ekmobile commented 1 year ago

I'm using Kubernetes 1.27.2 on Docker Desktop for macOS. I reset the Kubernetes Cluster before running any command. I'm using the example from here to create a TLS Enabled Cluster:

kubectl create secret generic nats-client-tls --from-file=tls.crt=./certs/server.pem --from-file=tls.key=./certs/server-key.pem --from-file=ca.crt=./certs/ca.pem

tls.yaml:

nats:
  tls:
    secret:
      name: nats-client-tls
    ca: "ca.crt"
    cert: "tls.crt"
    key: "tls.key"

helm install nats nats/nats --values tls.yaml

helm get values nats gets me:

USER-SUPPLIED VALUES:
nats:
  tls:
    ca: ca.crt
    cert: tls.crt
    key: tls.key
    secret:
      name: nats-client-tls

after

kubectl port-forward service/nats 4222:4222

Then I'm using the client example taken from here to access the server:

package main

import (
    "encoding/json"
    "flag"
    "fmt"
    "log"
    "os"
    "time"

    "github.com/nats-io/nats.go"
    "github.com/nats-io/nuid"
)

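// main connects to NATS over TLS and, once a second, publishes this
// process's connection statistics on a per-instance discovery subject,
// while logging every status message it receives from other instances.
//
// Flags: -s (server list), -cacert (root CA file), -cert (client
// certificate file), -key (client private key file). Credentials are read
// from the NATS_USER and NATS_PASSWORD environment variables rather than
// flags, so they do not appear in the process argument list.
func main() {
    var (
        serverList     string
        rootCACertFile string
        clientCertFile string
        clientKeyFile  string
    )
    flag.StringVar(&serverList, "s", "localhost:4222", "List of NATS of servers available")
    flag.StringVar(&rootCACertFile, "cacert", "ca.pem", "Root CA Certificate File")
    flag.StringVar(&clientCertFile, "cert", "client.pem", "Client Certificate File")
    flag.StringVar(&clientKeyFile, "key", "client-key.pem", "Client Private key")
    flag.Parse()

    log.Println("NATS endpoint:", serverList)
    log.Println("Root CA:", rootCACertFile)
    log.Println("Client Cert:", clientCertFile)
    log.Println("Client Key:", clientKeyFile)

    // Connect options: RootCAs limits which server certificates are trusted,
    // ClientCert presents our own certificate/key pair for mTLS.
    rootCA := nats.RootCAs(rootCACertFile)
    clientCert := nats.ClientCert(clientCertFile, clientKeyFile)
    alwaysReconnect := nats.MaxReconnects(-1)
    userInfo := nats.UserInfo(os.Getenv("NATS_USER"), os.Getenv("NATS_PASSWORD"))

    // Retry the initial connect forever with a one-second backoff; after
    // that, MaxReconnects(-1) lets the client library handle outages.
    var nc *nats.Conn
    for {
        var err error
        nc, err = nats.Connect(serverList, rootCA, clientCert, alwaysReconnect, userInfo)
        if err == nil {
            break
        }
        log.Printf("Error while connecting to NATS, backing off for a sec... (error: %s)", err)
        time.Sleep(1 * time.Second)
    }
    defer nc.Close()

    // A failed subscription was previously silently ignored; keep publishing
    // but make the failure visible.
    if _, err := nc.Subscribe("discovery.*.status", func(m *nats.Msg) {
        log.Printf("[Received on %q] %s", m.Subject, string(m.Data))
    }); err != nil {
        log.Printf("Error subscribing: %s", err)
    }

    discoverySubject := fmt.Sprintf("discovery.%s.status", nuid.Next())
    info := struct {
        InMsgs        uint64   `json:"in_msgs"`
        OutMsgs       uint64   `json:"out_msgs"`
        Reconnects    uint64   `json:"reconnects"`
        CurrentServer string   `json:"current_server"`
        Servers       []string `json:"servers"`
    }{}

    ticker := time.NewTicker(1 * time.Second)
    defer ticker.Stop()
    for range ticker.C {
        stats := nc.Stats()
        info.InMsgs = stats.InMsgs
        info.OutMsgs = stats.OutMsgs
        info.Reconnects = stats.Reconnects
        info.CurrentServer = nc.ConnectedUrl()
        info.Servers = nc.Servers()

        payload, err := json.Marshal(info)
        if err != nil {
            log.Printf("Error marshalling data: %s", err)
            // Do not publish an empty payload when encoding failed.
            continue
        }
        if err := nc.Publish(discoverySubject, payload); err != nil {
            log.Printf("Error during publishing: %s", err)
        }
        if err := nc.Flush(); err != nil {
            log.Printf("Error flushing: %s", err)
        }
    }
}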

which gives me:

2023/08/11 13:50:41 NATS endpoint: localhost:4222
2023/08/11 13:50:41 Root CA: ca.pem
2023/08/11 13:50:41 Client Cert: client.pem
2023/08/11 13:50:41 Client Key: client-key.pem
2023/08/11 13:50:41 Error while connecting to NATS, backing off for a sec... (error: nats: secure connection not available)
2023/08/11 13:50:42 Error while connecting to NATS, backing off for a sec... (error: nats: secure connection not available)
2023/08/11 13:50:43 Error while connecting to NATS, backing off for a sec... (error: nats: secure connection not available)

Do you have an idea what's going wrong?

Thanks

caleblloyd commented 1 year ago

nats.tls.enabled must be true

Also, if you are using mTLS, the CA goes in tlsCA.

ekmobile commented 1 year ago

Thanks for your response, I used this configuration

nats:
  tls:
    enabled: true
    secret:
      name: nats-client-tls
    ca: "ca.crt"
    cert: "tls.crt"
    key: "tls.key"

but it gives me the same error.

caleblloyd commented 1 year ago

If you can, join the #k8s channel on https://natsio.slack.com and we can try to debug there. It is probably environment-related or a missing value; it does not look like a bug.