nats-io / k8s

NATS on Kubernetes with Helm Charts
Apache License 2.0

How to allow leafnode remotes but not leafnode connections #895

Closed tommyjcarpenter closed 4 months ago

tommyjcarpenter commented 4 months ago

What motivated this proposal?

I don't see how it's possible to form a config that looks like this:

listen:4222

port: 4222 # client port

leafnodes {
    # NO PORT DOES NOT LISTEN FOR  LEAFS
    remotes = [
        {
            url: "nats://...:7422",
            account: ...
            credentials: ...
        },
    ],
}

without adding a port, so that this server itself does not allow leaf connections.

I have tested that this works, without helm.

Even explicitly setting it to null:

nats:
   config:
      leafnodes:
        enabled: true
        port: null   # doesn't work
        remotes:
          - url: xxx:7222
            account: ...
            credentials: ...

doesn't work:

[7] 2024/04/26 15:34:31.189556 [INF] Listening for leafnode connections on 0.0.0.0:7422.  # DONT WANT
[7] 2024/04/26 15:34:31.189855 [INF] Listening for client connections on 0.0.0.0:4222
[7] 2024/04/26 15:34:31.189865 [INF] TLS required for client connections
[7] 2024/04/26 15:34:31.189974 [INF] Server is ready
[7] 2024/04/26 15:34:31.190021 [INF] Cluster name is infra-nats
[7] 2024/04/26 15:34:31.190045 [INF] Listening for route connections on 0.0.0.0:6222
... trying to connect to route (attempt 1): dial (unrelated error connecting out to xxx:7222)

The relevant template is here: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/files/config/leafnodes.yaml#L2

What is the proposed change?

Maybe move port under a flag like if allowConnections?

Who benefits from this change?

No response

What alternatives have you evaluated?

No response

caleblloyd commented 4 months ago

Dupe of #772

Right now the config.leafnodes.enabled turns on the server portion. If all you need is remotes, leave config.leafnodes.enabled=false; you should be able to work around it with something like this:

config:
  merge:
    leafnodes:
      remotes:
      - url: xxx:7222
        account: ...
        credentials: ...

Since you can put any valid nats.conf into config.merge.

tommyjcarpenter commented 4 months ago

@caleblloyd that still leaves:

[7] 2024/04/26 23:19:40.432725 [ERR] Error trying to connect as leafnode to remote server ":7422" (attempt 1): lookup for host "": lookup : no such host               

because it gets merged in with the default parameters.
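
The thread turns on whether the rendered config really leaves the leafnode listener closed, which the startup log shows directly. The following is an added example, not code from the thread's participants or from the nats-io/k8s chart: it checks a startup log for listeners outside an allowed set. The function names are hypothetical, the sample log is copied from the lines quoted in the issue, and it only recognises `Listening for <kind> connections on host:port` lines of the form shown there.

```python
import re

# Matches nats-server startup lines of the form quoted in the issue, e.g.
#   [7] 2024/04/26 15:34:31.189556 [INF] Listening for leafnode connections on 0.0.0.0:7422
LISTEN_RE = re.compile(
    r"\[INF\] Listening for (?P<kind>\w+) connections on (?P<host>\S+?):(?P<port>\d+)\b"
)


def listeners(log_text):
    """Return {kind: (host, port)} for every listener announced in the log."""
    found = {}
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            found[m["kind"]] = (m["host"], int(m["port"]))
    return found


def unexpected_listeners(log_text, allowed):
    """Listeners the server opened whose kind is not in the allowed set."""
    return {k: v for k, v in listeners(log_text).items() if k not in allowed}


# Startup lines copied from the log quoted in the issue (inline annotation removed).
SAMPLE_LOG = """\
[7] 2024/04/26 15:34:31.189556 [INF] Listening for leafnode connections on 0.0.0.0:7422
[7] 2024/04/26 15:34:31.189855 [INF] Listening for client connections on 0.0.0.0:4222
[7] 2024/04/26 15:34:31.189865 [INF] TLS required for client connections
[7] 2024/04/26 15:34:31.189974 [INF] Server is ready
[7] 2024/04/26 15:34:31.190045 [INF] Listening for route connections on 0.0.0.0:6222
"""

if __name__ == "__main__":
    # Remote-only leaf setup: client and route listeners are expected,
    # an inbound leafnode listener is not.
    extra = unexpected_listeners(SAMPLE_LOG, allowed={"client", "route"})
    for kind, (host, port) in extra.items():
        print(f"unexpected {kind} listener on {host}:{port}")
    raise SystemExit(1 if extra else 0)
```

Run against the output of `kubectl logs` for the NATS pod after a chart upgrade, a non-zero exit means the server opened a listener the deployment was not meant to expose.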