nats-io / nats-streaming-operator

NATS Streaming Operator
Apache License 2.0

Support custom certs for TLS via Secret #2

Open wallyqs opened 5 years ago

wallyqs commented 5 years ago

It should be possible to configure the certs used for the client connection to the NATS cluster.

visheyra commented 5 years ago

This might be a dumb question, but would you consider using the Kubernetes certificate API? This would be useful since the certificates can be managed using a CRD. Another point is that certificates issued this way use the cluster CA, which can be configured to be mounted into the pod using the service account.

The link to the certificate API documentation is here.

wallyqs commented 5 years ago

Not a dumb question at all; that looks like it might be a good approach and would also help keep everything in terms of Kubernetes.

visheyra commented 5 years ago

@wallyqs I'm delighted that you like the idea. Are you or anyone else currently working on this topic?

wallyqs commented 5 years ago

Not planned at this moment; currently pending investigation of a simple way to integrate with that feature.

wallyqs commented 5 years ago

When using secrets for the certs and mounting them, this could be done via a template, but it would be good to add an example.

dmitryzykov commented 4 years ago

Is there any example of how to use TLS in the NATS Streaming Operator to connect to a NATS cluster?

sdhoward commented 4 years ago

I was unable to set container command-line flags through the pod template spec, but it looks like you can specify a config file ConfigMap in the NatsStreamingCluster spec... if anyone has a better way, please comment.

```yaml
apiVersion: "streaming.nats.io/v1alpha1"
kind: NatsStreamingCluster
metadata:
  name: streaming-nats
  namespace: foo
spec:
  size: 3
  natsSvc: nats.foo.svc.cluster.local
  # Path of the config file inside the container; served from the ConfigMap below.
  configFile: /etc/stan/config/stan.conf
  template:
    spec:
      containers:
        - name: stan
          volumeMounts:
            - mountPath: /etc/stan/config
              name: stan-config-volume
            # The TLS Secret is mounted here; its keys become the file names
            # referenced in stan.conf (server.pem, server-key.pem, ca.pem).
            - mountPath: /etc/stan-ssl
              name: nats-secrets-volume
      volumes:
        - configMap:
            name: stan-config
          name: stan-config-volume
        - secret:
            secretName: nats-tls
          name: nats-secrets-volume
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: stan-config
  namespace: foo
data:
  stan.conf: |
    streaming {
      tls: {
          client_cert: "/etc/stan-ssl/server.pem"
          client_key: "/etc/stan-ssl/server-key.pem"
          client_cacert: "/etc/stan-ssl/ca.pem"
      }
    }
```
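As an added example (not code from this thread or from the operator project), here is a small POSIX shell helper that builds the `nats-tls` Secret the manifest above mounts at `/etc/stan-ssl`, with data keys chosen to match the file names `stan.conf` references; it checks each input is a PEM block of the expected type and needs no `kubectl`, so the output can be reviewed before being piped to `kubectl apply -f -`. Function names and the PEM file paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit the "nats-tls" Secret consumed by the NatsStreamingCluster
# manifest above. Data keys must equal the file names used in stan.conf
# (server.pem, server-key.pem, ca.pem); a mismatch shows up as a missing file
# under /etc/stan-ssl at startup, not as a validation error.

# b64 FILE: base64-encode a file on a single line (portable across GNU and BSD base64).
b64() { base64 < "$1" | tr -d '\n'; }

# pem_check FILE LABEL: fail unless FILE is readable and starts a PEM block whose
# header ends in LABEL (e.g. CERTIFICATE, or PRIVATE KEY for RSA/EC/PKCS#8 keys).
pem_check() {
  [ -r "$1" ] || { echo "missing or unreadable: $1" >&2; return 1; }
  grep -q "^-----BEGIN .*$2-----" "$1" || { echo "not a PEM $2: $1" >&2; return 1; }
}

# make_tls_secret NAME NAMESPACE CERT KEY CA: print the Secret manifest on stdout.
# Returns non-zero (and prints nothing) if any input fails pem_check.
make_tls_secret() {
  name=$1; ns=$2; cert=$3; key=$4; ca=$5
  pem_check "$cert" CERTIFICATE && pem_check "$key" "PRIVATE KEY" \
    && pem_check "$ca" CERTIFICATE || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  server.pem: $(b64 "$cert")
  server-key.pem: $(b64 "$key")
  ca.pem: $(b64 "$ca")
EOF
}
```

Usage: `make_tls_secret nats-tls foo server.pem server-key.pem ca.pem | kubectl apply -f -` (the namespace must match the NatsStreamingCluster, here `foo`).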