nats-io / nats-streaming-operator

NATS Streaming Operator
Apache License 2.0

Support for authenticated NATS cluster #30

Closed typusomega closed 5 years ago

typusomega commented 5 years ago

Hi,

we are using an authenticated NATS cluster and are big fans of this operator. Since the operator is overriding the STAN pods' command, I see no chance to add --user/--pass.

Is there a way to authenticate NatsStreamingClusters?

Best regards

typusomega commented 5 years ago

Hi,

finally managed to make it work: Since STAN is using NATS' options, it's possible to mount a config file (in a secret) containing the credentials.

Is this the recommended way to go?

wallyqs commented 5 years ago

Yes, that approach would be recommended in order to handle the credentials as a secret.

wallyqs commented 5 years ago

Using the secret for the credentials is the recommended way for now to avoid leaking creds via CRD definitions, env vars, etc. Closing for now.

Upperfoot commented 4 years ago

@wallyqs How exactly was this achieved? I can't find any documentation for this with Kubernetes. I would like to use Service Accounts which have already been set up and are being used by the nats-clusters

pja-kit commented 4 years ago

@wallyqs @typusomega Could you give an example of how you have achieved this? For me it is not clear how the configFile should be created.

edit: Figured out the configuration needed: The NatsStreaming resource should look similar to this:

apiVersion: streaming.nats.io/v1alpha1
kind: NatsStreamingCluster
metadata:
  name: stan
  namespace: default
spec:
  configFile: /etc/stan/config/stan.conf
  natsSvc: nats
  size: 3
  template:
    spec:
      containers:
      - name: stan
        volumeMounts:
        - mountPath: /etc/stan/config
          name: stan-config
      volumes:
      - name: stan-config
        secret:
          secretName: stan-conf

Given a file stan.conf with the following contents:

{
  "authorization": {
    "user": "<username>",
    "password": "<password>"
  }
}

the secret can be created by: kubectl create secret generic stan-conf --from-file=stan.conf
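
The following is an added example, not part of any comment in this thread and not code from the operator project: a small check that a NatsStreamingCluster manifest (already parsed into a dict) delivers credentials only through a Secret-mounted config file, as recommended above, rather than through the resource itself or env vars. The function name, the sample manifests and the `STAN_PASS` variable are constructed for illustration.

```python
import posixpath

CRED_FLAGS = ("--user", "--pass")  # the flags named in the issue

def audit_cluster(manifest, container="stan"):
    """Return findings; [] means credentials arrive only via a Secret-mounted file."""
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    cfg = spec.get("configFile")
    stan = next((c for c in pod.get("containers", []) if c.get("name") == container), None)
    if not cfg or stan is None:
        return ["spec.configFile or the %r container is missing" % container]
    findings = []
    # The config file must live under a mount of the container (absolute paths assumed).
    mount = next((m for m in stan.get("volumeMounts", [])
                  if posixpath.commonpath([m["mountPath"], cfg]) == posixpath.normpath(m["mountPath"])), None)
    if mount is None:
        findings.append("%s is not under any volumeMount" % cfg)
    else:
        vol = next((v for v in pod.get("volumes", []) if v.get("name") == mount["name"]), {})
        if "secret" not in vol:
            findings.append("volume %r is not backed by a Secret" % mount["name"])
    # Credentials written into the resource itself are readable by anyone who can read it.
    for arg in stan.get("command", []) + stan.get("args", []):
        if arg.split("=", 1)[0] in CRED_FLAGS:
            findings.append("credential flag in container args: " + arg.split("=", 1)[0])
    for env in stan.get("env", []):
        if "value" in env and any(k in env["name"].upper() for k in ("USER", "PASS")):
            findings.append("literal credential in env var " + env["name"])
    return findings

def _cluster(volume, **extra):  # constructed sample manifests, modelled on the one above
    stan = {"name": "stan", "volumeMounts": [{"mountPath": "/etc/stan/config", "name": "stan-config"}]}
    stan.update(extra)
    return {"spec": {"configFile": "/etc/stan/config/stan.conf", "natsSvc": "nats", "size": 3,
                     "template": {"spec": {"containers": [stan],
                                           "volumes": [dict(name="stan-config", **volume)]}}}}

GOOD = _cluster({"secret": {"secretName": "stan-conf"}})
BAD = _cluster({"configMap": {"name": "stan-conf"}},  # STAN_PASS is a hypothetical variable name
               args=["--user", "<username>"], env=[{"name": "STAN_PASS", "value": "<password>"}])

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_cluster(m) or "ok")
```

Env vars that use `valueFrom` (for example a `secretKeyRef`) are not flagged, since only literal `value` entries place the credential in the resource.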