Closed typusomega closed 5 years ago
Hi,
finally managed to make it work: Since STAN is using NATS' options, it's possible to mount a config file (in a secret) containing the credentials.
Is this the recommended way to go?
Yes, that approach would be recommended in order to handle the credentials as a secret.
Using the secret for the credentials is the recommended way for now to avoid leaking creds via CRD definitions, env vars, etc. Closing for now.
@wallyqs How exactly was this achieved? I can't find any documentation for this with Kubernetes. I would like to use Service Accounts which have already been set up and are being used by the nats-clusters.
@wallyqs @typusomega Could you give an example of how you have achieved this? For me it is not clear how the configFile should be created.
edit: Figured out the configuration needed: The NatsStreaming resource should look similar to this:
```yaml
apiVersion: streaming.nats.io/v1alpha1
kind: NatsStreamingCluster
metadata:
  name: stan
  namespace: default
spec:
  configFile: /etc/stan/config/stan.conf
  natsSvc: nats
  size: 3
  template:
    spec:
      containers:
        - name: stan
          volumeMounts:
            - mountPath: /etc/stan/config
              name: stan-config
      volumes:
        - name: stan-config
          secret:
            secretName: stan-conf
```
Given a file stan.conf with the following contents:
```
{
  "authorization": {
    "user": "<username>",
    "password": "<password>"
  }
}
```
the secret can be created by:
```
kubectl create secret generic stan-conf --from-file=stan.conf
```
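A check for the setup described in the comment above, as an added example that is not part of the original thread or the operator's code: it takes a NatsStreamingCluster manifest already parsed into a dict and reports whether `configFile` really sits under a Secret-backed mount, and whether credentials also appear as literal env vars or `--user`/`--pass` flags. The function name, the `SENSITIVE` name hints and the `STAN_PASSWORD` variable are hypothetical.

```python
import copy
import posixpath

SENSITIVE = ("pass", "token", "secret", "cred")  # assumed name hints, adjust locally

def lint_stan_manifest(manifest):
    """Return findings; an empty list means credentials only arrive via a Secret mount."""
    findings = []
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    # Names of volumes whose contents come from a Kubernetes Secret.
    secret_vols = {v["name"] for v in pod.get("volumes", []) if "secret" in v}
    config_file = posixpath.normpath(spec.get("configFile", ""))
    covered = False
    for c in pod.get("containers", []):
        for m in c.get("volumeMounts", []):
            mount = m["mountPath"].rstrip("/") + "/"
            if m["name"] in secret_vols and config_file.startswith(mount):
                covered = True
        for e in c.get("env", []):
            # A literal "value" is stored in the resource; valueFrom.secretKeyRef is not.
            if "value" in e and any(s in e["name"].lower() for s in SENSITIVE):
                findings.append(f"literal credential in env var {e['name']}")
        for a in c.get("command", []) + c.get("args", []):
            if a.split("=")[0] in ("--user", "--pass"):
                findings.append(f"credential flag {a.split('=')[0]} on the command line")
    if not covered:
        findings.append("configFile is not under a Secret-backed volumeMount")
    return findings

# The manifest from the comment above, as a dict (e.g. the output of yaml.safe_load).
GOOD = {
    "kind": "NatsStreamingCluster",
    "spec": {
        "configFile": "/etc/stan/config/stan.conf",
        "template": {"spec": {
            "containers": [{"name": "stan", "volumeMounts": [
                {"mountPath": "/etc/stan/config", "name": "stan-config"}]}],
            "volumes": [{"name": "stan-config", "secret": {"secretName": "stan-conf"}}],
        }},
    },
}

# Constructed bad variant: ConfigMap instead of Secret, plus a literal password env var.
BAD = copy.deepcopy(GOOD)
bad_pod = BAD["spec"]["template"]["spec"]
bad_pod["volumes"][0] = {"name": "stan-config", "configMap": {"name": "stan-conf"}}
bad_pod["containers"][0]["env"] = [{"name": "STAN_PASSWORD", "value": "constructed"}]

if __name__ == "__main__":
    print(lint_stan_manifest(GOOD), lint_stan_manifest(BAD))
```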
Hi,
we are using an authenticated NATS cluster and are big fans of this operator. Since the operator is overriding the STAN pods' command, I see no chance to add `--user`/`--pass`. Is there a way to authenticate `NatsStreamingCluster`s?
Best regards