Closed Soneca-ii closed 1 year ago
That means the helm chart is configuring nats to require a certificate and indeed in the config you show here you didn’t provide one.
Did you try to provide one? But sounds like a behaviour change in the chart.
I'm passing the ca_file according to the documentation:
https://registry.terraform.io/providers/nats-io/jetstream/latest/docs
tls.ca_file - (optional) Fully Qualified Path to a file containing Root CA (PEM format). Use when the server has certs signed by an unknown authority.
What other properties shall I use to pass the certificate in the terraform provider?
Ah appears the current release does not yet support adding a certificate. Next release will but it’s some way off as we need to wait for nats server 2.10
Ah even the latest code does not support supplying a cert.
Can you show your server config that the chart made? Did you intend to configure TLS cert authentication required?
Hi yes, TLS was enabled in the previous chart version 0.19.5 and Clients/provider were successfully working.
For current config:
Chart.yaml:
Values.yaml:
```
nats:
natsbox:
enabled: false
config:
nats:
tls:
enabled: true
secretName: nats-server-tls
ca: "ca.crt"
cert: "tls.crt"
key: "tls.key"
jetstream:
enabled: true
memStorage:
enabled: true
size: 2Gi
```
Weird and for other clients do you now need to supply a certificate? Like the nats cli?
yes, using natsbox:
```
nats-box v0.13.8
7596dad70379:~# nats -s nats://10.46.100.19:31222 --tlscert=/certs/js_server.crt --tlskey=/certs/js_server.key --tlsca=/certs/ca.crt stream ls
No Streams defined
```
the result is correct since I could not create the streams via terraform.
And without the certs and key it fails?
yes:
```
7596dad70379:~# nats -s nats://10.46.100.19:31222 --tlsca=/certs/ca.crt stream ls
nats: error: setup failed: remote error: tls: bad certificate
7596dad70379:~# nats -s nats://10.46.100.19:31222 stream ls
nats: error: setup failed: x509: certificate signed by unknown authority
```
OK, will add the options to the terraform provider but as mentioned, be a while before next release
Have added this here for the next release https://github.com/nats-io/terraform-provider-jetstream/pull/87
Reverted mine, will use this one instead: https://github.com/nats-io/terraform-provider-jetstream/pull/70
Hi,
I was upgrading from NATS chart 0.19.5 to 1.0.0-beta6.
With the previous chart I managed to configure TLS and use the jetstream provider to create Streams:
```
provider "jetstream" {
  servers = ":"
  tls {
    ca_file = "./certs/ca.crt"
  }
}
```
With the new chart I received "- cid:6 - TLS handshake error: tls: client didn't provide a certificate"
I saw a PR specifying the client certificates from last year. Will this solve the issue, and if so, is it possible to deliver it in a release?
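
The handshake behaviour discussed in this thread, as an added example that is not part of the original issue or the provider's code: a Go `crypto/tls` server that requires client certificates rejects a client configured with only a trust root (the `ca_file` case) and accepts it once a certificate and key are supplied. The self-signed certificates, the names `nats.example` and `terraform-client`, and the helper names are constructed for illustration, and no NATS server is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a throwaway certificate (constructed; stands in for the CA-issued ones in the thread).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// demo runs one handshake over an in-memory pipe against a server that requires a client certificate.
func demo(withClientCert bool) (srvErr, cliErr error) {
	srvCert, cliCert := selfSigned("nats.example"), selfSigned("terraform-client")
	trust := x509.NewCertPool() // plays the role of ca.crt on both sides
	trust.AddCert(srvCert.Leaf)
	trust.AddCert(cliCert.Leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: trust,
		ClientAuth: tls.RequireAndVerifyClientCert, MaxVersion: tls.VersionTLS12}
	cli := &tls.Config{RootCAs: trust, ServerName: "nats.example", MaxVersion: tls.VersionTLS12} // 1.2: rejection surfaces in Handshake
	if withClientCert {
		cli.Certificates = []tls.Certificate{cliCert} // the cert/key pair that ca_file alone cannot supply
	}
	a, b := net.Pipe()
	defer func() { a.Close(); b.Close() }()
	done := make(chan error, 1)
	go func() { done <- tls.Server(a, srv).Handshake() }()
	cliErr = tls.Client(b, cli).Handshake()
	return <-done, cliErr
}

func main() { fmt.Println(demo(false)); fmt.Println(demo(true)) }
```

Without the client certificate the server side reports the same "client didn't provide a certificate" error quoted in the issue, and the client side sees the "bad certificate" alert shown in the `nats` CLI output.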