Open benfuu opened 2 months ago
@kobergj Can you take a look please?
Yes. Absolutely valid point. This was not taken into account on initial implementation, but should be fairly easy to implement.
We should also add an option to add TLS config for the nats-js-kv
stores, not only for the registry: https://github.com/cs3org/reva/blob/edge/pkg/store/store.go#L139-L151
But maybe we should adjust envvar names so we can reuse the same on all nats related features (evenst/stores/caches/registry)? I mean this will probably always be the same anyways.
But maybe we should adjust envvar names so we can reuse the same on all nats related features (evenst/stores/caches/registry)? I mean this will probably always be the same anyways.
I strongly vote for sticking to KISS
I strongly vote for sticking to KISS
So that means we add new envvar OCIS_NATS_ENABLE_TLS
and OCIS_NATS_TLS_ROOT_CA_CERTIFICATE
and use them everywhere? We can deprecate exiting events - tls envars.
Any updates on this? I'd be happy to provide a PR, but not sure what direction the team wants to go in regarding the env var naming conventions.
Any updates on this? I'd be happy to provide a PR, but not sure what direction the team wants to go in regarding the env var naming conventions.
That would be very much appreciated, thanks!
Let's stick with simple solution for now. OCIS_NATS_ENABLE_TLS
and OCIS_NATS_TLS_ROOT_CA_CERTIFICATE
Is your feature request related to a problem? Please describe.
Currently there are options to connect to the events bus (NATS) with certificates provided in env vars:
OCIS_EVENTS_ENABLE_TLS
OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE
However, there aren't any similar env vars to connect to the registry when using
nats-js-kv
.Describe the solution you'd like
Add similar env vars to connect to the app registry:
OCIS_REGISTRY_ENABLE_TLS
OCIS_REGISTRY_TLS_ROOT_CA_CERTIFICATE
The NATS options can be configured in the file: https://github.com/owncloud/ocis/blob/master/ocis-pkg/natsjsregistry/registry.go#L170-L182
Describe alternatives you've considered
Currently we'd have to disable TLS completely in our NATS instance, or have a separate NATS instance just for the registry.
Additional context