You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add support for mTLS-only authentication with NATS for Route-Emitter
Summary
With the adoption of nats-tls we now have client authentication built-in with the mTLS handshake that verifies the client certificate.
This makes the additional basic authentication with the "nats" user obsolete. Currently, the erb for route-emitter requires a username and password to be set via the bosh link. This PR makes the template rendering of route-emitter work even when there is no user and password set by NATS.
Diego repo
route-emitter
Describe alternatives you've considered (optional)
An alternative to outright removing the password on NATS side would have been to set a default of "" (empty string) for the NATS password which would have made sure that there is a password and user set at all times. This would have made this PR unnecessary because the link property would always be set. However, I refrained from this approach because empty passwords are bad practise. So on cf-deployment level there should either be set a meaningful (secure) password or no password at all - which is now possible.
Additional Text Output, Screenshots, or contextual information (optional)
Once they are all merged, you can remove this section from cf-deployment.yml. This could be done directly or via an ops-file that keeps the basic authentication as a default.
The text was updated successfully, but these errors were encountered:
Enter an issue title
Add support for mTLS-only authentication with NATS for Route-Emitter
Summary
With the adoption of nats-tls we now have client authentication built-in with the mTLS handshake that verifies the client certificate.
This makes the additional basic authentication with the "nats" user obsolete. Currently, the erb for route-emitter requires a username and password to be set via the bosh link. This PR makes the template rendering of route-emitter work even when there is no user and password set by NATS.
Diego repo
route-emitter
Describe alternatives you've considered (optional)
An alternative to outright removing the password on NATS side would have been to set a default of "" (empty string) for the NATS password which would have made sure that there is a password and user set at all times. This would have made this PR unnecessary because the link property would always be set. However, I refrained from this approach because empty passwords are bad practise. So on cf-deployment level there should either be set a meaningful (secure) password or no password at all - which is now possible.
Additional Text Output, Screenshots, or contextual information (optional)
There is a slack conversation about the issue.
Since this basically affects all NATS clients and the NATS release, there are a set of PRs to be merged as companions to this PR:
NATS-release: cloudfoundry/nats-release#39
routing-release: cloudfoundry/routing-release#244
metrics-discovery-release: cloudfoundry/metrics-discovery-release#14
Once they are all merged, you can remove this section from cf-deployment.yml. This could be done directly or via an ops-file that keeps the basic authentication as a default.
The text was updated successfully, but these errors were encountered: