On the same VM, the nats-tls job and the metrics-discovery-registrar job are running.
We removed nats/user and password from the cf-deployment using an ops file, as they are made optional in routing-release:0.228.0.
During the cf-deployment update:
The first nats-tls VM got an error during the update, as metrics-discovery-registrar failed due to "nats: Authorization Violation".
The first nats-tls VM also could not connect to the not-yet-updated nats, as it does not provide a password for authentication anymore.
diego-api and uaa were also failing due to "nats: Authorization Violation" between route_registrar and the not-yet-updated nats.
Steps to Reproduce
Bump routing-release to 0.228.0 and nats-release to 41.
Remove nats/password and nats/user from cf-deployment using ops file.
Set the mTLS certificates in nats/internal/tls/* for passwordless authentication
Run deploy-cf
Expected result
Deployment should run through and succeed.
Current result
Failing deployment that tries to access username/password fields that are not available anymore
Possible Fix
We have provided a PR in nats-release that adds a configuration flag to disable password-based authentication but still allows providing the fields in the configuration: Introduce nats.auth_required for nats-tls nats-release#43. This works around the need of an existing deployment to have username/password, while a new deployment can move to mTLS-based authentication.
Additional Context
On that VM, the nats-tls job was already updated and running without password authentication. However, the metrics-discovery-registrar uses the hostname NATS_HOSTS: nats://nats.service.cf.internal:4224. This name only resolves to the two other NATS VMs (10.0.65.5, 10.0.65.4) that have not yet been updated and therefore still require a password to connect.
So as @Mrizwanshaik and @b1tamara suggest, introducing a flag could help, because the flag is not part of the BOSH link that other deployments use to connect to NATS.
You could then update in two steps:
Set auth_required to false and deploy CF completely; this will only remove the password from NATS but not the clients.
Remove the password from cf-deployment.yml and deploy CF again so it also disappears from the BOSH link that is used by clients.
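The rolling-update reasoning from this thread, as a small simulation (an added example, not code from nats-release or cf-deployment). It assumes a server that requires a password rejects clients without one, while a server that does not require one accepts clients with or without it; mTLS is left out of the model, and the VM names and three-node layout are constructed.

```python
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    server_requires_password: bool  # state of the NATS server on this VM
    client_sends_password: bool     # state of the NATS client colocated on this VM


def violations(nodes):
    """Return (client_vm, server_vm) pairs the server would reject."""
    # Assumption: only "server requires a password, client sends none" fails.
    return [(c.name, s.name) for c in nodes for s in nodes
            if s.server_requires_password and not c.client_sends_password]


def rolling_deploy(nodes, server_requires_password, client_sends_password):
    """Update one VM at a time and collect rejections seen after each step."""
    seen = []
    for node in nodes:
        node.server_requires_password = server_requires_password
        node.client_sends_password = client_sends_password
        seen.extend(v for v in violations(nodes) if v not in seen)
    return seen


def fresh_cluster():
    # Constructed starting state: every server and client still uses a password.
    return [Node(f"nats/{i}", True, True) for i in range(3)]


def one_step():
    """Remove the password from servers and clients in a single deploy."""
    return rolling_deploy(fresh_cluster(), False, False)


def two_step():
    """Deploy 1 relaxes only the servers; deploy 2 removes the client password."""
    nodes = fresh_cluster()
    first = rolling_deploy(nodes, server_requires_password=False,
                           client_sends_password=True)
    second = rolling_deploy(nodes, server_requires_password=False,
                            client_sends_password=False)
    return first + second


if __name__ == "__main__":
    print("one-step rejections:", one_step())
    print("two-step rejections:", two_step())
```
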
Issue
Affected Versions
metrics-discovery-release: 3.0.7
routing-release:0.228.0