
mTLS Support for NATS server? #115

Closed
HakShak opened this issue Oct 25, 2022 · 5 comments

Comments

@HakShak

HakShak commented Oct 25, 2022

I saw this #54

But I was unsure whether this implies server support on top of JetStream support.

@HakShak
Author

HakShak commented Oct 28, 2022

Are there plans to support this information without JetStream?

@ripienaar
Collaborator

ripienaar commented Oct 28, 2022

@HakShak what exactly are you asking? Maybe the question isn't clear.

mTLS to NATS Server when connecting? Those options already exist in --tlscacert, --tlscert and --tlskey. If you're asking for mTLS on the HTTP port, those also exist using --http-tlscert etc.

@ingvarch

@ripienaar let me answer your question to @HakShak.

We use the following config for NATS:

    # NATS Clients Port
    port: 4222

    # PID file shared with configuration reloader.
    pid_file: "/var/run/nats/nats.pid"
    http: 8222
    server_name: $POD_NAME

    cluster {
      name: super-cluster
      port: 6222

      tls {
        cert_file: "/etc/nats-config/tls/route-cert.pem"
        key_file: "/etc/nats-config/tls/route-key.pem"
        ca_file: "/etc/nats-config/tls/root-ca.pem"
      }

      routes = [
        tls://nats-0.nats.nats-dev:6222,
        tls://nats-1.nats.nats-dev:6222,
        tls://nats-2.nats.nats-dev:6222,
      ]

      cluster_advertise: $CLUSTER_ADVERTISE
      connect_retries: 120
    }

    lame_duck_grace_period: 10s
    lame_duck_duration: 30s

    authorization: {
      default_permissions = {
        publish = ">"
        subscribe = ">"
      }

      users: [
      ]
    }
    tls: {
      cert_file: "/etc/nats-config/tls/server-cert.pem"
      key_file: "/etc/nats-config/tls/server-key.pem"
      ca_file: "/etc/nats-config/tls/root-ca.pem"
      verify_and_map: true
    }
    debug: true
    trace: false

    accounts: {
      USERS: {
        users: [
          {user: "CN=dev.example.com,OU=service-one"},
          {user: "CN=dev.example.com,OU=service-two"}
        ]
      },
      SYS: {
        users: [
          {user: "CN=something.example.com"}
        ]
      },
    }
    system_account: SYS

and these args for nats-surveyor:

        - --servers=tls://nats.nats-dev:4222
        - --port=7777
        - --tlscacert=/etc/nats-config/tls/root-ca.pem
        - --tlscert=/etc/nats-config/tls/surveyor-cert.pem
        - --tlskey=/etc/nats-config/tls/surveyor-key.pem
        - --log-level=debug
        - --count=3

Everything works fine and we can see many metrics in your dashboards, except Service Observations, because it supports only NKey or JWT auth methods.

We tried to combine NKey and mTLS but it doesn't work.

Could you say whether it is possible to grab Service Observations metrics with mTLS auth?
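Added example (not from this thread or the nats-surveyor project): a Go program that derives the identity string nats-server checks under verify_and_map from a client certificate and looks it up against the user entries of the config above, a quick way to confirm that the surveyor certificate lands in the intended account rather than being rejected. It assumes nats-server matches the certificate Subject in RFC 2253 form (Go's cert.Subject.String(), CN first, which is how the user entries in the config are written) and does not model SAN-based mapping; the certificate is constructed in-code as test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// Flattened "user" -> account map taken from the accounts block in the config above.
var allowedUsers = map[string]string{
	"CN=dev.example.com,OU=service-one": "USERS",
	"CN=dev.example.com,OU=service-two": "USERS",
	"CN=something.example.com":          "SYS",
}
// tlsIdentity returns the RFC 2253 form of the Subject (CN first), the string
// nats-server compares with "user" entries (assumption: cert.Subject.String(); SANs ignored).
func tlsIdentity(cert *x509.Certificate) string {
	return cert.Subject.String()
}
// accountFor returns the mapped account, or "" when nats-server would reject the cert.
func accountFor(cert *x509.Certificate) string {
	return allowedUsers[tlsIdentity(cert)]
}
// selfSignedCert builds a throwaway certificate with the given CN and OU values
// (constructed test data, not a real surveyor certificate; validity dates left zero).
func selfSignedCert(cn string, ou []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: ou},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	cert, err := selfSignedCert("dev.example.com", []string{"service-one"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> account %q\n", tlsIdentity(cert), accountFor(cert))
}
```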

@ripienaar
Collaborator

At present it inherits the options from the --tlscert etc. options and uses those for connecting. So we'd need to add similar options on observation options that could be used to override.

Thanks for the clarification, though this was not clear at all from the question.

@caleblloyd
Contributor

Fixed in #134 and will be in the next release.
