This repository has been archived by the owner on Dec 15, 2021. It is now read-only.

kubeless trigger nats publish needs direct access #708

Open
sebgoa opened this issue Apr 20, 2018 · 6 comments

@sebgoa
Contributor

sebgoa commented Apr 20, 2018

seems we don't use a proxy to get to the nats broker.

So if we run in the cloud, we need to open the broker to the world to be able to reach it with the convenience function kubeless trigger nats publish

I would rather do a proxy under the hood to avoid this security hole.

@murali-reddy
Contributor

murali-reddy commented Apr 23, 2018

kubeless trigger nats publish just takes a URL for the NATS cluster; there is no assumption on where the NATS service is running (in-cluster or outside the cluster).

I can keep the default behaviour to assume that NATS is running as nats.nats-io.svc.cluster.local:4222 and proxy to it. --url can be specified explicitly to override the default behaviour.

@sebgoa
Contributor Author

sebgoa commented Apr 23, 2018

I believe that realistically, a nats admin would not open the broker without any type of auth/security.

So since we use the kubeless cli as a convenience for testing/debugging, proxying is an ok mechanism.

@xydinesh

xydinesh commented Oct 14, 2018

I think the issue I'm running into is related to this. I have a nats cluster named "nats" in the "nats-io" namespace. I can't reach it via the following command.

kubeless trigger nats publish --url nats://nats.nats-io.svc.cluster.local:4222 --topic test --message "Hello World"

FATA[0000] nats: no servers available for connection

I think a kubeless function deployed in the cluster can access the nats cluster. Not sure why I'm getting an error.

@andresmgot
Contributor

hi @xydinesh, the url nats.nats-io.svc.cluster.local is internal for the cluster so you cannot access it from the outside with that.

That command kubeless trigger nats publish is used mostly for testing purposes on our side. If you want to use that command, you can expose the nats service (kubectl edit svc -n nats nats) and change the type of service to a NodePort. That way you will be able to reach the cluster with CLUSTER_IP:NODE_PORT as the URL. Note that doing that will leave your cluster exposed to anyone without authentication, which is discouraged for anything other than testing.

@xydinesh

@andresmgot Got it. Thanks! Didn't realize kubeless trigger nats publish was trying to access nats.nats-io.svc.cluster.local.

@mpalumbo7
Contributor

FWIW, I was able to use kubectl port-forward to bind the NATS port to my localhost.

$ kubectl -n kubeless port-forward svc/nats 4222:4222
Forwarding from 127.0.0.1:4222 -> 4222
Forwarding from [::1]:4222 -> 4222
Handling connection for 4222

Which allows me to use:

$ kubeless trigger nats publish --url nats://localhost:4222 --topic hello-world --message "Hello World!"
INFO[0000] Published [hello-world] : 'Hello World!'
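
The port-forward approach from the last comment, wrapped as a script so the tunnel exists only for the duration of one publish and the broker is never exposed through a NodePort. This is an added example, not part of the original thread or of kubeless; the function names parse_nats_url and publish_via_forward are hypothetical, and it assumes kubectl and kubeless are on PATH.

```shell
#!/bin/sh
# Added example (not kubeless code): publish to an in-cluster NATS service
# through a temporary kubectl port-forward instead of exposing a NodePort.

# parse_nats_url URL: for nats://SERVICE.NAMESPACE.svc.cluster.local[:PORT]
# sets ns, svc, port and prints "NAMESPACE SERVICE PORT"; returns 1 otherwise.
parse_nats_url() {
    rest=${1#nats://}
    [ "$rest" != "$1" ] || return 1             # scheme must be nats://
    host=${rest%%:*}
    port=4222                                   # NATS default client port
    case $rest in *:*) port=${rest##*:} ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    case $host in
        *.*.svc.cluster.local) ;;
        *) return 1 ;;                          # not a cluster-internal name
    esac
    name=${host%.svc.cluster.local}             # SERVICE.NAMESPACE
    svc=${name%%.*}
    ns=${name#*.}
    case $ns in ''|*.*) return 1 ;; esac        # exactly two labels expected
    [ -n "$svc" ] || return 1
    printf '%s %s %s\n' "$ns" "$svc" "$port"
}

# publish_via_forward URL TOPIC MESSAGE [LOCAL_PORT] (hypothetical helper)
publish_via_forward() {
    parse_nats_url "$1" >/dev/null || { echo "not an in-cluster URL: $1" >&2; return 2; }
    local_port=${4:-4222}
    log=$(mktemp)
    kubectl -n "$ns" port-forward "svc/$svc" "$local_port:$port" >"$log" 2>&1 &
    pf=$!
    tries=0
    until grep -q 'Forwarding from' "$log"; do  # kubectl prints this when ready
        tries=$((tries + 1))
        if [ "$tries" -gt 10 ] || ! kill -0 "$pf" 2>/dev/null; then
            cat "$log" >&2; kill "$pf" 2>/dev/null; rm -f "$log"; return 3
        fi
        sleep 1
    done
    kubeless trigger nats publish --url "nats://127.0.0.1:$local_port" \
        --topic "$2" --message "$3"
    rc=$?
    kill "$pf" 2>/dev/null; rm -f "$log"
    return "$rc"
}

# Run only when called with arguments: URL TOPIC MESSAGE [LOCAL_PORT]
if [ "$#" -ge 3 ]; then publish_via_forward "$@"; fi
```

The script refuses URLs that are not cluster-internal service names, so it cannot be pointed at a publicly exposed broker address by accident.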
