Cluster Authorization from Secret #833

joelp172 · 2023-11-30T13:47:08Z

joelp172
Nov 30, 2023

I am trying to deploy NATS on multiple k8s clusters, which I have done successfully. I want to add authorization config to each cluster, however I cant find a way to specify a username and password in the config.cluster.authorization value securely i.e. from a Secret.

Does this functionality not exists or have i missed something? Is the only way to specify these values in plain text when deploying using helm?

Answered by caleblloyd

Nov 30, 2023

It involves some templating. In NATS config, user/pass route auth has to be specified as part of the URL for cluster.routes:

A list of other servers (URLs) to cluster with. Self-routes are ignored. Should authentication via token or username/password be required, specify them as part of the URL.

I don't think NATS config can do string interpolation with variables to build those URLs. So they'd have to be built in Environment Variables. Try this:

config:
  cluster:
    enabled: true
    routeURLs:
      user: foo
      password: << $CLUSTER_AUTH >>
    merge:
      routes:
        $tplYaml: |
          {{- range $i, $_ := until (int $.Values.config.cluster.replicas) }}
          - << $RO…

View full answer

caleblloyd · 2023-11-30T14:32:47Z

caleblloyd
Nov 30, 2023

It involves some templating. In NATS config, user/pass route auth has to be specified as part of the URL for cluster.routes:

A list of other servers (URLs) to cluster with. Self-routes are ignored. Should authentication via token or username/password be required, specify them as part of the URL.

I don't think NATS config can do string interpolation with variables to build those URLs. So they'd have to be built in Environment Variables. Try this:

config:
  cluster:
    enabled: true
    routeURLs:
      user: foo
      password: << $CLUSTER_AUTH >>
    merge:
      routes:
        $tplYaml: |
          {{- range $i, $_ := until (int $.Values.config.cluster.replicas) }}
          - << $ROUTE_{{ $i }} >>
          {{- end }}

container:
  env:
    CLUSTER_AUTH:
       valueFrom:
         secretKeyRef:
           name: secret-name
           key: secret-key
    ROUTES:
      $tplYamlSpread: |
        {{- range $i, $_ := until (int $.Values.config.cluster.replicas) }}
        ROUTE_{{ $i }}: {{ printf "nats://%s:$(CLUSTER_AUTH)@%s-%d.%s:%d" $.Values.config.cluster.routeURLs.user $.Values.statefulSet.name $i $.Values.headlessService.name (int $.Values.config.cluster.port) }}
        {{- end }}

2 replies

joelp172 Dec 1, 2023
Author

Thank you very much for this, I can see how this would work. Ive just realised the NATS chart we are using is 0.19.6 (due to been a dependancy of another application and they have locked it to this version). I had a look at the chart and these options are different. Is there a way to do this on my version?

Ive asked the app developer if there are plans to upgrade the NATS chart but not sure thats going to be quick.

caleblloyd Dec 4, 2023

0.x is not nearly as flexible as 1.x, so you'd probably need to look at how to include a config section in 0.x to achieve this.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cluster Authorization from Secret #833

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

Cluster Authorization from Secret #833

joelp172 Nov 30, 2023

Replies: 1 comment · 2 replies

caleblloyd Nov 30, 2023

joelp172 Dec 1, 2023 Author

caleblloyd Dec 4, 2023

joelp172
Nov 30, 2023

Replies: 1 comment 2 replies

caleblloyd
Nov 30, 2023

joelp172 Dec 1, 2023
Author