From 15a519040aff3e5a9375606752f25386509eeb23 Mon Sep 17 00:00:00 2001
From: John Weldon
Date: Mon, 1 Jul 2024 15:55:41 -0700
Subject: [PATCH] Add tlsfirst option to pass through to NATS connection

---
 cmd/jetstream-controller/main.go | 2 ++
 controllers/jetstream/controller.go | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/cmd/jetstream-controller/main.go b/cmd/jetstream-controller/main.go
index 40c24ff2..6afc4b50 100644
--- a/cmd/jetstream-controller/main.go
+++ b/cmd/jetstream-controller/main.go
@@ -57,6 +57,7 @@ func run() error {
 cert := flag.String("tlscert", "", "NATS TLS public certificate")
 key := flag.String("tlskey", "", "NATS TLS private key")
 ca := flag.String("tlsca", "", "NATS TLS certificate authority chain")
+tlsfirst := flag.Bool("tlsfirst", false, "If true, then NATS connections will be initiated with a TLS negotiation, rather than using a plain text / STARTTLS approach")
 server := flag.String("s", "", "NATS Server URL")
 crdConnect := flag.Bool("crd-connect", false, "If true, then NATS connections will be made from CRD config, not global config")
 cleanupPeriod := flag.Duration("cleanup-period", 30*time.Second, "Period to run object cleanup")
@@ -111,6 +112,7 @@ func run() error {
 NATSCA: *ca,
 NATSCertificate: *cert,
 NATSKey: *key,
+NATSTLSFirst: *tlsfirst,
 KubeIface: kc,
 JetstreamIface: jc,
 Namespace: *namespace,
diff --git a/controllers/jetstream/controller.go b/controllers/jetstream/controller.go
index 828e5561..785b3559 100644
--- a/controllers/jetstream/controller.go
+++ b/controllers/jetstream/controller.go
@@ -75,6 +75,8 @@ type Options struct {
 NATSCertificate string
 NATSKey string
 
+NATSTLSFirst bool
+
 Namespace string
 CRDConnect bool
 CleanupPeriod time.Duration
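Review bot: The new exported field `NATSTLSFirst bool` in `Options` carries no doc comment, so a reader of controller.go has to go back to the `-tlsfirst` flag in main.go to learn what it controls. I would add one that mirrors the flag help: `// NATSTLSFirst starts every NATS connection with a TLS handshake instead of the plain-text / STARTTLS-style upgrade; the server side must be configured to accept that.` The `Options` struct begins before this hunk, so I cannot tell whether the surrounding fields follow a different documentation convention.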
@@ -180,6 +182,9 @@ func (c *Controller) Run() error {
 opts := make([]nats.Option, 0)
 // Always attempt to have a connection to NATS.
 opts = append(opts, nats.MaxReconnects(-1))
+if c.opts.NATSTLSFirst {
+opts = append(opts, nats.TLSHandshakeFirst())
+}
 natsCtxDefaults := &natsContextDefaults{Name: c.opts.NATSClientName}
 if !c.opts.CRDConnect {
 // Use JWT/NKEYS based credentials if present.
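Review bot: `nats.TLSHandshakeFirst()` is appended to `opts` before the `if !c.opts.CRDConnect` branch, so the global `-tlsfirst` flag applies to connections in both modes, whereas the `-crd-connect` help text says those connections take their configuration "from CRD config, not global config". If the per-CRD connection settings carry their own TLS material, a global flag silently forcing a TLS-first handshake on them is likely surprising and, when a server is not set up for it, would presumably just make the connection fail; either move the append inside the `!c.opts.CRDConnect` branch or state the intent on the new lines, e.g. `// Negotiate TLS before the protocol INFO exchange; applies to global and CRD-driven connections alike.` Since this is a hardening knob (it removes the plain-text exchange before TLS), a one-line note that the NATS server must be configured to accept handshake-first connections would save operators a confusing failure. `Run`'s body continues outside the hunk, so I cannot see whether TLS options are added later for the CRD path.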