From f9de4d6136a98f13e4bc6fa89c4e7b89a67c927b Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Thu, 7 Jun 2018 17:45:17 -0700
Subject: [PATCH 1/6] Bump version
Signed-off-by: Waldemar Quevedo
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index 6cfef85c..4dd285c6 100644
--- a/version/version.go
+++ b/version/version.go
@@ -15,6 +15,6 @@ package version
 var (
- OperatorVersion = "0.2.1-v1alpha2+git"
+ OperatorVersion = "0.2.2-v1alpha2+git"
 GitSHA = "Not provided"
 )
From 1b17aa388584f139ff40ef2b4f29ff0c2aed7e36 Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Thu, 7 Jun 2018 17:45:40 -0700
Subject: [PATCH 2/6] Update auth example
Signed-off-by: Waldemar Quevedo
---
 example/example-nats-cluster-auth.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/example/example-nats-cluster-auth.yaml b/example/example-nats-cluster-auth.yaml
index 9550b22e..69f05cd3 100644
--- a/example/example-nats-cluster-auth.yaml
+++ b/example/example-nats-cluster-auth.yaml
@@ -6,6 +6,14 @@ spec:
 size: 3
 version: "1.1.0"
+ # On Kubernetes v1.10+ clusters with feature=`--feature-gates=PodShareProcessNamespace=true
+ pod:
+ enableConfigReload: true
+
+ # Defaults but can be customized to be a different image
+ reloaderImage: "connecteverything/nats-server-config-reloader"
+ reloaderImageTag: "0.2.2-v1alpha2"
+ reloaderImagePullPolicy: "IfNotPresent"
 auth:
 # Definition in JSON of the users permissions
 clientsAuthSecret: "nats-clients-auth"
From 9e2d703b744e1c00e8efbfdab17f7f12bfd52a38 Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Thu, 7 Jun 2018 17:48:10 -0700
Subject: [PATCH 3/6] Update default reloader image from operator
Signed-off-by: Waldemar Quevedo
---
 pkg/constants/constants.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index cd7cc464..b5091043 100644
--- a/pkg/constants/constants.go
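Review bot: The comment introducing the new `pod:` block opens an inline-code backtick before `--feature-gates=PodShareProcessNamespace=true` and never closes it, and the `feature=` prefix is stray; `# On Kubernetes v1.10+ clusters started with --feature-gates=PodShareProcessNamespace=true` reads cleanly without the backtick. It would also help to state what `enableConfigReload: true` depends on: that gate shares the PID namespace across all containers of the pod, which is what lets the reloader signal the NATS server process, and it equally lets every container in the pod observe the others' processes, so users should know they are opting into that. The example pins `reloaderImageTag` to `0.2.2-v1alpha2`, the same value this series sets as the operator default, so it will have to be bumped in lockstep with future defaults or could simply be omitted to inherit the default.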
+++ b/pkg/constants/constants.go
@@ -74,7 +74,8 @@ const (
 // Default Docker Images
 DefaultServerImage = "nats"
- DefaultReloaderImage = "wallyqs/nats-server-config-reloader"
- DefaultReloaderImageTag = "0.2.1-v1alpha2"
+ DefaultReloaderImage = "connecteverything/nats-server-config-reloader"
+ DefaultReloaderImageTag = "0.2.2-v1alpha2"
 DefaultReloaderImagePullPolicy = "IfNotPresent"
 )
+
From 89b9f10fbf0863d5f46bb756a0cde0d47ba3040b Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Thu, 7 Jun 2018 17:48:29 -0700
Subject: [PATCH 4/6] Update README with new features
Signed-off-by: Waldemar Quevedo
---
 README.md | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 89 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index de6140d3..7b3b0e8e 100644
--- a/README.md
+++ b/README.md
@@ -68,10 +68,7 @@ Then this will deploy a `nats-operator` on the `nats-io` namespace.
 ```
 $ kubectl -n nats-io logs deployment/nats-operator
-time="2018-03-23T00:45:49Z" level=info msg="nats-operator Version: 0.2.0-v1alpha2+git"
-time="2018-03-23T00:45:49Z" level=info msg="Git SHA: 4040d87"
-time="2018-03-23T00:45:49Z" level=info msg="Go Version: go1.9"
-time="2018-03-23T00:45:49Z" level=info msg="Go OS/Arch: linux/amd64"
+time="2018-06-07T15:53:17-07:00" level=info msg="nats-operator Version: 0.2.2-v1alpha2+git"
 ```
 Note that the NATS operator only monitors the `NatsCluster` resources
@@ -88,10 +85,10 @@ NAME AGE
 example-nats-1 6m
 $ kubectl -n nats-io get pods -l nats_cluster=example-nats-1
-NAME READY STATUS RESTARTS AGE
-nats-2jgb0tg3sm 1/1 Running 0 7m
-nats-h8z9dckvfr 1/1 Running 0 7m
-nats-px28gkx5wk 1/1 Running 0 6m
+NAME READY STATUS RESTARTS AGE
+example-nats-1-1 1/1 Running 0 7m
+example-nats-1-2 1/1 Running 0 7m
+example-nats-1-3 1/1 Running 0 6m
 ```
 ### TLS support
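Review bot: `DefaultReloaderImageTag` still references the reloader by a mutable tag, and with `DefaultReloaderImagePullPolicy` left at `"IfNotPresent"` a node that already caches other content under `connecteverything/nats-server-config-reloader:0.2.2-v1alpha2` will keep running it without a pull; since this image presumably runs beside every NATS server pod whose spec enables config reload, the default is a supply-chain trust point worth documenting. A comment above the three reloader constants such as `// Reloader container defaults; the tag is mutable, so pin a digest in release builds or override per cluster via pod.reloaderImage / reloaderImageTag.` would make that explicit, and pinning the published default by digest is the stronger fix if the way the operator composes the image reference allows it. The added empty line after `)` looks like a second trailing blank at end of file, which gofmt would remove — worth confirming. The `const (` block starts outside the hunk.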
@@ -137,6 +134,90 @@ with the clients.
 $ kubectl create secret generic nats-clients-tls --from-file=ca.pem --from-file=server-key.pem --from-file=server.pem
 ```
+### Authorization
+
+Authorization can be set for the server by using a secret
+where the permissions are defined in JSON:
+
+```json
+{
+ "users": [
+ { "username": "user1", "password": "secret1" },
+ { "username": "user2", "password": "secret2",
+ "permissions": {
+ "publish": ["hello.*"],
+ "subscribe": ["hello.world"]
+ }
+ }
+ ],
+ "default_permissions": {
+ "publish": ["SANDBOX.*"],
+ "subscribe": ["PUBLIC.>"]
+ }
+}
+```
+
+Example of creating a secret to set the permissions:
+
+```
+kubectl create secret generic nats-clients-auth --from-file=clients-auth.json
+```
+
+Now when creating a NATS cluster it is possible to set the permissions as
+in the following example:
+
+```yaml
+apiVersion: "nats.io/v1alpha2"
+kind: "NatsCluster"
+pmetadata:
+ name: "example-nats-auth"
+spec:
+ size: 3
+ version: "1.1.0"
+
+ auth:
+ # Definition in JSON of the users permissions
+ clientsAuthSecret: "nats-clients-auth"
+
+ # How long to wait for authentication
+ clientsAuthTimeout: 5
+```
+
+### Configuration Reload
+
+On Kubernetes +v1.10 clusters that have been started with support for
+sharing the process namespace (via `--feature-gates=PodShareProcessNamespace=true`),
+it is possible to enable on-the-fly reloading of configuration for the
+servers that are part of the cluster. This can also be combined with the
+authorization support, so in case the user permissions change, then the
+servers will reload and apply the new permissions.
+
+```yaml
+apiVersion: "nats.io/v1alpha2"
+kind: "NatsCluster"
+metadata:
+ name: "example-nats-auth"
+spec:
+ size: 3
+ version: "1.1.0"
+
+ pod:
+ # Enable on-the-fly NATS Server config reload
+ # Note: only supported in Kubernetes clusters with PID namespace sharing enabled.
+ enableConfigReload: true
+
+ # Possible to customize version of reloader image
+ reloaderImage: connecteverything/nats-server-config-reloader"
+ reloaderImageTag: "0.2.2-v1alpha2"
+ reloaderImagePullPolicy: "IfNotPresent"
+ auth:
+ # Definition in JSON of the users permissions
+ clientsAuthSecret: "nats-clients-auth"
+
+ # How long to wait for authentication
+ clientsAuthTimeout: 5
+```
+
 ## Development
 ### Building the Docker Image
From 88f19bcd7da571a3004c364859ebbce3202c510e Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Thu, 7 Jun 2018 19:05:06 -0700
Subject: [PATCH 5/6] Update version of operator used in examples
Signed-off-by: Waldemar Quevedo
---
 example/deployment-rbac.yaml | 2 +-
 example/deployment.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/example/deployment-rbac.yaml b/example/deployment-rbac.yaml
index cdf6230b..fdd05108 100644
--- a/example/deployment-rbac.yaml
+++ b/example/deployment-rbac.yaml
@@ -28,7 +28,7 @@ spec:
 serviceAccountName: nats-operator
 containers:
 - name: nats-operator
- image: connecteverything/nats-operator:0.2.0-v1alpha2
+ image: connecteverything/nats-operator:0.2.2-v1alpha2
 imagePullPolicy: Always
 env:
 - name: MY_POD_NAMESPACE
diff --git a/example/deployment.yaml b/example/deployment.yaml
index 18e31205..94dd2184 100644
--- a/example/deployment.yaml
+++ b/example/deployment.yaml
@@ -14,7 +14,7 @@ spec:
 spec:
 containers:
 - name: nats-operator
- image: connecteverything/nats-operator:0.2.0-v1alpha2
+ image: connecteverything/nats-operator:0.2.2-v1alpha2
 imagePullPolicy: Always
 env:
 - name: MY_POD_NAMESPACE
From fb2847b5f0c0b0a0966014b720def73827e0e7fe Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Fri, 8 Jun 2018 09:14:23 -0700
Subject: [PATCH 6/6] Fix nil return in ConfigMap create
Signed-off-by: Waldemar Quevedo
---
 pkg/util/kubernetes/kubernetes.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/util/kubernetes/kubernetes.go b/pkg/util/kubernetes/kubernetes.go
index a5345365..51b875e4 100644
--- a/pkg/util/kubernetes/kubernetes.go
+++ b/pkg/util/kubernetes/kubernetes.go
@@ -251,7 +251,7 @@ func CreateConfigMap(kubecli corev1client.CoreV1Interface, clusterName, ns strin
 return err
 }
- return err
+ return nil
 }
 // UpdateConfigMap applies the new configuration of the cluster,
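Review bot: The new `return nil` follows an `if` block that already returns `err`, so the replaced `return err` could only have yielded a non-nil value if the `err` at that point was a different variable from the one tested above — for example an outer `err` still holding an earlier call's result while the final call assigned a shadowed `err :=` inside the `if` initializer; CreateConfigMap's body starts outside the hunk, so this cannot be confirmed here. If that shadowing is what the commit title "Fix nil return" refers to, it is worth saying so in the commit message and running the shadow analyzer over the package, since the sibling helpers may carry the same pattern. A doc comment on the function, e.g. `// CreateConfigMap creates the cluster's ConfigMap in namespace ns and returns nil on success; an error from the API call appears to be returned as-is, so callers can inspect it directly.`, would also pin the contract that callers now rely on — adjust the wording if the error is wrapped earlier in the body.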