-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for reading Auth data from a file on disk #159
Conversation
Untested, and needs a test. What do you recommend here @wallyqs ? |
Implements #156 ? |
Okay, if this looks good, I'll try to write some tests. Looks pretty gnarly though. |
Also, should I put the sample NatsCluster file somewhere? |
Thanks @schancel ! fwiw I think this approach might better than the other one of injecting all the credentials into the same config secret. The test could be a variation of this one maybe: https://github.com/nats-io/nats-operator/blob/master/test/e2e/config_reload_test.go#L100 |
@wallyqs Well, I finally got it compiling. I still can't setup the e2e tests locally due to virtualization being disabled on the hardware I'm using. Do you have any idea what's going on here w/ the panic and failing test? |
Okay it's failing on:
Specifically for my test. There must be something wrong with the manifest being provided to kubernetes. |
@@ -0,0 +1,32 @@ | |||
# This is an example NatsCluster manifest which uses a 3rd party initContainer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I built a new version of the reloader and the following works for me:
# This is an example NatsCluster manifest which uses a 3rd party initContainer
# to fetch the authorization credentials from outside kubernetes.
#
# An example of this could be consul-template getting user/passwords from vault.
apiVersion: "nats.io/v1alpha2"
kind: "NatsCluster"
metadata:
name: nats-auth-file-example
namespace: default
spec:
size: 1
version: "1.4.1"
natsConfig:
maxPayload: 20971520
pod:
enableConfigReload: true
reloaderImage: "wallyqs/nats-server-config-reloader"
reloaderImageTag: "0.4.4-v1alpha2"
reloaderImagePullPolicy: "IfNotPresent"
volumeMounts:
- name: authconfig
mountPath: /etc/nats-config/authconfig
auth:
clientsAuthFile: "authconfig/auth.json"
template:
spec:
initContainers:
- name: secret-getter
image: "busybox"
command: ["sh", "-c", "echo 'users = [ { user: 'foo', pass: 'bar' } ]' > /etc/nats-config/authconfig/auth.json"]
volumeMounts:
- name: authconfig
mountPath: /etc/nats-config/authconfig
volumes:
- name: authconfig
emptyDir: {}
natsCluster.Spec.Pod = &natsv1alpha2.PodPolicy{ | ||
// Enable configuration reloading. | ||
EnableConfigReload: true, | ||
VolumeMounts: []v1.VolumeMount{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reloader image does not get build along with the test so currently have to specify the new reloader image that can be used, for example using these that I pushed:
reloaderImage: "wallyqs/nats-server-config-reloader"
reloaderImageTag: "0.4.5-v1alpha2"
test/e2e/config_reload_test.go
Outdated
ConfigReloadTestHelper(t, func(natsCluster *natsv1alpha2.NatsCluster, cas *v1.Secret) { | ||
natsCluster.Spec.Auth = &natsv1alpha2.AuthConfig{ | ||
// Use the secret created above for client authentication. | ||
ClientsAuthFile: "/authconfig/auth.json", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the include
to work it has to be mounted at /etc/nats-config/authconfig/
since the includes have to be relative to where the main config is located which is /etc/nats-config/
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😱
That's a huge caveat to add to the documentation. Will definitely cause confusion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree... we'd have to cover with documentation for now.
pkg/util/kubernetes/pod.go
Outdated
@@ -93,6 +93,10 @@ func natsPodReloaderContainer(image, tag, pullPolicy string) v1.Container { | |||
constants.PidFilePath, | |||
}, | |||
} | |||
if authFilePath != "" { | |||
container.Command = append(container.Command, "-authfile", authFilePath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might have been wrong on this one... it looks like the reloader would already follow the events in the folder so if the volume is mounted underneath the main nats config file, it would signal as well in case of changes:
https://github.com/nats-io/nats-operator/blob/master/pkg/reloader/reloader.go#L94-L99
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, it's not supposed to be recursively watching. (According to the documentation)
I created another PR to fix these problems with reloader independently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's right... it only works per folder, it is not recursive so would need to list each of the folders that should be tracked for changes.
@wallyqs Yeah, I noticed that. I'm updating the reloader now to be a bit more generic |
Once the There was an issue in the reloader test that when decoding JSON it would also accidentally escape @@ -211,11 +215,24 @@ func ConfigReloadTestHelper(t *testing.T, customizer NatsClusterCustomizerWSecre
},
},
}
- // Serialize the object containing authentication data.
- if d, err = json.Marshal(auth); err != nil {
+ // Serialize the object containing authentication data,
+ // we are using wildcard so need to unescape the HTML
+ // which the JSON encoder does by default...
+ buf := &bytes.Buffer{}
+ encoder := json.NewEncoder(buf)
+ encoder.SetEscapeHTML(false)
+ err = encoder.Encode(auth)
+ if err != nil {
+ t.Fatal(err)
+ }
+ buf2 := &bytes.Buffer{}
+ err = json.Indent(buf2, buf.Bytes(), "", " ")
+ if err != nil {
t.Fatal(err)
}
+
// Create a secret containing authentication data.
+ d = buf2.Bytes()
if cas, err = f.CreateSecret(f.Namespace, "data", d); err != nil {
t.Fatal(err)
} |
Currently the config file expects there to only be one config file watched. However, the nats config file can include other paths, and we may also want to watch those. This commit implements being able to specify an arbtirary number of configuration files to be watched.
This commit adds support from reading the authorization section of the gnatsd config from a JSON file located within the nats-operator container. This allows secrets the data to be placed on disk using sidecars like consul-template. Depends on #171
Merged via 7ad614f |
This commit adds support from reading the authorization section of the
gnatsd config from a JSON file located within the nats-operator container.
This allows secrets the data to be placed on disk using sidecars like
consul-template
.Depends on #171