[helm nats 1.x] remove tls.ca options
Signed-off-by: Caleb Lloyd <[email protected]>
Caleb Lloyd committed Jul 6, 2023
1 parent 732d758 commit 817c921
Showing 5 changed files with 11 additions and 32 deletions.
4 changes: 0 additions & 4 deletions helm/charts/nats/files/config/tls.yaml
@@ -3,9 +3,5 @@
{{- $dir := trimSuffix "/" .dir }}
cert_file: {{ printf "%s/%s" $dir .cert }}
key_file: {{ printf "%s/%s" $dir .key }}
{{- if .ca }}
ca_file: {{ printf "%s/%s" $dir .ca }}
verify: true
{{- end }}
{{- end }}
{{- end }}
11 changes: 2 additions & 9 deletions helm/charts/nats/files/nats-box/contexts-secret/context.yaml
@@ -1,5 +1,4 @@
{{- $contextName := .contextName }}
{{- $caSet := false }}

# url
{{- if .Values.service.enabled }}
@@ -34,14 +33,8 @@ nkey: {{ $dir }}/{{ .key }}
{{- with .tls }}
{{- if .secretName }}
{{- $dir := trimSuffix "/" .dir }}
{{- if and .cert .key }}
cert: {{ $dir }}/{{ .cert }}
key: {{ $dir }}/{{ .key }}
{{- end }}
{{- if .ca }}
{{- $caSet = true }}
ca: {{ $dir }}/{{ .ca }}
{{- end }}
cert: {{ $dir }}/{{ .cert | default "tls.crt" }}
key: {{ $dir }}/{{ .key | default "tls.key" }}
{{- end }}
{{- end }}
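Review bot: With the `if and .cert .key` guard gone, setting `secretName` always writes `cert` and `key` paths into the context, and a CA can no longer be set from this block at all. A short comment above the `cert:` line would make that explicit, e.g. `# cert and key are always rendered when secretName is set; supply a CA through the context's merge`. The `{{ $dir }}/{{ ... }}` values are also emitted unquoted, so piping the joined path through `quote` would keep an unusual directory or secret key name from changing the rendered YAML structure. The file continues past this hunk, so whether `$caSet` is still referenced further down cannot be checked from here.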

7 changes: 3 additions & 4 deletions helm/charts/nats/test/config_test.go
@@ -539,8 +539,8 @@ config:
tls:
enabled: true
secretName: nats-tls
ca: tls.ca
merge:
ca_file: /etc/my-ca/ca.crt
verify_cert_and_check_known_urls: true
patch: [{op: add, path: /verify_and_map, value: true}]
leafnodes:
@@ -603,8 +603,7 @@ config:
"key_file": "/etc/nats-certs/" + protocol + "/tls.key",
}
if protocol == "nats" {
tls["ca_file"] = "/etc/nats-certs/" + protocol + "/tls.ca"
tls["verify"] = true
tls["ca_file"] = "/etc/my-ca/ca.crt"
tls["verify_cert_and_check_known_urls"] = true
tls["verify_and_map"] = true
expected.Conf.Value["tls"] = tls
@@ -640,7 +639,7 @@ config:
reloaderArgs := expected.StatefulSet.Value.Spec.Template.Spec.Containers[1].Args
for _, protocol := range []string{"cluster", "gateway", "leafnodes", "mqtt", "nats", "websocket"} {
if protocol == "nats" {
reloaderArgs = append(reloaderArgs, "-config", "/etc/nats-certs/"+protocol+"/tls.ca")
reloaderArgs = append(reloaderArgs, "-config", "/etc/my-ca/ca.crt")
}
reloaderArgs = append(reloaderArgs, "-config", "/etc/nats-certs/"+protocol+"/tls.crt", "-config", "/etc/nats-certs/"+protocol+"/tls.key")
}
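Review bot: Nothing in the updated test covers a values file that still sets the removed `tls.ca` key. The old tls.yaml template turned that key into `ca_file` plus `verify: true`, so unless the chart's schema rejects unknown keys (not visible here), an upgraded release would render the listener without client-certificate verification and without any error. Consider a case that renders with `ca: tls.ca` still set and asserts a failure, and one with `merge: {ca_file: /etc/my-ca/ca.crt, verify: true}` that pins the replacement path. The rewritten fixture only reaches verification through `verify_and_map` and `verify_cert_and_check_known_urls`. The test functions start and end outside these hunks.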
7 changes: 3 additions & 4 deletions helm/charts/nats/test/resources_test.go
@@ -79,9 +79,8 @@ natsBox:
key: nats.nk
tls:
secretName: loaded-tls
cert: tls.crt
key: tls.key
ca: tls.ca
merge:
ca: /etc/my-ca/ca.crt
loadedContents:
creds:
contents: aabbcc
@@ -258,7 +257,7 @@ natsBox:
expected.NatsBoxContextsSecret.Value.ObjectMeta.Labels["global"] = "global"
expected.NatsBoxContextsSecret.Value.ObjectMeta.Namespace = "foo"
expected.NatsBoxContextsSecret.Value.StringData["loadedSecret.json"] = `{
"ca": "/etc/nats-certs/loadedSecret/tls.ca",
"ca": "/etc/my-ca/ca.crt",
"cert": "/etc/nats-certs/loadedSecret/tls.crt",
"creds": "/etc/nats-creds/loadedSecret/nats.creds",
"key": "/etc/nats-certs/loadedSecret/tls.key",
14 changes: 3 additions & 11 deletions helm/charts/nats/values.yaml
@@ -54,7 +54,6 @@ config:
dir: /etc/nats-certs/cluster
cert: tls.crt
key: tls.key
ca:
# merge or patch the tls config
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
merge: {}
@@ -109,7 +108,6 @@ config:
dir: /etc/nats-certs/nats
cert: tls.crt
key: tls.key
ca:
# merge or patch the tls config
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
merge: {}
@@ -125,7 +123,6 @@ config:
dir: /etc/nats-certs/leafnodes
cert: tls.crt
key: tls.key
ca:
# merge or patch the tls config
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
merge: {}
@@ -146,7 +143,6 @@ config:
dir: /etc/nats-certs/websocket
cert: tls.crt
key: tls.key
ca:
# merge or patch the tls config
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
merge: {}
@@ -189,7 +185,6 @@ config:
dir: /etc/nats-certs/mqtt
cert: tls.crt
key: tls.key
ca:
# merge or patch the tls config
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
merge: {}
@@ -210,7 +205,6 @@ config:
dir: /etc/nats-certs/gateway
cert: tls.crt
key: tls.key
ca:
# merge or patch the tls config
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
merge: {}
@@ -526,16 +520,14 @@ natsBox:
# defaults to /etc/nats-nkeys/<context-name>
dir:
key: nats.nk
# used to connect with client certificates
tls:
# set secretName in order to mount an existing secret to dir
secretName:
# defaults to /etc/nats-certs/<context-name>
dir:
# set cert and key to name of secret data keys to enable mTLS
cert:
key:
# set ca to name of secret data key to verify server CA
ca:
cert: tls.crt
key: tls.ca

# merge or patch the context
# https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts
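Review bot: The new natsBox context default `key: tls.ca` in the last hunk looks like a typo for `tls.key`: the sibling default is `cert: tls.crt`, and the fallback in context.yaml is `default "tls.key"`. As written, a context that sets only `secretName` would get its client private-key path rendered as `<dir>/tls.ca`, so mTLS from nats-box would fail, and the name invites storing key material under a CA-labelled secret entry. Suggested line: `key: tls.key`. The resources_test.go case in this commit omits `cert`/`key` on a separately named context, so it presumably exercises the template fallback rather than this default and would not catch the mismatch.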
