diff --git a/helm/charts/nats/files/config/tls.yaml b/helm/charts/nats/files/config/tls.yaml
index baab89e7..e658453d 100644
--- a/helm/charts/nats/files/config/tls.yaml
+++ b/helm/charts/nats/files/config/tls.yaml
@@ -3,9 +3,5 @@
 {{- $dir := trimSuffix "/" .dir }}
 cert_file: {{ printf "%s/%s" $dir .cert }}
 key_file: {{ printf "%s/%s" $dir .key }}
-{{- if .ca }}
-ca_file: {{ printf "%s/%s" $dir .ca }}
-verify: true
-{{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/charts/nats/files/nats-box/contexts-secret/context.yaml b/helm/charts/nats/files/nats-box/contexts-secret/context.yaml
index 5467e679..5abeac41 100644
--- a/helm/charts/nats/files/nats-box/contexts-secret/context.yaml
+++ b/helm/charts/nats/files/nats-box/contexts-secret/context.yaml
@@ -1,5 +1,4 @@
 {{- $contextName := .contextName }}
-{{- $caSet := false }}
 # url
 {{- if .Values.service.enabled }}
@@ -34,14 +33,8 @@ nkey: {{ $dir }}/{{ .key }}
 {{- with .tls }}
 {{- if .secretName }}
 {{- $dir := trimSuffix "/" .dir }}
-{{- if and .cert .key }}
-cert: {{ $dir }}/{{ .cert }}
-key: {{ $dir }}/{{ .key }}
-{{- end }}
-{{- if .ca }}
-{{- $caSet = true }}
-ca: {{ $dir }}/{{ .ca }}
-{{- end }}
+cert: {{ $dir }}/{{ .cert | default "tls.crt" }}
+key: {{ $dir }}/{{ .key | default "tls.key" }}
 {{- end }}
 {{- end }}
diff --git a/helm/charts/nats/test/config_test.go b/helm/charts/nats/test/config_test.go
index 993f649c..ea46d9ef 100644
--- a/helm/charts/nats/test/config_test.go
+++ b/helm/charts/nats/test/config_test.go
@@ -539,8 +539,8 @@ config:
 tls:
 enabled: true
 secretName: nats-tls
- ca: tls.ca
 merge:
+ ca_file: /etc/my-ca/ca.crt
 verify_cert_and_check_known_urls: true
 patch: [{op: add, path: /verify_and_map, value: true}]
 leafnodes:
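Review bot: With the `{{- if .ca }}` block removed, a values file that still sets `tls.ca` now renders a TLS block with neither `ca_file` nor `verify: true`, so client-certificate verification is dropped silently instead of the render failing (unless a values schema rejects the key, which this diff does not show). Consider replacing the removed block with a guard, `{{- if .ca }}{{ fail "tls.ca has been removed; set ca_file and verify under tls.merge" }}{{- end }}`, so existing values surface the change at install or upgrade time rather than at the first unverified client connection. The `with`/`if` blocks closed by the two trailing `{{- end }}` lines open before this hunk.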
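Review bot: The `default "tls.key"` fallback on the new `key:` line is never reached with the chart's own defaults, because the values.yaml hunk under `natsBox:` in this same diff ships `key: tls.ca`, so the generated nats-box context would point the client key at the CA file name; that values line should read `key: tls.key`, matching this template and every other `tls` block in values.yaml. Note also that `cert`/`key` are now written whenever `secretName` is set, where the old template only wrote them when both were given, so that behaviour change is worth a line in the chart notes. `$caSet` is removed in the first hunk of this file; if it is still referenced below this hunk, rendering will fail, but the rest of the file is not visible here.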
@@ -603,8 +603,7 @@ config:
 "key_file": "/etc/nats-certs/" + protocol + "/tls.key",
 }
 if protocol == "nats" {
- tls["ca_file"] = "/etc/nats-certs/" + protocol + "/tls.ca"
- tls["verify"] = true
+ tls["ca_file"] = "/etc/my-ca/ca.crt"
 tls["verify_cert_and_check_known_urls"] = true
 tls["verify_and_map"] = true
 expected.Conf.Value["tls"] = tls
@@ -640,7 +639,7 @@ config:
 reloaderArgs := expected.StatefulSet.Value.Spec.Template.Spec.Containers[1].Args
 for _, protocol := range []string{"cluster", "gateway", "leafnodes", "mqtt", "nats", "websocket"} {
 if protocol == "nats" {
- reloaderArgs = append(reloaderArgs, "-config", "/etc/nats-certs/"+protocol+"/tls.ca")
+ reloaderArgs = append(reloaderArgs, "-config", "/etc/my-ca/ca.crt")
 }
 reloaderArgs = append(reloaderArgs, "-config", "/etc/nats-certs/"+protocol+"/tls.crt", "-config", "/etc/nats-certs/"+protocol+"/tls.key")
 }
diff --git a/helm/charts/nats/test/resources_test.go b/helm/charts/nats/test/resources_test.go
index fe830b50..ea41cda5 100644
--- a/helm/charts/nats/test/resources_test.go
+++ b/helm/charts/nats/test/resources_test.go
@@ -79,9 +79,8 @@ natsBox:
 key: nats.nk
 tls:
 secretName: loaded-tls
- cert: tls.crt
- key: tls.key
- ca: tls.ca
+ merge:
+ ca: /etc/my-ca/ca.crt
 loadedContents:
 creds:
 contents: aabbcc
@@ -258,7 +257,7 @@ natsBox:
 expected.NatsBoxContextsSecret.Value.ObjectMeta.Labels["global"] = "global"
 expected.NatsBoxContextsSecret.Value.ObjectMeta.Namespace = "foo"
 expected.NatsBoxContextsSecret.Value.StringData["loadedSecret.json"] = `{
- "ca": "/etc/nats-certs/loadedSecret/tls.ca",
+ "ca": "/etc/my-ca/ca.crt",
 "cert": "/etc/nats-certs/loadedSecret/tls.crt",
 "creds": "/etc/nats-creds/loadedSecret/nats.creds",
 "key": "/etc/nats-certs/loadedSecret/tls.key",
diff --git a/helm/charts/nats/values.yaml b/helm/charts/nats/values.yaml
index 45afae43..277677f6 100644
--- a/helm/charts/nats/values.yaml
+++ b/helm/charts/nats/values.yaml
@@ -54,7 +54,6 @@ config:
 dir: /etc/nats-certs/cluster
 cert: tls.crt
 key: tls.key
- ca:
 # merge or patch the tls config
 # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
 merge: {}
@@ -109,7 +108,6 @@ config:
 dir: /etc/nats-certs/nats
 cert: tls.crt
 key: tls.key
- ca:
 # merge or patch the tls config
 # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
 merge: {}
@@ -125,7 +123,6 @@ config:
 dir: /etc/nats-certs/leafnodes
 cert: tls.crt
 key: tls.key
- ca:
 # merge or patch the tls config
 # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
 merge: {}
@@ -146,7 +143,6 @@ config:
 dir: /etc/nats-certs/websocket
 cert: tls.crt
 key: tls.key
- ca:
 # merge or patch the tls config
 # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
 merge: {}
@@ -189,7 +185,6 @@ config:
 dir: /etc/nats-certs/mqtt
 cert: tls.crt
 key: tls.key
- ca:
 # merge or patch the tls config
 # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
 merge: {}
@@ -210,7 +205,6 @@ config:
 dir: /etc/nats-certs/gateway
 cert: tls.crt
 key: tls.key
- ca:
 # merge or patch the tls config
 # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
 merge: {}
@@ -526,16 +520,14 @@ natsBox:
 # defaults to /etc/nats-nkeys/
 dir:
 key: nats.nk
+ # used to connect with client certificates
 tls:
 # set secretName in order to mount an existing secret to dir
 secretName:
 # defaults to /etc/nats-certs/
 dir:
- # set cert and key to name of secret data keys to enable mTLS
- cert:
- key:
- # set ca to name of secret data key to verify server CA
- ca:
+ cert: tls.crt
+ key: tls.ca
 # merge or patch the context
 # https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts
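Review bot: Dropping the `ca:` key leaves nothing in the values file telling users that CA-based client verification now has to be configured by hand, and the comment above `merge: {}` only links to the TLS docs; the same gap exists in the hunks at 109, 125, 146, 189 and 210. Suggest extending that comment in each block, e.g. `# to verify client certificates, add ca_file and verify: true (or verify_and_map) under merge`, so a user migrating from the old `ca:` setting can see where it went without reading the template. The config_test.go hunk in this diff exercises `ca_file` through `merge` but turns on `verify_and_map` through `patch`, which makes the intended migration path hard to discover from the values file alone.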