Merge pull request #35 from nats-io/account-server

[helm] Add support for using NATS Account Server as the resolver
nats-io · Apr 3, 2020 · fbbe257 · fbbe257
2 parents bccec69 + 7945641
commit fbbe257
Show file tree

Hide file tree

Showing 10 changed files with 389 additions and 11 deletions.
diff --git a/helm/charts/nats-account-server/Chart.yaml b/helm/charts/nats-account-server/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: "0.8.6"
+description: A Helm chart for the NATS.io JWT Account Server
+name: nats-account-server
+keywords:
+  - nats
+  - messaging
+  - cncf
+  - jwt
+  - auth
+version: 0.3.0
+home: http://github.com/nats-io/k8s
+maintainers:
+  - name: Waldemar Quevedo
+    github: https://github.com/wallyqs
+    email: [email protected]
+  - name: Colin Sullivan
+    github: https://github.com/ColinSullivan1
+    email: [email protected]
+icon: https://nats.io/img/logo.png
diff --git a/helm/charts/nats-account-server/templates/_helpers.tpl b/helm/charts/nats-account-server/templates/_helpers.tpl
@@ -0,0 +1,6 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Release.Name -}}
+{{- end -}}
diff --git a/helm/charts/nats-account-server/templates/configmap.yaml b/helm/charts/nats-account-server/templates/configmap.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "name" . }}-config
+  labels:
+    app: {{ template "name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+data:
+  accountserver.conf: |
+    # Host/Port for the NATS Account Server
+    http {
+      host: "0.0.0.0"
+      port: 9090
+    }
+
+    # Operator JWT used to validate the accounts.
+    operatorjwtpath: "/etc/nats-config/operator/{{ .Values.operator.operatorjwt.configMap.key }}"
+
+    {{- if .Values.nats.url }}
+    # System Account JWT
+    systemaccountjwtpath: "/etc/nats-config/sys/{{ .Values.operator.systemaccountjwt.configMap.key }}"
+
+    # NATS Server connection
+    nats {
+      servers: [{{ .Values.nats.url }}]
+      usercredentials: "/etc/nats-config/syscreds/{{ .Values.nats.credentials.secret.key }}"
+    }
+    {{- end }}
+
+    {{- if eq .Values.store.type "file"}}
+    store {
+      dir: "/store"
+    }
+    {{- end }}
diff --git a/helm/charts/nats-account-server/templates/service.yaml b/helm/charts/nats-account-server/templates/service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+spec:
+  selector:
+    app: {{ template "name" . }}
+  clusterIP: None
+  ports:
+  - name: server
+    port: 9090
diff --git a/helm/charts/nats-account-server/templates/statefulset.yaml b/helm/charts/nats-account-server/templates/statefulset.yaml
@@ -0,0 +1,92 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ template "name" . }}
+  labels:
+    app: {{ template "name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "name" . }}
+  replicas: 1
+  serviceName: {{ template "name" . }}
+  {{- if eq .Values.store.type "file"}}
+  volumeClaimTemplates:
+  - metadata:
+      name: {{ template "name" . }}-pvc
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.store.file.storageSize }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "name" . }}
+        chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    spec:
+      volumes:
+      - name: config-volume
+        configMap:
+          name: {{ template "name" . }}-config
+      - name: nats-sys-creds
+        secret:
+          secretName: {{ .Values.nats.credentials.secret.name }}
+      - name: system-account-jwt-volume
+        configMap:
+          name: {{ .Values.operator.systemaccountjwt.configMap.name }}
+      - name: operator-jwt-volume
+        configMap:
+          name: {{ .Values.operator.operatorjwt.configMap.name }}
+
+      ########################
+      #                      #
+      #  NATS Account Server #
+      #                      #
+      ########################
+      terminationGracePeriodSeconds: 60
+      containers:
+      - name: nats-account-server
+        image: {{ .Values.accountserver.image }}
+        imagePullPolicy: {{ .Values.accountserver.pullPolicy }}
+        ports:
+        - containerPort: 9090
+          # hostPort: 9090
+          name: server
+        command:
+         - "nats-account-server"
+         - "-c"
+         - "/etc/nats-config/conf/accountserver.conf"
+
+        volumeMounts:
+          - name: config-volume
+            mountPath: /etc/nats-config/conf
+          - name: system-account-jwt-volume
+            mountPath: /etc/nats-config/sys
+          - name: operator-jwt-volume
+            mountPath: /etc/nats-config/operator
+          - name: nats-sys-creds
+            mountPath: /etc/nats-config/syscreds
+          {{- if eq .Values.store.type "file"}}
+          - name: {{ template "name" . }}-pvc
+            mountPath: /store
+          {{- end }}
+
+        # Liveness/Readiness probes against the monitoring.
+        #
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 9090
+          initialDelaySeconds: 10
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 9090
+          initialDelaySeconds: 10
+          timeoutSeconds: 5
diff --git a/helm/charts/nats-account-server/values.yaml b/helm/charts/nats-account-server/values.yaml
@@ -0,0 +1,47 @@
+# Copyright 2020 The NATS Authors
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+# http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+accountserver:
+  image: "synadia/nats-account-server:0.8.4"
+  pullPolicy: IfNotPresent
+
+store:
+  type: file
+  file:
+    storageSize: 1Gi
+
+# NATS Server connection settings.
+# nats:
+#   # # NATS Service to which we can connect.
+#   # url: "nats://nats:4222"
+#   # 
+#   # # Credentials to connect to the NATS Server.
+#   # credentials:
+#   #   secret:
+#   #     name: nats-sys-creds
+#   #     key: sys.creds
+
+# Trusted Operator mode settings.
+# operator:
+#   # # Reference to the system account jwt.
+#   # systemaccountjwt:
+#   #   configMap:
+#   #     name: nats-sys-jwt
+#   #     key: SYS.jwt
+#   # 
+#   # # Reference to the Operator JWT.
+#   # operatorjwt:
+#   #   configMap:
+#   #     name: operator-jwt
+#   #     key: KO.jwt
diff --git a/helm/charts/nats/templates/configmap.yaml b/helm/charts/nats/templates/configmap.yaml
@@ -41,12 +41,66 @@ data:
     include "advertise/client_advertise.conf"
     {{- end }}
 
+    ################# 
+    #               #
+    # NATS Leafnode #
+    #               #
+    #################
     {{- if .Values.leafnodes.enabled }}
     leafnodes {
       listen: "0.0.0.0:7422"
       {{ if and .Values.nats.advertise .Values.nats.externalAccess }}
       include "advertise/gateway_advertise.conf"
       {{ end }}
+      
+      remotes: [
+      {{- range .Values.leafnodes.remotes }}
+      {
+        {{- with .url }}
+        url: {{ . }}
+        {{- end }}
+
+        {{- with .credentials }}
+        credentials: "/etc/nats-creds/{{ .secret.name }}/{{ .secret.key }}"
+        {{- end }}
+      }
+      {{- end }}
+      ]
+    }
+    {{ end }}
+
+    ################# 
+    #               #
+    # NATS Gateways #
+    #               #
+    #################
+    {{- if .Values.gateway.enabled }}
+    gateway {
+      name: {{ .Values.gateway.name }}
+      port: 7522
+
+      {{ if and .Values.nats.advertise .Values.nats.externalAccess }}
+      include "advertise/gateway_advertise.conf"
+      {{ end }}
+
+      # Gateways array here
+      gateways: [
+        {{- range .Values.gateway.gateways }}
+        {
+          {{- with .name }}
+          name: {{ . }}
+          {{- end }}
+
+          {{- with .url }}
+          url: {{ . | quote }}
+          {{- end }}
+
+          {{- with .urls }}
+          urls: {{ . | quote }}
+          {{- end }}
+        },
+        {{- end }}
+      ]
     }
     {{ end }}
 
@@ -118,4 +172,13 @@ data:
     resolver: MEMORY
     include "accounts/{{ .Values.auth.resolver.configMap.key }}"
     {{- end }}
+
+    {{- if eq .Values.auth.resolver.type "URL" }}
+    {{- with .Values.auth.resolver.url }}
+    resolver: URL({{ . }})
+    {{- end }}
+    operator: /etc/nats-config/operator/{{ .Values.auth.operatorjwt.configMap.key }}
+    system_account: {{ .Values.auth.systemAccount }}
+    {{- end }}
+
     {{- end }}
diff --git a/helm/charts/nats/templates/nats-box.yaml b/helm/charts/nats/templates/nats-box.yaml
@@ -8,15 +8,33 @@ metadata:
     app: {{ .Release.Name }}-box
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 spec:
+  volumes:
+  {{- if .Values.natsbox.credentials }}
+  - name: nats-sys-creds
+    secret:
+      secretName: {{ .Values.natsbox.credentials.secret.name }}
+  {{- end }}
+
   containers:
   - name: nats-box
     image: {{ .Values.natsbox.image }}
     imagePullPolicy: {{ .Values.natsbox.pullPolicy }}
     env:
     - name: NATS_URL
       value: {{ .Release.Name }}
+    {{- if .Values.natsbox.credentials }}
+    - name: USER_CREDS
+      value: /etc/nats-config/creds/{{ .Values.natsbox.credentials.secret.key }}
+    - name: USER2_CREDS
+      value: /etc/nats-config/creds/{{ .Values.natsbox.credentials.secret.key }}
+    {{- end }}
     command:
      - "tail"
      - "-f"
      - "/dev/null"
+    {{- if .Values.natsbox.credentials }}
+    volumeMounts:
+    - name: nats-sys-creds
+      mountPath: /etc/nats-config/creds
+    {{- end }}
 {{- end }}
diff --git a/helm/charts/nats/templates/statefulset.yaml b/helm/charts/nats/templates/statefulset.yaml
@@ -43,6 +43,12 @@ spec:
         configMap:
           name: {{ .Values.auth.resolver.configMap.name }}
       {{- end }}
+
+      {{- if eq .Values.auth.resolver.type "URL" }}
+      - name: operator-jwt-volume
+        configMap:
+          name: {{ .Values.auth.operatorjwt.configMap.name }}
+      {{- end }}
       {{- end }}
 
       {{ if and .Values.nats.externalAccess .Values.nats.advertise }}
@@ -51,6 +57,19 @@ spec:
         emptyDir: {}
       {{ end }}
 
+      {{- if .Values.leafnodes.enabled }}
+      # 
+      # Leafnode credential volumes
+      # 
+      {{- range .Values.leafnodes.remotes }}
+      {{- with .credentials }}
+      - name: {{ .secret.name }}-volume
+        secret:
+          secretName: {{ .secret.name }}
+      {{- end }}
+      {{- end }}
+      {{- end }}
+
       {{ if and .Values.nats.externalAccess .Values.nats.advertise }}
       # Assume that we only use the service account in case we want to
       # figure out what is the current external public IP from the server
@@ -154,6 +173,23 @@ spec:
           - name: resolver-volume
             mountPath: /etc/nats-config/accounts
           {{- end }}
+
+          {{- if eq .Values.auth.resolver.type "URL" }}
+          - name: operator-jwt-volume
+            mountPath: /etc/nats-config/operator
+          {{- end }}
+
+          {{- if .Values.leafnodes.enabled }}
+          # 
+          # Leafnode credential volumes
+          # 
+          {{- range .Values.leafnodes.remotes }}
+          {{- with .credentials }}
+          - name: {{ .secret.name }}-volume
+            mountPath: /etc/nats-creds/{{ .secret.name }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
           {{- end }}
 
         # Liveness/Readiness probes against the monitoring.