add config option to enable or disable TLS for nats

2026-02-26 23:48:55 -06:00 · 2022-10-20 17:13:11 +02:00
parent ff8b16f9da
commit 45b92fc56f
26 changed files with 132 additions and 86 deletions
--- a/.drone.star
+++ b/.drone.star
@@ -1892,11 +1892,6 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
            "IDM_CREATE_DEMO_USERS": True,
            "IDM_ADMIN_PASSWORD": "admin",  # override the random admin password from `ocis init`
            "FRONTEND_SEARCH_MIN_LENGTH": "2",
-            "AUDIT_EVENTS_TLS_INSECURE": True,
-            "GRAPH_EVENTS_TLS_INSECURE": True,
-            "NOTIFICATIONS_EVENTS_TLS_INSECURE": True,
-            "SEARCH_EVENTS_TLS_INSECURE": True,
-            "NATS_TLS_SKIP_VERIFY_CLIENT_CERT": True,
        }
        wait_for_ocis = {
            "name": "wait-for-ocis-server",
--- a/changelog/unreleased/nats-tls.md
+++ b/changelog/unreleased/nats-tls.md
@@ -1,6 +1,16 @@
 Enhancement: Secure the nats connectin with TLS

 Encyrpted the connection to the event broker using TLS.
+Per default TLS is not enabled but can be enabled by setting either `OCIS_EVENTS_ENABLE_TLS=true` or the respective service configs:
+
+- `AUDIT_EVENTS_ENABLE_TLS=true`
+- `GRAPH_EVENTS_ENABLE_TLS=true`
+- `NATS_EVENTS_ENABLE_TLS=true`
+- `NOTIFICATIONS_EVENTS_ENABLE_TLS=true`
+- `SEARCH_EVENTS_ENABLE_TLS=true`
+- `SHARING_EVENTS_ENABLE_TLS=true`
+- `STORAGE_USERS_EVENTS_ENABLE_TLS=true`

 https://github.com/owncloud/ocis/pull/4781
 https://github.com/owncloud/ocis/pull/4800
+https://github.com/owncloud/ocis/pull/4867
--- a/go.mod
+++ b/go.mod
@@ -287,3 +287,5 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	stash.kopano.io/kgol/kcc-go/v5 v5.0.1 // indirect
 )
+
+replace github.com/cs3org/reva/v2 => github.com/c0rby/reva/v2 v2.0.0-20221020150403-9582e39cd8e8
--- a/services/audit/pkg/command/server.go
+++ b/services/audit/pkg/command/server.go
@@ -41,23 +41,26 @@ func Server(cfg *config.Config) *cli.Command {

 			evtsCfg := cfg.Events

-			var rootCAPool *x509.CertPool
-			if evtsCfg.TLSRootCACertificate != "" {
-				rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
-				if err != nil {
-					return err
+			var tlsConf *tls.Config
+			if evtsCfg.EnableTLS {
+				var rootCAPool *x509.CertPool
+				if evtsCfg.TLSRootCACertificate != "" {
+					rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
+					if err != nil {
+						return err
+					}
+
+					rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
+					if err != nil {
+						return err
+					}
+					evtsCfg.TLSInsecure = false
 				}

-				rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
-				if err != nil {
-					return err
+				tlsConf = &tls.Config{
+					InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
+					RootCAs:            rootCAPool,
 				}
-				evtsCfg.TLSInsecure = false
-			}
-
-			tlsConf := &tls.Config{
-				InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
-				RootCAs:            rootCAPool,
 			}
 			client, err := server.NewNatsStream(
 				natsjs.TLSConfig(tlsConf),
--- a/services/audit/pkg/config/config.go
+++ b/services/audit/pkg/config/config.go
@@ -28,6 +28,7 @@ type Events struct {
 	ConsumerGroup        string `yaml:"group" env:"AUDIT_EVENTS_GROUP" desc:"The consumergroup of the service. One group will only get one copy of an event."`
 	TLSInsecure          bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;AUDIT_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false."`
+	EnableTLS            bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;AUDIT_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }

 // Auditlog holds audit log information
--- a/services/audit/pkg/config/defaults/defaultconfig.go
+++ b/services/audit/pkg/config/defaults/defaultconfig.go
@@ -25,6 +25,7 @@ func DefaultConfig() *config.Config {
 			Endpoint:      "127.0.0.1:9233",
 			Cluster:       "ocis-cluster",
 			ConsumerGroup: "audit",
+			EnableTLS:     false,
 		},
 		Auditlog: config.Auditlog{
 			LogToConsole: true,
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
@@ -74,4 +74,5 @@ type Events struct {
 	Cluster              string `yaml:"cluster" env:"GRAPH_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."`
 	TLSInsecure          bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;GRAPH_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false."`
+	EnableTLS            bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;GRAPH_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
--- a/services/graph/pkg/config/defaults/defaultconfig.go
+++ b/services/graph/pkg/config/defaults/defaultconfig.go
@@ -66,8 +66,9 @@ func DefaultConfig() *config.Config {
 			},
 		},
 		Events: config.Events{
-			Endpoint: "127.0.0.1:9233",
-			Cluster:  "ocis-cluster",
+			Endpoint:  "127.0.0.1:9233",
+			Cluster:   "ocis-cluster",
+			EnableTLS: false,
 		},
 	}
 }
--- a/services/graph/pkg/server/http/server.go
+++ b/services/graph/pkg/server/http/server.go
@@ -38,23 +38,27 @@ func Server(opts ...Option) (http.Service, error) {

 	if options.Config.Events.Endpoint != "" {
 		var err error
-		var rootCAPool *x509.CertPool
-		if options.Config.Events.TLSRootCACertificate != "" {
-			rootCrtFile, err := os.Open(options.Config.Events.TLSRootCACertificate)
-			if err != nil {
-				return http.Service{}, err
+
+		var tlsConf *tls.Config
+		if options.Config.Events.EnableTLS {
+			var rootCAPool *x509.CertPool
+			if options.Config.Events.TLSRootCACertificate != "" {
+				rootCrtFile, err := os.Open(options.Config.Events.TLSRootCACertificate)
+				if err != nil {
+					return http.Service{}, err
+				}
+
+				rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
+				if err != nil {
+					return http.Service{}, err
+				}
+				options.Config.Events.TLSInsecure = false
 			}

-			rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
-			if err != nil {
-				return http.Service{}, err
+			tlsConf = &tls.Config{
+				InsecureSkipVerify: options.Config.Events.TLSInsecure, //nolint:gosec
+				RootCAs:            rootCAPool,
 			}
-			options.Config.Events.TLSInsecure = false
-		}
-
-		tlsConf := &tls.Config{
-			InsecureSkipVerify: options.Config.Events.TLSInsecure, //nolint:gosec
-			RootCAs:            rootCAPool,
 		}
 		publisher, err = server.NewNatsStream(
 			natsjs.TLSConfig(tlsConf),
--- a/services/nats/pkg/command/server.go
+++ b/services/nats/pkg/command/server.go
@@ -38,25 +38,28 @@ func Server(cfg *config.Config) *cli.Command {

 			defer cancel()

-			// Generate a self-signing cert if no certificate is present
-			if err := pkgcrypto.GenCert(cfg.Nats.TLSCert, cfg.Nats.TLSKey, logger); err != nil {
-				logger.Fatal().Err(err).Msgf("Could not generate test-certificate")
-			}
+			var tlsConf *tls.Config
+			if cfg.Nats.EnableTLS {
+				// Generate a self-signing cert if no certificate is present
+				if err := pkgcrypto.GenCert(cfg.Nats.TLSCert, cfg.Nats.TLSKey, logger); err != nil {
+					logger.Fatal().Err(err).Msgf("Could not generate test-certificate")
+				}

-			crt, err := tls.LoadX509KeyPair(cfg.Nats.TLSCert, cfg.Nats.TLSKey)
-			if err != nil {
-				return err
-			}
+				crt, err := tls.LoadX509KeyPair(cfg.Nats.TLSCert, cfg.Nats.TLSKey)
+				if err != nil {
+					return err
+				}

-			clientAuth := tls.RequireAndVerifyClientCert
-			if cfg.Nats.TLSSkipVerifyClientCert {
-				clientAuth = tls.NoClientCert
-			}
+				clientAuth := tls.RequireAndVerifyClientCert
+				if cfg.Nats.TLSSkipVerifyClientCert {
+					clientAuth = tls.NoClientCert
+				}

-			tlsConf := &tls.Config{
-				MinVersion:   tls.VersionTLS12,
-				ClientAuth:   clientAuth,
-				Certificates: []tls.Certificate{crt},
+				tlsConf = &tls.Config{
+					MinVersion:   tls.VersionTLS12,
+					ClientAuth:   clientAuth,
+					Certificates: []tls.Certificate{crt},
+				}
 			}
 			natsServer, err := nats.NewNATSServer(
 				ctx,
@@ -66,6 +69,7 @@ func Server(cfg *config.Config) *cli.Command {
 				nats.ClusterID(cfg.Nats.ClusterID),
 				nats.StoreDir(cfg.Nats.StoreDir),
 				nats.TLSConfig(tlsConf),
+				nats.AllowNonTLS(!cfg.Nats.EnableTLS),
 			)
 			if err != nil {
 				return err
--- a/services/nats/pkg/config/config.go
+++ b/services/nats/pkg/config/config.go
@@ -29,4 +29,5 @@ type Nats struct {
 	TLSCert                 string `yaml:"tls_cert" env:"NATS_TLS_CERT" desc:"File name of the TLS server certificate for the nats listener."`
 	TLSKey                  string `yaml:"tls_key" env:"NATS_TLS_KEY" desc:"File name for the TLS certificate key for the server certificate."`
 	TLSSkipVerifyClientCert bool   `yaml:"tls_skip_verify_client_cert" env:"OCIS_INSECURE;NATS_TLS_SKIP_VERIFY_CLIENT_CERT" desc:"Whether the NATS server should skip the client certificate verification during the TLS handshake."`
+	EnableTLS               bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;NATS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
--- a/services/nats/pkg/config/defaults/defaultconfig.go
+++ b/services/nats/pkg/config/defaults/defaultconfig.go
@@ -32,6 +32,7 @@ func DefaultConfig() *config.Config {
 			StoreDir:  filepath.Join(defaults.BaseDataPath(), "nats"),
 			TLSCert:   filepath.Join(defaults.BaseDataPath(), "nats/tls.crt"),
 			TLSKey:    filepath.Join(defaults.BaseDataPath(), "nats/tls.key"),
+			EnableTLS: false,
 		},
 	}
 }
--- a/services/nats/pkg/server/nats/nats.go
+++ b/services/nats/pkg/server/nats/nats.go
@@ -23,7 +23,6 @@ func NewNATSServer(ctx context.Context, logger nserver.Logger, opts ...NatsOptio

 	// enable JetStream
 	natsOpts.JetStream = true
-	natsOpts.AllowNonTLS = false

 	server, err := nserver.NewServer(natsOpts)
 	if err != nil {
--- a/services/nats/pkg/server/nats/options.go
+++ b/services/nats/pkg/server/nats/options.go
@@ -43,3 +43,10 @@ func TLSConfig(c *tls.Config) NatsOption {
 		o.TLSConfig = c
 	}
 }
+
+// AllowNonTLS sets the allow non tls options for the nats server
+func AllowNonTLS(v bool) NatsOption {
+	return func(o *nserver.Options) {
+		o.AllowNonTLS = v
+	}
+}
--- a/services/notifications/pkg/command/server.go
+++ b/services/notifications/pkg/command/server.go
@@ -39,23 +39,27 @@ func Server(cfg *config.Config) *cli.Command {
 			}

 			evtsCfg := cfg.Notifications.Events
-			var rootCAPool *x509.CertPool
-			if evtsCfg.TLSRootCACertificate != "" {
-				rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
-				if err != nil {
-					return err
+
+			var tlsConf *tls.Config
+			if evtsCfg.EnableTLS {
+				var rootCAPool *x509.CertPool
+				if evtsCfg.TLSRootCACertificate != "" {
+					rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
+					if err != nil {
+						return err
+					}
+
+					rootCAPool, err = crypto.NewCertPoolFromPEM(rootCrtFile)
+					if err != nil {
+						return err
+					}
+					evtsCfg.TLSInsecure = false
 				}

-				rootCAPool, err = crypto.NewCertPoolFromPEM(rootCrtFile)
-				if err != nil {
-					return err
+				tlsConf = &tls.Config{
+					InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
+					RootCAs:            rootCAPool,
 				}
-				evtsCfg.TLSInsecure = false
-			}
-
-			tlsConf := &tls.Config{
-				InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
-				RootCAs:            rootCAPool,
 			}
 			client, err := server.NewNatsStream(
 				natsjs.TLSConfig(tlsConf),
--- a/services/notifications/pkg/config/config.go
+++ b/services/notifications/pkg/config/config.go
@@ -48,4 +48,5 @@ type Events struct {
 	ConsumerGroup        string `yaml:"group" env:"NOTIFICATIONS_EVENTS_GROUP" desc:"Name of the event group / queue on the event system."`
 	TLSInsecure          bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;NOTIFICATIONS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."`
+	EnableTLS            bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;NOTIFICATIONS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
--- a/services/notifications/pkg/config/defaults/defaultconfig.go
+++ b/services/notifications/pkg/config/defaults/defaultconfig.go
@@ -34,6 +34,7 @@ func DefaultConfig() *config.Config {
 				Endpoint:      "127.0.0.1:9233",
 				Cluster:       "ocis-cluster",
 				ConsumerGroup: "notifications",
+				EnableTLS:     false,
 			},
 			RevaGateway: "127.0.0.1:9142",
 		},
--- a/services/search/pkg/config/config.go
+++ b/services/search/pkg/config/config.go
@@ -34,4 +34,5 @@ type Events struct {
 	ConsumerGroup        string `yaml:"group" env:"SEARCH_EVENTS_GROUP" desc:"The customer group of the service. One group will only get one copy of an event"`
 	TLSInsecure          bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;SEARCH_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 	TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false."`
+	EnableTLS            bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;SEARCH_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
--- a/services/search/pkg/config/defaults/defaultconfig.go
+++ b/services/search/pkg/config/defaults/defaultconfig.go
@@ -36,6 +36,7 @@ func DefaultConfig() *config.Config {
 			Endpoint:      "127.0.0.1:9233",
 			Cluster:       "ocis-cluster",
 			ConsumerGroup: "search",
+			EnableTLS:     false,
 		},
 		MachineAuthAPIKey: "",
 	}
--- a/services/search/pkg/service/v0/service.go
+++ b/services/search/pkg/service/v0/service.go
@@ -37,23 +37,26 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, error) {
 	// Connect to nats to listen for changes that need to trigger an index update
 	evtsCfg := cfg.Events

-	var rootCAPool *x509.CertPool
-	if evtsCfg.TLSRootCACertificate != "" {
-		rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
-		if err != nil {
-			return nil, err
+	var tlsConf *tls.Config
+	if evtsCfg.EnableTLS {
+		var rootCAPool *x509.CertPool
+		if evtsCfg.TLSRootCACertificate != "" {
+			rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
+			if err != nil {
+				return nil, err
+			}
+
+			rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
+			if err != nil {
+				return nil, err
+			}
+			evtsCfg.TLSInsecure = false
 		}

-		rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
-		if err != nil {
-			return nil, err
+		tlsConf = &tls.Config{
+			InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
+			RootCAs:            rootCAPool,
 		}
-		evtsCfg.TLSInsecure = false
-	}
-
-	tlsConf := &tls.Config{
-		InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
-		RootCAs:            rootCAPool,
 	}
 	client, err := server.NewNatsStream(
 		natsjs.TLSConfig(tlsConf),
--- a/services/sharing/pkg/config/config.go
+++ b/services/sharing/pkg/config/config.go
@@ -154,4 +154,5 @@ type Events struct {
 	ClusterID         string `yaml:"cluster" env:"SHARING_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."`
 	TLSInsecure       bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;SHARING_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 	TLSRootCaCertPath string `yaml:"tls_root_ca_cert_path" env:"SHARING_EVENTS_TLS_ROOT_CA_CERT" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false."`
+	EnableTLS         bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
--- a/services/sharing/pkg/config/defaults/defaultconfig.go
+++ b/services/sharing/pkg/config/defaults/defaultconfig.go
@@ -69,9 +69,9 @@ func DefaultConfig() *config.Config {
 			// TODO implement and add owncloudsql publicshare driver
 		},
 		Events: config.Events{
-			Addr:        "127.0.0.1:9233",
-			ClusterID:   "ocis-cluster",
-			TLSInsecure: true,
+			Addr:      "127.0.0.1:9233",
+			ClusterID: "ocis-cluster",
+			EnableTLS: false,
 		},
 	}
 }
--- a/services/sharing/pkg/revaconfig/config.go
+++ b/services/sharing/pkg/revaconfig/config.go
@@ -108,6 +108,7 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 					"clusterID":        cfg.Events.ClusterID,
 					"tls-insecure":     cfg.Events.TLSInsecure,
 					"tls-root-ca-cert": cfg.Events.TLSRootCaCertPath,
+					"enable-tls":       cfg.Events.EnableTLS,
 				},
 				"prometheus": map[string]interface{}{
 					"namespace": "ocis",
--- a/services/storage-users/pkg/config/config.go
+++ b/services/storage-users/pkg/config/config.go
@@ -137,6 +137,7 @@ type Events struct {
 	ClusterID         string `yaml:"cluster" env:"STORAGE_USERS_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."`
 	TLSInsecure       bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;STORAGE_USERS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 	TLSRootCaCertPath string `yaml:"tls_root_ca_cert_path" env:"STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERT" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false."`
+	EnableTLS         bool   `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;STORAGE_USERS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }

 // Cache holds cache config
--- a/services/storage-users/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-users/pkg/config/defaults/defaultconfig.go
@@ -75,9 +75,9 @@ func DefaultConfig() *config.Config {
 			},
 		},
 		Events: config.Events{
-			Addr:        "127.0.0.1:9233",
-			ClusterID:   "ocis-cluster",
-			TLSInsecure: true,
+			Addr:      "127.0.0.1:9233",
+			ClusterID: "ocis-cluster",
+			EnableTLS: false,
 		},
 		Cache: config.Cache{
 			Store:    "memory",
--- a/services/storage-users/pkg/revaconfig/config.go
+++ b/services/storage-users/pkg/revaconfig/config.go
@@ -40,6 +40,7 @@ func StorageUsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 					"clusterID":        cfg.Events.ClusterID,
 					"tls-insecure":     cfg.Events.TLSInsecure,
 					"tls-root-ca-cert": cfg.Events.TLSRootCaCertPath,
+					"enable-tls":       cfg.Events.EnableTLS,
 				},
 				"prometheus": map[string]interface{}{
 					"namespace": "ocis",
@@ -60,6 +61,7 @@ func StorageUsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 					"nats_clusterID":         cfg.Events.ClusterID,
 					"nats_tls_insecure":      cfg.Events.TLSInsecure,
 					"nats_root_ca_cert_path": cfg.Events.TLSRootCaCertPath,
+					"nats_enable_tls":        cfg.Events.EnableTLS,
 					"data_txs": map[string]interface{}{
 						"simple": map[string]interface{}{
 							"cache_store":    cfg.Cache.Store,