From 45b92fc56f6a708305186873bc6bbc2138b9762f Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Thu, 20 Oct 2022 17:13:11 +0200
Subject: [PATCH] add config option to enable or disable TLS for nats
---
.drone.star | 5 ---
changelog/unreleased/nats-tls.md | 10 ++++++
go.mod | 2 ++
services/audit/pkg/command/server.go | 31 ++++++++--------
services/audit/pkg/config/config.go | 1 +
.../pkg/config/defaults/defaultconfig.go | 1 +
services/graph/pkg/config/config.go | 1 +
.../pkg/config/defaults/defaultconfig.go | 5 +--
services/graph/pkg/server/http/server.go | 32 +++++++++--------
services/nats/pkg/command/server.go | 36 ++++++++++---------
services/nats/pkg/config/config.go | 1 +
.../nats/pkg/config/defaults/defaultconfig.go | 1 +
services/nats/pkg/server/nats/nats.go | 1 -
services/nats/pkg/server/nats/options.go | 7 ++++
services/notifications/pkg/command/server.go | 32 +++++++++--------
services/notifications/pkg/config/config.go | 1 +
.../pkg/config/defaults/defaultconfig.go | 1 +
services/search/pkg/config/config.go | 1 +
.../pkg/config/defaults/defaultconfig.go | 1 +
services/search/pkg/service/v0/service.go | 31 ++++++++--------
services/sharing/pkg/config/config.go | 1 +
.../pkg/config/defaults/defaultconfig.go | 6 ++--
services/sharing/pkg/revaconfig/config.go | 1 +
services/storage-users/pkg/config/config.go | 1 +
.../pkg/config/defaults/defaultconfig.go | 6 ++--
.../storage-users/pkg/revaconfig/config.go | 2 ++
26 files changed, 132 insertions(+), 86 deletions(-)
diff --git a/.drone.star b/.drone.star
index 68f39c0c5..3d74bf575 100644
--- a/.drone.star
+++ b/.drone.star
@@ -1892,11 +1892,6 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on = "IDM_CREATE_DEMO_USERS": True, "IDM_ADMIN_PASSWORD": "admin", # override the random admin password from `ocis init` "FRONTEND_SEARCH_MIN_LENGTH": "2", - "AUDIT_EVENTS_TLS_INSECURE": True, - "GRAPH_EVENTS_TLS_INSECURE": True, - "NOTIFICATIONS_EVENTS_TLS_INSECURE": True, - "SEARCH_EVENTS_TLS_INSECURE": True, - "NATS_TLS_SKIP_VERIFY_CLIENT_CERT": True, } wait_for_ocis = { "name": "wait-for-ocis-server", diff --git a/changelog/unreleased/nats-tls.md b/changelog/unreleased/nats-tls.md index 316c35b81..f27c53434 100644 --- a/changelog/unreleased/nats-tls.md +++ b/changelog/unreleased/nats-tls.md @@ -1,6 +1,16 @@ Enhancement: Secure the nats connectin with TLS Encyrpted the connection to the event broker using TLS. +Per default TLS is not enabled but can be enabled by setting either `OCIS_EVENTS_ENABLE_TLS=true` or the respective service configs: + +- `AUDIT_EVENTS_ENABLE_TLS=true` +- `GRAPH_EVENTS_ENABLE_TLS=true` +- `NATS_EVENTS_ENABLE_TLS=true` +- `NOTIFICATIONS_EVENTS_ENABLE_TLS=true` +- `SEARCH_EVENTS_ENABLE_TLS=true` +- `SHARING_EVENTS_ENABLE_TLS=true` +- `STORAGE_USERS_EVENTS_ENABLE_TLS=true` https://github.com/owncloud/ocis/pull/4781 https://github.com/owncloud/ocis/pull/4800 +https://github.com/owncloud/ocis/pull/4867 diff --git a/go.mod b/go.mod index 00976d148..42cb300ad 100644 --- a/go.mod +++ b/go.mod @@ -287,3 +287,5 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect stash.kopano.io/kgol/kcc-go/v5 v5.0.1 // indirect ) + +replace github.com/cs3org/reva/v2 => github.com/c0rby/reva/v2 v2.0.0-20221020150403-9582e39cd8e8 diff --git a/services/audit/pkg/command/server.go b/services/audit/pkg/command/server.go index 11c312dc0..8bbabfe1a 100644 --- a/services/audit/pkg/command/server.go +++ b/services/audit/pkg/command/server.go 
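Review bot: The go.mod hunk adds `replace github.com/cs3org/reva/v2 => github.com/c0rby/reva/v2 v2.0.0-20221020150403-9582e39cd8e8`, which pins every service in this commit to a personal fork at a pseudo-version rather than to a reviewed upstream release; the `enable-tls` and `nats_enable_tls` keys written by the sharing and storage-users revaconfig hunks presumably only have meaning against that fork. Unless this PR is a draft, the replace should be dropped and the reva `require` bumped to a tagged upstream version before merge, and the description should name the upstream reva change it depends on. If the directive has to stay temporarily, a comment above it such as `// TODO remove once the upstream reva change (link) is released` lets a reviewer verify the pinned commit instead of trusting the fork.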
@@ -41,23 +41,26 @@ func Server(cfg *config.Config) *cli.Command { evtsCfg := cfg.Events - var rootCAPool *x509.CertPool - if evtsCfg.TLSRootCACertificate != "" { - rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate) - if err != nil { - return err + var tlsConf *tls.Config + if evtsCfg.EnableTLS { + var rootCAPool *x509.CertPool + if evtsCfg.TLSRootCACertificate != "" { + rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate) + if err != nil { + return err + } + + rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile) + if err != nil { + return err + } + evtsCfg.TLSInsecure = false } - rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile) - if err != nil { - return err + tlsConf = &tls.Config{ + InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec + RootCAs: rootCAPool, } - evtsCfg.TLSInsecure = false - } - - tlsConf := &tls.Config{ - InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec - RootCAs: rootCAPool, } client, err := server.NewNatsStream( natsjs.TLSConfig(tlsConf), diff --git a/services/audit/pkg/config/config.go b/services/audit/pkg/config/config.go index ef6ba9f49..37b6f17ce 100644 --- a/services/audit/pkg/config/config.go +++ b/services/audit/pkg/config/config.go @@ -28,6 +28,7 @@ type Events struct { ConsumerGroup string `yaml:"group" env:"AUDIT_EVENTS_GROUP" desc:"The consumergroup of the service. One group will only get one copy of an event."` TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;AUDIT_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."` TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false."` + EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;AUDIT_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."` } // Auditlog holds audit log information 
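Review bot: When `evtsCfg.EnableTLS` is false the new block skips TLS entirely, so a deployment that sets `AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE` (or a non-default `TLSInsecure`) but not `AUDIT_EVENTS_ENABLE_TLS` silently talks to the broker in plaintext and the CA it configured is never read. Treating that combination as a misconfiguration would make the switch safer: `if !evtsCfg.EnableTLS && evtsCfg.TLSRootCACertificate != "" { return errors.New("events: tls_root_ca_certificate is set but enable_tls is false") }` before the `if evtsCfg.EnableTLS` block (an `errors` import may be needed), or at minimum a warning log. The identical blocks in services/graph/pkg/server/http/server.go, services/notifications/pkg/command/server.go and services/search/pkg/service/v0/service.go have the same silent downgrade, and the four copies are now a good candidate for one shared helper in the ocis crypto package that returns a `*tls.Config` from the events config. Separately, `rootCrtFile` from `os.Open` is never closed in any of the copies; `defer rootCrtFile.Close()` after the error check fixes it. The enclosing `Server` function starts and ends outside the hunk.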
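Review bot: The new `EnableTLS` field's `desc` says only "Enable TLS for the connection to the events broker."; since the generated env-var docs are where operators look, it should also state the default and that the sibling settings are inert without it, e.g. `desc:"Enable TLS for the connection to the events broker. Default is false. AUDIT_EVENTS_TLS_INSECURE and AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE only take effect when this is true."`. The same one-sentence description is added in the graph, nats, notifications, search, sharing and storage-users config.go hunks and should be adjusted there with the matching variable names.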
diff --git a/services/audit/pkg/config/defaults/defaultconfig.go b/services/audit/pkg/config/defaults/defaultconfig.go
index 5a4286cbc..51d0140dd 100644
--- a/services/audit/pkg/config/defaults/defaultconfig.go
+++ b/services/audit/pkg/config/defaults/defaultconfig.go
@@ -25,6 +25,7 @@ func DefaultConfig() *config.Config {
 Endpoint: "127.0.0.1:9233",
 Cluster: "ocis-cluster",
 ConsumerGroup: "audit",
+ EnableTLS: false,
 },
 Auditlog: config.Auditlog{
 LogToConsole: true,
diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go
index 6d6e56581..708bf4f6d 100644
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
@@ -74,4 +74,5 @@ type Events struct {
 Cluster string `yaml:"cluster" env:"GRAPH_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."`
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;GRAPH_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false."`
+ EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;GRAPH_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
diff --git a/services/graph/pkg/config/defaults/defaultconfig.go b/services/graph/pkg/config/defaults/defaultconfig.go
index a4648a557..34d05c2b0 100644
--- a/services/graph/pkg/config/defaults/defaultconfig.go
+++ b/services/graph/pkg/config/defaults/defaultconfig.go
@@ -66,8 +66,9 @@ func DefaultConfig() *config.Config {
 },
 },
 Events: config.Events{
- Endpoint: "127.0.0.1:9233",
- Cluster: "ocis-cluster",
+ Endpoint: "127.0.0.1:9233",
+ Cluster: "ocis-cluster",
+ EnableTLS: false,
 },
 }
 }
diff --git a/services/graph/pkg/server/http/server.go b/services/graph/pkg/server/http/server.go index d7ba70be8..489e6ed86 100644 --- a/services/graph/pkg/server/http/server.go +++ b/services/graph/pkg/server/http/server.go @@ -38,23 +38,27 @@ func Server(opts ...Option) (http.Service, error) { if options.Config.Events.Endpoint != "" { var err error - var rootCAPool *x509.CertPool - if options.Config.Events.TLSRootCACertificate != "" { - rootCrtFile, err := os.Open(options.Config.Events.TLSRootCACertificate) - if err != nil { - return http.Service{}, err + + var tlsConf *tls.Config + if options.Config.Events.EnableTLS { + var rootCAPool *x509.CertPool + if options.Config.Events.TLSRootCACertificate != "" { + rootCrtFile, err := os.Open(options.Config.Events.TLSRootCACertificate) + if err != nil { + return http.Service{}, err + } + + rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile) + if err != nil { + return http.Service{}, err + } + options.Config.Events.TLSInsecure = false } - rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile) - if err != nil { - return http.Service{}, err + tlsConf = &tls.Config{ + InsecureSkipVerify: options.Config.Events.TLSInsecure, //nolint:gosec + RootCAs: rootCAPool, } - options.Config.Events.TLSInsecure = false - } - - tlsConf := &tls.Config{ - InsecureSkipVerify: options.Config.Events.TLSInsecure, //nolint:gosec - RootCAs: rootCAPool, } publisher, err = server.NewNatsStream( natsjs.TLSConfig(tlsConf), diff --git a/services/nats/pkg/command/server.go b/services/nats/pkg/command/server.go index fae3e0cd6..c8de4e2ee 100644 --- a/services/nats/pkg/command/server.go +++ b/services/nats/pkg/command/server.go 
@@ -38,25 +38,28 @@ func Server(cfg *config.Config) *cli.Command { defer cancel() - // Generate a self-signing cert if no certificate is present - if err := pkgcrypto.GenCert(cfg.Nats.TLSCert, cfg.Nats.TLSKey, logger); err != nil { - logger.Fatal().Err(err).Msgf("Could not generate test-certificate") - } + var tlsConf *tls.Config + if cfg.Nats.EnableTLS { + // Generate a self-signing cert if no certificate is present + if err := pkgcrypto.GenCert(cfg.Nats.TLSCert, cfg.Nats.TLSKey, logger); err != nil { + logger.Fatal().Err(err).Msgf("Could not generate test-certificate") + } - crt, err := tls.LoadX509KeyPair(cfg.Nats.TLSCert, cfg.Nats.TLSKey) - if err != nil { - return err - } + crt, err := tls.LoadX509KeyPair(cfg.Nats.TLSCert, cfg.Nats.TLSKey) + if err != nil { + return err + } - clientAuth := tls.RequireAndVerifyClientCert - if cfg.Nats.TLSSkipVerifyClientCert { - clientAuth = tls.NoClientCert - } + clientAuth := tls.RequireAndVerifyClientCert + if cfg.Nats.TLSSkipVerifyClientCert { + clientAuth = tls.NoClientCert + } - tlsConf := &tls.Config{ - MinVersion: tls.VersionTLS12, - ClientAuth: clientAuth, - Certificates: []tls.Certificate{crt}, + tlsConf = &tls.Config{ + MinVersion: tls.VersionTLS12, + ClientAuth: clientAuth, + Certificates: []tls.Certificate{crt}, + } } natsServer, err := nats.NewNATSServer( ctx, @@ -66,6 +69,7 @@ func Server(cfg *config.Config) *cli.Command { nats.ClusterID(cfg.Nats.ClusterID), nats.StoreDir(cfg.Nats.StoreDir), nats.TLSConfig(tlsConf), + nats.AllowNonTLS(!cfg.Nats.EnableTLS), ) if err != nil { return err diff --git a/services/nats/pkg/config/config.go b/services/nats/pkg/config/config.go index 903a4de9b..61a001cd4 100644 --- a/services/nats/pkg/config/config.go +++ b/services/nats/pkg/config/config.go 
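Review bot: `nats.AllowNonTLS(!cfg.Nats.EnableTLS)` combined with the nil `tlsConf` makes the broker a plaintext listener whenever `EnableTLS` is false, and since the defaults hunk sets `EnableTLS: false`, that is now the out-of-the-box state; before this change the server always generated a certificate and defaulted to `tls.RequireAndVerifyClientCert`, so both transport encryption and client authentication are dropped by default. If that is the intended trade-off, the changelog should say so explicitly rather than leaving it implied by the defaults. The first hunk also skips `GenCert`, `LoadX509KeyPair` and the `TLSSkipVerifyClientCert` choice entirely when TLS is off, so `NATS_TLS_CERT`, `NATS_TLS_KEY` or `NATS_TLS_SKIP_VERIFY_CLIENT_CERT` being set while `NATS_EVENTS_ENABLE_TLS` is unset should be logged as ignored (`logger.Warn().Msg("nats TLS settings are ignored because enable_tls is false")`) or rejected. With the `*_TLS_INSECURE` overrides removed from .drone.star the CI pipeline presumably now runs everything in plaintext, which would leave the TLS branch guarded here without coverage. The enclosing `Server` function starts and ends outside the hunks.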
@@ -29,4 +29,5 @@ type Nats struct { TLSCert string `yaml:"tls_cert" env:"NATS_TLS_CERT" desc:"File name of the TLS server certificate for the nats listener."` TLSKey string `yaml:"tls_key" env:"NATS_TLS_KEY" desc:"File name for the TLS certificate key for the server certificate."` TLSSkipVerifyClientCert bool `yaml:"tls_skip_verify_client_cert" env:"OCIS_INSECURE;NATS_TLS_SKIP_VERIFY_CLIENT_CERT" desc:"Whether the NATS server should skip the client certificate verification during the TLS handshake."` + EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;NATS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."` } diff --git a/services/nats/pkg/config/defaults/defaultconfig.go b/services/nats/pkg/config/defaults/defaultconfig.go index fb5f91a8e..30ef1ace2 100644 --- a/services/nats/pkg/config/defaults/defaultconfig.go +++ b/services/nats/pkg/config/defaults/defaultconfig.go @@ -32,6 +32,7 @@ func DefaultConfig() *config.Config { StoreDir: filepath.Join(defaults.BaseDataPath(), "nats"), TLSCert: filepath.Join(defaults.BaseDataPath(), "nats/tls.crt"), TLSKey: filepath.Join(defaults.BaseDataPath(), "nats/tls.key"), + EnableTLS: false, }, } } diff --git a/services/nats/pkg/server/nats/nats.go b/services/nats/pkg/server/nats/nats.go index 8536804cc..e346596fd 100644 --- a/services/nats/pkg/server/nats/nats.go +++ b/services/nats/pkg/server/nats/nats.go @@ -23,7 +23,6 @@ func NewNATSServer(ctx context.Context, logger nserver.Logger, opts ...NatsOptio // enable JetStream natsOpts.JetStream = true - natsOpts.AllowNonTLS = false server, err := nserver.NewServer(natsOpts) if err != nil { diff --git a/services/nats/pkg/server/nats/options.go b/services/nats/pkg/server/nats/options.go index d2c66869e..fa596e235 100644 --- a/services/nats/pkg/server/nats/options.go +++ b/services/nats/pkg/server/nats/options.go 
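Review bot: In the nats service the new field is read from `OCIS_EVENTS_ENABLE_TLS;NATS_EVENTS_ENABLE_TLS` while the sibling TLS fields in the same struct are `NATS_TLS_CERT`, `NATS_TLS_KEY` and `NATS_TLS_SKIP_VERIFY_CLIENT_CERT`, so the `EVENTS` infix breaks the struct's own naming pattern; either document that it was chosen so the shared `OCIS_EVENTS_ENABLE_TLS` switch reads the same across services, or add a `NATS_TLS_`-prefixed alias. The `desc` is copied verbatim from the client services ("Enable TLS for the connection to the events broker.") but here it controls the broker's own listener; `desc:"Enable TLS on the NATS listener. When false the server accepts plaintext client connections. Default is false."` describes what the flag actually does.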
@@ -43,3 +43,10 @@ func TLSConfig(c *tls.Config) NatsOption { o.TLSConfig = c } } + +// AllowNonTLS sets the allow non tls options for the nats server +func AllowNonTLS(v bool) NatsOption { + return func(o *nserver.Options) { + o.AllowNonTLS = v + } +} diff --git a/services/notifications/pkg/command/server.go b/services/notifications/pkg/command/server.go index 6bc5034db..c27787ac3 100644 --- a/services/notifications/pkg/command/server.go +++ b/services/notifications/pkg/command/server.go @@ -39,23 +39,27 @@ func Server(cfg *config.Config) *cli.Command { } evtsCfg := cfg.Notifications.Events - var rootCAPool *x509.CertPool - if evtsCfg.TLSRootCACertificate != "" { - rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate) - if err != nil { - return err + + var tlsConf *tls.Config + if evtsCfg.EnableTLS { + var rootCAPool *x509.CertPool + if evtsCfg.TLSRootCACertificate != "" { + rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate) + if err != nil { + return err + } + + rootCAPool, err = crypto.NewCertPoolFromPEM(rootCrtFile) + if err != nil { + return err + } + evtsCfg.TLSInsecure = false } - rootCAPool, err = crypto.NewCertPoolFromPEM(rootCrtFile) - if err != nil { - return err + tlsConf = &tls.Config{ + InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec + RootCAs: rootCAPool, } - evtsCfg.TLSInsecure = false - } - - tlsConf := &tls.Config{ - InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec - RootCAs: rootCAPool, } client, err := server.NewNatsStream( natsjs.TLSConfig(tlsConf), diff --git a/services/notifications/pkg/config/config.go b/services/notifications/pkg/config/config.go index c2c20f025..15c0a6bbd 100644 --- a/services/notifications/pkg/config/config.go +++ b/services/notifications/pkg/config/config.go 
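Review bot: The doc comment `// AllowNonTLS sets the allow non tls options for the nats server` reads awkwardly and does not tell callers what the flag means for them; suggest `// AllowNonTLS controls whether the NATS server accepts plaintext (non-TLS) client connections in addition to TLS ones.`. Because nats.go drops the hard-coded `natsOpts.AllowNonTLS = false` in the same commit, a caller that omits this option now relies on the `nserver.Options` zero value, which is also false, so the default is unchanged; a second sentence saying so would stop the next reader from having to check.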
@@ -48,4 +48,5 @@ type Events struct {
 ConsumerGroup string `yaml:"group" env:"NOTIFICATIONS_EVENTS_GROUP" desc:"Name of the event group / queue on the event system."`
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;NOTIFICATIONS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false."`
+ EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;NOTIFICATIONS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
diff --git a/services/notifications/pkg/config/defaults/defaultconfig.go b/services/notifications/pkg/config/defaults/defaultconfig.go
index 849592926..53f8faa1d 100644
--- a/services/notifications/pkg/config/defaults/defaultconfig.go
+++ b/services/notifications/pkg/config/defaults/defaultconfig.go
@@ -34,6 +34,7 @@ func DefaultConfig() *config.Config {
 Endpoint: "127.0.0.1:9233",
 Cluster: "ocis-cluster",
 ConsumerGroup: "notifications",
+ EnableTLS: false,
 },
 RevaGateway: "127.0.0.1:9142",
 },
diff --git a/services/search/pkg/config/config.go b/services/search/pkg/config/config.go
index 6a1f56e83..a903ca8de 100644
--- a/services/search/pkg/config/config.go
+++ b/services/search/pkg/config/config.go
@@ -34,4 +34,5 @@ type Events struct {
 ConsumerGroup string `yaml:"group" env:"SEARCH_EVENTS_GROUP" desc:"The customer group of the service. One group will only get one copy of an event"`
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;SEARCH_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false."`
+ EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;SEARCH_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
diff --git a/services/search/pkg/config/defaults/defaultconfig.go b/services/search/pkg/config/defaults/defaultconfig.go
index 58eef0661..e3b2a5535 100644
--- a/services/search/pkg/config/defaults/defaultconfig.go
+++ b/services/search/pkg/config/defaults/defaultconfig.go
@@ -36,6 +36,7 @@ func DefaultConfig() *config.Config {
 Endpoint: "127.0.0.1:9233",
 Cluster: "ocis-cluster",
 ConsumerGroup: "search",
+ EnableTLS: false,
 },
 MachineAuthAPIKey: "",
 }
diff --git a/services/search/pkg/service/v0/service.go b/services/search/pkg/service/v0/service.go
index ec7ef06c2..cd6a3baae 100644
--- a/services/search/pkg/service/v0/service.go
+++ b/services/search/pkg/service/v0/service.go
@@ -37,23 +37,26 @@ func NewHandler(opts ...Option) (searchsvc.SearchProviderHandler, error) { // Connect to nats to listen for changes that need to trigger an index update evtsCfg := cfg.Events - var rootCAPool *x509.CertPool - if evtsCfg.TLSRootCACertificate != "" { - rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate) - if err != nil { - return nil, err + var tlsConf *tls.Config + if evtsCfg.EnableTLS { + var rootCAPool *x509.CertPool + if evtsCfg.TLSRootCACertificate != "" { + rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate) + if err != nil { + return nil, err + } + + rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile) + if err != nil { + return nil, err + } + evtsCfg.TLSInsecure = false } - rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile) - if err != nil { - return nil, err + tlsConf = &tls.Config{ + InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec + RootCAs: rootCAPool, } - evtsCfg.TLSInsecure = false - } - - tlsConf := &tls.Config{ - InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec - RootCAs: rootCAPool, } client, err := server.NewNatsStream( natsjs.TLSConfig(tlsConf), diff --git a/services/sharing/pkg/config/config.go b/services/sharing/pkg/config/config.go index 74a980431..77da2b31c 100644 --- a/services/sharing/pkg/config/config.go +++ b/services/sharing/pkg/config/config.go 
@@ -154,4 +154,5 @@ type Events struct {
 ClusterID string `yaml:"cluster" env:"SHARING_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."`
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;SHARING_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCaCertPath string `yaml:"tls_root_ca_cert_path" env:"SHARING_EVENTS_TLS_ROOT_CA_CERT" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false."`
+ EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }
diff --git a/services/sharing/pkg/config/defaults/defaultconfig.go b/services/sharing/pkg/config/defaults/defaultconfig.go
index 0b136a97a..d404b874d 100644
--- a/services/sharing/pkg/config/defaults/defaultconfig.go
+++ b/services/sharing/pkg/config/defaults/defaultconfig.go
@@ -69,9 +69,9 @@ func DefaultConfig() *config.Config {
 // TODO implement and add owncloudsql publicshare driver
 },
 Events: config.Events{
- Addr: "127.0.0.1:9233",
- ClusterID: "ocis-cluster",
- TLSInsecure: true,
+ Addr: "127.0.0.1:9233",
+ ClusterID: "ocis-cluster",
+ EnableTLS: false,
 },
 }
 }
diff --git a/services/sharing/pkg/revaconfig/config.go b/services/sharing/pkg/revaconfig/config.go
index 49761b8ae..a054d85ad 100644
--- a/services/sharing/pkg/revaconfig/config.go
+++ b/services/sharing/pkg/revaconfig/config.go
@@ -108,6 +108,7 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 "clusterID": cfg.Events.ClusterID,
 "tls-insecure": cfg.Events.TLSInsecure,
 "tls-root-ca-cert": cfg.Events.TLSRootCaCertPath,
+ "enable-tls": cfg.Events.EnableTLS,
 },
 "prometheus": map[string]interface{}{
 "namespace": "ocis",
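Review bot: Besides adding `EnableTLS: false`, the sharing defaults hunk removes `TLSInsecure: true`, so once an operator turns TLS on, server certificate verification is enforced where it was previously skipped by default; that is sound hardening, but it is a behaviour change for sharing and for storage-users (same edit in services/storage-users/pkg/config/defaults/defaultconfig.go) that the changelog entry does not mention. A sentence such as "sharing and storage-users no longer default `tls_insecure` to true; configure the root CA via `SHARING_EVENTS_TLS_ROOT_CA_CERT` / `STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERT` or opt in to insecure mode explicitly" would avoid surprise handshake failures on upgrade. The explicit `EnableTLS: false` is the zero value and could be omitted, but keeping it documents the default and matches the other services.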
diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go
index 4fb933cae..0f2652bd1 100644
--- a/services/storage-users/pkg/config/config.go
+++ b/services/storage-users/pkg/config/config.go
@@ -137,6 +137,7 @@ type Events struct {
 ClusterID string `yaml:"cluster" env:"STORAGE_USERS_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."`
 TLSInsecure bool `yaml:"tls_insecure" env:"OCIS_INSECURE;STORAGE_USERS_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
 TLSRootCaCertPath string `yaml:"tls_root_ca_cert_path" env:"STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERT" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false."`
+ EnableTLS bool `yaml:"enable_tls" env:"OCIS_EVENTS_ENABLE_TLS;STORAGE_USERS_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker."`
 }

 // Cache holds cache config
diff --git a/services/storage-users/pkg/config/defaults/defaultconfig.go b/services/storage-users/pkg/config/defaults/defaultconfig.go
index 0fdad518c..e1f98cb00 100644
--- a/services/storage-users/pkg/config/defaults/defaultconfig.go
+++ b/services/storage-users/pkg/config/defaults/defaultconfig.go
@@ -75,9 +75,9 @@ func DefaultConfig() *config.Config {
 },
 },
 Events: config.Events{
- Addr: "127.0.0.1:9233",
- ClusterID: "ocis-cluster",
- TLSInsecure: true,
+ Addr: "127.0.0.1:9233",
+ ClusterID: "ocis-cluster",
+ EnableTLS: false,
 },
 Cache: config.Cache{
 Store: "memory",
diff --git a/services/storage-users/pkg/revaconfig/config.go b/services/storage-users/pkg/revaconfig/config.go
index 332f8a5ef..4bc0ce988 100644
--- a/services/storage-users/pkg/revaconfig/config.go
+++ b/services/storage-users/pkg/revaconfig/config.go
@@ -40,6 +40,7 @@ func StorageUsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 "clusterID": cfg.Events.ClusterID,
 "tls-insecure": cfg.Events.TLSInsecure,
 "tls-root-ca-cert": cfg.Events.TLSRootCaCertPath,
+ "enable-tls": cfg.Events.EnableTLS,
 },
 "prometheus": map[string]interface{}{
 "namespace": "ocis",
@@ -60,6 +61,7 @@ func StorageUsersConfigFromStruct(cfg *config.Config) map[string]interface{} {
 "nats_clusterID": cfg.Events.ClusterID,
 "nats_tls_insecure": cfg.Events.TLSInsecure,
 "nats_root_ca_cert_path": cfg.Events.TLSRootCaCertPath,
+ "nats_enable_tls": cfg.Events.EnableTLS,
 "data_txs": map[string]interface{}{
 "simple": map[string]interface{}{
 "cache_store": cfg.Cache.Store,
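Review bot: The two hunks publish the same setting under two differently spelled keys, `"enable-tls"` in the first map and `"nats_enable_tls"` in the second, which mirrors the existing `tls-insecure` / `nats_tls_insecure` pair but means a typo in either would silently leave the reva side on its default (presumably plaintext) rather than fail at startup. Since both keys are presumably decoded by the reva module pinned through the go.mod replace, a short comment on each map naming the reva config struct that reads it (placeholder: `// consumed by <reva events/nats config struct>`) would let the next maintainer verify the spelling without reading the fork. `StorageUsersConfigFromStruct` starts and ends outside the hunks.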