Nats tls (#4781)

* use tls for nats connections * add config options for nats client tls config * add nats tls config to CI * add function to create a certpool * add option to provide a rootCA to validate the server's TLS certificate * add option to provide a rootCA to validate the server's TLS certificate * add option to provide a rootCA to validate the server's TLS certificate * add option to provide a rootCA to validate the server's TLS certificate * configure nats clients in reva to use tls
2026-01-06 12:19:37 -06:00 · 2022-10-12 14:56:47 +02:00
parent 24807bbac8
commit 4623b6c8e7
27 changed files with 289 additions and 54 deletions
--- a/services/audit/pkg/command/server.go
+++ b/services/audit/pkg/command/server.go
@@ -2,12 +2,16 @@ package command

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"os"

 	"github.com/cs3org/reva/v2/pkg/events"
 	"github.com/cs3org/reva/v2/pkg/events/server"
 	"github.com/go-micro/plugins/v4/events/natsjs"
 	"github.com/owncloud/ocis/v2/ocis-pkg/config/configlog"
+	ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
 	"github.com/owncloud/ocis/v2/services/audit/pkg/config"
 	"github.com/owncloud/ocis/v2/services/audit/pkg/config/parser"
 	"github.com/owncloud/ocis/v2/services/audit/pkg/logging"
@@ -36,7 +40,27 @@ func Server(cfg *config.Config) *cli.Command {
 			defer cancel()

 			evtsCfg := cfg.Events
+
+			var rootCAPool *x509.CertPool
+			if evtsCfg.TLSRootCACertificate != "" {
+				rootCrtFile, err := os.Open(evtsCfg.TLSRootCACertificate)
+				if err != nil {
+					return err
+				}
+
+				rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
+				if err != nil {
+					return err
+				}
+				evtsCfg.TLSInsecure = false
+			}
+
+			tlsConf := &tls.Config{
+				InsecureSkipVerify: evtsCfg.TLSInsecure, //nolint:gosec
+				RootCAs:            rootCAPool,
+			}
 			client, err := server.NewNatsStream(
+				natsjs.TLSConfig(tlsConf),
 				natsjs.Address(evtsCfg.Endpoint),
 				natsjs.ClusterID(evtsCfg.Cluster),
 			)