Nats tls (#4781)

* use tls for nats connections

* add config options for nats client tls config

* add nats tls config to CI

* add function to create a certpool

* add option to provide a rootCA to validate the server's TLS certificate

* add option to provide a rootCA to validate the server's TLS certificate

* add option to provide a rootCA to validate the server's TLS certificate

* add option to provide a rootCA to validate the server's TLS certificate

* configure nats clients in reva to use tls

services/graph/pkg/server/http/server.go

@@ -1,10 +1,15 @@
 package http
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"os"
+
 	"github.com/cs3org/reva/v2/pkg/events/server"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-micro/plugins/v4/events/natsjs"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
+	ociscrypto "github.com/owncloud/ocis/v2/ocis-pkg/crypto"
 	"github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/http"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
@@ -33,7 +38,26 @@ func Server(opts ...Option) (http.Service, error) {
 
 	if options.Config.Events.Endpoint != "" {
 		var err error
+		var rootCAPool *x509.CertPool
+		if options.Config.Events.TLSRootCACertificate != "" {
+			rootCrtFile, err := os.Open(options.Config.Events.TLSRootCACertificate)
+			if err != nil {
+				return http.Service{}, err
+			}
+
+			rootCAPool, err = ociscrypto.NewCertPoolFromPEM(rootCrtFile)
+			if err != nil {
+				return http.Service{}, err
+			}
+			options.Config.Events.TLSInsecure = false
+		}
+
+		tlsConf := &tls.Config{
+			InsecureSkipVerify: options.Config.Events.TLSInsecure, //nolint:gosec
+			RootCAs:            rootCAPool,
+		}
 		publisher, err = server.NewNatsStream(
+			natsjs.TLSConfig(tlsConf),
 			natsjs.Address(options.Config.Events.Endpoint),
 			natsjs.ClusterID(options.Config.Events.Cluster),
 		)