Nats tls (#4781)

* use tls for nats connections * add config options for nats client tls config * add nats tls config to CI * add function to create a certpool * add option to provide a rootCA to validate the server's TLS certificate * add option to provide a rootCA to validate the server's TLS certificate * add option to provide a rootCA to validate the server's TLS certificate * add option to provide a rootCA to validate the server's TLS certificate * configure nats clients in reva to use tls
2026-01-06 12:19:37 -06:00 · 2022-10-12 14:56:47 +02:00
parent 24807bbac8
commit 4623b6c8e7
27 changed files with 289 additions and 54 deletions
--- a/services/sharing/pkg/config/config.go
+++ b/services/sharing/pkg/config/config.go
@@ -150,6 +150,8 @@ type PublicSharingJSONCS3Driver struct {
 }

 type Events struct {
-	Addr      string `yaml:"endpoint" env:"SHARING_EVENTS_ENDPOINT" desc:"The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."`
-	ClusterID string `yaml:"cluster" env:"SHARING_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."`
+	Addr              string `yaml:"endpoint" env:"SHARING_EVENTS_ENDPOINT" desc:"The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."`
+	ClusterID         string `yaml:"cluster" env:"SHARING_EVENTS_CLUSTER" desc:"The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."`
+	TLSInsecure       bool   `yaml:"tls_insecure" env:"OCIS_INSECURE;SHARING_EVENTS_TLS_INSECURE" desc:"Whether to verify the server TLS certificates."`
+	TLSRootCaCertPath string `yaml:"tls_root_ca_cert_path" env:"SHARING_EVENTS_TLS_ROOT_CA_CERT" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false."`
 }
--- a/services/sharing/pkg/config/defaults/defaultconfig.go
+++ b/services/sharing/pkg/config/defaults/defaultconfig.go
@@ -69,8 +69,9 @@ func DefaultConfig() *config.Config {
 			// TODO implement and add owncloudsql publicshare driver
 		},
 		Events: config.Events{
-			Addr:      "127.0.0.1:9233",
-			ClusterID: "ocis-cluster",
+			Addr:        "127.0.0.1:9233",
+			ClusterID:   "ocis-cluster",
+			TLSInsecure: true,
 		},
 	}
 }
--- a/services/sharing/pkg/revaconfig/config.go
+++ b/services/sharing/pkg/revaconfig/config.go
@@ -102,10 +102,12 @@ func SharingConfigFromStruct(cfg *config.Config) map[string]interface{} {
 			},
 			"interceptors": map[string]interface{}{
 				"eventsmiddleware": map[string]interface{}{
-					"group":     "sharing",
-					"type":      "nats",
-					"address":   cfg.Events.Addr,
-					"clusterID": cfg.Events.ClusterID,
+					"group":            "sharing",
+					"type":             "nats",
+					"address":          cfg.Events.Addr,
+					"clusterID":        cfg.Events.ClusterID,
+					"tls-insecure":     cfg.Events.TLSInsecure,
+					"tls-root-ca-cert": cfg.Events.TLSRootCaCertPath,
 				},
 			},
 		},