Merge pull request #180 from nats-io/verify-toggle

Add support to toggle TLS certs verify for clients

pkg/apis/nats/v1alpha2/cluster.go

@@ -197,6 +197,9 @@ type TLSConfig struct {
 	// RoutesTLSTimeout is the time in seconds that the NATS server will
 	// allow to routes to finish the TLS handshake.
 	RoutesTLSTimeout float64 `json:"routesTLSTimeout,omitempty"`
+
+	// Verify toggles verifying TLS certs for clients.
+	Verify bool `json:"verify,omitempty"`
 }
 
 // PodPolicy defines the policy to create pod for the NATS container.

pkg/util/kubernetes/kubernetes.go

@@ -164,6 +164,9 @@ func addTLSConfig(sconfig *natsconf.ServerConfig, cs v1alpha2.ClusterSpec) {
 		if cs.TLS.ClientsTLSTimeout > 0 {
 			sconfig.TLS.Timeout = cs.TLS.ClientsTLSTimeout
 		}
+
+		// Verifying clients cert is disabled by default.
+		sconfig.TLS.Verify = cs.TLS.Verify
 	}
 	if cs.TLS.RoutesSecret != "" {
 		sconfig.Cluster.TLS = &natsconf.TLSConfig{

test/e2e/tls_test.go

@@ -259,3 +259,58 @@ func TestCreateClusterWithCustomTLSTimeout(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestCreateClusterWithVerify(t *testing.T) {
+	natsCluster, err := f.CreateCluster(f.Namespace, "", 1, "", func(natsCluster *natsv1alpha2.NatsCluster) {
+		// The NatsCluster resource must be called "nats" in
+		// order for the pre-provisioned certificates to work.
+		natsCluster.Name = "nats"
+		natsCluster.Spec.ServerImage = "nats"
+		natsCluster.Spec.Version = "1.4.1"
+
+		// Enable TLS using pre-provisioned certificates.
+		natsCluster.Spec.TLS = &natsv1alpha2.TLSConfig{
+			Verify:       true,
+			ServerSecret: "nats-certs",
+		}
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Make sure we cleanup the NatsCluster resource after we're done testing.
+	defer func() {
+		if err = f.DeleteCluster(natsCluster); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	// Wait until the full mesh is formed.
+	ctx1, fn := context.WithTimeout(context.Background(), waitTimeout)
+	defer fn()
+	err = f.WaitUntilSecretCondition(ctx1, natsCluster, func(event watchapi.Event) (bool, error) {
+		secret := event.Object.(*v1.Secret)
+		conf, ok := secret.Data[constants.ConfigFileName]
+		if !ok {
+			return false, nil
+		}
+		config, err := natsconf.Unmarshal(conf)
+		if err != nil {
+			return false, nil
+		}
+		if config.TLS == nil || !config.TLS.Verify {
+			return false, nil
+		}
+
+		pods, err := f.PodsForNatsCluster(natsCluster)
+		if err != nil {
+			return false, nil
+		}
+		if len(pods) < 1 {
+			return false, nil
+		}
+		return true, nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}

version/version.go

@@ -15,6 +15,6 @@
 package version
 
 var (
-	OperatorVersion = "0.4.4-v1alpha2+git"
+	OperatorVersion = "0.4.5-v1alpha2+git"
 	GitSHA          = "Not provided"
 )