wip: update sample user

ZEISS · Dec 16, 2024 · 74fbe8e · 74fbe8e
1 parent c5ac8df
commit 74fbe8e
Show file tree

Hide file tree

Showing 8 changed files with 138 additions and 56 deletions.
diff --git a/api/v1alpha1/nats_user_types.go b/api/v1alpha1/nats_user_types.go
@@ -46,7 +46,7 @@ type NatsUserSpec struct {
 	// PrivateKey is a reference to a secret that contains the private key
 	PrivateKey NatsKeyReference `json:"privateKey,omitempty"`
 	// SignerKeyRef is a reference to a secret that contains the account signing key
-	SignerKeyRef NatsKeyReference `json:"signerKeyRef,omitempty"`
+	SignerKeyRef NatsKeyReference `json:"signerKeyRef"`
 	// Permissions define the permissions for the user
 	Permissions Permissions `json:"permissions,omitempty"`
 	// Limits define the limits for the user

diff --git a/controllers/natsaccount_controller.go b/controllers/natsaccount_controller.go
@@ -175,13 +175,38 @@ func (r *NatsAccountReconciler) reconcileAccount(ctx context.Context, account *n
 	}
 
 	token := jwt.NewAccountClaims(public)
+	token.Name = account.Name
 	token.Account = account.Spec.ToJWTAccount()
 
-	jwt, err := token.Encode(signerKp)
+	// for _, key := range account.Spec.SigningKeys {
+	// 	sk := &corev1.Secret{}
+	// 	skName := client.ObjectKey{
+	// 		Namespace: account.Namespace,
+	// 		Name:      key.Name,
+	// 	}
+
+	// 	if err := r.Get(ctx, skName, sk); err != nil {
+	// 		return err
+	// 	}
+
+	// 	skSigner, err := nkeys.FromSeed(sk.Data[OPERATOR_SEED_KEY])
+	// 	if err != nil {
+	// 		return err
+	// 	}
+
+	// 	pkSigner, err := skSigner.PublicKey()
+	// 	if err != nil {
+	// 		return err
+	// 	}
+
+	// 	token.SigningKeys.Add(pkSigner)
+	// }
+
+	t, err := token.Encode(signerKp)
 	if err != nil {
 		return err
 	}
-	account.Status.JWT = jwt
+	account.Status.JWT = t
 	account.Status.PublicKey = public
 
 	if !controllerutil.ContainsFinalizer(account, natsv1alpha1.FinalizerName) {

diff --git a/controllers/natsuser_controller.go b/controllers/natsuser_controller.go
@@ -117,6 +117,16 @@ func (r *NatsUserReconciler) reconcileResources(ctx context.Context, user *natsv
 }
 
 func (r *NatsUserReconciler) reconcileCredentials(ctx context.Context, user *natsv1alpha1.NatsUser) error {
+	privateKey := &corev1.Secret{}
+	privateKeyName := client.ObjectKey{
+		Namespace: user.Namespace,
+		Name:      user.Spec.PrivateKey.Name,
+	}
+
+	if err := r.Get(ctx, privateKeyName, privateKey); err != nil {
+		return err
+	}
+
 	secret := &corev1.Secret{}
 	secretName := client.ObjectKey{
 		Namespace: user.Namespace,
@@ -132,7 +142,7 @@ func (r *NatsUserReconciler) reconcileCredentials(ctx context.Context, user *nat
 	secret.Type = natsv1alpha1.SecretUserCredentialsName
 	secret.Data = map[string][]byte{
 		"user.jwt":   []byte(user.Status.JWT),
-		"user.creds": []byte(fmt.Sprintf(ACCOUNT_TEMPLATE, user.Status.JWT, user.Spec.PrivateKey.Name)),
+		"user.creds": []byte(fmt.Sprintf(ACCOUNT_TEMPLATE, user.Status.JWT, privateKey.Data[OPERATOR_SEED_KEY])),
 	}
 
 	_, err := controllerutil.CreateOrUpdate(ctx, r.Client, secret, func() error {
@@ -167,6 +177,16 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 		return err
 	}
 
+	// skAccount := &natsv1alpha1.NatsAccount{}
+	// skAccountName := client.ObjectKey{
+	// 	Namespace: user.Namespace,
+	// 	Name:      user.Spec.AccountRef.Name,
+	// }
+
+	// if err := r.Get(ctx, skAccountName, skAccount); err != nil {
+	// 	return err
+	// }
+
 	pk := &natsv1alpha1.NatsKey{}
 	pkName := client.ObjectKey{
 		Namespace: user.Namespace,
@@ -183,7 +203,7 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 		Name:      user.Spec.PrivateKey.Name,
 	}
 
-	if err := r.Get(ctx, pkSecretName, pkSecret); errors.IsNotFound(err) {
+	if err := r.Get(ctx, pkSecretName, pkSecret); err != nil {
 		return err
 	}
 
@@ -204,12 +224,14 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 
 	token := jwt.NewUserClaims(public)
 	token.User = user.Spec.ToNatsJWT()
+	// by default sigining key is the account public key
+	// token.IssuerAccount = skAccount.Status.PublicKey
 
-	jwt, err := token.Encode(signerKp)
+	t, err := token.Encode(signerKp)
 	if err != nil {
 		return err
 	}
-	user.Status.JWT = jwt
+	user.Status.JWT = t
 
 	if !controllerutil.HasControllerReference(user) {
 		if err := controllerutil.SetControllerReference(user, pk, r.Scheme); err != nil {

diff --git a/examples/account.yaml b/examples/account.yaml
diff --git a/examples/sample_user.yaml b/examples/sample_user.yaml
@@ -0,0 +1,67 @@
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsKey
+metadata:
+  name: natsaccount-sample-private-key
+spec:
+  type: Account
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsKey
+metadata:
+  name: natsaccount-demo-signing-key
+spec:
+  type: Account
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsAccount
+metadata:
+  name: natsaccount-sample
+spec:
+  signerKeyRef:
+    name: natsoperator-sample-private-key
+  privateKey:
+    name: natsaccount-sample-private-key
+  signingKeys:
+    - name: natsaccount-demo-signing-key
+  imports: []
+  exports: []
+  limits:
+    conn: -1
+    imports: -1
+    exports: -1
+    subs: -1
+    payload: -1
+    data: -1
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsKey
+metadata:
+  name: natsuser-sample-private-key
+spec:
+  type: User
+---
+apiVersion: natz.zeiss.com/v1alpha1
+kind: NatsUser
+metadata:
+  name: natsuser-sample
+spec:
+  privateKey:
+    name: natsuser-sample-private-key
+  signerKeyRef:
+    name: natsaccount-sample-private-key
+  permissions:
+    sub:
+      allow:
+        - "app.input.>"
+        - "app.process.data"
+    pub:
+      allow:
+        - "app.output.>"
+    resp:
+      # Allow request/reply
+      max: 1
+      ttl: -1
+  limits:
+    payload: -1
+    subs: -1
+    data: -1
diff --git a/examples/system_account.yaml b/examples/system_account.yaml
@@ -17,26 +17,24 @@ kind: NatsAccount
 metadata:
   name: natsoperator-system
 spec:
+  name: SYS
   signerKeyRef:
-    name: natsoperator-sample-private-key
+    name: natsoperator-system-private-key
   privateKey:
     name: natsoperator-system-private-key
   signingKeys:
     - name: natsoperator-system-signing-key
-  exports:
-    - name: account-monitoring-services
-      subject: $SYS.REQ.ACCOUNT.*.*
-      type: 2
-      response_type: Stream
-      account_token_position: 4
-      description: "Request account specific monitoring services for: SUBSZ, CONNZ, LEAFZ, JSZ and INFO"
-      info_url: "https://docs.nats.io/nats-server/configuration/sys_accounts"
-    - name: account-monitoring-streams
-      subject: $SYS.ACCOUNT.*.>"
-      type: 1
-      account_token_position: 3
-      description: "Account specific monitoring stream"
-      info_url: "https://docs.nats.io/nats-server/configuration/sys_accounts"
+  pub:
+    allow:
+      - $SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP
+      - $SYS.REQ.CLAIMS.UPDATE
+    sub:
+      allow:
+        - $SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUP
+    resp:
+      max: -1
+      ttl: -1
+export:
   limits:
     exports: -1
     imports: -1

diff --git a/helm/charts/natz-operator/templates/crds/natsusers.yaml b/helm/charts/natz-operator/templates/crds/natsusers.yaml
@@ -152,6 +152,8 @@ spec:
                 required:
                 - name
                 type: object
+            required:
+            - signerKeyRef
             type: object
           status:
             description: NatsUserStatus defines the observed state of NatsUser

diff --git a/manifests/crd/bases/natz.zeiss.com_natsusers.yaml b/manifests/crd/bases/natz.zeiss.com_natsusers.yaml
@@ -152,6 +152,8 @@ spec:
                 required:
                 - name
                 type: object
+            required:
+            - signerKeyRef
             type: object
           status:
             description: NatsUserStatus defines the observed state of NatsUser