Extend Account to support token and user/password auth #219
Conversation
|
@samuelattwood @adriandieter @ramonberrutti @Jarema @johnweldon @vsinger UPD: I will really appreciate if you create a release as well so I could get rid of using a forked docker image. |
|
We will take a look at this one shortly. |
|
@samuelattwood could you please provide feedback for this PR? |
There was a problem hiding this comment.
Thanks for the contribution! Apologies as well for the delay. A few comments but nothing major.
I do have some mixed feelings on using the Account CRD for all types of shared auth. My concern is that it creates conceptual confusion with user/password authentication, as defining an Account resource in NACK would not inherently correspond to a NATS account - as it generally does now (except maybe in the case of TLS user mapping.)
I don't know if that would be sufficient justification to add a dedicated User CRD or if we want to just leave it in Account. @Jarema perhaps you have thoughts on this.
|
@samuelattwood ✅ Fixed all your notes. Please take a look |
When I started using NACK I had a confusion with |
I had the same issue when reading about the |
|
I also agree with the confusion that We should at least give a clarification in Or I'm missing something here @samuelattwood ? |
|
Something like this would be clear and easy to understand for me as a NACK user apiVersion: v1
kind: Secret
metadata:
name: nats-token
type: Opaque
data:
token: dG9rZW4=
---
apiVersion: jetstream.nats.io/v1beta3 # ⚠️ New API since it's a breaking change
kind: NatsClientConfig
metadata:
name: nats-client-config-account1
spec:
servers:
- 'nats://localhost:4222'
# We allow all auth options here.
# ⚠️ For those who does not care about security and just wants to test quickly: if I do not set secret.name then keys contain my creds in plaintext (no need to search for secret)
token:
secret:
name: nats-token
token: token
---
apiVersion: jetstream.nats.io/v1beta3
kind: Stream
metadata:
name: js-example
spec:
# ⚠️ No other options to configure connection - simpler NACK code and less confusion for new NACK users
# Focus on stream itself here and let natsClientConfig handle connection & auth.
natsClientConfig: nats-client-config-account1
name: js-example
storage: file
subjects:
- data.> |
|
To clarify my original point, with adding User/Password auth to the I don't disagree with the comments that the From scratch I would approach this differently, but I have concerns about such breaking changes as renaming it and stripping connect options from consumer/stream resources. If we do want to go that route I would be inclined to support the existing config for some period into the future, with deprecation warnings. |
I vote for quick changes. My company needs these changes for yesterday. I want to get rid of our NACK fork asap. |
Even if I had no accounts I would not use
So anyway you will need to introduce breaking changes in the future. |
|
The Along those lines, I think if we add the user/pass and token options to consumer and stream resources they should probably be file paths as well. You could already put the user:pass or token in the connection URL if you wanted to store them in the resource. That being said, since it seems there is support for amending the auth config in general, I would be ok with leaving those options out of the I am ok with proceeding with this merge, and doing an API revision in the near future to replace the |
|
@samuelattwood Thank you for clarifications. Applied review comments |
|
So to clarify, I no longer have to mount the |
Also moved repeated parts into shared controller to avoid code duplication.
Why not env var injection like initially proposed?
Injecting as env vars into server URL will leak secrets in logs. To avoid this we need to pass sensitive params into nats client as separate options.
Related to
nats-io/k8s#876
#76
Usage example (token)
Usage example (user with password)