Add tlsfirst option to pass through to NATS connection (#189)
* Add tlsfirst option to pass through to NATS connection

* Code review feedback; better description of tlsfirst flag
johnweldon authored Jul 2, 2024
1 parent 6867d25 commit 2dd3825
Showing 2 changed files with 7 additions and 0 deletions.
2 changes: 2 additions & 0 deletions cmd/jetstream-controller/main.go
@@ -57,6 +57,7 @@ func run() error {
cert := flag.String("tlscert", "", "NATS TLS public certificate")
key := flag.String("tlskey", "", "NATS TLS private key")
ca := flag.String("tlsca", "", "NATS TLS certificate authority chain")
tlsfirst := flag.Bool("tlsfirst", false, "If enabled, forces explicit TLS without waiting for Server INFO")
server := flag.String("s", "", "NATS Server URL")
crdConnect := flag.Bool("crd-connect", false, "If true, then NATS connections will be made from CRD config, not global config")
cleanupPeriod := flag.Duration("cleanup-period", 30*time.Second, "Period to run object cleanup")
@@ -111,6 +112,7 @@ func run() error {
NATSCA: *ca,
NATSCertificate: *cert,
NATSKey: *key,
NATSTLSFirst: *tlsfirst,
KubeIface: kc,
JetstreamIface: jc,
Namespace: *namespace,
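Review bot: The help text for the new `tlsfirst` flag does not tell the operator that the NATS server has to be configured for a TLS-first handshake as well. The nats.go documentation for `TLSHandshakeFirst` states that the connection fails when the server is not set up to match, so enabling the flag alone leaves the controller unable to connect. I would extend the description to something like `"If enabled, performs the TLS handshake before the server INFO is received; the NATS server must be configured for handshake-first TLS as well"`. run's body starts and ends outside both hunks.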
5 changes: 5 additions & 0 deletions controllers/jetstream/controller.go
@@ -75,6 +75,8 @@ type Options struct {
NATSCertificate string
NATSKey string

NATSTLSFirst bool

Namespace string
CRDConnect bool
CleanupPeriod time.Duration
@@ -180,6 +182,9 @@ func (c *Controller) Run() error {
opts := make([]nats.Option, 0)
// Always attempt to have a connection to NATS.
opts = append(opts, nats.MaxReconnects(-1))
if c.opts.NATSTLSFirst {
opts = append(opts, nats.TLSHandshakeFirst())
}
natsCtxDefaults := &natsContextDefaults{Name: c.opts.NATSClientName}
if !c.opts.CRDConnect {
// Use JWT/NKEYS based credentials if present.
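Review bot: `nats.TLSHandshakeFirst()` is appended only to the controller-level `opts` in `Run`, and nothing in this hunk shows the option reaching connections built from CRD config when `CRDConnect` is true, so those connections may still wait for the plaintext INFO before upgrading to TLS. If that scope is intended, say so on the field, e.g. `// NATSTLSFirst makes the global NATS connection perform the TLS handshake before the server INFO; the server must be configured to match.` above `NATSTLSFirst bool` in `Options`. If it is not intended, the CRD connection path should receive the same option. Run's body continues outside the hunk, so the CRD path cannot be checked from here.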
