diff --git a/pkg/nats/options.go b/pkg/nats/options.go new file mode 100644 index 0000000000..43d54be2e6 --- /dev/null +++ b/pkg/nats/options.go @@ -0,0 +1,20 @@ +package nats + +import ( + "crypto/tls" + + "github.com/nats-io/nats.go" +) + +func Secure(enableTLS, insecure bool, rootCA string) nats.Option { + if enableTLS { + if rootCA != "" { + return nats.RootCAs(rootCA) + } + return nats.Secure(&tls.Config{ + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: insecure, + }) + } + return nil +} diff --git a/pkg/shared/shared_types.go b/pkg/shared/shared_types.go index a3dc0437d0..16f7fbda7e 100644 --- a/pkg/shared/shared_types.go +++ b/pkg/shared/shared_types.go @@ -48,14 +48,17 @@ type HTTPServiceTLS struct { } type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OC_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Commons holds configuration that are common to all extensions. Each extension can then decide whether diff --git a/services/activitylog/pkg/command/server.go b/services/activitylog/pkg/command/server.go index 10533fa9a5..59b7cef3a8 100644 --- a/services/activitylog/pkg/command/server.go +++ b/services/activitylog/pkg/command/server.go @@ -9,9 +9,7 @@ import ( "github.com/opencloud-eu/reva/v2/pkg/events" "github.com/opencloud-eu/reva/v2/pkg/events/stream" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" - "github.com/opencloud-eu/reva/v2/pkg/store" "github.com/spf13/cobra" - microstore "go-micro.dev/v4/store" "github.com/opencloud-eu/opencloud/pkg/config/configlog" "github.com/opencloud-eu/opencloud/pkg/generators" @@ -77,15 +75,6 @@ func Server(cfg *config.Config) *cobra.Command { return err } - evStore := store.Create( - store.Store(cfg.Store.Store), - store.TTL(cfg.Store.TTL), - microstore.Nodes(cfg.Store.Nodes...), - microstore.Database(cfg.Store.Database), - microstore.Table(cfg.Store.Table), - store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), - ) - tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) if err != nil { logger.Error().Err(err).Msg("Failed to parse tls mode") @@ -120,7 +109,6 @@ func Server(cfg *config.Config) *cobra.Command { http.Context(ctx), // NOTE: not passing this "option" leads to a panic in go-micro http.TraceProvider(tracerProvider), http.Stream(evStream), - http.Store(evStore), http.GatewaySelector(gatewaySelector), http.HistoryClient(hClient), http.ValueClient(vClient), diff --git a/services/activitylog/pkg/config/config.go b/services/activitylog/pkg/config/config.go index 3e904571c9..41cd8ea96c 100644 --- a/services/activitylog/pkg/config/config.go +++ b/services/activitylog/pkg/config/config.go @@ -50,13 +50,15 @@ type Events struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"ACTIVITYLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;ACTIVITYLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;ACTIVITYLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // ServiceAccount is the configuration for the used service account diff --git a/services/activitylog/pkg/config/defaults/defaultconfig.go b/services/activitylog/pkg/config/defaults/defaultconfig.go index 7265cd56eb..7b6e8306d7 100644 --- a/services/activitylog/pkg/config/defaults/defaultconfig.go +++ b/services/activitylog/pkg/config/defaults/defaultconfig.go @@ -37,7 +37,6 @@ func DefaultConfig() *config.Config { Store: "nats-js-kv", Nodes: []string{"127.0.0.1:9233"}, Database: "activitylog", - Table: "", }, RevaGateway: shared.DefaultRevaConfig().Address, DefaultLanguage: "en", diff --git a/services/activitylog/pkg/server/debug/server.go b/services/activitylog/pkg/server/debug/server.go index 4d29a4480f..79a016f421 100644 --- a/services/activitylog/pkg/server/debug/server.go +++ b/services/activitylog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("http reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/activitylog/pkg/server/http/server.go b/services/activitylog/pkg/server/http/server.go index 2e4515806c..735a33d011 100644 --- a/services/activitylog/pkg/server/http/server.go +++ b/services/activitylog/pkg/server/http/server.go @@ -81,7 +81,6 @@ func Server(opts ...Option) (http.Service, error) { svc.Logger(options.Logger), svc.Stream(options.Stream), svc.Mux(mux), - svc.Store(options.Store), svc.Config(options.Config), svc.GatewaySelector(options.GatewaySelector), svc.TraceProvider(options.TraceProvider), diff --git a/services/activitylog/pkg/service/options.go b/services/activitylog/pkg/service/options.go index 22c6d6282b..282b1147f1 100644 --- a/services/activitylog/pkg/service/options.go +++ b/services/activitylog/pkg/service/options.go @@ -11,7 +11,6 @@ import ( "github.com/opencloud-eu/opencloud/services/activitylog/pkg/config" "github.com/opencloud-eu/reva/v2/pkg/events" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" - microstore "go-micro.dev/v4/store" "go.opentelemetry.io/otel/trace" ) @@ -25,7 +24,6 @@ type Options struct { TraceProvider trace.TracerProvider Stream events.Stream RegisteredEvents []events.Unmarshaller - Store microstore.Store GatewaySelector pool.Selectable[gateway.GatewayAPIClient] Mux *chi.Mux HistoryClient ehsvc.EventHistoryService @@ -69,13 +67,6 @@ func RegisteredEvents(e []events.Unmarshaller) Option { } } -// Store configures the store to use -func Store(store microstore.Store) Option { - return func(o *Options) { - o.Store = store - } -} - // GatewaySelector adds a grpc client selector for the gateway service func GatewaySelector(gatewaySelector pool.Selectable[gateway.GatewayAPIClient]) Option { return func(o *Options) { diff --git a/services/activitylog/pkg/service/service.go b/services/activitylog/pkg/service/service.go index c97c855b54..9eec13962c 100644 --- a/services/activitylog/pkg/service/service.go +++ b/services/activitylog/pkg/service/service.go @@ -2,6 +2,7 @@ package service import ( "context" + "crypto/tls" "encoding/base32" "encoding/json" "fmt" @@ -166,6 +167,18 @@ func New(opts ...Option) (*ActivitylogService, error) { natsOptions := nats.Options{ Servers: o.Config.Store.Nodes, } + if o.Config.Store.EnableTLS { + if o.Config.Store.TLSRootCACertificate != "" { + // when root ca is configured use it. an insecure flag is ignored. + nats.RootCAs(o.Config.Store.TLSRootCACertificate)(&natsOptions) + } else { + // enable tls and use insecure flag + nats.Secure(&tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: o.Config.Store.TLSInsecure})(&natsOptions) + } + } + if o.Config.Store.AuthUsername != "" && o.Config.Store.AuthPassword != "" { + nats.UserInfo(o.Config.Store.AuthUsername, o.Config.Store.AuthPassword)(&natsOptions) + } conn, err := natsOptions.Connect() if err != nil { return nil, err diff --git a/services/antivirus/pkg/server/debug/server.go b/services/antivirus/pkg/server/debug/server.go index 7916f6f887..29836059ce 100644 --- a/services/antivirus/pkg/server/debug/server.go +++ b/services/antivirus/pkg/server/debug/server.go @@ -10,6 +10,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -18,9 +19,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("antivirus reachability", func(ctx context.Context) error { cfg := options.Config switch cfg.Scanner.Type { diff --git a/services/audit/pkg/server/debug/server.go b/services/audit/pkg/server/debug/server.go index eb0f31b16c..0fb247d718 100644 --- a/services/audit/pkg/server/debug/server.go +++ b/services/audit/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/clientlog/pkg/server/debug/server.go b/services/clientlog/pkg/server/debug/server.go index eb0f31b16c..0fb247d718 100644 --- a/services/clientlog/pkg/server/debug/server.go +++ b/services/clientlog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/collaboration/pkg/command/server.go b/services/collaboration/pkg/command/server.go index afbd1ebf7f..2eeb48c0b5 100644 --- a/services/collaboration/pkg/command/server.go +++ b/services/collaboration/pkg/command/server.go @@ -101,6 +101,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) gr := runner.NewGroup() diff --git a/services/collaboration/pkg/config/store.go b/services/collaboration/pkg/config/store.go index ab2f5e4e2e..5386fa43f5 100644 --- a/services/collaboration/pkg/config/store.go +++ b/services/collaboration/pkg/config/store.go @@ -4,11 +4,14 @@ import "time" // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;COLLABORATION_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;COLLABORATION_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/eventhistory/pkg/command/server.go b/services/eventhistory/pkg/command/server.go index d3612fc251..84d7f3d7b2 100644 --- a/services/eventhistory/pkg/command/server.go +++ b/services/eventhistory/pkg/command/server.go @@ -71,6 +71,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) service := grpc.NewService( diff --git a/services/eventhistory/pkg/config/config.go b/services/eventhistory/pkg/config/config.go index 5b93e5f2ed..e0b20253bd 100644 --- a/services/eventhistory/pkg/config/config.go +++ b/services/eventhistory/pkg/config/config.go @@ -36,13 +36,16 @@ type GRPCConfig struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;EVENTHISTORY_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;EVENTHISTORY_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Events combines the configuration options for the event bus. diff --git a/services/eventhistory/pkg/server/debug/server.go b/services/eventhistory/pkg/server/debug/server.go index 57a232dd05..664ff2558a 100644 --- a/services/eventhistory/pkg/server/debug/server.go +++ b/services/eventhistory/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go index 96a475fb5c..5077b6d849 100644 --- a/services/frontend/pkg/config/config.go +++ b/services/frontend/pkg/config/config.go @@ -121,18 +121,21 @@ type DataGateway struct { } type OCS struct { - Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - StatCacheType string `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""` - StatCacheNodes []string `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""` - StatCacheDatabase string `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - StatCacheTable string `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - StatCacheTTL time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""` - StatCacheDisablePersistence bool `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""` - StatCacheAuthUsername string `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""` - StatCacheAuthPassword string `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""` + Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + StatCacheType string `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""` + StatCacheNodes []string `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""` + StatCacheDatabase string `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + StatCacheTable string `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + StatCacheTTL time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""` + StatCacheDisablePersistence bool `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""` + StatCacheAuthUsername string `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""` + StatCacheAuthPassword string `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""` + StatCacheEnableTLS bool `yaml:"stat_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;FRONTEND_OCS_STAT_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + StatCacheTLSInsecure bool `yaml:"stat_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;FRONTEND_OCS_STAT_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + StatCacheTLSRootCACertificate string `yaml:"stat_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` CacheWarmupDriver string `yaml:"cache_warmup_driver,omitempty"` // not supported by the OpenCloud product, therefore not part of docs CacheWarmupDrivers CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the OpenCloud product, therefore not part of docs diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go index faa7d3b42d..7c86a5b5d2 100644 --- a/services/frontend/pkg/revaconfig/config.go +++ b/services/frontend/pkg/revaconfig/config.go @@ -164,14 +164,17 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string "share_prefix": cfg.OCS.SharePrefix, "home_namespace": cfg.OCS.HomeNamespace, "stat_cache_config": map[string]any{ - "cache_store": cfg.OCS.StatCacheType, - "cache_nodes": cfg.OCS.StatCacheNodes, - "cache_database": cfg.OCS.StatCacheDatabase, - "cache_table": cfg.OCS.StatCacheTable, - "cache_ttl": cfg.OCS.StatCacheTTL, - "cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence, - "cache_auth_username": cfg.OCS.StatCacheAuthUsername, - "cache_auth_password": cfg.OCS.StatCacheAuthPassword, + "cache_store": cfg.OCS.StatCacheType, + "cache_nodes": cfg.OCS.StatCacheNodes, + "cache_database": cfg.OCS.StatCacheDatabase, + "cache_table": cfg.OCS.StatCacheTable, + "cache_ttl": cfg.OCS.StatCacheTTL, + "cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence, + "cache_auth_username": cfg.OCS.StatCacheAuthUsername, + "cache_auth_password": cfg.OCS.StatCacheAuthPassword, + "cache_tls_enabled": cfg.OCS.StatCacheEnableTLS, + "cache_tls_insecure": cfg.OCS.StatCacheTLSInsecure, + "cache_tls_root_ca_certificate": cfg.OCS.StatCacheTLSRootCACertificate, }, "prefix": cfg.OCS.Prefix, "additional_info_attribute": cfg.OCS.AdditionalInfoAttribute, diff --git a/services/frontend/pkg/server/debug/server.go b/services/frontend/pkg/server/debug/server.go index afdc2bc6aa..47a6f84555 100644 --- a/services/frontend/pkg/server/debug/server.go +++ b/services/frontend/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/gateway/pkg/config/config.go b/services/gateway/pkg/config/config.go index 4e1ad995e5..fb10a4cce2 100644 --- a/services/gateway/pkg/config/config.go +++ b/services/gateway/pkg/config/config.go @@ -84,11 +84,18 @@ type Cache struct { ProviderCacheDisablePersistence bool `yaml:"provider_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` ProviderCacheAuthUsername string `yaml:"provider_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` ProviderCacheAuthPassword string `yaml:"provider_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - CreateHomeCacheStore string `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - CreateHomeCacheNodes []string `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - CreateHomeCacheDatabase string `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - CreateHomeCacheTTL time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - CreateHomeCacheDisablePersistence bool `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - CreateHomeCacheAuthUsername string `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - CreateHomeCacheAuthPassword string `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + ProviderCacheEnableTLS bool `yaml:"provider_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_PROVIDER_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + ProviderCacheTLSInsecure bool `yaml:"provider_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_PROVIDER_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + ProviderCacheTLSRootCACertificate string `yaml:"provider_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` + + CreateHomeCacheStore string `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + CreateHomeCacheNodes []string `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + CreateHomeCacheDatabase string `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + CreateHomeCacheTTL time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + CreateHomeCacheDisablePersistence bool `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + CreateHomeCacheAuthUsername string `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + CreateHomeCacheAuthPassword string `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + CreateHomeCacheEnableTLS bool `yaml:"create_home_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + CreateHomeCacheTLSInsecure bool `yaml:"create_home_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + CreateHomeCacheTLSRootCACertificate string `yaml:"create_home_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/gateway/pkg/revaconfig/config.go b/services/gateway/pkg/revaconfig/config.go index 55790fe3b6..97ce19dfa2 100644 --- a/services/gateway/pkg/revaconfig/config.go +++ b/services/gateway/pkg/revaconfig/config.go @@ -45,15 +45,15 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]a "groupprovidersvc": cfg.GroupsEndpoint, "permissionssvc": cfg.PermissionsEndpoint, // sharing is located on the sharing service - "usershareprovidersvc": cfg.SharingEndpoint, - "publicshareprovidersvc": cfg.SharingEndpoint, - "ocmshareprovidersvc": cfg.OCMEndpoint, - "ocminvitemanagersvc": cfg.OCMEndpoint, - "ocmproviderauthorizersvc": cfg.OCMEndpoint, - "ocmcoresvc": cfg.OCMEndpoint, + "usershareprovidersvc": cfg.SharingEndpoint, + "publicshareprovidersvc": cfg.SharingEndpoint, + "ocmshareprovidersvc": cfg.OCMEndpoint, + "ocminvitemanagersvc": cfg.OCMEndpoint, + "ocmproviderauthorizersvc": cfg.OCMEndpoint, + "ocmcoresvc": cfg.OCMEndpoint, "use_common_space_root_share_logic": true, - "commit_share_to_storage_grant": cfg.CommitShareToStorageGrant, - "share_folder": cfg.ShareFolder, // ShareFolder is the location where to create shares in the recipient's storage provider. + "commit_share_to_storage_grant": cfg.CommitShareToStorageGrant, + "share_folder": cfg.ShareFolder, // ShareFolder is the location where to create shares in the recipient's storage provider. // other "disable_home_creation_on_login": cfg.DisableHomeCreationOnLogin, "datagateway": strings.TrimRight(cfg.FrontendPublicURL, "/") + "/data", @@ -71,14 +71,17 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]a "cache_auth_password": cfg.Cache.ProviderCacheAuthPassword, }, "create_personal_space_cache_config": map[string]any{ - "cache_store": cfg.Cache.CreateHomeCacheStore, - "cache_nodes": cfg.Cache.CreateHomeCacheNodes, - "cache_database": cfg.Cache.CreateHomeCacheDatabase, - "cache_table": "create_personal_space", - "cache_ttl": cfg.Cache.CreateHomeCacheTTL, - "cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence, - "cache_auth_username": cfg.Cache.CreateHomeCacheAuthUsername, - "cache_auth_password": cfg.Cache.CreateHomeCacheAuthPassword, + "cache_store": cfg.Cache.CreateHomeCacheStore, + "cache_nodes": cfg.Cache.CreateHomeCacheNodes, + "cache_database": cfg.Cache.CreateHomeCacheDatabase, + "cache_table": "create_personal_space", + "cache_ttl": cfg.Cache.CreateHomeCacheTTL, + "cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence, + "cache_auth_username": cfg.Cache.CreateHomeCacheAuthUsername, + "cache_auth_password": cfg.Cache.CreateHomeCacheAuthPassword, + "cache_tls_enabled": cfg.Cache.CreateHomeCacheEnableTLS, + "cache_tls_insecure": cfg.Cache.CreateHomeCacheTLSInsecure, + "cache_tls_root_ca_certificate": cfg.Cache.CreateHomeCacheTLSRootCACertificate, }, }, "authregistry": map[string]any{ diff --git a/services/gateway/pkg/server/debug/server.go b/services/gateway/pkg/server/debug/server.go index 9827c3e9b2..1bf19e49b6 100644 --- a/services/gateway/pkg/server/debug/server.go +++ b/services/gateway/pkg/server/debug/server.go @@ -18,6 +18,7 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("nats reachability", func(ctx context.Context) error { if options.Config.Cache.ProviderCacheStore == "nats-js-kv" && len(options.Config.Cache.ProviderCacheNodes) > 0 { + // no secureOption because we cannot yet configure tls for the cache store return checks.NewNatsCheck(options.Config.Cache.ProviderCacheNodes[0])(ctx) } return nil diff --git a/services/graph/pkg/command/server.go b/services/graph/pkg/command/server.go index 5d4dadbe17..b8cdc7f977 100644 --- a/services/graph/pkg/command/server.go +++ b/services/graph/pkg/command/server.go @@ -4,9 +4,11 @@ import ( "context" "fmt" "os/signal" + "strings" "github.com/opencloud-eu/opencloud/pkg/config/configlog" "github.com/opencloud-eu/opencloud/pkg/log" + natspkg "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/runner" "github.com/opencloud-eu/opencloud/pkg/tracing" "github.com/opencloud-eu/opencloud/pkg/version" @@ -50,13 +52,9 @@ func Server(cfg *config.Config) *cobra.Command { var kv jetstream.KeyValue // Allow to run without a NATS store (e.g. for the standalone Education provisioning service) if len(cfg.Store.Nodes) > 0 { - //Connect to NATS servers - natsOptions := nats.Options{ - Servers: cfg.Store.Nodes, - User: cfg.Store.AuthUsername, - Password: cfg.Store.AuthPassword, - } - conn, err := natsOptions.Connect() + // Connect to NATS servers + secureOption := natspkg.Secure(cfg.Store.EnableTLS, cfg.Store.TLSInsecure, cfg.Store.TLSRootCACertificate) + conn, err := nats.Connect(strings.Join(cfg.Store.Nodes, ","), secureOption, nats.UserInfo(cfg.Store.AuthUsername, cfg.Store.AuthPassword)) if err != nil { return err } diff --git a/services/graph/pkg/config/cache.go b/services/graph/pkg/config/cache.go index a5e638185f..ee24675524 100644 --- a/services/graph/pkg/config/cache.go +++ b/services/graph/pkg/config/cache.go @@ -4,12 +4,15 @@ import "time" // Cache defines the available configuration for a cache store type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;GRAPH_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GRAPH_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go index 51571c4607..ea8c1c665e 100644 --- a/services/graph/pkg/config/config.go +++ b/services/graph/pkg/config/config.go @@ -172,8 +172,11 @@ type Metadata struct { // Store configures the store to use type Store struct { - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;GRAPH_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;GRAPH_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/graph/pkg/server/debug/server.go b/services/graph/pkg/server/debug/server.go index 100c7987cd..83e3dbb0f1 100644 --- a/services/graph/pkg/server/debug/server.go +++ b/services/graph/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -32,8 +33,13 @@ func Server(opts ...Option) (*http.Server, error) { // only check nats if really needed if options.Config.Events.Endpoint != "" { + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration = readyHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) } return debug.NewService( diff --git a/services/nats/pkg/server/debug/server.go b/services/nats/pkg/server/debug/server.go index 5939241662..c44c941289 100644 --- a/services/nats/pkg/server/debug/server.go +++ b/services/nats/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -14,12 +15,17 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Nats.EnableTLS, + options.Config.Nats.TLSSkipVerifyClientCert, + options.Config.Nats.TLSCert, + ) // For nats readiness and liveness checks are identical // the nats server will neither be healthy nor ready when it can not reach the nats server/cluster checkHandler := handlers.NewCheckHandler( handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port))), + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port), secureOption)), ) return debug.NewService( diff --git a/services/notifications/pkg/command/server.go b/services/notifications/pkg/command/server.go index e512286a6a..3bec9a15f8 100644 --- a/services/notifications/pkg/command/server.go +++ b/services/notifications/pkg/command/server.go @@ -130,6 +130,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) svc := service.NewEventsNotifier(evts, channel, logger, gatewaySelector, valueService, diff --git a/services/notifications/pkg/config/config.go b/services/notifications/pkg/config/config.go index 5206eae5ff..84550c13c1 100644 --- a/services/notifications/pkg/config/config.go +++ b/services/notifications/pkg/config/config.go @@ -70,11 +70,14 @@ type ServiceAccount struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;NOTIFICATIONS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;NOTIFICATIONS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/notifications/pkg/server/debug/server.go b/services/notifications/pkg/server/debug/server.go index bc9fb202dc..99b75a57e6 100644 --- a/services/notifications/pkg/server/debug/server.go +++ b/services/notifications/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -14,9 +15,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Notifications.Events.EnableTLS, + options.Config.Notifications.Events.TLSInsecure, + options.Config.Notifications.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint, secureOption)). WithCheck("smtp-check", checks.NewTCPCheck(options.Config.Notifications.SMTP.Host+":"+strconv.Itoa(options.Config.Notifications.SMTP.Port))) return debug.NewService( diff --git a/services/ocm/pkg/revaconfig/config.go b/services/ocm/pkg/revaconfig/config.go index 46fcb7f3a7..cdc562d7a4 100644 --- a/services/ocm/pkg/revaconfig/config.go +++ b/services/ocm/pkg/revaconfig/config.go @@ -81,6 +81,7 @@ func OCMConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]any { "events": map[string]any{ "natsaddress": cfg.Events.Endpoint, "natsclusterid": cfg.Events.Cluster, + "enabletls": cfg.Events.EnableTLS, "tlsinsecure": cfg.Events.TLSInsecure, "tlsrootcacertificate": cfg.Events.TLSRootCACertificate, "authusername": cfg.Events.AuthUsername, diff --git a/services/ocm/pkg/server/debug/server.go b/services/ocm/pkg/server/debug/server.go index cb738fcd21..492224d24e 100644 --- a/services/ocm/pkg/server/debug/server.go +++ b/services/ocm/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) return debug.NewService( diff --git a/services/ocs/pkg/config/config.go b/services/ocs/pkg/config/config.go index bbfbe587e3..732382ccd9 100644 --- a/services/ocs/pkg/config/config.go +++ b/services/ocs/pkg/config/config.go @@ -31,9 +31,12 @@ type Config struct { // SigningKeys is a store configuration. type SigningKeys struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/ocs/pkg/server/debug/server.go b/services/ocs/pkg/server/debug/server.go index 848a6032ef..c428bb5f1d 100644 --- a/services/ocs/pkg/server/debug/server.go +++ b/services/ocs/pkg/server/debug/server.go @@ -21,6 +21,7 @@ func Server(opts ...Option) (*http.Server, error) { readyHandlerConfiguration := healthHandlerConfiguration. WithCheck("nats reachability", func(ctx context.Context) error { if len(options.Config.SigningKeys.Nodes) > 0 { + // no secureOption because we cannot configure it return checks.NewNatsCheck(options.Config.SigningKeys.Nodes[0])(ctx) } return nil diff --git a/services/ocs/pkg/server/http/server.go b/services/ocs/pkg/server/http/server.go index 0f9a50a465..74c42b43c4 100644 --- a/services/ocs/pkg/server/http/server.go +++ b/services/ocs/pkg/server/http/server.go @@ -44,6 +44,9 @@ func Server(opts ...Option) (http.Service, error) { microstore.Database("proxy"), microstore.Table("signing-keys"), store.Authentication(options.Config.SigningKeys.AuthUsername, options.Config.SigningKeys.AuthPassword), + store.TLSEnabled(options.Config.SigningKeys.EnableTLS), + store.TLSInsecure(options.Config.SigningKeys.TLSInsecure), + store.TLSRootCA(options.Config.SigningKeys.TLSRootCACertificate), ) handle := svc.NewService( diff --git a/services/policies/pkg/server/debug/server.go b/services/policies/pkg/server/debug/server.go index 57a232dd05..664ff2558a 100644 --- a/services/policies/pkg/server/debug/server.go +++ b/services/policies/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/postprocessing/pkg/command/server.go b/services/postprocessing/pkg/command/server.go index c80e00f9f2..738a493f81 100644 --- a/services/postprocessing/pkg/command/server.go +++ b/services/postprocessing/pkg/command/server.go @@ -56,6 +56,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) svc, err := service.NewPostprocessingService(ctx, logger, st, traceProvider, cfg) diff --git a/services/postprocessing/pkg/config/config.go b/services/postprocessing/pkg/config/config.go index 858f6e5148..d6a28c4581 100644 --- a/services/postprocessing/pkg/config/config.go +++ b/services/postprocessing/pkg/config/config.go @@ -59,11 +59,14 @@ type Debug struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;POSTPROCESSING_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;POSTPROCESSING_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;POSTPROCESSING_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/postprocessing/pkg/server/debug/server.go b/services/postprocessing/pkg/server/debug/server.go index e512688d1d..b0d0050cec 100644 --- a/services/postprocessing/pkg/server/debug/server.go +++ b/services/postprocessing/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Postprocessing.Events.EnableTLS, + options.Config.Postprocessing.Events.TLSInsecure, + options.Config.Postprocessing.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go index 01e485733c..3c0406671e 100644 --- a/services/proxy/pkg/command/server.go +++ b/services/proxy/pkg/command/server.go @@ -66,6 +66,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Table(cfg.OIDC.UserinfoCache.Table), store.DisablePersistence(cfg.OIDC.UserinfoCache.DisablePersistence), store.Authentication(cfg.OIDC.UserinfoCache.AuthUsername, cfg.OIDC.UserinfoCache.AuthPassword), + store.TLSEnabled(cfg.OIDC.UserinfoCache.EnableTLS), + store.TLSInsecure(cfg.OIDC.UserinfoCache.TLSInsecure), + store.TLSRootCA(cfg.OIDC.UserinfoCache.TLSRootCACertificate), ) signingKeyStore := store.Create( @@ -76,6 +79,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Table("signing-keys"), store.DisablePersistence(cfg.PreSignedURL.SigningKeys.DisablePersistence), store.Authentication(cfg.PreSignedURL.SigningKeys.AuthUsername, cfg.PreSignedURL.SigningKeys.AuthPassword), + store.TLSEnabled(cfg.PreSignedURL.SigningKeys.EnableTLS), + store.TLSInsecure(cfg.PreSignedURL.SigningKeys.TLSInsecure), + store.TLSRootCA(cfg.PreSignedURL.SigningKeys.TLSRootCACertificate), ) logger := log.Configure(cfg.Service.Name, cfg.Commons, cfg.LogLevel) diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go index cdaa3e81e7..efa4a9886f 100644 --- a/services/proxy/pkg/config/config.go +++ b/services/proxy/pkg/config/config.go @@ -132,14 +132,17 @@ type JWKS struct { // Cache is a TTL cache configuration. type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. This value is only applied when the token expiration cannot be extracted from the access tokens (e.g. when non-JWT access tokes are used). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // RoleAssignment contains the configuration for how to assign roles to users during login @@ -189,12 +192,15 @@ type PreSignedURL struct { // SigningKeys is a store configuration. type SigningKeys struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // ClaimsSelectorConf is the config for the claims-selector diff --git a/services/proxy/pkg/server/debug/server.go b/services/proxy/pkg/server/debug/server.go index 2a76c506d4..1420ee0226 100644 --- a/services/proxy/pkg/server/debug/server.go +++ b/services/proxy/pkg/server/debug/server.go @@ -8,6 +8,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" "github.com/opencloud-eu/opencloud/services/proxy/pkg/config" @@ -21,8 +22,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) var configDumpFunc http.HandlerFunc = configDump(options.Config) return debug.NewService( diff --git a/services/search/pkg/server/debug/server.go b/services/search/pkg/server/debug/server.go index 49d087cf58..2aae46e07c 100644 --- a/services/search/pkg/server/debug/server.go +++ b/services/search/pkg/server/debug/server.go @@ -7,6 +7,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -19,8 +20,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("tika-check", func(ctx context.Context) error { if options.Config.Extractor.Type == "tika" { u, err := url.Parse(options.Config.Extractor.Tika.TikaURL) diff --git a/services/settings/pkg/config/config.go b/services/settings/pkg/config/config.go index d4ba71e3c4..607c14fd69 100644 --- a/services/settings/pkg/config/config.go +++ b/services/settings/pkg/config/config.go @@ -55,13 +55,16 @@ type Metadata struct { // Cache configures the cache of the Metadata store type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - FileTable string `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"` - DirectoryTable string `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + FileTable string `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"` + DirectoryTable string `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;SETTINGS_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;SETTINGS_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;SETTINGS_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/settings/pkg/store/metadata/cache.go b/services/settings/pkg/store/metadata/cache.go index bdd632eb29..e7b55c5c9e 100644 --- a/services/settings/pkg/store/metadata/cache.go +++ b/services/settings/pkg/store/metadata/cache.go @@ -140,6 +140,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Table(c.cfg.Metadata.Cache.DirectoryTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), + store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS), + store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure), + store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate), ) c.filesCache = store.Create( store.Store(c.cfg.Metadata.Cache.Store), @@ -149,6 +152,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Table(c.cfg.Metadata.Cache.FileTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), + store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS), + store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure), + store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate), ) return c.next.Init(ctx, id) } diff --git a/services/sharing/pkg/config/config.go b/services/sharing/pkg/config/config.go index 8f76ff81a8..e376e07f36 100644 --- a/services/sharing/pkg/config/config.go +++ b/services/sharing/pkg/config/config.go @@ -155,6 +155,7 @@ type Events struct { EnableTLS bool `yaml:"enable_tls" env:"OC_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` AuthUsername string `yaml:"auth_username" env:"OC_EVENTS_AUTH_USERNAME;SHARING_EVENTS_AUTH_USERNAME" desc:"Username for the events broker." introductionVersion:"1.0.0"` AuthPassword string `yaml:"auth_password" env:"OC_EVENTS_AUTH_PASSWORD;SHARING_EVENTS_AUTH_PASSWORD" desc:"Password for the events broker." introductionVersion:"1.0.0"` + // TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"` } // PasswordPolicy configures reva password policy diff --git a/services/sharing/pkg/revaconfig/config.go b/services/sharing/pkg/revaconfig/config.go index b7244e37b8..278d4359c3 100644 --- a/services/sharing/pkg/revaconfig/config.go +++ b/services/sharing/pkg/revaconfig/config.go @@ -83,6 +83,7 @@ func SharingConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string] "events": map[string]any{ "natsaddress": cfg.Events.Addr, "natsclusterid": cfg.Events.ClusterID, + "enabletls": cfg.Events.EnableTLS, "tlsinsecure": cfg.Events.TLSInsecure, "tlsrootcacertificate": cfg.Events.TLSRootCaCertPath, "authusername": cfg.Events.AuthUsername, diff --git a/services/sharing/pkg/server/debug/server.go b/services/sharing/pkg/server/debug/server.go index 1c5f26ae30..c1cfbcfe7c 100644 --- a/services/sharing/pkg/server/debug/server.go +++ b/services/sharing/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCaCertPath, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) return debug.NewService( diff --git a/services/sse/pkg/server/debug/server.go b/services/sse/pkg/server/debug/server.go index 83e14bcecb..26e785c319 100644 --- a/services/sse/pkg/server/debug/server.go +++ b/services/sse/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/storage-system/pkg/config/config.go b/services/storage-system/pkg/config/config.go index 98f2ef0c82..261b2f3376 100644 --- a/services/storage-system/pkg/config/config.go +++ b/services/storage-system/pkg/config/config.go @@ -77,11 +77,14 @@ type DecomposedDriver struct { // Cache holds cache config type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_SYSTEM_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_SYSTEM_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_SYSTEM_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_SYSTEM_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/storage-system/pkg/revaconfig/config.go b/services/storage-system/pkg/revaconfig/config.go index a18413f5db..fbdcf0ceea 100644 --- a/services/storage-system/pkg/revaconfig/config.go +++ b/services/storage-system/pkg/revaconfig/config.go @@ -165,13 +165,16 @@ func metadataDrivers(localEndpoint string, cfg *config.Config) map[string]any { "cache_database": "system", }, "filemetadatacache": map[string]any{ - "cache_store": cfg.FileMetadataCache.Store, - "cache_nodes": cfg.FileMetadataCache.Nodes, - "cache_database": cfg.FileMetadataCache.Database, - "cache_ttl": cfg.FileMetadataCache.TTL, - "cache_disable_persistence": cfg.FileMetadataCache.DisablePersistence, - "cache_auth_username": cfg.FileMetadataCache.AuthUsername, - "cache_auth_password": cfg.FileMetadataCache.AuthPassword, + "cache_store": cfg.FileMetadataCache.Store, + "cache_nodes": cfg.FileMetadataCache.Nodes, + "cache_database": cfg.FileMetadataCache.Database, + "cache_ttl": cfg.FileMetadataCache.TTL, + "cache_disable_persistence": cfg.FileMetadataCache.DisablePersistence, + "cache_auth_username": cfg.FileMetadataCache.AuthUsername, + "cache_auth_password": cfg.FileMetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FileMetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FileMetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FileMetadataCache.TLSRootCACertificate, }, } diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go index dae6d371bc..3c363cb18d 100644 --- a/services/storage-users/pkg/config/config.go +++ b/services/storage-users/pkg/config/config.go @@ -223,27 +223,35 @@ type Events struct { NumConsumers int `yaml:"num_consumers" env:"STORAGE_USERS_EVENTS_NUM_CONSUMERS" desc:"The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1." introductionVersion:"1.0.0"` AuthUsername string `yaml:"username" env:"OC_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` AuthPassword string `yaml:"password" env:"OC_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` + // TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"` } // FilemetadataCache holds cache config type FilemetadataCache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE;STORAGE_USERS_FILEMETADATA_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_FILEMETADATA_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // IDCache holds cache config type IDCache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_ID_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_ID_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_ID_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_ID_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_ID_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // EOSDriver is the storage driver configuration when using 'eos' storage driver diff --git a/services/storage-users/pkg/revaconfig/drivers.go b/services/storage-users/pkg/revaconfig/drivers.go index 01c3cc7101..03e57f6041 100644 --- a/services/storage-users/pkg/revaconfig/drivers.go +++ b/services/storage-users/pkg/revaconfig/drivers.go @@ -109,21 +109,28 @@ func Posix(cfg *config.Config, enableFSScan, enableFSWatch bool) map[string]any "lock_cycle_duration_factor": cfg.Drivers.Posix.LockCycleDurationFactor, "max_concurrency": cfg.Drivers.Posix.MaxConcurrency, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "events": map[string]any{ "numconsumers": cfg.Events.NumConsumers, @@ -205,21 +212,28 @@ func Decomposed(cfg *config.Config) map[string]any { "disable_versioning": cfg.Drivers.Decomposed.DisableVersioning, "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "events": map[string]any{ "numconsumers": cfg.Events.NumConsumers, @@ -259,21 +273,28 @@ func DecomposedNoEvents(cfg *config.Config) map[string]any { "disable_versioning": cfg.Drivers.Decomposed.DisableVersioning, "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, } } @@ -315,21 +336,28 @@ func DecomposedS3(cfg *config.Config) map[string]any { "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "asyncfileuploads": cfg.Drivers.DecomposedS3.AsyncUploads, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "events": map[string]any{ "numconsumers": cfg.Events.NumConsumers, @@ -373,21 +401,28 @@ func DecomposedS3NoEvents(cfg *config.Config) map[string]any { "multi_tenant_enabled": cfg.Commons.MultiTenantEnabled, "lock_cycle_duration_factor": cfg.Drivers.DecomposedS3.LockCycleDurationFactor, "filemetadatacache": map[string]any{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]any{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, } } diff --git a/services/storage-users/pkg/server/debug/server.go b/services/storage-users/pkg/server/debug/server.go index 33a7b8e8fc..9c22609340 100644 --- a/services/storage-users/pkg/server/debug/server.go +++ b/services/storage-users/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCaCertPath, + ) readyHandler := handlers.NewCheckHandler(handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)), ) diff --git a/services/userlog/pkg/command/server.go b/services/userlog/pkg/command/server.go index 445bb6810e..0a7c9587f9 100644 --- a/services/userlog/pkg/command/server.go +++ b/services/userlog/pkg/command/server.go @@ -92,6 +92,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Persistence.Database), microstore.Table(cfg.Persistence.Table), store.Authentication(cfg.Persistence.AuthUsername, cfg.Persistence.AuthPassword), + store.TLSEnabled(cfg.Persistence.EnableTLS), + store.TLSInsecure(cfg.Persistence.TLSInsecure), + store.TLSRootCA(cfg.Persistence.TLSRootCACertificate), ) tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) diff --git a/services/userlog/pkg/config/config.go b/services/userlog/pkg/config/config.go index ff2d440e09..73860fa340 100644 --- a/services/userlog/pkg/config/config.go +++ b/services/userlog/pkg/config/config.go @@ -39,13 +39,16 @@ type Config struct { // Persistence configures the store to use type Persistence struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;USERLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;USERLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;USERLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Events combines the configuration options for the event bus. diff --git a/services/userlog/pkg/server/debug/server.go b/services/userlog/pkg/server/debug/server.go index 83e14bcecb..26e785c319 100644 --- a/services/userlog/pkg/server/debug/server.go +++ b/services/userlog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger),