diff --git a/pkg/nats/options.go b/pkg/nats/options.go new file mode 100644 index 0000000000..43d54be2e6 --- /dev/null +++ b/pkg/nats/options.go @@ -0,0 +1,20 @@ +package nats + +import ( + "crypto/tls" + + "github.com/nats-io/nats.go" +) + +func Secure(enableTLS, insecure bool, rootCA string) nats.Option { + if enableTLS { + if rootCA != "" { + return nats.RootCAs(rootCA) + } + return nats.Secure(&tls.Config{ + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: insecure, + }) + } + return nil +} diff --git a/pkg/shared/shared_types.go b/pkg/shared/shared_types.go index 125f9d78f4..4ae9a2bef7 100644 --- a/pkg/shared/shared_types.go +++ b/pkg/shared/shared_types.go @@ -48,14 +48,17 @@ type HTTPServiceTLS struct { } type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OC_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Commons holds configuration that are common to all extensions. Each extension can then decide whether diff --git a/services/activitylog/pkg/command/server.go b/services/activitylog/pkg/command/server.go index ec86ee9b4f..dcfba09437 100644 --- a/services/activitylog/pkg/command/server.go +++ b/services/activitylog/pkg/command/server.go @@ -8,9 +8,7 @@ import ( "github.com/opencloud-eu/reva/v2/pkg/events" "github.com/opencloud-eu/reva/v2/pkg/events/stream" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" - "github.com/opencloud-eu/reva/v2/pkg/store" "github.com/spf13/cobra" - microstore "go-micro.dev/v4/store" "github.com/opencloud-eu/opencloud/pkg/config/configlog" "github.com/opencloud-eu/opencloud/pkg/generators" @@ -77,15 +75,6 @@ func Server(cfg *config.Config) *cobra.Command { return err } - evStore := store.Create( - store.Store(cfg.Store.Store), - store.TTL(cfg.Store.TTL), - microstore.Nodes(cfg.Store.Nodes...), - microstore.Database(cfg.Store.Database), - microstore.Table(cfg.Store.Table), - store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), - ) - tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) if err != nil { logger.Error().Err(err).Msg("Failed to parse tls mode") @@ -120,7 +109,6 @@ func Server(cfg *config.Config) *cobra.Command { http.Context(ctx), // NOTE: not passing this "option" leads to a panic in go-micro http.TraceProvider(tracerProvider), http.Stream(evStream), - http.Store(evStore), http.GatewaySelector(gatewaySelector), http.HistoryClient(hClient), http.ValueClient(vClient), diff --git a/services/activitylog/pkg/config/config.go b/services/activitylog/pkg/config/config.go index d518bffcad..5d9a341bc6 100644 --- a/services/activitylog/pkg/config/config.go +++ b/services/activitylog/pkg/config/config.go @@ -49,13 +49,15 @@ type Events struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"ACTIVITYLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;ACTIVITYLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;ACTIVITYLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // ServiceAccount is the configuration for the used service account diff --git a/services/activitylog/pkg/config/defaults/defaultconfig.go b/services/activitylog/pkg/config/defaults/defaultconfig.go index a6da0cf297..fb086ad938 100644 --- a/services/activitylog/pkg/config/defaults/defaultconfig.go +++ b/services/activitylog/pkg/config/defaults/defaultconfig.go @@ -37,7 +37,6 @@ func DefaultConfig() *config.Config { Store: "nats-js-kv", Nodes: []string{"127.0.0.1:9233"}, Database: "activitylog", - Table: "", }, RevaGateway: shared.DefaultRevaConfig().Address, DefaultLanguage: "en", diff --git a/services/activitylog/pkg/server/debug/server.go b/services/activitylog/pkg/server/debug/server.go index 4d29a4480f..79a016f421 100644 --- a/services/activitylog/pkg/server/debug/server.go +++ b/services/activitylog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("http reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/activitylog/pkg/server/http/server.go b/services/activitylog/pkg/server/http/server.go index 1b0b914050..0959b5360d 100644 --- a/services/activitylog/pkg/server/http/server.go +++ b/services/activitylog/pkg/server/http/server.go @@ -81,7 +81,6 @@ func Server(opts ...Option) (http.Service, error) { svc.Logger(options.Logger), svc.Stream(options.Stream), svc.Mux(mux), - svc.Store(options.Store), svc.Config(options.Config), svc.GatewaySelector(options.GatewaySelector), svc.TraceProvider(options.TraceProvider), diff --git a/services/activitylog/pkg/service/options.go b/services/activitylog/pkg/service/options.go index 22c6d6282b..282b1147f1 100644 --- a/services/activitylog/pkg/service/options.go +++ b/services/activitylog/pkg/service/options.go @@ -11,7 +11,6 @@ import ( "github.com/opencloud-eu/opencloud/services/activitylog/pkg/config" "github.com/opencloud-eu/reva/v2/pkg/events" "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" - microstore "go-micro.dev/v4/store" "go.opentelemetry.io/otel/trace" ) @@ -25,7 +24,6 @@ type Options struct { TraceProvider trace.TracerProvider Stream events.Stream RegisteredEvents []events.Unmarshaller - Store microstore.Store GatewaySelector pool.Selectable[gateway.GatewayAPIClient] Mux *chi.Mux HistoryClient ehsvc.EventHistoryService @@ -69,13 +67,6 @@ func RegisteredEvents(e []events.Unmarshaller) Option { } } -// Store configures the store to use -func Store(store microstore.Store) Option { - return func(o *Options) { - o.Store = store - } -} - // GatewaySelector adds a grpc client selector for the gateway service func GatewaySelector(gatewaySelector pool.Selectable[gateway.GatewayAPIClient]) Option { return func(o *Options) { diff --git a/services/activitylog/pkg/service/service.go b/services/activitylog/pkg/service/service.go index c97c855b54..9eec13962c 100644 --- a/services/activitylog/pkg/service/service.go +++ b/services/activitylog/pkg/service/service.go @@ -2,6 +2,7 @@ package service import ( "context" + "crypto/tls" "encoding/base32" "encoding/json" "fmt" @@ -166,6 +167,18 @@ func New(opts ...Option) (*ActivitylogService, error) { natsOptions := nats.Options{ Servers: o.Config.Store.Nodes, } + if o.Config.Store.EnableTLS { + if o.Config.Store.TLSRootCACertificate != "" { + // when root ca is configured use it. an insecure flag is ignored. + nats.RootCAs(o.Config.Store.TLSRootCACertificate)(&natsOptions) + } else { + // enable tls and use insecure flag + nats.Secure(&tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: o.Config.Store.TLSInsecure})(&natsOptions) + } + } + if o.Config.Store.AuthUsername != "" && o.Config.Store.AuthPassword != "" { + nats.UserInfo(o.Config.Store.AuthUsername, o.Config.Store.AuthPassword)(&natsOptions) + } conn, err := natsOptions.Connect() if err != nil { return nil, err diff --git a/services/antivirus/pkg/server/debug/server.go b/services/antivirus/pkg/server/debug/server.go index 7916f6f887..29836059ce 100644 --- a/services/antivirus/pkg/server/debug/server.go +++ b/services/antivirus/pkg/server/debug/server.go @@ -10,6 +10,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -18,9 +19,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("antivirus reachability", func(ctx context.Context) error { cfg := options.Config switch cfg.Scanner.Type { diff --git a/services/audit/pkg/server/debug/server.go b/services/audit/pkg/server/debug/server.go index eb0f31b16c..0fb247d718 100644 --- a/services/audit/pkg/server/debug/server.go +++ b/services/audit/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/clientlog/pkg/server/debug/server.go b/services/clientlog/pkg/server/debug/server.go index eb0f31b16c..0fb247d718 100644 --- a/services/clientlog/pkg/server/debug/server.go +++ b/services/clientlog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/collaboration/pkg/command/server.go b/services/collaboration/pkg/command/server.go index ea47dabe33..a36be2abca 100644 --- a/services/collaboration/pkg/command/server.go +++ b/services/collaboration/pkg/command/server.go @@ -100,6 +100,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) gr := runner.NewGroup() diff --git a/services/collaboration/pkg/config/store.go b/services/collaboration/pkg/config/store.go index ab2f5e4e2e..5386fa43f5 100644 --- a/services/collaboration/pkg/config/store.go +++ b/services/collaboration/pkg/config/store.go @@ -4,11 +4,14 @@ import "time" // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;COLLABORATION_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;COLLABORATION_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/eventhistory/pkg/command/server.go b/services/eventhistory/pkg/command/server.go index 94cdfc927d..2dd85fe0c8 100644 --- a/services/eventhistory/pkg/command/server.go +++ b/services/eventhistory/pkg/command/server.go @@ -71,6 +71,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) service := grpc.NewService( diff --git a/services/eventhistory/pkg/config/config.go b/services/eventhistory/pkg/config/config.go index 18a69b3ac5..9ba5dab325 100644 --- a/services/eventhistory/pkg/config/config.go +++ b/services/eventhistory/pkg/config/config.go @@ -36,13 +36,16 @@ type GRPCConfig struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;EVENTHISTORY_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;EVENTHISTORY_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Events combines the configuration options for the event bus. diff --git a/services/eventhistory/pkg/server/debug/server.go b/services/eventhistory/pkg/server/debug/server.go index 57a232dd05..664ff2558a 100644 --- a/services/eventhistory/pkg/server/debug/server.go +++ b/services/eventhistory/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go index 57495d3e5c..9a9380a2f7 100644 --- a/services/frontend/pkg/config/config.go +++ b/services/frontend/pkg/config/config.go @@ -129,18 +129,21 @@ type DataGateway struct { } type OCS struct { - Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - StatCacheType string `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""` - StatCacheNodes []string `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""` - StatCacheDatabase string `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - StatCacheTable string `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` - StatCacheTTL time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""` - StatCacheDisablePersistence bool `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""` - StatCacheAuthUsername string `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""` - StatCacheAuthPassword string `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""` + Prefix string `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + SharePrefix string `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + HomeNamespace string `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + AdditionalInfoAttribute string `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + StatCacheType string `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""` + StatCacheNodes []string `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""` + StatCacheDatabase string `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + StatCacheTable string `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""` + StatCacheTTL time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""` + StatCacheDisablePersistence bool `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""` + StatCacheAuthUsername string `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""` + StatCacheAuthPassword string `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""` + StatCacheEnableTLS bool `yaml:"stat_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;FRONTEND_OCS_STAT_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + StatCacheTLSInsecure bool `yaml:"stat_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;FRONTEND_OCS_STAT_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + StatCacheTLSRootCACertificate string `yaml:"stat_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` CacheWarmupDriver string `yaml:"cache_warmup_driver,omitempty"` // not supported by the OpenCloud product, therefore not part of docs CacheWarmupDrivers CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the OpenCloud product, therefore not part of docs diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go index 9ba5a2ce7c..4760089229 100644 --- a/services/frontend/pkg/revaconfig/config.go +++ b/services/frontend/pkg/revaconfig/config.go @@ -164,14 +164,17 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string "share_prefix": cfg.OCS.SharePrefix, "home_namespace": cfg.OCS.HomeNamespace, "stat_cache_config": map[string]interface{}{ - "cache_store": cfg.OCS.StatCacheType, - "cache_nodes": cfg.OCS.StatCacheNodes, - "cache_database": cfg.OCS.StatCacheDatabase, - "cache_table": cfg.OCS.StatCacheTable, - "cache_ttl": cfg.OCS.StatCacheTTL, - "cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence, - "cache_auth_username": cfg.OCS.StatCacheAuthUsername, - "cache_auth_password": cfg.OCS.StatCacheAuthPassword, + "cache_store": cfg.OCS.StatCacheType, + "cache_nodes": cfg.OCS.StatCacheNodes, + "cache_database": cfg.OCS.StatCacheDatabase, + "cache_table": cfg.OCS.StatCacheTable, + "cache_ttl": cfg.OCS.StatCacheTTL, + "cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence, + "cache_auth_username": cfg.OCS.StatCacheAuthUsername, + "cache_auth_password": cfg.OCS.StatCacheAuthPassword, + "cache_tls_enabled": cfg.OCS.StatCacheEnableTLS, + "cache_tls_insecure": cfg.OCS.StatCacheTLSInsecure, + "cache_tls_root_ca_certificate": cfg.OCS.StatCacheTLSRootCACertificate, }, "prefix": cfg.OCS.Prefix, "additional_info_attribute": cfg.OCS.AdditionalInfoAttribute, diff --git a/services/frontend/pkg/server/debug/server.go b/services/frontend/pkg/server/debug/server.go index afdc2bc6aa..47a6f84555 100644 --- a/services/frontend/pkg/server/debug/server.go +++ b/services/frontend/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/gateway/pkg/config/config.go b/services/gateway/pkg/config/config.go index 4f6a50f15f..4e9977fb06 100644 --- a/services/gateway/pkg/config/config.go +++ b/services/gateway/pkg/config/config.go @@ -91,11 +91,18 @@ type Cache struct { ProviderCacheDisablePersistence bool `yaml:"provider_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` ProviderCacheAuthUsername string `yaml:"provider_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` ProviderCacheAuthPassword string `yaml:"provider_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - CreateHomeCacheStore string `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - CreateHomeCacheNodes []string `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - CreateHomeCacheDatabase string `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - CreateHomeCacheTTL time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - CreateHomeCacheDisablePersistence bool `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - CreateHomeCacheAuthUsername string `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - CreateHomeCacheAuthPassword string `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + ProviderCacheEnableTLS bool `yaml:"provider_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_PROVIDER_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + ProviderCacheTLSInsecure bool `yaml:"provider_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_PROVIDER_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + ProviderCacheTLSRootCACertificate string `yaml:"provider_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` + + CreateHomeCacheStore string `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + CreateHomeCacheNodes []string `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + CreateHomeCacheDatabase string `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + CreateHomeCacheTTL time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + CreateHomeCacheDisablePersistence bool `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + CreateHomeCacheAuthUsername string `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + CreateHomeCacheAuthPassword string `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + CreateHomeCacheEnableTLS bool `yaml:"create_home_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + CreateHomeCacheTLSInsecure bool `yaml:"create_home_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + CreateHomeCacheTLSRootCACertificate string `yaml:"create_home_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/gateway/pkg/revaconfig/config.go b/services/gateway/pkg/revaconfig/config.go index 8bd8e20806..725da04f80 100644 --- a/services/gateway/pkg/revaconfig/config.go +++ b/services/gateway/pkg/revaconfig/config.go @@ -70,14 +70,17 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i "cache_auth_password": cfg.Cache.ProviderCacheAuthPassword, }, "create_personal_space_cache_config": map[string]interface{}{ - "cache_store": cfg.Cache.CreateHomeCacheStore, - "cache_nodes": cfg.Cache.CreateHomeCacheNodes, - "cache_database": cfg.Cache.CreateHomeCacheDatabase, - "cache_table": "create_personal_space", - "cache_ttl": cfg.Cache.CreateHomeCacheTTL, - "cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence, - "cache_auth_username": cfg.Cache.CreateHomeCacheAuthUsername, - "cache_auth_password": cfg.Cache.CreateHomeCacheAuthPassword, + "cache_store": cfg.Cache.CreateHomeCacheStore, + "cache_nodes": cfg.Cache.CreateHomeCacheNodes, + "cache_database": cfg.Cache.CreateHomeCacheDatabase, + "cache_table": "create_personal_space", + "cache_ttl": cfg.Cache.CreateHomeCacheTTL, + "cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence, + "cache_auth_username": cfg.Cache.CreateHomeCacheAuthUsername, + "cache_auth_password": cfg.Cache.CreateHomeCacheAuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, }, "authregistry": map[string]interface{}{ diff --git a/services/gateway/pkg/server/debug/server.go b/services/gateway/pkg/server/debug/server.go index 9827c3e9b2..1bf19e49b6 100644 --- a/services/gateway/pkg/server/debug/server.go +++ b/services/gateway/pkg/server/debug/server.go @@ -18,6 +18,7 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("nats reachability", func(ctx context.Context) error { if options.Config.Cache.ProviderCacheStore == "nats-js-kv" && len(options.Config.Cache.ProviderCacheNodes) > 0 { + // no secureOption because we cannot yet configure tls for the cache store return checks.NewNatsCheck(options.Config.Cache.ProviderCacheNodes[0])(ctx) } return nil diff --git a/services/graph/pkg/command/server.go b/services/graph/pkg/command/server.go index fb61fadd70..14e5c3019d 100644 --- a/services/graph/pkg/command/server.go +++ b/services/graph/pkg/command/server.go @@ -4,8 +4,10 @@ import ( "context" "fmt" "os/signal" + "strings" "github.com/opencloud-eu/opencloud/pkg/config/configlog" + natspkg "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/runner" "github.com/opencloud-eu/opencloud/pkg/tracing" "github.com/opencloud-eu/opencloud/pkg/version" @@ -50,13 +52,9 @@ func Server(cfg *config.Config) *cobra.Command { var kv jetstream.KeyValue // Allow to run without a NATS store (e.g. for the standalone Education provisioning service) if len(cfg.Store.Nodes) > 0 { - //Connect to NATS servers - natsOptions := nats.Options{ - Servers: cfg.Store.Nodes, - User: cfg.Store.AuthUsername, - Password: cfg.Store.AuthPassword, - } - conn, err := natsOptions.Connect() + // Connect to NATS servers + secureOption := natspkg.Secure(cfg.Store.EnableTLS, cfg.Store.TLSInsecure, cfg.Store.TLSRootCACertificate) + conn, err := nats.Connect(strings.Join(cfg.Store.Nodes, ","), secureOption, nats.UserInfo(cfg.Store.AuthUsername, cfg.Store.AuthPassword)) if err != nil { return err } diff --git a/services/graph/pkg/config/cache.go b/services/graph/pkg/config/cache.go index a5e638185f..ee24675524 100644 --- a/services/graph/pkg/config/cache.go +++ b/services/graph/pkg/config/cache.go @@ -4,12 +4,15 @@ import "time" // Cache defines the available configuration for a cache store type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;GRAPH_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GRAPH_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/graph/pkg/config/config.go b/services/graph/pkg/config/config.go index 6386025a84..071c18ec20 100644 --- a/services/graph/pkg/config/config.go +++ b/services/graph/pkg/config/config.go @@ -172,8 +172,11 @@ type Metadata struct { // Store configures the store to use type Store struct { - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;GRAPH_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;GRAPH_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/graph/pkg/server/debug/server.go b/services/graph/pkg/server/debug/server.go index 100c7987cd..83e3dbb0f1 100644 --- a/services/graph/pkg/server/debug/server.go +++ b/services/graph/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -32,8 +33,13 @@ func Server(opts ...Option) (*http.Server, error) { // only check nats if really needed if options.Config.Events.Endpoint != "" { + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration = readyHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) } return debug.NewService( diff --git a/services/nats/pkg/server/debug/server.go b/services/nats/pkg/server/debug/server.go index 5939241662..c44c941289 100644 --- a/services/nats/pkg/server/debug/server.go +++ b/services/nats/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -14,12 +15,17 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Nats.EnableTLS, + options.Config.Nats.TLSSkipVerifyClientCert, + options.Config.Nats.TLSCert, + ) // For nats readiness and liveness checks are identical // the nats server will neither be healthy nor ready when it can not reach the nats server/cluster checkHandler := handlers.NewCheckHandler( handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port))), + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port), secureOption)), ) return debug.NewService( diff --git a/services/notifications/pkg/command/server.go b/services/notifications/pkg/command/server.go index 7c2896abed..d1dffe3bd5 100644 --- a/services/notifications/pkg/command/server.go +++ b/services/notifications/pkg/command/server.go @@ -130,6 +130,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) svc := service.NewEventsNotifier(evts, channel, logger, gatewaySelector, valueService, diff --git a/services/notifications/pkg/config/config.go b/services/notifications/pkg/config/config.go index afc8253847..796783bdf9 100644 --- a/services/notifications/pkg/config/config.go +++ b/services/notifications/pkg/config/config.go @@ -70,11 +70,14 @@ type ServiceAccount struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;NOTIFICATIONS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;NOTIFICATIONS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/notifications/pkg/server/debug/server.go b/services/notifications/pkg/server/debug/server.go index bc9fb202dc..99b75a57e6 100644 --- a/services/notifications/pkg/server/debug/server.go +++ b/services/notifications/pkg/server/debug/server.go @@ -6,6 +6,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -14,9 +15,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Notifications.Events.EnableTLS, + options.Config.Notifications.Events.TLSInsecure, + options.Config.Notifications.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint, secureOption)). WithCheck("smtp-check", checks.NewTCPCheck(options.Config.Notifications.SMTP.Host+":"+strconv.Itoa(options.Config.Notifications.SMTP.Port))) return debug.NewService( diff --git a/services/ocm/pkg/revaconfig/config.go b/services/ocm/pkg/revaconfig/config.go index db784883d2..d3715b07cb 100644 --- a/services/ocm/pkg/revaconfig/config.go +++ b/services/ocm/pkg/revaconfig/config.go @@ -80,6 +80,7 @@ func OCMConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]inter "events": map[string]interface{}{ "natsaddress": cfg.Events.Endpoint, "natsclusterid": cfg.Events.Cluster, + "enabletls": cfg.Events.EnableTLS, "tlsinsecure": cfg.Events.TLSInsecure, "tlsrootcacertificate": cfg.Events.TLSRootCACertificate, "authusername": cfg.Events.AuthUsername, diff --git a/services/ocm/pkg/server/debug/server.go b/services/ocm/pkg/server/debug/server.go index cb738fcd21..492224d24e 100644 --- a/services/ocm/pkg/server/debug/server.go +++ b/services/ocm/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) return debug.NewService( diff --git a/services/ocs/pkg/config/config.go b/services/ocs/pkg/config/config.go index 46c4e440b5..7598908ae7 100644 --- a/services/ocs/pkg/config/config.go +++ b/services/ocs/pkg/config/config.go @@ -31,9 +31,12 @@ type Config struct { // SigningKeys is a store configuration. type SigningKeys struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/ocs/pkg/server/debug/server.go b/services/ocs/pkg/server/debug/server.go index 848a6032ef..c428bb5f1d 100644 --- a/services/ocs/pkg/server/debug/server.go +++ b/services/ocs/pkg/server/debug/server.go @@ -21,6 +21,7 @@ func Server(opts ...Option) (*http.Server, error) { readyHandlerConfiguration := healthHandlerConfiguration. WithCheck("nats reachability", func(ctx context.Context) error { if len(options.Config.SigningKeys.Nodes) > 0 { + // no secureOption because we cannot configure it return checks.NewNatsCheck(options.Config.SigningKeys.Nodes[0])(ctx) } return nil diff --git a/services/ocs/pkg/server/http/server.go b/services/ocs/pkg/server/http/server.go index 0f9a50a465..74c42b43c4 100644 --- a/services/ocs/pkg/server/http/server.go +++ b/services/ocs/pkg/server/http/server.go @@ -44,6 +44,9 @@ func Server(opts ...Option) (http.Service, error) { microstore.Database("proxy"), microstore.Table("signing-keys"), store.Authentication(options.Config.SigningKeys.AuthUsername, options.Config.SigningKeys.AuthPassword), + store.TLSEnabled(options.Config.SigningKeys.EnableTLS), + store.TLSInsecure(options.Config.SigningKeys.TLSInsecure), + store.TLSRootCA(options.Config.SigningKeys.TLSRootCACertificate), ) handle := svc.NewService( diff --git a/services/policies/pkg/server/debug/server.go b/services/policies/pkg/server/debug/server.go index 57a232dd05..664ff2558a 100644 --- a/services/policies/pkg/server/debug/server.go +++ b/services/policies/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/postprocessing/pkg/command/server.go b/services/postprocessing/pkg/command/server.go index 575bc40cf4..b3ac47e12e 100644 --- a/services/postprocessing/pkg/command/server.go +++ b/services/postprocessing/pkg/command/server.go @@ -56,6 +56,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Store.Database), microstore.Table(cfg.Store.Table), store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword), + store.TLSEnabled(cfg.Store.EnableTLS), + store.TLSInsecure(cfg.Store.TLSInsecure), + store.TLSRootCA(cfg.Store.TLSRootCACertificate), ) svc, err := service.NewPostprocessingService(ctx, logger, st, traceProvider, cfg) diff --git a/services/postprocessing/pkg/config/config.go b/services/postprocessing/pkg/config/config.go index d651d602a4..9b57025a0a 100644 --- a/services/postprocessing/pkg/config/config.go +++ b/services/postprocessing/pkg/config/config.go @@ -59,11 +59,14 @@ type Debug struct { // Store configures the store to use type Store struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;POSTPROCESSING_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;POSTPROCESSING_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;POSTPROCESSING_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/postprocessing/pkg/server/debug/server.go b/services/postprocessing/pkg/server/debug/server.go index e512688d1d..b0d0050cec 100644 --- a/services/postprocessing/pkg/server/debug/server.go +++ b/services/postprocessing/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Postprocessing.Events.EnableTLS, + options.Config.Postprocessing.Events.TLSInsecure, + options.Config.Postprocessing.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go index 418dfc0e49..54f296a23a 100644 --- a/services/proxy/pkg/command/server.go +++ b/services/proxy/pkg/command/server.go @@ -65,6 +65,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Table(cfg.OIDC.UserinfoCache.Table), store.DisablePersistence(cfg.OIDC.UserinfoCache.DisablePersistence), store.Authentication(cfg.OIDC.UserinfoCache.AuthUsername, cfg.OIDC.UserinfoCache.AuthPassword), + store.TLSEnabled(cfg.OIDC.UserinfoCache.EnableTLS), + store.TLSInsecure(cfg.OIDC.UserinfoCache.TLSInsecure), + store.TLSRootCA(cfg.OIDC.UserinfoCache.TLSRootCACertificate), ) signingKeyStore := store.Create( @@ -74,6 +77,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database("proxy"), microstore.Table("signing-keys"), store.Authentication(cfg.PreSignedURL.SigningKeys.AuthUsername, cfg.PreSignedURL.SigningKeys.AuthPassword), + store.TLSEnabled(cfg.PreSignedURL.SigningKeys.EnableTLS), + store.TLSInsecure(cfg.PreSignedURL.SigningKeys.TLSInsecure), + store.TLSRootCA(cfg.PreSignedURL.SigningKeys.TLSRootCACertificate), ) logger := logging.Configure(cfg.Service.Name, cfg.Log) diff --git a/services/proxy/pkg/config/config.go b/services/proxy/pkg/config/config.go index 37143132b1..42d93704df 100644 --- a/services/proxy/pkg/config/config.go +++ b/services/proxy/pkg/config/config.go @@ -130,14 +130,17 @@ type JWKS struct { // Cache is a TTL cache configuration. type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // RoleAssignment contains the configuration for how to assign roles to users during login @@ -187,12 +190,15 @@ type PreSignedURL struct { // SigningKeys is a store configuration. type SigningKeys struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // ClaimsSelectorConf is the config for the claims-selector diff --git a/services/proxy/pkg/server/debug/server.go b/services/proxy/pkg/server/debug/server.go index 2a76c506d4..1420ee0226 100644 --- a/services/proxy/pkg/server/debug/server.go +++ b/services/proxy/pkg/server/debug/server.go @@ -8,6 +8,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" "github.com/opencloud-eu/opencloud/services/proxy/pkg/config" @@ -21,8 +22,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) var configDumpFunc http.HandlerFunc = configDump(options.Config) return debug.NewService( diff --git a/services/search/pkg/server/debug/server.go b/services/search/pkg/server/debug/server.go index 49d087cf58..2aae46e07c 100644 --- a/services/search/pkg/server/debug/server.go +++ b/services/search/pkg/server/debug/server.go @@ -7,6 +7,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -19,8 +20,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)). WithCheck("tika-check", func(ctx context.Context) error { if options.Config.Extractor.Type == "tika" { u, err := url.Parse(options.Config.Extractor.Tika.TikaURL) diff --git a/services/settings/pkg/config/config.go b/services/settings/pkg/config/config.go index 17305a390a..09d7141142 100644 --- a/services/settings/pkg/config/config.go +++ b/services/settings/pkg/config/config.go @@ -55,13 +55,16 @@ type Metadata struct { // Cache configures the cache of the Metadata store type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - FileTable string `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"` - DirectoryTable string `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + FileTable string `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"` + DirectoryTable string `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;SETTINGS_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;SETTINGS_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;SETTINGS_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/settings/pkg/store/metadata/cache.go b/services/settings/pkg/store/metadata/cache.go index bdd632eb29..e7b55c5c9e 100644 --- a/services/settings/pkg/store/metadata/cache.go +++ b/services/settings/pkg/store/metadata/cache.go @@ -140,6 +140,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Table(c.cfg.Metadata.Cache.DirectoryTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), + store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS), + store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure), + store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate), ) c.filesCache = store.Create( store.Store(c.cfg.Metadata.Cache.Store), @@ -149,6 +152,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error { microstore.Table(c.cfg.Metadata.Cache.FileTable), store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence), store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword), + store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS), + store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure), + store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate), ) return c.next.Init(ctx, id) } diff --git a/services/sharing/pkg/config/config.go b/services/sharing/pkg/config/config.go index db279b98a6..66178c9075 100644 --- a/services/sharing/pkg/config/config.go +++ b/services/sharing/pkg/config/config.go @@ -154,6 +154,7 @@ type Events struct { EnableTLS bool `yaml:"enable_tls" env:"OC_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` AuthUsername string `yaml:"auth_username" env:"OC_EVENTS_AUTH_USERNAME;SHARING_EVENTS_AUTH_USERNAME" desc:"Username for the events broker." introductionVersion:"1.0.0"` AuthPassword string `yaml:"auth_password" env:"OC_EVENTS_AUTH_PASSWORD;SHARING_EVENTS_AUTH_PASSWORD" desc:"Password for the events broker." introductionVersion:"1.0.0"` + // TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"` } // PasswordPolicy configures reva password policy diff --git a/services/sharing/pkg/revaconfig/config.go b/services/sharing/pkg/revaconfig/config.go index 59aed828a6..54e9e7da17 100644 --- a/services/sharing/pkg/revaconfig/config.go +++ b/services/sharing/pkg/revaconfig/config.go @@ -81,6 +81,7 @@ func SharingConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string] "events": map[string]interface{}{ "natsaddress": cfg.Events.Addr, "natsclusterid": cfg.Events.ClusterID, + "enabletls": cfg.Events.EnableTLS, "tlsinsecure": cfg.Events.TLSInsecure, "tlsrootcacertificate": cfg.Events.TLSRootCaCertPath, "authusername": cfg.Events.AuthUsername, diff --git a/services/sharing/pkg/server/debug/server.go b/services/sharing/pkg/server/debug/server.go index 1c5f26ae30..c1cfbcfe7c 100644 --- a/services/sharing/pkg/server/debug/server.go +++ b/services/sharing/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCaCertPath, + ) readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)) return debug.NewService( diff --git a/services/sse/pkg/server/debug/server.go b/services/sse/pkg/server/debug/server.go index 83e14bcecb..26e785c319 100644 --- a/services/sse/pkg/server/debug/server.go +++ b/services/sse/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger), diff --git a/services/storage-system/pkg/config/config.go b/services/storage-system/pkg/config/config.go index a8404c1dc9..aee454b66f 100644 --- a/services/storage-system/pkg/config/config.go +++ b/services/storage-system/pkg/config/config.go @@ -85,11 +85,14 @@ type DecomposedDriver struct { // Cache holds cache config type Cache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_SYSTEM_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_SYSTEM_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_SYSTEM_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_SYSTEM_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } diff --git a/services/storage-system/pkg/revaconfig/config.go b/services/storage-system/pkg/revaconfig/config.go index e5183a7a5a..9d4ab1b047 100644 --- a/services/storage-system/pkg/revaconfig/config.go +++ b/services/storage-system/pkg/revaconfig/config.go @@ -164,13 +164,16 @@ func metadataDrivers(localEndpoint string, cfg *config.Config) map[string]interf "cache_database": "system", }, "filemetadatacache": map[string]interface{}{ - "cache_store": cfg.FileMetadataCache.Store, - "cache_nodes": cfg.FileMetadataCache.Nodes, - "cache_database": cfg.FileMetadataCache.Database, - "cache_ttl": cfg.FileMetadataCache.TTL, - "cache_disable_persistence": cfg.FileMetadataCache.DisablePersistence, - "cache_auth_username": cfg.FileMetadataCache.AuthUsername, - "cache_auth_password": cfg.FileMetadataCache.AuthPassword, + "cache_store": cfg.FileMetadataCache.Store, + "cache_nodes": cfg.FileMetadataCache.Nodes, + "cache_database": cfg.FileMetadataCache.Database, + "cache_ttl": cfg.FileMetadataCache.TTL, + "cache_disable_persistence": cfg.FileMetadataCache.DisablePersistence, + "cache_auth_username": cfg.FileMetadataCache.AuthUsername, + "cache_auth_password": cfg.FileMetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FileMetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FileMetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FileMetadataCache.TLSRootCACertificate, }, } diff --git a/services/storage-users/pkg/config/config.go b/services/storage-users/pkg/config/config.go index f6327df022..4e450fc8ba 100644 --- a/services/storage-users/pkg/config/config.go +++ b/services/storage-users/pkg/config/config.go @@ -230,28 +230,35 @@ type Events struct { NumConsumers int `yaml:"num_consumers" env:"STORAGE_USERS_EVENTS_NUM_CONSUMERS" desc:"The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1." introductionVersion:"1.0.0"` AuthUsername string `yaml:"username" env:"OC_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` AuthPassword string `yaml:"password" env:"OC_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"` + // TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"` } // FilemetadataCache holds cache config type FilemetadataCache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE;STORAGE_USERS_FILEMETADATA_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_FILEMETADATA_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // IDCache holds cache config type IDCache struct { - Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_ID_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_ID_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + DisablePersistence bool `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_ID_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_ID_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_ID_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_ID_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // EOSDriver is the storage driver configuration when using 'eos' storage driver diff --git a/services/storage-users/pkg/revaconfig/drivers.go b/services/storage-users/pkg/revaconfig/drivers.go index 56fa18bf0f..f13c4e9793 100644 --- a/services/storage-users/pkg/revaconfig/drivers.go +++ b/services/storage-users/pkg/revaconfig/drivers.go @@ -108,22 +108,28 @@ func Posix(cfg *config.Config, enableFSScan, enableFSWatch bool) map[string]inte "lock_cycle_duration_factor": cfg.Drivers.Posix.LockCycleDurationFactor, "max_concurrency": cfg.Drivers.Posix.MaxConcurrency, "idcache": map[string]interface{}{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_ttl": cfg.IDCache.TTL, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "filemetadatacache": map[string]interface{}{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "events": map[string]interface{}{ "numconsumers": cfg.Events.NumConsumers, @@ -204,22 +210,28 @@ func Decomposed(cfg *config.Config) map[string]interface{} { "max_quota": cfg.Drivers.Decomposed.MaxQuota, "disable_versioning": cfg.Drivers.Decomposed.DisableVersioning, "filemetadatacache": map[string]interface{}{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]interface{}{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_ttl": cfg.IDCache.TTL, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "events": map[string]interface{}{ "numconsumers": cfg.Events.NumConsumers, @@ -258,22 +270,28 @@ func DecomposedNoEvents(cfg *config.Config) map[string]interface{} { "max_quota": cfg.Drivers.Decomposed.MaxQuota, "disable_versioning": cfg.Drivers.Decomposed.DisableVersioning, "filemetadatacache": map[string]interface{}{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]interface{}{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_ttl": cfg.IDCache.TTL, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, } } @@ -314,22 +332,28 @@ func DecomposedS3(cfg *config.Config) map[string]interface{} { "disable_versioning": cfg.Drivers.DecomposedS3.DisableVersioning, "asyncfileuploads": cfg.Drivers.DecomposedS3.AsyncUploads, "filemetadatacache": map[string]interface{}{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]interface{}{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_ttl": cfg.IDCache.TTL, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, "events": map[string]interface{}{ "numconsumers": cfg.Events.NumConsumers, @@ -372,22 +396,28 @@ func DecomposedS3NoEvents(cfg *config.Config) map[string]interface{} { "disable_versioning": cfg.Drivers.DecomposedS3.DisableVersioning, "lock_cycle_duration_factor": cfg.Drivers.DecomposedS3.LockCycleDurationFactor, "filemetadatacache": map[string]interface{}{ - "cache_store": cfg.FilemetadataCache.Store, - "cache_nodes": cfg.FilemetadataCache.Nodes, - "cache_database": cfg.FilemetadataCache.Database, - "cache_ttl": cfg.FilemetadataCache.TTL, - "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, - "cache_auth_username": cfg.FilemetadataCache.AuthUsername, - "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_store": cfg.FilemetadataCache.Store, + "cache_nodes": cfg.FilemetadataCache.Nodes, + "cache_database": cfg.FilemetadataCache.Database, + "cache_ttl": cfg.FilemetadataCache.TTL, + "cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence, + "cache_auth_username": cfg.FilemetadataCache.AuthUsername, + "cache_auth_password": cfg.FilemetadataCache.AuthPassword, + "cache_tls_enabled": cfg.FilemetadataCache.EnableTLS, + "cache_tls_insecure": cfg.FilemetadataCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate, }, "idcache": map[string]interface{}{ - "cache_store": cfg.IDCache.Store, - "cache_nodes": cfg.IDCache.Nodes, - "cache_database": cfg.IDCache.Database, - "cache_ttl": cfg.IDCache.TTL, - "cache_disable_persistence": cfg.IDCache.DisablePersistence, - "cache_auth_username": cfg.IDCache.AuthUsername, - "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_store": cfg.IDCache.Store, + "cache_nodes": cfg.IDCache.Nodes, + "cache_database": cfg.IDCache.Database, + "cache_ttl": cfg.IDCache.TTL, + "cache_disable_persistence": cfg.IDCache.DisablePersistence, + "cache_auth_username": cfg.IDCache.AuthUsername, + "cache_auth_password": cfg.IDCache.AuthPassword, + "cache_tls_enabled": cfg.IDCache.EnableTLS, + "cache_tls_insecure": cfg.IDCache.TLSInsecure, + "cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate, }, } } diff --git a/services/storage-users/pkg/server/debug/server.go b/services/storage-users/pkg/server/debug/server.go index 33a7b8e8fc..9c22609340 100644 --- a/services/storage-users/pkg/server/debug/server.go +++ b/services/storage-users/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -13,9 +14,14 @@ import ( func Server(opts ...Option) (*http.Server, error) { options := newOptions(opts...) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCaCertPath, + ) readyHandler := handlers.NewCheckHandler(handlers.NewCheckHandlerConfiguration(). WithLogger(options.Logger). - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)). + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)). WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)), ) diff --git a/services/userlog/pkg/command/server.go b/services/userlog/pkg/command/server.go index 3021fddc3a..d51942f9f0 100644 --- a/services/userlog/pkg/command/server.go +++ b/services/userlog/pkg/command/server.go @@ -92,6 +92,9 @@ func Server(cfg *config.Config) *cobra.Command { microstore.Database(cfg.Persistence.Database), microstore.Table(cfg.Persistence.Table), store.Authentication(cfg.Persistence.AuthUsername, cfg.Persistence.AuthPassword), + store.TLSEnabled(cfg.Persistence.EnableTLS), + store.TLSInsecure(cfg.Persistence.TLSInsecure), + store.TLSRootCA(cfg.Persistence.TLSRootCACertificate), ) tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode) diff --git a/services/userlog/pkg/config/config.go b/services/userlog/pkg/config/config.go index ac3ff16089..ccd3a9f75d 100644 --- a/services/userlog/pkg/config/config.go +++ b/services/userlog/pkg/config/config.go @@ -39,13 +39,16 @@ type Config struct { // Persistence configures the store to use type Persistence struct { - Store string `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` - Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` - Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` - TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` - AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` - AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + Store string `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"` + Nodes []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + Database string `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"` + Table string `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"` + TTL time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"` + AuthUsername string `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + AuthPassword string `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"` + EnableTLS bool `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;USERLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"` + TLSInsecure bool `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;USERLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"` + TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;USERLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"` } // Events combines the configuration options for the event bus. diff --git a/services/userlog/pkg/server/debug/server.go b/services/userlog/pkg/server/debug/server.go index 83e14bcecb..26e785c319 100644 --- a/services/userlog/pkg/server/debug/server.go +++ b/services/userlog/pkg/server/debug/server.go @@ -5,6 +5,7 @@ import ( "github.com/opencloud-eu/opencloud/pkg/checks" "github.com/opencloud-eu/opencloud/pkg/handlers" + "github.com/opencloud-eu/opencloud/pkg/nats" "github.com/opencloud-eu/opencloud/pkg/service/debug" "github.com/opencloud-eu/opencloud/pkg/version" ) @@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) { WithLogger(options.Logger). WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr)) + secureOption := nats.Secure( + options.Config.Events.EnableTLS, + options.Config.Events.TLSInsecure, + options.Config.Events.TLSRootCACertificate, + ) readyHandlerConfiguration := healthHandlerConfiguration. - WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)) + WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)) return debug.NewService( debug.Logger(options.Logger),