From 291d15b183cd7ff8d7efa663b1d25fe8a2db5ad4 Mon Sep 17 00:00:00 2001
From: Adriano Chiesa
Date: Fri, 5 Jul 2024 16:29:51 -0300
Subject: [PATCH] Add TLS to NATS connection
---
 .../services/acs/internal/config/config.go | 33 ++++++++++++++-----
 backend/services/acs/internal/nats/nats.go | 6 ++--
 .../bulkdata/http/internal/config/config.go | 33 ++++++++++++++-----
 .../bulkdata/http/internal/nats/nats.go | 6 ++--
 .../controller/internal/config/config.go | 33 ++++++++++++++-----
 .../services/controller/internal/nats/nats.go | 6 ++--
 .../mtp/adapter/internal/config/config.go | 33 ++++++++++++++-----
 .../mtp/adapter/internal/nats/nats.go | 6 ++--
 .../mqtt-adapter/internal/config/config.go | 33 ++++++++++++++-----
 .../mtp/mqtt-adapter/internal/nats/nats.go | 6 ++--
 .../mtp/mqtt/internal/config/config.go | 33 ++++++++++++++-----
 .../services/mtp/mqtt/internal/nats/nats.go | 6 ++--
 .../stomp-adapter/internal/config/config.go | 33 ++++++++++++++-----
 .../mtp/stomp-adapter/internal/nats/nats.go | 7 ++--
 .../mtp/ws-adapter/internal/config/config.go | 33 ++++++++++++++-----
 .../mtp/ws-adapter/internal/nats/nats.go | 6 ++--
 .../services/mtp/ws/internal/config/config.go | 33 ++++++++++++++-----
 backend/services/mtp/ws/internal/nats/nats.go | 6 ++--
 18 files changed, 252 insertions(+), 100 deletions(-)
diff --git a/backend/services/acs/internal/config/config.go b/backend/services/acs/internal/config/config.go
index e6e6325..1f5fd5e 100644
--- a/backend/services/acs/internal/config/config.go
+++ b/backend/services/acs/internal/config/config.go
@@ -14,10 +14,11 @@ import (
 const LOCAL_ENV = ".env.local"
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
 }
 type Acs struct {
@@ -40,6 +41,12 @@ type Config struct {
 Nats Nats
 }
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
+}
+
 func NewConfig() *Config {
 loadEnvVariables()
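Review bot: The new exported names `EnableTls`, `Tls` and `CaFile` in the `Nats` and `Tls` struct hunks run against Go's initialism convention, which would spell them `EnableTLS`, `TLS` and `CAFile`; the field `Cert` also carries the key and CA paths, so `TLS` would describe it better than `Cert`. The identical struct is added verbatim to eight more config packages in this patch (bulkdata/http, controller, mtp/adapter, mqtt-adapter, mqtt, stomp-adapter, ws-adapter, ws), which suggests lifting it into one shared package rather than maintaining nine copies. Each new exported type and field is undocumented; a doc comment such as `// Tls holds the PEM file paths for the client certificate, its private key and the server CA used on the NATS connection.` would help.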
@@ -47,7 +54,10 @@ func NewConfig() *Config {
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 acsPort := flag.String("acs_port", lookupEnvOrString("ACS_PORT", ":9292"), "port for acs server")
 acsRoute := flag.String("acs_route", lookupEnvOrString("ACS_ROUTE", "/acs"), "route for acs server")
 connReqUser := flag.String("connrq_user", lookupEnvOrString("CONN_RQ_USER", ""), "Connection Request Username")
@@ -77,10 +87,15 @@ func NewConfig() *Config {
 return &Config{
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 Acs: Acs{
 Port: *acsPort,
diff --git a/backend/services/acs/internal/nats/nats.go b/backend/services/acs/internal/nats/nats.go
index 0b1e803..d4d8a6e 100644
--- a/backend/services/acs/internal/nats/nats.go
+++ b/backend/services/acs/internal/nats/nats.go
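Review bot: The rename from `NATS_VERIFY_CERTIFICATES`/`-nats_verify_certificates` to `NATS_ENABLE_TLS`/`-nats_enable_tls` is silent for existing deployments: nothing in this patch reads the old name any more, `NATS_ENABLE_TLS` defaults to `false`, and a service still configured with the old variable therefore comes up on a plaintext NATS connection without any log line saying so. A one-line guard next to the new flag would surface that, e.g. `if _, set := os.LookupEnv("NATS_VERIFY_CERTIFICATES"); set { log.Println("NATS_VERIFY_CERTIFICATES is no longer read; set NATS_ENABLE_TLS") }` (assuming `os` and `log` are imported here; the import block is outside the hunk). The usage string has a typo, `"enbale TLS to nats server"`, and the defaults `cert.pem`, `key.pem` and `rootCA.pem` are resolved relative to the process working directory, which is worth stating in the usage text. The same lines are repeated in the NewConfig hunks of the other eight config.go files in this patch.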
@@ -141,8 +141,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts
diff --git a/backend/services/bulkdata/http/internal/config/config.go b/backend/services/bulkdata/http/internal/config/config.go
index 8375aca..fff17d3 100644
--- a/backend/services/bulkdata/http/internal/config/config.go
+++ b/backend/services/bulkdata/http/internal/config/config.go
@@ -13,10 +13,11 @@ import (
 const LOCAL_ENV = ".env.local"
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
 }
 type RestApi struct {
@@ -29,6 +30,12 @@ type Config struct {
 Nats Nats
 }
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
+}
+
 func NewConfig() *Config {
 loadEnvVariables()
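Review bot: When `c.EnableTls` is set, `nats.ClientCert` is appended unconditionally after `nats.RootCAs`, so the NATS connection is always mutual TLS; a service that only needs to verify the server against `CaFile` still has to ship `cert.pem`/`key.pem`, and because the flag defaults are non-empty there is no configuration that yields server-only TLS. Both options read their PEM files when the option is applied inside `nats.Connect`, so a missing or unreadable file surfaces only as the error returned there, outside this hunk; that caller should treat it as a configuration error rather than a transient connect failure to retry. If server-only TLS is wanted, gate the client certificate on an explicit setting, e.g. `if c.Cert.CertFile != "" { opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile)) }` together with an empty default for `CLIENT_CRT`. The same block is repeated in the other eight nats.go hunks in this patch (bulkdata/http, controller, mtp/adapter, mqtt-adapter, mqtt, stomp-adapter, ws-adapter, ws).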
@@ -36,7 +43,10 @@ func NewConfig() *Config {
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 flApiPort := flag.String("api_port", lookupEnvOrString("REST_API_PORT", "4000"), "Rest api port")
 flHelp := flag.Bool("help", false, "Help")
@@ -62,10 +72,15 @@ func NewConfig() *Config {
 Ctx: ctx,
 },
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 }
 }
diff --git a/backend/services/bulkdata/http/internal/nats/nats.go b/backend/services/bulkdata/http/internal/nats/nats.go
index 0c77ac4..dd58bf8 100644
--- a/backend/services/bulkdata/http/internal/nats/nats.go
+++ b/backend/services/bulkdata/http/internal/nats/nats.go
@@ -70,8 +70,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts
diff --git a/backend/services/controller/internal/config/config.go b/backend/services/controller/internal/config/config.go
index ff97dd6..e90dc5e 100644
--- a/backend/services/controller/internal/config/config.go
+++ b/backend/services/controller/internal/config/config.go
@@ -13,10 +13,11 @@ import (
 const LOCAL_ENV = ".env.local"
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
 }
 type Mongo struct {
@@ -42,6 +43,12 @@ type Config struct {
 Enterprise Enterprise
 }
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
+}
+
 func NewConfig() *Config {
 loadEnvVariables()
@@ -49,7 +56,10 @@ func NewConfig() *Config {
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "controller"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 flApiPort := flag.String("api_port", lookupEnvOrString("REST_API_PORT", "8000"), "Rest api port")
 mongoUri := flag.String("mongo_uri", lookupEnvOrString("MONGO_URI", "mongodb://localhost:27017"), "uri for mongodb server")
 enterpise := flag.Bool("enterprise", lookupEnvOrBool("ENTERPRISE", false), "enterprise version enable")
@@ -79,10 +89,15 @@ func NewConfig() *Config {
 Ctx: ctx,
 },
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 Mongo: Mongo{
 Uri: *mongoUri,
diff --git a/backend/services/controller/internal/nats/nats.go b/backend/services/controller/internal/nats/nats.go
index 3786604..394a1f2 100644
--- a/backend/services/controller/internal/nats/nats.go
+++ b/backend/services/controller/internal/nats/nats.go
@@ -77,8 +77,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts
diff --git a/backend/services/mtp/adapter/internal/config/config.go b/backend/services/mtp/adapter/internal/config/config.go
index 7562b36..25b0840 100644
--- a/backend/services/mtp/adapter/internal/config/config.go
+++ b/backend/services/mtp/adapter/internal/config/config.go
@@ -13,10 +13,17 @@ import (
 const LOCAL_ENV = ".env.local"
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
+}
+
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
 }
 type Mongo struct {
@@ -42,7 +49,10 @@ func NewConfig() *Config {
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 mongoUri := flag.String("mongo_uri", lookupEnvOrString("MONGO_URI", "mongodb://localhost:27017"), "uri for mongodb server")
 controllerId := flag.String("controller_id", lookupEnvOrString("CONTROLLER_ID", "oktopusController"), "usp controller endpoint id")
 controllerPassword := flag.String("controller_passwd", lookupEnvOrString("CONTROLLER_PASSWORD", ""), "usp controller endpoint password to connect to")
@@ -66,10 +76,15 @@ func NewConfig() *Config {
 return &Config{
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 Mongo: Mongo{
 Uri: *mongoUri,
diff --git a/backend/services/mtp/adapter/internal/nats/nats.go b/backend/services/mtp/adapter/internal/nats/nats.go
index 7985275..9396d7f 100644
--- a/backend/services/mtp/adapter/internal/nats/nats.go
+++ b/backend/services/mtp/adapter/internal/nats/nats.go
@@ -150,8 +150,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts
diff --git a/backend/services/mtp/mqtt-adapter/internal/config/config.go b/backend/services/mtp/mqtt-adapter/internal/config/config.go
index 9bac4a7..0cfd6c6 100644
--- a/backend/services/mtp/mqtt-adapter/internal/config/config.go
+++ b/backend/services/mtp/mqtt-adapter/internal/config/config.go
@@ -13,10 +13,17 @@ import (
 const LOCAL_ENV = ".env.local"
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
+}
+
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
 }
 type Mqtt struct {
@@ -42,7 +49,10 @@ func NewConfig() *Config {
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "mqtt-adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 mqttUrl := flag.String("mqtt_url", lookupEnvOrString("MQTT_URL", "tcp://localhost:1883"), "url for mqtt server")
 mqttsUrl := flag.String("mqtts_url", lookupEnvOrString("MQTTS_URL", ""), "url for mqtts server")
 mqttsSkipVerify := flag.Bool("mqtts_skip_verify", lookupEnvOrBool("MQTTS_SKIP_VERIFY", false), "skip verification of server certificate for mqtts")
@@ -69,10 +79,15 @@ func NewConfig() *Config {
 return &Config{
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 Mqtt: Mqtt{
 Url: *mqttUrl,
diff --git a/backend/services/mtp/mqtt-adapter/internal/nats/nats.go b/backend/services/mtp/mqtt-adapter/internal/nats/nats.go
index 7698d76..4e96605 100644
--- a/backend/services/mtp/mqtt-adapter/internal/nats/nats.go
+++ b/backend/services/mtp/mqtt-adapter/internal/nats/nats.go
@@ -92,8 +92,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts
diff --git a/backend/services/mtp/mqtt/internal/config/config.go b/backend/services/mtp/mqtt/internal/config/config.go
index 805d4ae..e701117 100644
--- a/backend/services/mtp/mqtt/internal/config/config.go
+++ b/backend/services/mtp/mqtt/internal/config/config.go
@@ -32,10 +32,17 @@ type Config struct {
 }
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
+}
+
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
 }
 func NewConfig() Config {
@@ -66,7 +73,10 @@ func NewConfig() Config {
 logLevel := flag.Int("log_level", lookupEnvOrInt("LOG_LEVEL", 1), "0=DEBUG, 1=INFO, 2=WARNING, 3=ERROR")
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 flag.Parse()
 flHelp := flag.Bool("help", false, "Help")
@@ -99,10 +109,15 @@ func NewConfig() Config {
 HttpPort: *httpPort,
 LogLevel: *logLevel,
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 }
diff --git a/backend/services/mtp/mqtt/internal/nats/nats.go b/backend/services/mtp/mqtt/internal/nats/nats.go
index 1eb51a4..d1548a3 100644
--- a/backend/services/mtp/mqtt/internal/nats/nats.go
+++ b/backend/services/mtp/mqtt/internal/nats/nats.go
@@ -74,8 +74,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts
diff --git a/backend/services/mtp/stomp-adapter/internal/config/config.go b/backend/services/mtp/stomp-adapter/internal/config/config.go
index f79de27..2b54a40 100644
--- a/backend/services/mtp/stomp-adapter/internal/config/config.go
+++ b/backend/services/mtp/stomp-adapter/internal/config/config.go
@@ -13,10 +13,17 @@ import (
 const LOCAL_ENV = ".env.local"
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
+}
+
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
 }
 type Stomp struct {
@@ -37,7 +44,10 @@ func NewConfig() *Config {
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "mqtt-adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 stompAddr := flag.String("stomp_server", lookupEnvOrString("STOMP_SERVER", "localhost:61613"), "STOMP server endpoint")
 stompUser := flag.String("stomp_user", lookupEnvOrString("STOMP_USER", ""), "stomp server user")
 stompPassword := flag.String("stomp_passsword", lookupEnvOrString("STOMP_PASSWD", ""), "stomp server password")
@@ -61,10 +71,15 @@ func NewConfig() *Config {
 return &Config{
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 Stomp: Stomp{
 Url: *stompAddr,
diff --git a/backend/services/mtp/stomp-adapter/internal/nats/nats.go b/backend/services/mtp/stomp-adapter/internal/nats/nats.go
index ad739fd..774ba86 100644
--- a/backend/services/mtp/stomp-adapter/internal/nats/nats.go
+++ b/backend/services/mtp/stomp-adapter/internal/nats/nats.go
@@ -81,9 +81,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
-
 return opts
 }
diff --git a/backend/services/mtp/ws-adapter/internal/config/config.go b/backend/services/mtp/ws-adapter/internal/config/config.go
index c78e4dd..cf4231b 100644
--- a/backend/services/mtp/ws-adapter/internal/config/config.go
+++ b/backend/services/mtp/ws-adapter/internal/config/config.go
@@ -13,10 +13,17 @@ import (
 const LOCAL_ENV = ".env.local"
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
+}
+
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
 }
 type Ws struct {
@@ -42,7 +49,10 @@ func NewConfig() *Config {
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "ws-adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 wsAuthEnable := flag.Bool("ws_auth_enable", lookupEnvOrBool("WS_AUTH_ENABLE", false), "enable authentication for websocket server")
 wsAddr := flag.String("ws_addr", lookupEnvOrString("WS_ADDR", "localhost"), "websocket server address (domain or ip)")
 wsPort := flag.String("ws_port", lookupEnvOrString("WS_PORT", ":8080"), "websocket server port")
@@ -68,10 +78,15 @@ func NewConfig() *Config {
 return &Config{
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 Ws: Ws{
 AuthEnable: *wsAuthEnable,
diff --git a/backend/services/mtp/ws-adapter/internal/nats/nats.go b/backend/services/mtp/ws-adapter/internal/nats/nats.go
index c5a1de4..729129c 100644
--- a/backend/services/mtp/ws-adapter/internal/nats/nats.go
+++ b/backend/services/mtp/ws-adapter/internal/nats/nats.go
@@ -91,8 +91,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts
diff --git a/backend/services/mtp/ws/internal/config/config.go b/backend/services/mtp/ws/internal/config/config.go
index f79f176..3080571 100644
--- a/backend/services/mtp/ws/internal/config/config.go
+++ b/backend/services/mtp/ws/internal/config/config.go
@@ -24,10 +24,17 @@ type Config struct {
 }
 type Nats struct {
- Url string
- Name string
- VerifyCertificates bool
- Ctx context.Context
+ Url string
+ Name string
+ EnableTls bool
+ Cert Tls
+ Ctx context.Context
+}
+
+type Tls struct {
+ CertFile string
+ KeyFile string
+ CaFile string
 }
 func NewConfig() Config {
@@ -47,7 +54,10 @@ func NewConfig() Config {
 /* ------------------------------ define flags ------------------------------ */
 natsUrl := flag.String("nats_url", lookupEnvOrString("NATS_URL", "nats://localhost:4222"), "url for nats server")
 natsName := flag.String("nats_name", lookupEnvOrString("NATS_NAME", "ws-adapter"), "name for nats client")
- natsVerifyCertificates := flag.Bool("nats_verify_certificates", lookupEnvOrBool("NATS_VERIFY_CERTIFICATES", false), "verify validity of certificates from nats server")
+ natsEnableTls := flag.Bool("nats_enable_tls", lookupEnvOrBool("NATS_ENABLE_TLS", false), "enbale TLS to nats server")
+ clientCrt := flag.String("client_crt", lookupEnvOrString("CLIENT_CRT", "cert.pem"), "client certificate file to TLS connection")
+ clientKey := flag.String("client_key", lookupEnvOrString("CLIENT_KEY", "key.pem"), "client key file to TLS connection")
+ serverCA := flag.String("server_ca", lookupEnvOrString("SERVER_CA", "rootCA.pem"), "server CA file to TLS connection")
 flPort := flag.String("port", lookupEnvOrString("SERVER_PORT", ":8080"), "Server port")
 flAuth := flag.Bool("auth", lookupEnvOrBool("SERVER_AUTH_ENABLE", false), "Server auth enable/disable")
 flControllerEid := flag.String("controller-eid", lookupEnvOrString("CONTROLLER_EID", "oktopusController"), "Controller eid")
@@ -81,10 +91,15 @@ func NewConfig() Config {
 FullChain: *flFullchain,
 PrivateKey: *flPrivKey,
 Nats: Nats{
- Url: *natsUrl,
- Name: *natsName,
- VerifyCertificates: *natsVerifyCertificates,
- Ctx: ctx,
+ Url: *natsUrl,
+ Name: *natsName,
+ EnableTls: *natsEnableTls,
+ Ctx: ctx,
+ Cert: Tls{
+ CertFile: *clientCrt,
+ KeyFile: *clientKey,
+ CaFile: *serverCA,
+ },
 },
 }
 }
diff --git a/backend/services/mtp/ws/internal/nats/nats.go b/backend/services/mtp/ws/internal/nats/nats.go
index a5a557d..2afc947 100644
--- a/backend/services/mtp/ws/internal/nats/nats.go
+++ b/backend/services/mtp/ws/internal/nats/nats.go
@@ -66,8 +66,10 @@ func defineOptions(c config.Nats) []nats.Option {
 opts = append(opts, nats.ClosedHandler(func(nc *nats.Conn) {
 log.Printf("Connection closed. Reason: %q\n", nc.LastError())
 }))
- if c.VerifyCertificates {
- opts = append(opts, nats.RootCAs())
+ if c.EnableTls {
+ log.Printf("Load certificates: %s and %s\n", c.Cert.CertFile, c.Cert.KeyFile)
+ opts = append(opts, nats.RootCAs(c.Cert.CaFile))
+ opts = append(opts, nats.ClientCert(c.Cert.CertFile, c.Cert.KeyFile))
 }
 return opts