Description
Thank you for submitting an issue to the diego-release repository. We appreciate the feedback. To help us address your issue, please fill out the sections in the following template to the best of your ability:
Summary
We are looking for a review of our PR: #453
We've added configuration to the spec for the nats-tls hostname. This property is preferred over the nats-tls link instances.address. We need this to support TLS between route-emitter and nats-tls.
Expected Result
The route-emitter can validate the hostname on the certificate presented by the nats-tls job.
Actual Result
route-emitter fails to start and logs an error when using a bosh-dns-alias for nats-tls:
route-emitter.nats-runner.connecting-to-nats-failed","data":{"error":"x509: cannot validate certificate {...}
Context
GCP
Diego 2.42
NATS v32
Steps to Reproduce
Add a bosh-dns-alias for nats in your deployment manifest:
- domain: nats.service.cf.internal
  targets:
  - query: '*'
    instance_group: nats
    deployment: cf
    network: default
    domain: bosh
Use the following ops-file to deploy with route-emitter talking to nats-tls:
- type: replace
  path: /variables?/name=nats_internal_ca?
  value:
    name: nats_internal_ca
    type: certificate
    options:
      is_ca: true
      common_name: nats_internal
- type: replace
  path: /variables?/name=nats_internal_cert?
  value:
    name: nats_internal_cert
    type: certificate
    options:
      ca: nats_internal_ca
      common_name: "nats.service.cf.internal"
      alternative_names:
      - "nats.service.cf.internal"
      extended_key_usage:
      - client_auth
      - server_auth
- type: replace
  path: /instance_groups/name=nats/jobs/name=nats/properties/nats?/internal?/tls?/enabled
  value: true
- type: replace
  path: /instance_groups/name=nats/jobs/name=nats/consumes?
  value:
    nats:
      ip_addresses: false
    nats-tls:
      ip_addresses: false
- type: replace
  path: /instance_groups/name=nats/jobs/name=nats/properties/nats?/internal?/tls?/ca
  value: "((nats_internal_cert.ca))"
- type: replace
  path: /instance_groups/name=nats/jobs/name=nats/properties/nats?/internal?/tls?/certificate
  value: "((nats_internal_cert.certificate))"
- type: replace
  path: /instance_groups/name=nats/jobs/name=nats/properties/nats?/internal?/tls?/private_key
  value: "((nats_internal_cert.private_key))"
- type: replace
  path: /variables?/name=nats_ca?
  value:
    name: nats_ca
    type: certificate
    options:
      is_ca: true
      common_name: nats
- type: replace
  path: /variables?/name=nats_client_cert?
  value:
    name: nats_client_cert
    type: certificate
    options:
      ca: nats_ca
      common_name: "nats_client"
      extended_key_usage:
      - client_auth
- type: replace
  path: /variables?/name=nats_server_cert?
  value:
    name: nats_server_cert
    type: certificate
    options:
      ca: nats_ca
      common_name: "nats.service.cf.internal"
      alternative_names:
      - "nats.service.cf.internal"
      extended_key_usage:
      - server_auth
- type: replace
  path: /instance_groups/name=nats/jobs/-
  value:
    name: nats-tls
    release: nats
    consumes:
      nats:
        ip_addresses: false
      nats-tls:
        ip_addresses: false
    properties:
      nats:
        user: nats
        password: "((nats_password))"
        internal:
          tls:
            ca: "((nats_internal_cert.ca))"
            private_key: "((nats_internal_cert.private_key))"
            certificate: "((nats_internal_cert.certificate))"
            enabled: true
        external:
          tls:
            ca: "((nats_client_cert.ca))"
            private_key: "((nats_server_cert.private_key))"
            certificate: "((nats_server_cert.certificate))"
- type: replace
  path: /instance_groups/-
  value:
    name: nats-smoke-tests
    azs: [z1]
    vm_type: default
    stemcell: default
    instances: 1
    lifecycle: errand
    networks:
    - name: default
    jobs:
    - name: smoke-tests
      release: nats
      consumes:
        nats:
          ip_addresses: false
        nats-tls:
          ip_addresses: false
      properties:
        nats:
          client:
            tls:
              certificate: "((nats_client_cert.certificate))"
              private_key: "((nats_client_cert.private_key))"
- type: replace
  path: /instance_groups/name=diego-cell/jobs/name=route_emitter/properties/diego?/route_emitter?/nats
  value:
    tls:
      enabled: true
      client_cert: "((nats_client_cert.certificate))"
      client_key: "((nats_client_cert.private_key))"
See route-emitter fail to deploy.
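The error under Actual Result is what Go's crypto/x509 reports when the dial target is an IP address but the server certificate, like nats_server_cert in the ops-file above, carries only a DNS SAN. The Go program below is an added illustration, not code from diego-release or the nats release: it builds a constructed, self-signed stand-in for that certificate and verifies it once for the bosh-dns alias and once for 10.0.16.5, an assumed placeholder for the address the nats-tls link would supply. The second check fails with x509.HostnameError, which is why route-emitter needs a configurable hostname instead of the link's instances.address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverCert builds a constructed, self-signed stand-in for the ops-file's
// nats_server_cert: its only SAN is the bosh-dns alias, with no IP SANs.
func serverCert() *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "nats.service.cf.internal"},
		DNSNames:    []string{"nats.service.cf.internal"}, // DNS SAN only
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyAs runs the hostname check crypto/tls performs for a dial target (DNS name vs
// DNSNames, IP literal vs IPAddresses); the cert is its own root so only that can fail.
func verifyAs(cert *x509.Certificate, target string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: target})
	return err
}

func main() { // 10.0.16.5 is a placeholder for the link's instances.address
	cert := serverCert()
	fmt.Println(verifyAs(cert, "nats.service.cf.internal"), verifyAs(cert, "10.0.16.5"))
}
```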