From 3b91dfd3b0ffeefd90e021e33d164299a8e8355b Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Sat, 30 Mar 2019 08:17:05 +0900
Subject: [PATCH] Add fields to extend TLS timeout (#154)
Signed-off-by: Waldemar Quevedo
---
 pkg/apis/nats/v1alpha2/cluster.go | 8 ++++
 pkg/util/kubernetes/kubernetes.go | 7 ++++
 test/e2e/tls_test.go | 63 +++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+)
diff --git a/pkg/apis/nats/v1alpha2/cluster.go b/pkg/apis/nats/v1alpha2/cluster.go
index 62c2aca4..a0273f4d 100644
--- a/pkg/apis/nats/v1alpha2/cluster.go
+++ b/pkg/apis/nats/v1alpha2/cluster.go
@@ -165,6 +165,14 @@ type TLSConfig struct {
 // EnableHttps makes the monitoring endpoint use https.
 EnableHttps bool `json:"enableHttps,omitempty"`
+
+ // ClientsTLSTimeout is the time in seconds that the NATS server will
+ // allow to clients to finish the TLS handshake.
+ ClientsTLSTimeout float64 `json:"clientsTLSTimeout,omitempty"`
+
+ // RoutesTLSTimeout is the time in seconds that the NATS server will
+ // allow to routes to finish the TLS handshake.
+ RoutesTLSTimeout float64 `json:"routesTLSTimeout,omitempty"`
 }
 // PodPolicy defines the policy to create pod for the NATS container.
diff --git a/pkg/util/kubernetes/kubernetes.go b/pkg/util/kubernetes/kubernetes.go
index aa9accdb..f7fe1e09 100644
--- a/pkg/util/kubernetes/kubernetes.go
+++ b/pkg/util/kubernetes/kubernetes.go
@@ -160,6 +160,10 @@ func addTLSConfig(sconfig *natsconf.ServerConfig, cs v1alpha2.ClusterSpec) {
 CertFile: constants.ServerCertFilePath,
 KeyFile: constants.ServerKeyFilePath,
 }
+
+ if cs.TLS.ClientsTLSTimeout > 0 {
+ sconfig.TLS.Timeout = cs.TLS.ClientsTLSTimeout
+ }
 }
 if cs.TLS.RoutesSecret != "" {
 sconfig.Cluster.TLS = &natsconf.TLSConfig{
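Review bot: `ClientsTLSTimeout` and `RoutesTLSTimeout` are added with no bounds, and their only consumer in this patch (`addTLSConfig` in kubernetes.go) forwards a value only when it is `> 0`, so a negative value written to the CR is silently ignored rather than rejected, and the field comments do not say that zero or omitted leaves whatever default the server applies. The handshake timeout also bounds how long a peer that has not yet completed the TLS handshake can hold a server-side connection, so a cluster author raising it should be told that larger values keep unfinished handshakes open longer. Suggested wording for the first field, mirrored for routes: `// ClientsTLSTimeout is the time in seconds the NATS server allows clients to complete the TLS handshake.` `// Zero or omitted keeps the server default; larger values keep unfinished handshakes open longer.` Either way "allow to clients" should read "allow clients".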
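Review bot: The `if cs.TLS.ClientsTLSTimeout > 0` guard silently drops a negative value instead of reporting it, so a CR with a malformed timeout yields a server config without the setting and nothing tells the user; the `RoutesTLSTimeout` guard in the next hunk has the same shape, and additionally omits the blank line that separates this one from the `natsconf.TLSConfig` literal, so the two parallel blocks are laid out differently. If "non-positive means server default" is intended, say so at both guards, `// Only positive values are forwarded; zero or negative keeps the server default.`, and otherwise reject the sign where the spec is validated, which is not part of this patch. Both hunks sit inside addTLSConfig, whose beginning and end are outside the hunk.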
@@ -167,6 +171,9 @@ func addTLSConfig(sconfig *natsconf.ServerConfig, cs v1alpha2.ClusterSpec) {
 CertFile: constants.RoutesCertFilePath,
 KeyFile: constants.RoutesKeyFilePath,
 }
+ if cs.TLS.RoutesTLSTimeout > 0 {
+ sconfig.Cluster.TLS.Timeout = cs.TLS.RoutesTLSTimeout
+ }
 }
 if cs.Auth != nil && cs.Auth.TLSVerifyAndMap {
 sconfig.TLS.VerifyAndMap = true
diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go
index 05719894..34df05fc 100644
--- a/test/e2e/tls_test.go
+++ b/test/e2e/tls_test.go
@@ -196,3 +196,66 @@ func TestCreateClusterWithVerifyAndMap(t *testing.T) {
 t.Fatal(err)
 }
 }
+
+func TestCreateClusterWithCustomTLSTimeout(t *testing.T) {
+ natsCluster, err := f.CreateCluster(f.Namespace, "", 1, "", func(natsCluster *natsv1alpha2.NatsCluster) {
+ // The NatsCluster resource must be called "nats" in
+ // order for the pre-provisioned certificates to work.
+ natsCluster.Name = "nats-tls-timeout"
+ natsCluster.Spec.ServerImage = "nats"
+ natsCluster.Spec.Version = "1.4.1"
+
+ // Enable TLS using pre-provisioned certificates.
+ natsCluster.Spec.TLS = &natsv1alpha2.TLSConfig{
+ ServerSecret: "nats-certs",
+ RoutesSecret: "nats-routes-tls",
+ ClientsTLSTimeout: 5,
+ RoutesTLSTimeout: 5,
+ }
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+ // Make sure we cleanup the NatsCluster resource after we're done testing.
+ defer func() {
+ if err = f.DeleteCluster(natsCluster); err != nil {
+ t.Error(err)
+ }
+ }()
+
+ // Wait until the full mesh is formed.
+ ctx1, fn := context.WithTimeout(context.Background(), waitTimeout)
+ defer fn()
+ err = f.WaitUntilSecretCondition(ctx1, natsCluster, func(event watchapi.Event) (bool, error) {
+ secret := event.Object.(*v1.Secret)
+ conf, ok := secret.Data[constants.ConfigFileName]
+ if !ok {
+ return false, nil
+ }
+ config, err := natsconf.Unmarshal(conf)
+ if err != nil {
+ return false, nil
+ }
+ if config.TLS == nil {
+ return false, nil
+ }
+ if config.TLS.Timeout != 5 {
+ return false, nil
+ }
+ if config.Cluster.TLS.Timeout != 5 {
+ return false, nil
+ }
+
+ pods, err := f.PodsForNatsCluster(natsCluster)
+ if err != nil {
+ return false, nil
+ }
+ if len(pods) < 1 {
+ return false, nil
+ }
+ return true, nil
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+}
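Review bot: `config.Cluster.TLS.Timeout != 5` dereferences `config.Cluster.TLS` with no nil check, while `config.TLS` gets one a few lines earlier; if `Cluster.TLS` is the pointer that kubernetes.go assigns with `&natsconf.TLSConfig{` and the watch observes a config revision before the routes block is present, the callback panics instead of returning false. The check should become `if config.Cluster.TLS == nil || config.Cluster.TLS.Timeout != 5 {`, assuming `config.Cluster` itself is non-nil as the kubernetes.go code already assumes. The comment `// The NatsCluster resource must be called "nats" in order for the pre-provisioned certificates to work.` contradicts the `natsCluster.Name = "nats-tls-timeout"` directly below it and reads as copied from an earlier test; drop it or restate why this name works with the `nats-certs` and `nats-routes-tls` secrets. The trailing pod-count check is unrelated to the timeout being tested and deserves either a comment saying why it is there or removal.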