nats-io · wallyqs · Mar 29, 2019 · Mar 29, 2019
diff --git a/pkg/apis/nats/v1alpha2/cluster.go b/pkg/apis/nats/v1alpha2/cluster.go
@@ -165,6 +165,14 @@ type TLSConfig struct {
 
 	// EnableHttps makes the monitoring endpoint use https.
 	EnableHttps bool `json:"enableHttps,omitempty"`
+
+	// ClientsTLSTimeout is the time in seconds that the NATS server will
+	// allow to clients to finish the TLS handshake.
+	ClientsTLSTimeout float64 `json:"clientsTLSTimeout,omitempty"`
+
+	// RoutesTLSTimeout is the time in seconds that the NATS server will
+	// allow to routes to finish the TLS handshake.
+	RoutesTLSTimeout float64 `json:"routesTLSTimeout,omitempty"`
 }
 
 // PodPolicy defines the policy to create pod for the NATS container.

diff --git a/pkg/util/kubernetes/kubernetes.go b/pkg/util/kubernetes/kubernetes.go
@@ -160,13 +160,20 @@ func addTLSConfig(sconfig *natsconf.ServerConfig, cs v1alpha2.ClusterSpec) {
 			CertFile: constants.ServerCertFilePath,
 			KeyFile:  constants.ServerKeyFilePath,
 		}
+
+		if cs.TLS.ClientsTLSTimeout > 0 {
+			sconfig.TLS.Timeout = cs.TLS.ClientsTLSTimeout
+		}
 	}
 	if cs.TLS.RoutesSecret != "" {
 		sconfig.Cluster.TLS = &natsconf.TLSConfig{
 			CAFile:   constants.RoutesCAFilePath,
 			CertFile: constants.RoutesCertFilePath,
 			KeyFile:  constants.RoutesKeyFilePath,
 		}
+		if cs.TLS.RoutesTLSTimeout > 0 {
+			sconfig.Cluster.TLS.Timeout = cs.TLS.RoutesTLSTimeout
+		}
 	}
 	if cs.Auth != nil && cs.Auth.TLSVerifyAndMap {
 		sconfig.TLS.VerifyAndMap = true

diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go
@@ -196,3 +196,66 @@ func TestCreateClusterWithVerifyAndMap(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestCreateClusterWithCustomTLSTimeout(t *testing.T) {
+	natsCluster, err := f.CreateCluster(f.Namespace, "", 1, "", func(natsCluster *natsv1alpha2.NatsCluster) {
+		// The NatsCluster resource must be called "nats" in
+		// order for the pre-provisioned certificates to work.
+		natsCluster.Name = "nats-tls-timeout"
+		natsCluster.Spec.ServerImage = "nats"
+		natsCluster.Spec.Version = "1.4.1"
+
+		// Enable TLS using pre-provisioned certificates.
+		natsCluster.Spec.TLS = &natsv1alpha2.TLSConfig{
+			ServerSecret:      "nats-certs",
+			RoutesSecret:      "nats-routes-tls",
+			ClientsTLSTimeout: 5,
+			RoutesTLSTimeout:  5,
+		}
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Make sure we cleanup the NatsCluster resource after we're done testing.
+	defer func() {
+		if err = f.DeleteCluster(natsCluster); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	// Wait until the full mesh is formed.
+	ctx1, fn := context.WithTimeout(context.Background(), waitTimeout)
+	defer fn()
+	err = f.WaitUntilSecretCondition(ctx1, natsCluster, func(event watchapi.Event) (bool, error) {
+		secret := event.Object.(*v1.Secret)
+		conf, ok := secret.Data[constants.ConfigFileName]
+		if !ok {
+			return false, nil
+		}
+		config, err := natsconf.Unmarshal(conf)
+		if err != nil {
+			return false, nil
+		}
+		if config.TLS == nil {
+			return false, nil
+		}
+		if config.TLS.Timeout != 5 {
+			return false, nil
+		}
+		if config.Cluster.TLS.Timeout != 5 {
+			return false, nil
+		}
+
+		pods, err := f.PodsForNatsCluster(natsCluster)
+		if err != nil {
+			return false, nil
+		}
+		if len(pods) < 1 {
+			return false, nil
+		}
+		return true, nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}