Merge pull request opencloud-eu#92 from opencloud-eu/external-nats

support external nats

Author: butonic

charts/opencloud/README.md

@@ -288,6 +288,27 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.storage.s3.external.bucket` | External S3 bucket | `""` |
 | `opencloud.storage.s3.external.createBucket` | Create bucket if it doesn't exist | `true` |
 
+### NATS Messaging Configuration
+
+| Parameter  | Description | Default |
+| ---------- | ----------- | ------- |
+| `opencloud.nats.external.enabled` | Use an external NATS server (required for high availability) | `false` |
+| `opencloud.nats.external.endpoint` | Endpoint of the external NATS server | `nats.opencloud-nats.svc.cluster.local:4222` |
+| `opencloud.nats.external.cluster` | NATS cluster name | `opencloud-cluster` |
+| `opencloud.nats.external.tls.enabled` | Enable TLS for communication with NATS | `false` |
+| `opencloud.nats.external.tls.certTrusted` | Set to `false` if the external NATS server's certificate is not trusted by default (e.g. self-signed) | `true` |
+| `opencloud.nats.external.tls.insecure` | Disable certificate validation (not recommended for production) | `false` |
+| `opencloud.nats.external.tls.caSecretName` | Name of the Kubernetes Secret containing the CA certificate (only required if `certTrusted` is `false`) | `opencloud-nats-ca` |
+
+> 💡 The secret referenced by `caSecretName` **must contain a key named `ca.crt`** with the root CA certificate used to verify the external NATS server.
+> Example:
+>
+> ```bash
+> kubectl create secret generic opencloud-nats-ca \
+>   --from-file=ca.crt=./path/to/nats-ca.pem \
+>   --namespace your-namespace
+> ```
+
 ### Keycloak Settings
 
 By default the chart deploys an internal keycloak. It can be disabled and replaced with an external IdP.

charts/opencloud/templates/collaboration/deployment.yaml

@@ -68,8 +68,15 @@ spec:
               value: "0.0.0.0:9300"
             - name: MICRO_REGISTRY
               value: "nats-js-kv"
+            {{- if .Values.opencloud.nats.external.enabled }}
+            - name: OC_PERSISTENT_STORE_NODES
+              value: {{ .Values.opencloud.nats.external.endpoint | quote }}
+            - name: MICRO_REGISTRY_ADDRESS
+              value: {{ .Values.opencloud.nats.external.endpoint | quote }}
+            {{- else }}
             - name: MICRO_REGISTRY_ADDRESS
               value: "{{ include "opencloud.opencloud.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:9233"
+            {{- end }}
             {{- if .Values.onlyoffice.enabled }}
             - name: COLLABORATION_WOPI_SRC
               # onlyoffice has to connect to the wopi server from the web

charts/opencloud/templates/opencloud/deployment.yaml

@@ -147,9 +147,13 @@ spec:
             - name: OC_ADD_RUN_SERVICES
               value: {{ join "," . | quote }}
             {{- end }}
-            {{- with .Values.opencloud.excludeServices }}
+            {{- $exclude := .Values.opencloud.excludeServices | default (list) }}
+            {{- if .Values.opencloud.nats.external.enabled }}
+              {{- $exclude = append $exclude "nats" }}
+            {{- end }}
+            {{- if gt (len $exclude) 0 }}
             - name: OC_EXCLUDE_RUN_SERVICES
-              value: {{ join "," . | quote }}
+              value: {{ join "," $exclude | quote }}
             {{- end }}
             # Do not use SSL between proxy and OpenCloud
             - name: PROXY_TLS
@@ -269,13 +273,37 @@ spec:
             # Demo users
             - name: IDM_CREATE_DEMO_USERS
               value: {{ .Values.opencloud.createDemoUsers | quote }}
-            # Make the registry available to the app provider containers
+            {{- if .Values.opencloud.nats.external.enabled }}
+            # Use the external nats as the service registry
+            - name: MICRO_REGISTRY_ADDRESS
+              value: {{ .Values.opencloud.nats.external.endpoint | quote }}
+            # Use the external nats as the cache and persistent store
+            - name: OC_CACHE_STORE_NODES
+              value: {{ .Values.opencloud.nats.external.endpoint | quote }}
+            - name: OC_PERSISTENT_STORE_NODES
+              value: {{ .Values.opencloud.nats.external.endpoint | quote }}
+            # Use the external nats as the messaging system
+            - name: OC_EVENTS_ENDPOINT
+              value: {{ .Values.opencloud.nats.external.endpoint | quote }}
+            - name: OC_EVENTS_CLUSTER
+              value: {{ .Values.opencloud.nats.external.cluster | quote }}
+            - name: OC_EVENTS_ENABLE_TLS
+              value: {{ .Values.opencloud.nats.external.tls.enabled | quote }}
+            - name: OC_EVENTS_TLS_INSECURE
+              value: {{ .Values.opencloud.nats.external.tls.insecure | quote }}
+            {{- if not .Values.opencloud.nats.external.tls.certTrusted }}
+            - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE
+              value: /etc/opencloud/nats-ca/ca.crt
+            {{- end }}
+            {{- else }}
             - name: MICRO_REGISTRY_ADDRESS
               value: "127.0.0.1:9233"
+            # Make the registry available to the app provider containers
             - name: NATS_NATS_HOST
               value: "0.0.0.0"
             - name: NATS_NATS_PORT
               value: "9233"
+            {{- end }}
             # CSP configuration
             - name: PROXY_CSP_CONFIG_FILE_LOCATION
               value: "/etc/opencloud/csp.yaml"
@@ -374,6 +402,11 @@ spec:
             - name: config-files
               mountPath: /etc/opencloud/banned-password-list.txt
               subPath: banned-password-list.txt
+            {{- if and (.Values.opencloud.nats.external.enabled) (not .Values.opencloud.nats.external.tls.certTrusted) }}
+            - name: nats-ca
+              mountPath: /etc/opencloud/nats-ca
+              readOnly: true
+            {{- end }}
           resources:
             {{- toYaml .Values.opencloud.resources | nindent 12 }}
       volumes:
@@ -400,6 +433,11 @@ spec:
         - name: proxy-config
           configMap:
             name: {{ include "opencloud.opencloud.fullname" . }}-proxy-config
+        {{ if and (.Values.opencloud.nats.external.enabled) (not .Values.opencloud.nats.external.tls.certTrusted) }}
+        - name: nats-ca
+          secret:
+            secretName: {{ .Values.opencloud.nats.external.tls.caSecretName }}
+        {{ end }}
         {{- if .Values.webExtensions.enabled }}
         - name: extensions
           emptyDir: {}

charts/opencloud/templates/opencloud/service.yaml

@@ -13,10 +13,12 @@ spec:
       targetPort: http
       protocol: TCP
       name: http
+    {{- if not .Values.opencloud.nats.external.enabled }}
     - port: 9233
       targetPort: 9233
       protocol: TCP
       name: nats
+    {{- end }}
   selector:
     {{- include "opencloud.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: opencloud

charts/opencloud/values.yaml

@@ -477,6 +477,38 @@ opencloud:
     # For very long lists override the file 'files/opencloud/banned-password-list.txt'
     bannedPasswordList: |-
 
+  nats:
+    external:
+      # -- Use an external NATS messaging system instead of the internal one.
+      # Recommended for all production instances.
+      # Needs to be used if HighAvailability is needed.
+      # Needs to be used if OpenCloud shall be used by more than a 2-digit user count.
+      enabled: false
+
+      # -- Endpoint of the messaging system.
+      endpoint: nats.opencloud-nats.svc.cluster.local:4222
+
+      # -- Cluster name to use with the messaging system.
+      cluster: opencloud-cluster
+
+      tls:
+        # -- Enables TLS encrypted communication with the messaging system.
+        # Recommended for production installations.
+        enabled: false
+        
+        # -- Set only to false, if the certificate of your messaging system service is not trusted.
+        # If set to false, you need to put the CA cert of the messaging system server into the secret referenced by "caSecretName"
+        certTrusted: true
+
+        # -- Disables SSL certificate checking for connections to the messaging system server.
+        # -- For self signed certificates, consider to put the CA cert of the messaging system secure server into the secret referenced by "caSecretName"
+        # Not recommended for production installations.
+        insecure: false
+
+        # Use existing CA secret for nats credentials (Note: secretKeyName must be 'ca.crt' with the root CA certificate for NATS)
+        # Only used if certTrusted is false
+        caSecretName : opencloud-nats-ca
+
   # =====================================================================
   # EMAIL (SMTP)
   # =====================================================================

deployments/nats/README.md

@@ -0,0 +1,38 @@
+# OpenCloud with NATS deployment example
+
+## Introduction
+
+This example shows how to deploy OpenCloud with NATS as message bus and store.
+It will deploy an OpenCloud instance and NATS, preconfigured to work together.
+
+***Note***: This example is not intended for production use. It is intended to get a working OpenCloud
+with NATS running in Kubernetes as quickly as possible. It is not hardened in any way.
+
+## Getting started
+
+### Prerequisites
+
+This example requires the following things to be installed:
+
+- [Kubernetes](https://kubernetes.io/) cluster, with an ingress controller installed.
+- [Helm](https://helm.sh/) v3
+- [Helmfile](https://github.com/helmfile/helmfile)
+
+### End result
+
+After following the steps in this guide, you should be able to access the following endpoint, you
+may want to add these to your `/etc/hosts` file pointing to your ingress controller IP:
+
+- https://cloud.opencloud.test
+
+Note that if you want to use your own hostname and domain, you will have to change the `global.domain.opencloud` value.
+
+### Deploying
+
+In this directory, run the following commands:
+
+```bash
+$ helmfile sync
+```
+
+This will deploy OpenCloud and NATS.

deployments/nats/helmfile.yaml

@@ -0,0 +1,120 @@
+repositories:
+  - name: nats
+    url: https://nats-io.github.io/k8s/helm/charts
+
+
+releases:
+  - name: nats
+    namespace: opencloud-nats
+    chart: nats/nats
+    version: 1.3.7
+    labels:
+      ci-lint-skip: true # skip linting this chart in CI
+    values:
+      - config:
+          cluster:
+            enabled: true
+            replicas: 3
+            name: "opencloud-cluster"
+          jetstream:
+            enabled: true
+            memoryStore:
+              enabled: true
+              maxSize: 2Gi
+          merge:
+            00$include: auth.conf
+      - configMap:
+          merge:
+            data:
+              # bcrypted password generated with `nats server passwd`:
+              # nats-sys: O0Z1O5WG2SIisXUToxUPxQUx
+              # opencloud-admin: pwnnH3S42D5dZL90paHEsQop
+              auth.conf: |
+                accounts {
+                  $SYS {
+                    users = [
+                      { user: "nats-sys",
+                        pass: "$2a$11$5BJO2C7WJLjuOm8FBjGjCugs//lL.Sp9gVIBWzU.fITE5MfCbHCMK"
+                      }
+                    ]
+                  }
+                  $OPENCLOUD {
+                    jetstream: enabled
+                    users = [
+                      { user: "opencloud"
+                      },
+                      { user: "opencloud-admin",
+                        pass: "$2a$11$6SAHUpN.m2TXOMSdSZVWsOjQ69VCQOBUmxD8FZ/aJpdvzSEOfRodC"
+                      }
+                    ]
+                  }
+                }
+                no_auth_user: opencloud
+
+  - name: nack-crds
+    namespace: opencloud-nack
+    chart: ./nack
+    labels:
+      ci-lint-skip: true # skip linting this chart in CI
+
+  - name: nack-streams
+    namespace: opencloud-nats
+    chart: ./streams
+    labels:
+      ci-lint-skip: true # skip linting this chart in CI
+    needs:
+      - opencloud-nats/nats
+      - opencloud-nack/nack-crds
+
+  - name: nack
+    namespace: opencloud-nack
+    chart: nats/nack
+    version: 0.29.0
+    labels:
+      ci-lint-skip: true # skip linting this chart in CI
+    values:
+      - namespaced: false
+      - readOnly: false
+    needs:
+      - opencloud-nack/nack-crds
+
+  - name: opencloud
+    chart: ../../charts/opencloud
+    namespace: opencloud
+    values:
+      - global:
+          # TLS settings
+          tls:
+            # Enable TLS
+            enabled: true
+            secretName: opencloud-wildcard-tls
+            # Use self-signed certificates
+            selfSigned: true
+      - opencloud:
+          nats:
+            # Use an external NATS server (required for high availability)
+            external:
+              enabled: true
+              # these are the default values, you can change them if needed
+              #endpoint: nats.opencloud-nats.svc.cluster.local:4222
+              #cluster: opencloud-cluster
+              tls:
+                # we disable TLS verification for this example
+                # for production, you should set this to true and provide a CA certificate
+                enabled: false
+
+      - collabora:
+          # Enable Collabora
+          enabled: true
+          ssl:
+            enabled: false
+            verification: false
+
+      - onlyoffice:
+          enabled: false
+
+      - ingress:
+          # Enable Ingress
+          enabled: true
+          # Ingress class name
+          annotationsPreset: traefik

deployments/nats/nack/README.md

@@ -0,0 +1,3 @@
+Contains the CustomResourceDefinitions for NATS Controllers for Kubernetes (NACK)
+
+Taken from https://github.com/nats-io/nack/blob/v0.18.2/deploy/crds.yml