updates readme

Author: colinjlacy

README.md

@@ -12,10 +12,11 @@ This repo builds out and runs requests against a NATS SuperCluster running in AW
 - `/eks-setup`: OpenTofu and Kubernetes configuration files specific to the AWS environment running in `us-east-1`
 - `/k8s-configs`: the Kubernetes configuration files used to deploy services into both environments
 - `/services`: the Python code for the various services that are used for the demo
+- `/jetstream`: OpenTofu configurations for managing Streams and Consumers in JetStream
 
 ## Some FYI
 
-This is project meant for demo purposes only. While it employs authenticationa and authorization for all of the exposed endpoints that it creates, the authentication credentials are stored in this repo and are therefore insecure. Deploy this repo only in ad hoc environments that you can stand up and tear down without impacting your production environments. **Do not run this project in its current stat in production.**
+This is project meant for demo purposes only. While it employs authenticationa and authorization for all of the exposed endpoints that it creates, the authentication credentials are stored in this repo and are therefore insecure. Deploy this repo only in ad hoc environments that you can stand up and tear down without impacting your production environments. **Do not run this project in its current state in production.**
 
 ## Setting up the environments
 
@@ -29,7 +30,7 @@ Both the Azure and AWS environments are set up using a Bash script, which can be
 
 To set up the Azure environment, `cd` into the `/aks-setup` folder and run:
 
-```
+```sh
 sh aks-setup.sh
 ```
 
@@ -42,7 +43,7 @@ This will:
 
 To set up the AWS environment, `cd` into the `/eks-setup` folder and run:
 
-```
+```sh
 sh eks-setup.sh
 ```
 
@@ -58,23 +59,13 @@ This will:
 
 When AWS adds a new context to your default kubeconfig, it uses the AWS CLI to authenticate each request made by kubectl. If you want to use a Kubernetes UI like [Lens](https://k8slens.dev/) to interact with your clusters, you'll need to create a separate kubeconfig file. The script and K8s config file necessary to do that have been provided in `/eks-setup/kubeconfig-setup`. Assuming you have the EKS cluster set as your current context, run the following from the `/eks-setup` directory:
 
-```
+```sh
 kubectl apply -f kubeconfig-setup/admin-sa.yaml
 sh kubeconfig-setup/create-sa-token.sh
 ```
 
 That will create a kubeconfig file tied to a ServiceAccount that has cluster-admin priviliges. You can then load that into Lens as a new kubeconfig file.
 
-## Deploying the Services
-
-When configured against either context, you can deploy the services in bulk by running:
-
-```
-kubectl apply -f k8s-configs
-```
-
-This will run all four mathmatical services as Deployments with 3 instances, as well as the requester Job. Note that the requester Job will deploy and possibly run before the other services are ready, so you may need to run it again to see intended results.
-
 ## NATS Gateways and Cluster Connectivity
 
 In a production environment, you'd likely already have a domain name associated with your K8s cluster ingress that you can map to the service used by the NATS servers.
@@ -87,15 +78,15 @@ Again, in production, you likely wouldn't have to do this.
 
 The quickest way to get this information is to run the following against the AWS context:
 
-```
+```sh
 kubectl get svc nats-east -o json | jq .status.loadBalancer.ingress
 ```
 
 That will print out a hostname that you can use as the endpoint for your gateway in AWS.
 
 For Azure:
 
-```
+```sh
 kubectl get svc nats-east -o json | jq .status.loadBalancer.ingress
 ```
 
@@ -105,6 +96,88 @@ If you don't have `jq` installed, you can find it here: https://jqlang.org/
 
 Otherwise you can just run `kubectl get svc nats-east -o json` and sift through the output.
 
+## TLS Connections
+
+This project deviates from the [previous one](https://github.com/colinjlacy/nats-cluster-demo) by [using mTLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) to connect services to the NATS resources running in each Kubernetes cluster. 
+
+**Please keep in mind that this approach is for demo purposes, and is not necessarily recommended for production use. Check with your team and business to see what security and compliance requirements exist for using TLS certs within your organization.**
+
+To get started, deploy cert-manager into each Kubernetes cluster. You can find installation instructions [on the cert-manager website](https://cert-manager.io/docs/installation/helm/).
+
+Once you have that installed, you can start creating certs to match your deployment stack. Each Kubernetes cluster requires its own cert heirarchy, since they'll each use TLS for connecting internally. In a production setting, you would use a common Certificate Authority (CA) to create certs within each cluster, so that they could all reference the same heirarchy. For now, and for this demo, cluster-specific CA's will do.
+
+In each setup folder, you'll see a YAML file for setting up certs - `nats-tls-east.yaml` in `eks-setup/` and `nats-tls-west.yaml` in `aks-setup/`. Each one is *almost* ready to use. However they each need the public endpoint of the load balancer used to expose NATS to the public internet. This is important because without this, you won't be able to create a NATS context in the CLI, nor connect locally using OpenTofu to create JetStream resources.
+
+In `eks-setup/nats-tls-east.yaml`, populate line 55 with the hostname of the NLB that was used to expose NATS.
+
+In `aks-setup/nats-tls-west.yaml`, populate line 56 with the IP of the Azure Load Balancer that was used to expose NATS.
+
+Now apply each one to their respective clusters. It should create a series of Secret resources in each cluster. Note that all of the service Deployment and Job YAML files have been updated to reference these Secret resources and pull in their values. You don't have to do anything there.
+
+## JetStream Streams and Consumers
+
+With TLS certs all set up, you can start to set up JetStream. First, you'll need to pull down the values in the `nats-admin-tls` Secret, and store each in the respective cluster's folder. So, for example, for EKS you would pull each entry from `secrets/nats-admin-tls` - `tls.ca`, `tls.crt`, and `tls.key` - and store each one in a file bearing that name in `jetstream/eks/`. The environment folders have a `.gitkeep` to make sure they are there when you pull down this repo. Once your done, there should be three files in each folder, e.g.:
+
+- `jetstream/eks/tls.ca`
+- `jetstream/eks/tls.cert`
+- `jetstream/eks/tls.key`
+
+**You'll also need to populate the different `tfvars` files with the public endpoint of the NATS server, provided by the cloud load balancer - the NLB hostname for EKS, and the IP for Azure.** A placeholder and comment has been added to the top of each `tfvars` file, and needs to be replaced.
+
+With those in place you should be able to run the OpenTofu configs, for example, against EKS:
+
+```sh
+tofu init --var-file=eks.tfvars
+tofu plan --out plan --var-file eks.tfvars
+tofu apply plan
+```
+
+## Deploying the Services
+
+When configured against either context, you can deploy the services in bulk by running:
+
+```sh
+kubectl apply -f k8s-configs
+```
+
+This will run all four mathmatical services as Deployments with 3 instances, as well as the requester Job. Note that the requester Job will deploy and possibly run before the other services are ready, so you may need to run it again to see intended results:
+
+```sh
+kubectl replace -f k8s-configs/requester.yaml --force
+```
+
+## NATS Context
+
+The NATS CLI requires a context to connect to when it needs to communicate with a remote cluster. In order to set it up, we can use the same TLS credentials that we used in OpenTofu. We'll use the absolute paths for the TLS files, so that when you run the NATS CLI against this context, you can run it from anywhere in your file structure. The following is for creating a context against the Azure load balancer:
+
+```sh
+nats context add west --select --tlsca=/absolute/path/to/jetstream/aks/tls.ca --tlscert=/absolute/path/to/jetstream/aks/tls.crt --tlskey=/absolute/path/to/jetstream/aks/tls.key -s <azure-lb-ip> --description=Azure_US_West
+```
+
+You'll want to replace the file paths with your own file paths, and replace the `<azure-lb-ip>` placeholder with the actual IP of the Azure LB. You would then do the same for EKS, pointing to the AWS NLB hostname for the `-s` value, and using the file paths for the EKS TLS files.
+
+## Running the Recorder in Kubernetes
+
+The Recorder service has its own deployment YAML that will work against a properly set up K8s cluster. However you'll have to make sure that there's a MySQL database accessible from he Kubernetes cluster in order to properly run it.
+
+For that I used the [Bitnami MySQL Helm Chart](https://artifacthub.io/packages/helm/bitnami/mysql).
+
+Whatever solution you decide to go with, be sure to update the ConfigMap in `k8s-configs/recorder.yaml`.
+
+## Running the Recorder Locally
+
+This is a bit more involved. You'll need to have a MySQL database stood up locally for the Recorder to connect to. I used a simple local installation of MySQL Server, which allowed for unauthenticated connectivity. Whatever solution you choose, be sure to update the default values in `services/recorder/main.py`.
+
+**Remember to create the schema and tables that will be used for storing data!**
+
+You'll also need to pull down the TLS credentials that the Recorder service uses, which are stored in `secrets/nats-recorder-tls` in your Kubernetes cluster. Those are expected to be stored in their respective files alongside the `main.py` in the `services/recorder` folder, so:
+
+- services/recorder/tls.ca
+- services/recorder/tls.cert
+- services/recorder/tls.key
+
+With those all set up, you can run the Recorder
+
 ## Environment teardown
 
 The Azure environment can be entirely torn down by `cd`ing into the `aks-setup/tofu-aks` folder and running:
@@ -124,6 +197,7 @@ sh eks-teardown.sh
 
 - NATS Helm Chart: https://github.com/nats-io/k8s/blob/main/helm/charts/nats/README.md
 - NATS By Example: https://natsbyexample.com/examples/services/intro/go
-- Services Framwork documentation: https://docs.nats.io/using-nats/nex/getting-started/building-service
-- Cluster documentation: https://docs.nats.io/running-a-nats-service/configuration/clustering
-- SuperCluster documentation: https://docs.nats.io/running-a-nats-service/configuration/gateways
+- NATS TLS Setup Example: https://github.com/nats-io/nack/tree/main/examples/secure
+- NATS docs on JetStream: https://docs.nats.io/nats-concepts/jetstream
+- NATS JetStream OpenTofu provider: https://search.opentofu.org/provider/nats-io/jetstream/latest
+

aks-setup/aks-nats-values.yaml

@@ -34,7 +34,8 @@ config:
     name: "nats-west"
     enabled: true
     merge:
-      advertise: "172.178.141.38:7222"
+      # populate with your NATS server address in Azure
+      advertise: ""
       authorization:
         user: natsgate
         password: NATSC!u5t3rGa73way
@@ -45,9 +46,11 @@ config:
       # and updated the values entries with the correct endpoints.
       gateways: 
       - name: "nats-east"
-        url: nats://natsgate:NATSC!u5t3rGa73way@k8s-default-natseast-d3a2cc2411-682b3011270d1d56.elb.us-east-1.amazonaws.com:7222
+        # populate with your NATS server address in EKS
+        url: ""
       - name: "nats-west"
-        url: nats://natsgate:NATSC!u5t3rGa73way@172.178.141.38:7222
+        # populate with your NATS server address in Azure
+        url: ""
   merge:
     accounts:
       SYS:

aks-setup/nats-tls-west.yaml

@@ -52,7 +52,8 @@ spec:
   - '*.nats-west.default.svc'
   - '*.nats-west.default.svc.cluster.local'
   ipAddresses:
-  - '172.178.141.38'
+  # populate with your NATS server IP in Azure
+  - ''
 ---
 # NATS system user TLS certificate
 apiVersion: cert-manager.io/v1

eks-setup/eks-nats-values.yaml

@@ -31,6 +31,7 @@ config:
     name: "nats-east"
     enabled: true
     merge:
+      # populate with your NATS server address in EKS
       advertise: "k8s-default-natseast-d3a2cc2411-682b3011270d1d56.elb.us-east-1.amazonaws.com:7222"
       authorization:
         user: natsgate
@@ -42,9 +43,11 @@ config:
       # and updated the values entries with the correct endpoints.
       gateways: 
       - name: "nats-east"
-        url: nats://natsgate:NATSC!u5t3rGa73way@k8s-default-natseast-d3a2cc2411-682b3011270d1d56.elb.us-east-1.amazonaws.com:7222
+        # populate with your NATS server address in EKS
+        url: ""
       - name: "nats-west"
-        url: nats://natsgate:NATSC!u5t3rGa73way@172.178.141.38:7222
+        # populate with your NATS server address in Azure
+        url: ""
   merge:
     accounts:
       SYS:

eks-setup/nats-tls-east.yaml

@@ -51,7 +51,8 @@ spec:
   - '*.nats-east.default'
   - '*.nats-east.default.svc'
   - '*.nats-east.default.svc.cluster.local'
-  - 'k8s-default-natseast-d3a2cc2411-682b3011270d1d56.elb.us-east-1.amazonaws.com'
+  # populate with your NATS server address in EKS
+  - ''
 ---
 # NATS system user TLS certificate
 apiVersion: cert-manager.io/v1

jetstream/aks.tfvars

@@ -1,4 +1,5 @@
-nats_servers = "172.178.141.38:4222"
+# populate with your NATS server address
+nats_servers = ""
 nats_tls_ca_file = "aks/tls.ca"
 nats_tls_cert_file = "aks/tls.crt"
 nats_tls_key_file = "aks/tls.key"

jetstream/aks/.gitkeep

@@ -1,4 +1,5 @@
-nats_servers = "k8s-default-natseast-d3a2cc2411-682b3011270d1d56.elb.us-east-1.amazonaws.com:4222"
+# populate with your NATS server address
+nats_servers = ""
 nats_tls_ca_file = "eks/tls.ca"
 nats_tls_cert_file = "eks/tls.crt"
 nats_tls_key_file = "eks/tls.key"

jetstream/eks.tfvars

@@ -4,16 +4,16 @@ resource "jetstream_stream" "answers" {
   subjects = ["answers.significant", "answers.throwaway"]
   storage  = "file"
   # max_bytes  = 1028
-  # max_msgs   = 30
+  # max_msgs   = 5
   # max_age  = 20
   # duplicate_window = 10
-  # max_age  = 60 * 60 * 24 * 5
+  max_age  = 60 * 60 * 24 * 5
 }
 
-# resource "jetstream_consumer" "recorder" {
-#   stream_id      = jetstream_stream.answers.id
-#   durable_name   = "answers-consumer"
-#   deliver_all    = true
-#   filter_subjects = ["answers.significant"]
-#   sample_freq    = 100
-# }
+resource "jetstream_consumer" "recorder" {
+  stream_id      = jetstream_stream.answers.id
+  durable_name   = "answers-consumer"
+  deliver_all    = true
+  filter_subjects = ["answers.significant"]
+  sample_freq    = 100
+}