Unable to map the account CRD to the nats server's existing account when creating jetstreams with multi-tenants support
aDisplayName opened this issue · comments
What version were you using?
nats-server: v2.10.9
What environment was the server running in?
nats:2.10.9-alpine
natsio/jetstream-controller:0.14.1
Is this defect reproducible?
The nats server is configured using the following helm chart:
chart: nats
repo: https://nats-io.github.io/k8s/helm/charts/
version: 1.1.7
with the following configuration:
```yaml
fullnameOverride: nats-engine
config:
  cluster:
    enabled: false
  jetstream:
    enabled: true # Globally enable jetstream. When accounts is used, the jets
  merge:
    accounts:
      $SYS:
        users:
          - user: admin123
            password: admin123
      APP:
        jetstream: enabled
        users:
          - user: app
            password: app
      CLIENT:
        jetstream: enabled
        users:
          - user: client
            password: client
    no_auth_user: APP
```
The nack is deployed using helm chart:
repo: https://nats-io.github.io/k8s/helm/charts/
chart: nack
version: 0.25.1
The configuration for the nack helm chart is:
```yaml
jetstream:
  nats:
    url: nats://nats-engine-headless:4222
```
Given the capability you are leveraging, describe your expectation?
We still want to use the nats server's configuration to manage different account settings and credentials. In our example, the plain username / password.
But we want to leverage Nack to manage different jetstreams under different accounts. Here are the CRDs we tried to apply:
```yaml
apiVersion: jetstream.nats.io/v1beta2
kind: Stream
metadata:
  name: js-app
spec:
  name: js-app
  subjects: ["data.>"] # All messages from App Manager
  storage: file
  maxAge: 30m
  account: app
---
apiVersion: jetstream.nats.io/v1beta2
kind: Stream
metadata:
  name: js-client
spec:
  name: js-client
  subjects: ["data.>"] # All messages from App Manager
  storage: file
  maxAge: 30m
  account: client
---
apiVersion: jetstream.nats.io/v1beta2
kind: Account
metadata:
  name: app
spec:
  name: app
  servers:
    - nats://app:app@nats-engine-headless:4222
---
apiVersion: jetstream.nats.io/v1beta2
kind: Account
metadata:
  name: client
spec:
  name: client
  servers:
    - nats://client:client@nats-engine-headless:4222
```
We are expecting when using `nats stream info` command to check stream status, we will see stream `js-app` when using user `app` to access, and see stream `js-client` when using user `client` to access.
And since we are using different accounts, there should be no conflict when both streams are using the same subjects.
Given the expectation, what is the defect you are observing?
Instead, we saw the following error from rancher:
Apparently the second stream failed to be created due to the overlapping subject space.
Is there a way in `stream.jetstream.nats.io/v1beta2` to directly refer to the account created by nats-server configuration file without using `account.jetstream.nats.io/v1beta2`?
If there is a way, what is the correct setup? Is it only possible using certificates? What about nkey or plain user/password?
You need to remove this to be able to use the account CRDs first:
```yaml
jetstream:
  nats:
    url: nats://nats-engine-headless:4222
```
You are right! After removing those lines, it worked!
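
The behaviour discussed in this thread, as an added example (not code from NACK, nats-server, or anyone in the issue): a small Python model of the rule that stream subjects must not overlap within a single account. It assumes, based on the reply above, that while `jetstream.nats.url` is set every Stream goes through that one connection; `subjects_overlap`, `effective_account` and `find_conflicts` are hypothetical helper names, and the stream data is constructed from the manifests in the issue.

```python
def subjects_overlap(a: str, b: str) -> bool:
    """True if some concrete subject matches both NATS patterns.
    '*' matches exactly one token, '>' matches one or more trailing tokens."""
    ta, tb = a.split("."), b.split(".")
    for x, y in zip(ta, tb):
        if x == ">" or y == ">":
            return True
        if x != y and "*" not in (x, y):
            return False
    return len(ta) == len(tb)

# Constructed from the two Stream CRDs in the issue.
STREAMS = [
    {"name": "js-app", "account": "app", "subjects": ["data.>"]},
    {"name": "js-client", "account": "client", "subjects": ["data.>"]},
]

def effective_account(stream, global_url):
    """Assumption taken from the maintainer's reply: while the chart's
    jetstream.nats.url is set, the controller uses that single connection
    and the Stream's `account` field does not select another account."""
    return "<global connection>" if global_url else stream["account"]

def find_conflicts(streams, global_url=None):
    """Return (stream, earlier_stream, subject, account) for every stream
    whose subject overlaps one already claimed in the same account."""
    claimed = {}    # account -> list of (subject, stream name)
    conflicts = []
    for s in streams:
        acct = effective_account(s, global_url)
        owned = claimed.setdefault(acct, [])
        for subj in s["subjects"]:
            for other_subj, other in owned:
                if subjects_overlap(subj, other_subj):
                    conflicts.append((s["name"], other, subj, acct))
        owned.extend((subj, s["name"]) for subj in s["subjects"])
    return conflicts

if __name__ == "__main__":
    # With the global URL set, js-client collides with js-app.
    print(find_conflicts(STREAMS, "nats://nats-engine-headless:4222"))
    # Without it, each stream lands in its own account and nothing collides.
    print(find_conflicts(STREAMS))
```

Running the same check over rendered manifests before applying them shows whether tenant isolation depends on the `account` field actually being honoured.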