From aabb1eaf86c2b39045700a640e0ae89f5b7f3418 Mon Sep 17 00:00:00 2001 From: Alex Vanin Date: Wed, 9 Feb 2022 19:58:35 +0300 Subject: [PATCH] [#159] Add NATS service Signed-off-by: Alex Vanin --- .basic_services | 1 + .env | 4 +++ Makefile | 2 +- services/nats/.env | 1 + services/nats/.hosts | 1 + services/nats/artifacts.mk | 7 ++++ services/nats/docker-compose.yml | 31 +++++++++++++++++ services/nats/generate_cert.sh | 60 ++++++++++++++++++++++++++++++++ services/nats/nats.conf | 15 ++++++++ 9 files changed, 121 insertions(+), 1 deletion(-) create mode 120000 services/nats/.env create mode 100644 services/nats/.hosts create mode 100644 services/nats/artifacts.mk create mode 100644 services/nats/docker-compose.yml create mode 100755 services/nats/generate_cert.sh create mode 100644 services/nats/nats.conf diff --git a/.basic_services b/.basic_services index b9134b7..c497972 100644 --- a/.basic_services +++ b/.basic_services @@ -3,5 +3,6 @@ basenet chain morph_chain +nats ir storage diff --git a/.env b/.env index 2ec22cb..70609ad 100644 --- a/.env +++ b/.env @@ -18,6 +18,10 @@ IR_IMAGE=nspccdev/neofs-ir NODE_VERSION=0.27.5 NODE_IMAGE=nspccdev/neofs-storage +# NATS Server +NATS_VERSION=2.7.2 +NATS_IMAGE=nats + # HTTP Gate HTTP_GW_VERSION=0.18.0 HTTP_GW_IMAGE=nspccdev/neofs-http-gw diff --git a/Makefile b/Makefile index 79cfb08..b31be8b 100644 --- a/Makefile +++ b/Makefile @@ -113,7 +113,7 @@ hosts: vendor/hosts .PHONY: clean .ONESHELL: clean: - @rm -rf vendor/* services/storage/s04tls.* + @rm -rf vendor/* services/storage/s04tls.* services/nats/*.pem @for svc in $(START_SVCS) do vols=`docker-compose -f services/$${svc}/docker-compose.yml config --volumes` diff --git a/services/nats/.env b/services/nats/.env new file mode 120000 index 0000000..c7360fb --- /dev/null +++ b/services/nats/.env @@ -0,0 +1 @@ +../../.env \ No newline at end of file diff --git a/services/nats/.hosts b/services/nats/.hosts new file mode 100644 index 0000000..6ed5417 --- /dev/null 
+++ b/services/nats/.hosts
@@ -0,0 +1 @@
+IPV4_PREFIX.101 nats.LOCAL_DOMAIN
diff --git a/services/nats/artifacts.mk b/services/nats/artifacts.mk
new file mode 100644
index 0000000..c68c57e
--- /dev/null
+++ b/services/nats/artifacts.mk
@@ -0,0 +1,7 @@
+# Create new tls certs
+
+NATS_DIR=$(abspath services/nats)
+
+get.nats:
+ @echo "⇒ Creating certs for NATS server and clients"
+ ${NATS_DIR}/generate_cert.sh ${LOCAL_DOMAIN}
diff --git a/services/nats/docker-compose.yml b/services/nats/docker-compose.yml
new file mode 100644
index 0000000..cfc26b2
--- /dev/null
+++ b/services/nats/docker-compose.yml
@@ -0,0 +1,31 @@
+---
+
+version: "2.4"
+services:
+ nats:
+ image: ${NATS_IMAGE}:${NATS_VERSION}
+ domainname: ${LOCAL_DOMAIN}
+ hostname: nats
+ container_name: nats
+ restart: on-failure
+ dns:
+ - ${IPV4_PREFIX}.101
+ networks:
+ nats_int:
+ internet:
+ ipv4_address: ${IPV4_PREFIX}.101
+ volumes:
+ - ./../../vendor/hosts:/etc/hosts
+ - ./nats.conf:/etc/nats/neofs-nats-server.conf
+ - ./server-cert.pem:/certs/server-cert.pem
+ - ./server-key.pem:/certs/server-key.pem
+ - ./ca-cert.pem:/certs/ca-cert.pem
+ stop_signal: SIGKILL
+ env_file: [ ".env" ]
+ command: ["-c", "/etc/nats/neofs-nats-server.conf"]
+
+networks:
+ nats_int:
+ internet:
+ external: true
+ name: basenet_internet
diff --git a/services/nats/generate_cert.sh b/services/nats/generate_cert.sh
new file mode 100755
index 0000000..a6e057c
--- /dev/null
+++ b/services/nats/generate_cert.sh
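Review bot: The `get.nats` recipe hands `${LOCAL_DOMAIN}` to `generate_cert.sh` without checking that it is set, and the script (later in this patch) interpolates it straight into the server certificate's SAN, so an empty value yields a certificate for `nats.` that only fails at first TLS handshake rather than at generation time. A guard as the first recipe line makes the failure happen where the mistake is: `$(if $(strip $(LOCAL_DOMAIN)),,$(error LOCAL_DOMAIN is not set))`. Also, `get.nats` never creates a file of that name; unless the top-level Makefile already lists it, add `.PHONY: get.nats` so a stray file cannot mask the target.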
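Review bot: The server key, server certificate, CA certificate and config are bind-mounted read-write in the `volumes:` list although the server only reads them; appending `:ro` (`- ./server-key.pem:/certs/server-key.pem:ro`, and likewise for `server-cert.pem`, `ca-cert.pem` and `nats.conf`) keeps a misbehaving or compromised server process from altering the trust material on the host. Separately, nats.conf in this patch enables JetStream with `store_dir=nats`, but no volume backs that path here, so stream data presumably disappears whenever the container is recreated; if that is intended for a dev environment, a one-line comment such as `# JetStream store is ephemeral: nothing mounts store_dir` saves the next reader from wondering.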
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+WORKDIR=$(dirname "$0")
+LOCAL_DOMAIN=$1
+
+CA_KEY=$WORKDIR/ca-key.pem
+CA_CRT=$WORKDIR/ca-cert.pem
+
+SRV_KEY=$WORKDIR/server-key.pem
+SRV_REQ=$WORKDIR/server-req.csr
+SRV_CRT=$WORKDIR/server-cert.pem
+
+CLI_KEY=$WORKDIR/client-key.pem
+CLI_REQ=$WORKDIR/client-req.csr
+CLI_CRT=$WORKDIR/client-cert.pem
+
+SUBJ="/O=NSPCC"
+
+if [[ ! -f $CA_KEY || ! -f $CA_CRT ]]; then
+ OUT=$(openssl req -newkey rsa:4096 -x509 -days 365 -nodes -keyout $CA_KEY -out $CA_CRT -subj $SUBJ 2>&1) || {
+ echo "CA certificate was not created"
+ echo $OUT
+ exit 1
+ }
+fi
+
+if [[ ! -f $SRV_KEY || ! -f $SRV_CRT ]]; then
+ OUT=$(openssl req -newkey rsa:4096 -nodes --keyout $SRV_KEY -out $SRV_REQ -subj $SUBJ 2>&1 ) || {
+ echo "Server certificate was not created"
+ echo $OUT
+ exit 1
+ }
+
+ OUT=$(openssl x509 -req -days 365 -set_serial 01 -in $SRV_REQ -out $SRV_CRT -CA $CA_CRT -CAkey $CA_KEY \ -extensions san -extfile <(printf "[san]\nsubjectAltName=DNS:nats.$LOCAL_DOMAIN") 2>&1)|| {
+ echo "Server certificate was not signed by CA"
+ echo $OUT
+ rm $SRV_REQ
+ exit 1
+ }
+
+ rm $SRV_REQ
+fi
+
+if [[ ! -f $CLI_KEY || ! -f $CLI_CRT ]]; then
+ OUT=$(openssl req -newkey rsa:4096 -nodes --keyout $CLI_KEY -out $CLI_REQ -subj $SUBJ 2>&1) || {
+ echo "Client certificate was not created"
+ echo $OUT
+ exit 1
+ }
+
+ OUT=$(openssl x509 -req -days 365 -set_serial 01 -in $CLI_REQ -out $CLI_CRT -CA $CA_CRT -CAkey $CA_KEY 2>&1) || {
+ echo "Client certificate was not signed by CA"
+ echo $OUT
+ rm $CLI_REQ
+ exit 1
+ }
+
+ rm $CLI_REQ
+fi
diff --git a/services/nats/nats.conf b/services/nats/nats.conf
new file mode 100644
index 0000000..0c7af0a
--- /dev/null
+++ b/services/nats/nats.conf
@@ -0,0 +1,15 @@
+port: 4222
+monitor_port: 8222
+
+jetstream {
+ store_dir=nats
+ max_memory_store: 1GB
+ max_file_store: 2GB
+}
+
+tls {
+ cert_file: /certs/server-cert.pem
+ key_file: /certs/server-key.pem
+ ca_file: /certs/ca-cert.pem
+ verify: true
+}
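Review bot: Both leaf certificates are signed with `-set_serial 01` under the same CA, so the server and client certificates share issuer and serial number; X.509 requires serials to be unique per issuer, and TLS stacks that key caches or revocation checks on (issuer, serial) may treat the two as the same certificate. Replacing `-set_serial 01` with `-CAcreateserial` on both `openssl x509 -req` lines lets OpenSSL keep a counter in `ca-cert.srl` (which the Makefile `clean` glob would then also need to cover). The script also never validates its argument: with `LOCAL_DOMAIN` empty the SAN becomes `DNS:nats.`, so a guard right after the assignment, `[[ -n $LOCAL_DOMAIN ]] || { echo "usage: $0 <local-domain>" >&2; exit 1; }`, would fail fast instead of producing a certificate no client will accept. `$SUBJ` and the path variables are expanded unquoted throughout; harmless for the fixed values here, but `-subj "$SUBJ"` is the safer habit if `WORKDIR` ever contains a space.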
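Review bot: `monitor_port: 8222` serves the NATS monitoring endpoints over plain, unauthenticated HTTP while the client port directly above it requires mutual TLS (`verify: true`); the monitoring endpoints expose server and connection details, so the two settings are at odds. NATS can serve monitoring over TLS by replacing `monitor_port: 8222` with `https_port: 8222`, which reuses the `tls` block below; if the endpoint is only meant for local debugging, a comment saying so would do instead, e.g. `# monitoring is plain HTTP; the compose file publishes no ports, so it is reachable only from the docker networks`. Note also that `verify: true` accepts any certificate chaining to `ca-cert.pem` without binding it to an identity; `verify_and_map: true` would tie the presented subject to a configured user should per-client authorization be wanted later. Finally, `store_dir=nats` is a relative path, presumably resolved against the server process's working directory inside the container — an absolute path makes the data location explicit.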