Add leafnode sys bridge example #49

bruth · 2022-08-17T14:05:10Z

@jnmoyne I believe this is what Kevin asked for.. hub user that can bridge the system account in leaf nodes. Here is the output. If you scroll to the bottom the nats server list reports the leaf nodes.

Signed-off-by: Byron Ruth <[email protected]>

bruth · 2022-08-17T14:07:24Z

@matthiashanel One follow-up question is that the single ops user in this example is being used for both leaf nodes, rather than a separate one per leaf node. I not sure if this is desirable or there is another way of handling this. Another question I had was regarding an explicit permissions that can/should be set on the ops user.

bruth · 2022-08-17T15:37:20Z

Just thought of something else.. this is a multi-operator setup, but if the leaf nodes use the same operator, could we instead create separate system accounts per leaf node? (Maybe that was the original, correct idea in the first place).

bruth · 2022-08-17T16:45:56Z

could we instead create separate system accounts per leaf node?

Nope, that doesn't work. When trying to use a different account in a leaf..

nats-server: system_account in config and operator JWT must be identical

bruth · 2022-08-17T17:22:40Z

What did work is this kind of config for a leaf in non-operator mode, which makes sense since its a separate auth model for the leaf.

server_name: leaf1
port: 4223
leafnodes: {
  remotes: [
    {
      url: "nats-leaf://0.0.0.0:7422",
      credentials: "path/to/ops.creds",
      account: "$SYS",
    }
  ]
}

accounts: {}

matthiashanel · 2022-08-18T21:30:12Z

examples/topologies/leafnode-sys-bridge/cli/main.sh

+nsc add user \
+  --account OPS ops


is this using the signing key?

matthiashanel · 2022-08-18T21:37:18Z

examples/topologies/leafnode-sys-bridge/cli/main.sh

+# ### Leaf nodes
+# Create the operators and system accounts for the leaf nodes.
+# No additional accounts or users are required for this example.
+nsc add operator \


I'm not sure if it helps this example if there is another operator.
Most users have one.

I wonder if for separate operators, ngs could serve as a showcase?

matthiashanel · 2022-08-18T21:46:45Z

could we instead create separate system accounts per leaf node?

Nope, that doesn't work. When trying to use a different account in a leaf..
nats-server: system_account in config and operator JWT must be identical

It could work if you clear the system_account from the operator jwt.
But then I'm not sure what that would get us.
Even if you have the same system account, you can always use it with remote credentials pointing to not the system account in the hub.

bruth added 2 commits August 17, 2022 09:56

Add leafnode sys bridge example

82a34f3

Signed-off-by: Byron Ruth <[email protected]>

Clean up a few things

17405f0

Signed-off-by: Byron Ruth <[email protected]>

bruth requested review from jnmoyne and matthiashanel August 17, 2022 14:05

matthiashanel reviewed Aug 18, 2022

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add leafnode sys bridge example #49

Add leafnode sys bridge example #49

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

matthiashanel Aug 18, 2022

matthiashanel Aug 18, 2022 •

edited

Loading

matthiashanel commented Aug 18, 2022

Add leafnode sys bridge example #49

Are you sure you want to change the base?

Add leafnode sys bridge example #49

Conversation

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

bruth commented Aug 17, 2022

matthiashanel Aug 18, 2022

Choose a reason for hiding this comment

matthiashanel Aug 18, 2022 • edited Loading

Choose a reason for hiding this comment

matthiashanel commented Aug 18, 2022

matthiashanel Aug 18, 2022 •

edited

Loading