Secure NATS access into Kubernetes using leaf nodes and secure WebSockets

What

Demonstration of how to connect a NATS leafnode to a NATS cluster using secure websockets.

Why

Part of the NATS TLS handshake happens in plain text: the server sends its INFO message before the connection is upgraded to TLS, so the first bytes on the wire are not a TLS ClientHello. That is a major inconvenience when the NATS cluster has to be exposed through an entry point that expects TLS from the first byte, such as a TLS-terminating Kubernetes ingress or an SNI-routed OpenShift secure route. (Recent nats-server releases add a `handshake_first` option in the `tls` block that performs the TLS handshake before INFO; the approach below does not depend on it.) There are a few ways to alleviate the issue:

  • Poke a hole in the cluster by exposing the NATS client port directly through a NodePort, bypassing the ingress entirely
  • Install TLS-enabled proxies (HAProxy, Envoy, etc.) inside and outside the cluster to provide a secure tunnel for NATS traffic
  • Run an edge NATS server (a leaf node) that connects securely to the main NATS cluster and serves local clients itself

How

The NATS “way” is to enable WebSockets with TLS on the main NATS cluster and have the leaf node connect to it with a wss:// URL. A secure WebSocket connection starts with an ordinary TLS handshake (the HTTP Upgrade happens inside the TLS session), so an ingress or route can pass it through like any other HTTPS traffic; the leaf node then speaks the plain NATS protocol to its local clients at the edge.
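The two configurations that setup needs, as an added example (not code from the linked repository): a hub config whose WebSocket listener carries its own TLS certificate and accepts leaf nodes, a leaf config that dials the hub over wss://, and a small check that no leaf remote falls back to plaintext ws://. The hostname nats.example.com, the ports and the certificate paths are assumptions; substitute the ingress or route hostname and the mounted secret.

```shell
#!/bin/sh
# Added example, not from the project: writes hub.conf and leaf.conf into $1.
# Hostnames, ports and certificate paths are assumptions for illustration.

write_nats_configs() {
  dir="$1"
  hub_host="${2:-nats.example.com}"   # assumed public hostname of the ingress / route

  # Hub server inside the cluster. The plain client port stays in-cluster;
  # the websocket listener terminates TLS itself, so the first bytes a
  # leaf sends are a TLS ClientHello and a passthrough / SNI ingress can
  # forward the connection untouched.
  cat > "$dir/hub.conf" <<EOF
port: 4222

websocket {
  port: 8443
  tls {
    cert_file: "/etc/nats/certs/tls.crt"
    key_file:  "/etc/nats/certs/tls.key"
  }
  # no_tls: true would serve plaintext ws:// and is only acceptable when
  # the ingress terminates TLS and re-encrypts to the pod; never on a
  # public port.
}

# Enable leaf node support. Leaves arriving over the websocket listener
# above are recognised automatically; the plain leafnode port is for
# in-cluster leaves that do not need to cross the ingress.
leafnodes {
  port: 7422
}
EOF

  # Edge (leaf) server. Local clients use plain NATS on 4222; the leaf dials
  # the hub with wss:// through the ingress, so the hop is end-to-end TLS.
  cat > "$dir/leaf.conf" <<EOF
port: 4222

leafnodes {
  remotes [
    {
      url: "wss://${hub_host}:443"
      # Pin the CA that issued the ingress / route certificate rather than
      # trusting the system store (path is an assumption).
      tls {
        ca_file: "/etc/nats/certs/ca.crt"
      }
    }
  ]
}
EOF
}

# Returns 0 only if the leaf config has at least one remote and every
# remote url uses wss://, i.e. no hop to the hub would be unencrypted.
leaf_remotes_are_wss() {
  urls=$(grep -E '^[[:space:]]*url:' "$1") || return 1        # no remotes at all
  printf '%s\n' "$urls" | grep -vq '"wss://' && return 1      # a non-wss remote
  return 0
}

# Usage:
#   write_nats_configs /etc/nats nats.example.com
#   leaf_remotes_are_wss /etc/nats/leaf.conf && echo "leaf remotes are TLS-only"
#   nats-server -c /etc/nats/hub.conf    # in the cluster, behind the ingress
#   nats-server -c /etc/nats/leaf.conf   # on the edge host
```

The hub listens on 8443 inside the cluster while the leaf dials 443 on the ingress hostname; the ingress either passes the TLS stream through (SNI routing, so the certificate must be the hub's own) or terminates it and re-encrypts to 8443. Either way the leaf never sends a plaintext NATS INFO across the boundary, which is the whole point of the WebSocket transport.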

For more details, the source code can be found at https://github.com/balamuru/nats-k8s-leafnode-websocket
