nats-io/nats-operator

Cluster scoped install, NATS Service Role across namespaces

stephenrob opened this issue · 0 comments

We have deployed the operator in a cluster install and used this to create a new cluster as follows:

apiVersion: nats.io/v1alpha2
kind: NatsCluster
metadata:
  name: nats-cluster
  namespace: core
spec:
  size: 3
  version: "2.0.0"
  auth:
    enableServiceAccounts: true
  pod:
    enableConfigReload: true

We've been trying to create a NatsServiceRole that's in a different namespace but has permissions on this cluster; whilst the Kubernetes service account is created, the NATS bound-token secret is not. If we create the service roles in the same namespace as the cluster, then they are created fine.

Is what we want to achieve possible with service roles, or are we best switching to TLS client certs, as we want to also make the NATS cluster accessible via our edge gateway?

Config for the service accounts:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nats-admin-user
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nats-user
  namespace: default
---
apiVersion: nats.io/v1alpha2
kind: NatsServiceRole
metadata:
  name: nats-user
  namespace: default

  # Specifies which NATS cluster will be mapping this account.
  labels:
    nats_cluster: "nats-cluster"
spec:
  permissions:
    publish: ["foo.*", "foo.bar.quux"]
    subscribe: ["foo.bar"]
---
apiVersion: nats.io/v1alpha2
kind: NatsServiceRole
metadata:
  name: nats-admin-user
  namespace: default
  labels:
    nats_cluster: "nats-cluster"
spec:
  permissions:
    publish: [">"]
    subscribe: [">"]
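An added example, not part of stephenrob's post and not nats-operator code: a small static check that reads NatsCluster and NatsServiceRole manifests and reports every role whose `nats_cluster` label points at a cluster in a different namespace, which is exactly the layout above (roles in `default`, cluster in `core`) and the one where the bound-token secret did not appear. It assumes the `nats_cluster` label is the only link between a role and its cluster, as the manifests in this issue use it. The embedded manifests are a constructed copy of the ones posted here, and the `<role>-<cluster>-bound-token` secret name is an assumption taken from the nats-operator README example rather than something this issue states. Only the YAML subset these manifests use is parsed, so no PyYAML dependency is needed.

```python
"""Static namespace cross-check for nats-operator manifests (added example)."""
import json

# Constructed copy of the manifests from the issue (ServiceAccounts omitted).
SAMPLE_MANIFESTS = """\
apiVersion: nats.io/v1alpha2
kind: NatsCluster
metadata:
  name: nats-cluster
  namespace: core
spec:
  size: 3
  version: "2.0.0"
  auth:
    enableServiceAccounts: true
  pod:
    enableConfigReload: true
---
apiVersion: nats.io/v1alpha2
kind: NatsServiceRole
metadata:
  name: nats-user
  namespace: default
  # Specifies which NATS cluster will be mapping this account.
  labels:
    nats_cluster: "nats-cluster"
spec:
  permissions:
    publish: ["foo.*", "foo.bar.quux"]
    subscribe: ["foo.bar"]
---
apiVersion: nats.io/v1alpha2
kind: NatsServiceRole
metadata:
  name: nats-admin-user
  namespace: default
  labels:
    nats_cluster: "nats-cluster"
spec:
  permissions:
    publish: [">"]
    subscribe: [">"]
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _scalar(text):
    """Quoted strings, numbers, booleans and inline lists are JSON-compatible;
    anything else (e.g. nats.io/v1alpha2, core) is a bare string."""
    try:
        return json.loads(text)
    except ValueError:
        return text


def _parse_map(lines):
    """Turn `key: value` lines and `key:` + indented children into a dict."""
    result, i = {}, 0
    while i < len(lines):
        indent = _indent(lines[i])
        key, _, value = lines[i].strip().partition(":")
        j = i + 1
        while j < len(lines) and _indent(lines[j]) > indent:  # child lines
            j += 1
        result[key] = _scalar(value.strip()) if value.strip() else _parse_map(lines[i + 1:j])
        i = j
    return result


def parse_manifests(text):
    """Split a `---`-separated stream into documents, dropping comments and
    blank lines.  Deliberately tiny: block lists, anchors and multi-line
    scalars are not supported."""
    docs, current = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # values here contain no '#'
        if line.strip() == "---":
            if current:
                docs.append(_parse_map(current))
            current = []
        elif line.strip():
            current.append(line)
    if current:
        docs.append(_parse_map(current))
    return docs


def cross_namespace_roles(docs):
    """(role, role_ns, cluster, cluster_ns) for each NatsServiceRole whose
    labelled cluster lives in another namespace; cluster_ns is None when the
    label names no NatsCluster in the stream at all."""
    clusters = {d["metadata"]["name"]: d["metadata"]["namespace"]
                for d in docs if d.get("kind") == "NatsCluster"}
    findings = []
    for d in docs:
        if d.get("kind") != "NatsServiceRole":
            continue
        md = d["metadata"]
        target = md.get("labels", {}).get("nats_cluster")
        cluster_ns = clusters.get(target)
        if cluster_ns != md["namespace"]:
            findings.append((md["name"], md["namespace"], target, cluster_ns))
    return findings


def bound_token_secret(role, cluster):
    """Secret to look for with `kubectl -n <role_ns> get secret`.  ASSUMPTION:
    the <role>-<cluster>-bound-token pattern comes from the nats-operator
    README example; confirm it against the operator version you run."""
    return f"{role}-{cluster}-bound-token"


if __name__ == "__main__":
    for role, role_ns, cluster, cluster_ns in cross_namespace_roles(parse_manifests(SAMPLE_MANIFESTS)):
        where = f"namespace {cluster_ns}" if cluster_ns else "no NatsCluster found"
        print(f"{role_ns}/{role} targets {cluster} ({where}); "
              f"check for secret {role_ns}/{bound_token_secret(role, cluster)}")
```

Run against the issue's manifests it lists both roles; move the two NatsServiceRoles (and their ServiceAccounts) into `core`, or the cluster into `default`, and the check reports nothing, which matches the behaviour described above.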