add nats.fail_if_using_nats_without_tls flag to route registrar (#370)

ameowlia · web-flow · commit 76f32c658c9d · 2023-12-05T13:40:41.000-08:00
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
@@ -53,6 +53,13 @@ properties:
     description: "PEM-encoded certificate for the route-registrar to present to NATS for verification when connecting via TLS."
   nats.tls.client_key:
     description: "PEM-encoded private key for the route-registrar to present to NATS for verification when connecting via TLS."
+  nats.fail_if_using_nats_without_tls:
+    description: |
+        Connecting to nats (instead of nats-tls) is deprecated. The nats
+        process will be removed soon. Please migrate to using nats-tls as soon
+        as possible. If you must continue using nats for a short time you can
+        set this flag to false.
+    default: true
 
   host:
     description: (string, optional) By default, route_registrar will detect the IP of the VM and use it, in combination with port as the backend destination for each uri being registered. This property enables overriding the destination hostname or IP.
diff --git a/jobs/route_registrar/templates/registrar_settings.json.erb b/jobs/route_registrar/templates/registrar_settings.json.erb
@@ -1,9 +1,20 @@
 <%=
   require 'json'
 
+nats_err_msg = <<-TEXT
+Using nats (instead of nats-tls) is deprecated. The nats process will
+be removed soon. Please migrate to using nats-tls as soon as possible.
+If you must continue using nats for a short time you can set the
+nats.fail_if_using_nats_without_tls property on route_registrar to
+false.
+TEXT
   nats_link_name = 'nats'
   if p('nats.tls.enabled')
     nats_link_name = 'nats-tls'
+  else
+    if p('nats.fail_if_using_nats_without_tls')
+      raise nats_err_msg
+    end
   end
 
   nats_machines = nil
diff --git a/spec/route_registar_templates_spec.rb b/spec/route_registar_templates_spec.rb
@@ -34,7 +34,10 @@
             ]
           }
         ],
-        'routing_api' => {}
+        'routing_api' => {},
+        'nats' => {
+          'fail_if_using_nats_without_tls' => false
+        }
       }
     }
   end
@@ -215,6 +218,7 @@
 
     describe 'nats properties' do
       it 'renders with the default' do
+        merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
         rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
         expect(rendered_hash['message_bus_servers'][0]['host']).to eq('nats-host:8080')
         expect(rendered_hash['message_bus_servers'][0]['user']).to eq('nats-user')
@@ -260,13 +264,31 @@
       end
 
       context 'when mTLS is not enabled for NATS' do
-        it 'renders with the default nat properties' do
-          rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
-          expect(rendered_hash['nats_mtls_config']['enabled']).to be false
-          expect(rendered_hash['message_bus_servers'].length).to eq(1)
-          expect(rendered_hash['message_bus_servers'][0]['host']).to eq('nats-host:8080')
-          expect(rendered_hash['message_bus_servers'][0]['user']).to eq('nats-user')
-          expect(rendered_hash['message_bus_servers'][0]['password']).to eq('nats-password')
+        context 'when nats.fail_if_using_nats_without_tls is false' do
+          it 'renders with the default nat properties' do
+            merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
+            rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
+            expect(rendered_hash['nats_mtls_config']['enabled']).to be false
+            expect(rendered_hash['message_bus_servers'].length).to eq(1)
+            expect(rendered_hash['message_bus_servers'][0]['host']).to eq('nats-host:8080')
+            expect(rendered_hash['message_bus_servers'][0]['user']).to eq('nats-user')
+            expect(rendered_hash['message_bus_servers'][0]['password']).to eq('nats-password')
+          end
+        end
+        context 'when nats.fail_if_using_nats_without_tls is true' do
+          it 'fails' do
+            nats_err_msg = <<-TEXT
+Using nats (instead of nats-tls) is deprecated. The nats process will
+be removed soon. Please migrate to using nats-tls as soon as possible.
+If you must continue using nats for a short time you can set the
+nats.fail_if_using_nats_without_tls property on route_registrar to
+false.
+TEXT
+            merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => true }
+            expect { template.render(merged_manifest_properties, consumes: links) }.to raise_error(
+              RuntimeError, nats_err_msg
+            )
+          end
         end
       end
     end
@@ -313,15 +335,19 @@
               }
             ),
             Bosh::Template::Test::Link.new(
-              name: 'nats',
+              name: 'nats-tls',
               properties: {
                 'nats' => {
-                  'hostname' => '', 'user' => '', 'password' => '', 'port' => 8080
+                  'hostname' => 'nats-tls-host', 'user' => 'nats-tls-user', 'password' => 'nats-tls-password', 'port' => 9090
                 }
-              }
+              },
+              instances: [Bosh::Template::Test::LinkInstance.new(address: 'my-nats-tls-ip')]
             )
           ]
         end
+        before do
+          merged_manifest_properties['nats'] = { 'tls' => { 'enabled' => true } }
+        end
         context 'when routing_api_url is not provided' do
           it 'renders with the default' do
             rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
@@ -360,6 +386,7 @@
 
     describe 'when given a valid set of properties' do
       it 'renders the template' do
+        merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
         rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
         expect(rendered_hash).to eq(
           'host' => '192.168.0.0',
@@ -399,6 +426,7 @@
     describe 'when skip_ssl_validation is enabled' do
       before do
         merged_manifest_properties['route_registrar']['routing_api'] = { 'skip_ssl_validation' => true }
+        merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
       end
 
       it 'renders skip_ssl_validation as true' do
@@ -410,6 +438,7 @@
     describe 'when tls is enabled and the san is not provided' do
       before do
         merged_manifest_properties['route_registrar']['routes'][0].delete('server_cert_domain_san')
+        merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
       end
       it 'should required san if tls_port is provided' do
         expect { template.render(merged_manifest_properties, consumes: links) }.to raise_error(
@@ -421,6 +450,7 @@
     describe 'when tls is enabled and the san is not provided' do
       before do
         merged_manifest_properties['route_registrar']['routes'][0]['server_cert_domain_san'] = ''
+        merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
       end
       it 'should required san if tls_port is provided' do
         expect { template.render(merged_manifest_properties, consumes: links) }.to raise_error(
@@ -433,6 +463,7 @@
       before do
         merged_manifest_properties['route_registrar']['routes'][0].delete('tls_port')
         merged_manifest_properties['route_registrar']['routes'][0].delete('server_cert_domain_san')
+        merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
       end
 
       it 'renders the template' do
@@ -441,6 +472,10 @@
     end
 
     describe 'when protocol is provided' do
+      before do
+        merged_manifest_properties['nats'] = {'fail_if_using_nats_without_tls' => false }
+      end
+
       it 'uses configured protocol http1' do
         merged_manifest_properties['route_registrar']['routes'][0]['protocol'] = 'http1'
         rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
