fix: complete NATS TLS configuration with client certificates and RootCA support (#720)

Co-authored-by: Claude <noreply@anthropic.com>
Cory LaNou
2025-08-21 08:44:58 -05:00
committed by GitHub
parent c2e884d4f0
commit feee71f6a9
3 changed files with 25 additions and 7 deletions


@@ -570,6 +570,8 @@ type ReplicaConfig struct {
Token string `yaml:"token"`
TLS bool `yaml:"tls"`
RootCAs []string `yaml:"root-cas"`
ClientCert string `yaml:"client-cert"`
ClientKey string `yaml:"client-key"`
MaxReconnects *int `yaml:"max-reconnects"`
ReconnectWait *time.Duration `yaml:"reconnect-wait"`
Timeout *time.Duration `yaml:"timeout"`
@@ -903,6 +905,12 @@ func newNATSReplicaClientFromConfig(c *ReplicaConfig, _ *litestream.Replica) (_
return nil, fmt.Errorf("bucket required for NATS replica")
}
// Validate TLS configuration
// Both client cert and key must be specified together
if (c.ClientCert != "") != (c.ClientKey != "") {
return nil, fmt.Errorf("client-cert and client-key must both be specified for mutual TLS authentication")
}
// Build replica client
client := nats.NewReplicaClient()
client.URL = url
@@ -918,8 +926,9 @@ func newNATSReplicaClientFromConfig(c *ReplicaConfig, _ *litestream.Replica) (_
client.Token = c.Token
// Set TLS options
client.TLS = c.TLS
client.RootCAs = c.RootCAs
client.ClientCert = c.ClientCert
client.ClientKey = c.ClientKey
// Set connection options with defaults
if c.MaxReconnects != nil {
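Review bot: The new validation block before `client := nats.NewReplicaClient()` only checks that `client-cert` and `client-key` come as a pair; it does not check that `tls` is enabled, and in the NATS client's `connect` the `ClientCert`, `ClientKey` and `RootCAs` options are applied only inside `if c.TLS`, so a replica configured with certificate material but without `tls: true` silently connects without any of it. Consider rejecting that combination in the same block, e.g. `if !c.TLS && (c.ClientCert != "" || len(c.RootCAs) > 0) { return nil, fmt.Errorf("tls must be enabled when client-cert or root-cas are specified for NATS replica") }`, or enabling TLS implicitly when they are set. Whether a `tls://` URL scheme also turns TLS on in this code path is not visible here, so the check may need to take that into account. newNATSReplicaClientFromConfig starts and ends outside the hunk.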


@@ -7,3 +7,10 @@
# replicas:
# - path: /path/to/replica # File-based replication
# - url: s3://my.bucket.com/db # S3-based replication
# - type: nats # NATS JetStream replication
# url: nats://nats.example.com:4222
# bucket: litestream-backups
# # Optional TLS configuration:
# # client-cert: /path/to/client.pem
# # client-key: /path/to/client.key
# # root-cas: [/path/to/ca.pem]


@@ -47,6 +47,8 @@ type ReplicaClient struct {
Token string // Token for authentication
TLS bool // Enable TLS
RootCAs []string // Root CA certificates
ClientCert string // Client certificate file path
ClientKey string // Client key file path
// Note: Bucket configuration (replicas, storage, TTL, etc.) should be
// managed externally via NATS CLI or API, not by Litestream
@@ -131,12 +133,12 @@ func (c *ReplicaClient) connect(_ context.Context) error {
}
// TLS configuration
if c.TLS {
opts = append(opts, nats.Secure())
if len(c.RootCAs) > 0 {
// Note: Root CA configuration would need additional setup
// This is a simplified version - real implementation may need more setup
}
if c.ClientCert != "" && c.ClientKey != "" {
opts = append(opts, nats.ClientCert(c.ClientCert, c.ClientKey))
}
if len(c.RootCAs) > 0 {
opts = append(opts, nats.RootCAs(c.RootCAs...))
}
// Note: NATS Connect doesn't directly support context cancellation during connection
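Review bot: The new `if c.ClientCert != "" && c.ClientKey != ""` guard silently skips client-certificate setup when only one of the two paths is set, so a caller that constructs the client directly (bypassing the config-file validation) authenticates without a certificate and only learns about it from a less specific server-side failure; returning an error here keeps the rule enforced in one place, e.g. `if (c.ClientCert != "") != (c.ClientKey != "") { return fmt.Errorf("nats: client cert and client key must both be set") }` (using whichever of `fmt`/`errors` the file already imports). The `nats.RootCAs(c.RootCAs...)` line also deserves a comment: if I read nats.go's option correctly it builds a fresh certificate pool from the listed files rather than extending the system pool, so `// RootCAs replaces the system trust store; only the listed CAs are trusted once set` would prevent surprise for operators. Both options are ignored when `TLS` is false, which a reader of the struct fields would not expect; a one-line note on the `if c.TLS` line stating that would help. connect continues outside the hunk.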