Broker credentials + TLS for the ElpioTask dispatcher #38
Merged
Conversation
The Redis/RabbitMQ/NATS brokers connected with bare URLs, no auth, no TLS. Add optional connection settings on BrokerConfig:

- auth: username (+ usernameEnv), passwordEnv, token (+ tokenEnv). Secrets are sourced from env var names, never inline plaintext in the CR. Precedence per value: the *Env var name wins over the inline literal; passwords are env-only by design.
- tls: enabled, caCert (PEM path), insecureSkipVerify (dev only).

The reconciler maps these to ELPIO_BROKER_* env on the dispatcher pod, passing secret references by name. The dispatcher resolves them at connect time and threads them into each client:

- Redis: ssl / ssl_ca_certs + username / password.
- RabbitMQ: PlainCredentials + SSLOptions.
- NATS: tls context + user / password / token, tls:// scheme.

Library imports stay lazy and guarded so the registry is importable without redis/pika/nats. CRD schema (both the deploy and Helm copies) and the Pydantic model are kept in sync, with an example manifest and unit tests that assert the kwargs/URL are built correctly from a fake client without opening sockets.
What

The dispatcher brokers (Redis/RabbitMQ/NATS) connected with bare URLs and no auth or TLS. This adds optional connection settings to `BrokerConfig` and threads them into each broker's connect call.

Spec (`models/task.py` + both CRD copies)

- `broker.auth`: `username`/`usernameEnv`, `passwordEnv`, `token`/`tokenEnv`.
- `broker.tls`: `enabled`, `caCert` (PEM path), `insecureSkipVerify`.

Secret handling

Nothing sensitive lives in the CR. The `*Env` fields name an env var the dispatcher pod gets from a Secret. Precedence per value: the `*Env` var name wins over the inline literal. Passwords are env-only (no inline field). The reconciler maps the spec to `ELPIO_BROKER_*` env, passing secret references by name; the dispatcher resolves them at connect time.

Wiring

- Redis: `ssl`/`ssl_ca_certs` + `username`/`password`.
- RabbitMQ: `PlainCredentials` + `SSLOptions`.
- NATS: `tls` context + `user`/`password`/`token`, `tls://` scheme.

Client imports stay lazy and guarded, so the registry is still importable without redis/pika/nats. `insecureSkipVerify` defaults off and is documented as dev-only.

Tests

- `tests/unit/test_brokers.py` asserts the connection kwargs/URL are built correctly from creds+TLS using fake/monkeypatched clients (no sockets).
- `tests/unit/test_task_render.py` asserts the reconciler emits the right env and never the password value.

Existing NATS lifecycle tests untouched. Full unit suite green, ruff clean.

Also adds `examples/task-secure-broker.yaml` documenting the precedence.

Closes #33.
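The precedence rule, the reconciler-side env rendering and the per-broker wiring described above, as an added, self-contained example that is not ElpioTask's own code. The dataclass and function names (`BrokerAuth`, `BrokerTLS`, `BrokerConfig`, `render_env`, `resolve_credentials`, `build_ssl_context`, `connection_kwargs`) and the exact `ELPIO_BROKER_*` variable names after the prefix are assumptions; the CRD field names follow the PR text. No broker client is imported: each branch returns the URL and kwargs that would be handed to `redis.Redis`, `pika.PlainCredentials`/`pika.SSLOptions` or `nats.connect`, which is the shape the PR's unit tests assert on without opening sockets.

```python
"""Added example (not ElpioTask's code): spec -> env -> client kwargs, with
the *Env-wins precedence and password-never-in-the-CR property made explicit.
Identifiers here are illustrative assumptions, not the project's own."""
import os
import ssl
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class BrokerAuth:
    username: Optional[str] = None
    usernameEnv: Optional[str] = None
    passwordEnv: Optional[str] = None   # env-only by design: no inline password
    token: Optional[str] = None
    tokenEnv: Optional[str] = None


@dataclass
class BrokerTLS:
    enabled: bool = False
    caCert: Optional[str] = None        # PEM path inside the dispatcher pod
    insecureSkipVerify: bool = False    # dev only


@dataclass
class BrokerConfig:
    kind: str                           # "redis" | "rabbitmq" | "nats"
    url: str
    auth: BrokerAuth = field(default_factory=BrokerAuth)
    tls: BrokerTLS = field(default_factory=BrokerTLS)


# Reconciler side: the *Env fields are forwarded as the NAME of the env var the
# pod gets from a Secret, so no secret value ever appears in the rendered env.
def render_env(cfg: BrokerConfig) -> dict:
    a, t = cfg.auth, cfg.tls
    pairs = [
        ("ELPIO_BROKER_USERNAME", a.username),
        ("ELPIO_BROKER_USERNAME_ENV", a.usernameEnv),
        ("ELPIO_BROKER_PASSWORD_ENV", a.passwordEnv),
        ("ELPIO_BROKER_TOKEN", a.token),
        ("ELPIO_BROKER_TOKEN_ENV", a.tokenEnv),
        ("ELPIO_BROKER_TLS", "true" if t.enabled else None),
        ("ELPIO_BROKER_TLS_CA_CERT", t.caCert),
        ("ELPIO_BROKER_TLS_INSECURE", "true" if t.insecureSkipVerify else None),
    ]
    return {k: v for k, v in pairs if v is not None}


# Dispatcher side: resolve at connect time; an *_ENV name beats the inline literal,
# and a named-but-unset variable is an error rather than a silent fallback.
def _resolve(env, inline_key, env_key, environ):
    name = env.get(env_key)
    if name:
        if name not in environ:
            raise KeyError(f"{env_key} names {name!r}, which is not set in the pod")
        return environ[name]
    return env.get(inline_key) if inline_key else None


def resolve_credentials(env, environ=None):
    environ = os.environ if environ is None else environ
    return {
        "username": _resolve(env, "ELPIO_BROKER_USERNAME", "ELPIO_BROKER_USERNAME_ENV", environ),
        "password": _resolve(env, None, "ELPIO_BROKER_PASSWORD_ENV", environ),
        "token": _resolve(env, "ELPIO_BROKER_TOKEN", "ELPIO_BROKER_TOKEN_ENV", environ),
    }


# One context serves pika's SSLOptions(ctx) and nats' tls=ctx. None when TLS is off.
def build_ssl_context(env):
    if env.get("ELPIO_BROKER_TLS") != "true":
        return None
    ctx = ssl.create_default_context(cafile=env.get("ELPIO_BROKER_TLS_CA_CERT"))
    if env.get("ELPIO_BROKER_TLS_INSECURE") == "true":
        ctx.check_hostname = False      # dev only: no server identity check
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connection_kwargs(kind, url, env, environ=None):
    creds = resolve_credentials(env, environ)
    tls_on = env.get("ELPIO_BROKER_TLS") == "true"
    insecure = env.get("ELPIO_BROKER_TLS_INSECURE") == "true"
    if kind == "redis":
        kw = {"username": creds["username"], "password": creds["password"]}
        if tls_on:
            kw.update(ssl=True, ssl_ca_certs=env.get("ELPIO_BROKER_TLS_CA_CERT"),
                      ssl_cert_reqs="none" if insecure else "required")
        return url, kw
    if kind == "rabbitmq":
        return url, {"credentials": (creds["username"], creds["password"]),  # pika.PlainCredentials(*)
                     "ssl_options": build_ssl_context(env)}                  # pika.SSLOptions(ctx)
    if kind == "nats":
        if tls_on:
            url = urlunsplit(urlsplit(url)._replace(scheme="tls"))
        return url, {"user": creds["username"], "password": creds["password"],
                     "token": creds["token"], "tls": build_ssl_context(env)}
    raise ValueError(f"unknown broker kind {kind!r}")
```

The property worth testing is the one the PR's `test_task_render.py` checks: with a constructed fake environment such as `{"BROKER_USER": "env-user", "BROKER_PASS": "s3cret"}`, `render_env` never contains `"s3cret"`, while `connection_kwargs` resolves it and prefers `env-user` over an inline `username`.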