2. About me
● Waldemar Quevedo / @wallyqs
● Software Engineer at
● NATS Core maintainer
● Using NATS since 2012
● Author of Practical NATS (Apress, 2018)
3. In this talk
● Deep Dive into some of the NATS features
● Example: Building Chat App Walkthrough
● Complete application can be found at:
https://github.com/wallyqs/kubecon2020/
6. Core of NATS
● Streams
○ A “flow”
○ A sequence of messages that can be consumed. Fan out.
● Service
○ A subscription that takes request messages and can respond (RPC)
○ “Do something and return a result”
○ Load Balanced
7. Core of NATS: Subjects
A subject is simply a string representing an interest in data.
● Simple subject: foo or weather
● Hierarchically Tokenized: foo.bar, weather.us.co.denver
● Wildcard subscriptions
✓ foo.* matches foo.bar and foo.baz.
✓ foo.*.bar matches foo.a.bar and foo.b.bar.
✓ foo.> matches any of the above
✓ > matches everything in NATS
● Unique subjects for 1:1 addressability
12. Accounts Isolation
● We have 3 types of users, all part of the same account KUBECON
✓ Chat Credentials Requestor
./nats-req chat.req.access <username>
✓ Credential Provisioners
./chat-access -creds chat.creds
✓ Chat Users
./chat -creds my.creds
13. Using NSC
● NSC is the command line tool to manage users and accounts
https://github.com/nats-io/nsc
curl https://nats-io.github.io/k8s/setup/nsc-setup.sh | sh
● nsc add account --name KUBECON
[ OK ] generated and stored account key
"ADKN46NONOAOEPWUPFB47MOEBNOXRNJFRAKVOAQA7Q4JPVSFAPVHAW4T"
[ OK ] added account "KUBECON"
14. Creating the account
● The chat application will exist in the KUBECON account
> nsc add account --name KUBECON
[ OK ] generated and stored account key
"ADKN46NONOAOEPWUPFB47MOEBNOXRNJFRAKVOAQA7Q4JPVSFAPVHAW4T"
[ OK ] added account "KUBECON"
15. Adding a signing key
● Since chat users will be created on the fly, we will use a special signing key for that purpose: https://docs.nats.io/nats-tools/nsc/signing_keys
> nsc generate nkey --account --store
> nsc edit account --sk
AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI
[ OK ] added signing key
"AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI"
[ OK ] edited account "KUBECON"
17. Starting the NATS Server
● We will use the NATS Server Trusted Operator mode, which gives us a decentralized setup.
● NSC can generate the server config:
> nsc generate config --mem-resolver > nats.conf
> nats-server -c nats.conf
[INF] Starting nats-server version 2.2.0-beta.20
[DBG] Go build version go1.14.4
[INF] Git commit [not set]
[INF] Using configuration file: nats.conf
[INF] Trusted Operators
18. Create the Creds Provisioner
● The chat-access tool will use the account JWT and the signing key to issue
new credentials to users.
> nsc add user chat-access
-K $NKEYS_PATH/keys/A/AB/AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI.nk
> cd chat-access
> go run main.go --acc $NSC_HOME/nats/KO/accounts/KUBECON/KUBECON.jwt
--sk $NKEYS_PATH/keys/A/AB/AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI.nk
--creds $NKEYS_PATH/creds/KO/KUBECON/chat-access.creds
20. Create the Creds Provisioner
QueueSubscription makes this a load balanced service.
21. Requesting Access
● In order to request access, we need to create a special user with very limited permissions, one that can only request access.
nsc add user chat-creds-request -K $SIGNING_KEY
> --allow-pubsub 'chat.req.access'
> --allow-pubsub '_INBOX.>'
> --allow-pubsub '_R_'
> --allow-pubsub '_R_.>'
[ OK ] generated and stored user key "UAP7HBB4U7P6NIJTSYFHLU6AXS4KRSYGTLQDSFBQKVHYXFA26LPJH6AF"
[ OK ] generated user creds file "$NKEYS_PATH/creds/KO/KUBECON/chat-creds-request.creds"
[ OK ] added user "chat-creds-request" to account "KUBECON"
Required for requests: replies to a request arrive on these inbox subjects.
22. Requesting Access
./nats-req -s localhost -creds $NKEYS_PATH/creds/KO/KUBECON/chat-creds-request.creds chat.req.access foo
Published [chat.req.access] : 'foo'
Received [_INBOX.GoMGWmwpbPnwRSSpiXFeKd.2NumbUrd] : '
-----BEGIN NATS USER JWT-----
eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJleHAiOjE2Mjc3NTc2NzYsImp0aSI6Ik43VEdNM0FRVFRaQVFWUElNRDNURlRZRUVYVkNWU1hPWEFIR0U3Q0g2UFJRWlpBUkFTSFEiLCJpYXQiOjE1OTYyMjE2NzYsImlzcyI6IkFBQ
ktRVE1CTlA3NFZXS01BNjRQRVJEWUg2WllCNDVZNUpJTlFLRzVNRUtKWjVNNDVKRFY1N0tJIiwibmFtZSI6ImZvbyIsInN1YiI6IlVEN0pRTkNUSlFKVUpEVTJLNUxUNVlRSVlWSk9MTElXRVlOTUs1UUxUQ1hCMkNQQTVJTllNUEo1Ii
widHlwZSI6InVzZXIiLCJuYXRzIjp7InB1YiI6eyJhbGxvdyI6WyJjaGF0LktVQkVDT04ub25saW5lIiwiY2hhdC5LVUJFQ09OLnBvc3RzLioiLCJjaGF0LktVQkVDT04uZG1zLioiXX0sInN1YiI6eyJhbGxvdyI6WyJjaGF0LktVQkVDT04ub25saW5
lIiwiY2hhdC5LVUJFQ09OLnBvc3RzLioiLCJjaGF0LktVQkVDT04uZG1zLlVEN0pRTkNUSlFKVUpEVTJLNUxUNVlRSVlWSk9MTElXRVlOTUs1UUxUQ1hCMkNQQTVJTllNUEo1IiwiX0lOQk9YLlx1MDAzZSJdfSwicGF5bG9hZCI6MTAyN
H0sImlzc3Vlcl9hY2NvdW50IjoiQURLTjQ2Tk9OT0FPRVBXVVBGQjQ3TU9FQk5PWFJOSkZSQUtWT0FRQTdRNEpQVlNGQVBWSEFXNFQifQ.d1tr9RFHFqqLQ4Ed-
Oncuu43l843rS5FLq6MhA8ocj2qj2ZcvD_UE1SoKKnRMoJxUdZVMty8GhT8RA3Qpo85AA
------END NATS USER JWT------
************************* IMPORTANT *************************
Private NKEYs are sensitive and should be treated as secrets.
-----BEGIN USER PRIVATE KEY-----
SUAN7DPWZXEXUFAG3QEZIU6WQIUECAEHXHFBD6NA62ALPCGTVESWPGBRUQ
------END USER PRIVATE KEY------
*************************************************************
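The credential above is a .creds file: a user JWT block followed by the private NKey seed. The Go program below is an added example, not code from the talk or from the kubecon2020 repository. It parses that format, decodes the JWT's claims without verifying the signature, and runs the checks an operator of the provisioner would want before handing a credential out: issued by the KUBECON signing key from slide 15, not expired, and subscribe permissions limited to the user's own DM subject. The JWT is the one printed on this slide; the private key line is a constructed placeholder, and the function names and the Review checks are the example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const SigningKey = "AABKQTMBNP74VWKMA64PERDYH6ZYB45Y5JINQKG5MEKJZ5M45JDV57KI" // KUBECON signing key, slide 15

// UserClaims holds the user JWT fields worth reviewing before a credential is handed out.
type UserClaims struct {
	Exp  int64  `json:"exp"`
	Iss  string `json:"iss"`
	Sub  string `json:"sub"`
	Nats struct {
		Pub struct{ Allow []string `json:"allow"` } `json:"pub"`
		Sub struct{ Allow []string `json:"allow"` } `json:"sub"`
	} `json:"nats"`
}

// sampleCreds is the credential returned on slide 22, JWT wrapped across lines as on the slide
// (the parser re-joins it); the private key line is a constructed placeholder, not the slide's seed.
const sampleCreds = `-----BEGIN NATS USER JWT-----
eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJleHAiOjE2Mjc3NTc2NzYsImp0aSI6Ik43VEdNM0FRVFRaQVFWUElNRDNURlRZRUVYVkNWU1hPWEFIR0U3Q0g2UFJRWlpBUkFTSFEiLCJpYXQiOjE1OTYyMjE2NzYsImlzcyI6IkFBQ
ktRVE1CTlA3NFZXS01BNjRQRVJEWUg2WllCNDVZNUpJTlFLRzVNRUtKWjVNNDVKRFY1N0tJIiwibmFtZSI6ImZvbyIsInN1YiI6IlVEN0pRTkNUSlFKVUpEVTJLNUxUNVlRSVlWSk9MTElXRVlOTUs1UUxUQ1hCMkNQQTVJTllNUEo1Ii
widHlwZSI6InVzZXIiLCJuYXRzIjp7InB1YiI6eyJhbGxvdyI6WyJjaGF0LktVQkVDT04ub25saW5lIiwiY2hhdC5LVUJFQ09OLnBvc3RzLioiLCJjaGF0LktVQkVDT04uZG1zLioiXX0sInN1YiI6eyJhbGxvdyI6WyJjaGF0LktVQkVDT04ub25saW5
lIiwiY2hhdC5LVUJFQ09OLnBvc3RzLioiLCJjaGF0LktVQkVDT04uZG1zLlVEN0pRTkNUSlFKVUpEVTJLNUxUNVlRSVlWSk9MTElXRVlOTUs1UUxUQ1hCMkNQQTVJTllNUEo1IiwiX0lOQk9YLlx1MDAzZSJdfSwicGF5bG9hZCI6MTAyN
H0sImlzc3Vlcl9hY2NvdW50IjoiQURLTjQ2Tk9OT0FPRVBXVVBGQjQ3TU9FQk5PWFJOSkZSQUtWT0FRQTdRNEpQVlNGQVBWSEFXNFQifQ.d1tr9RFHFqqLQ4Ed-Oncuu43l843rS5FLq6MhA8ocj2qj2ZcvD_UE1SoKKnRMoJxUdZVMty8GhT8RA3Qpo85AA
------END NATS USER JWT------
-----BEGIN USER PRIVATE KEY-----
SUAPLACEHOLDERSEEDNOTAREALKEYXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
------END USER PRIVATE KEY------
`

// extractBlock returns the text between "BEGIN <label>" and "END <label>", re-joining wrapped lines.
func extractBlock(text, label string) (string, error) {
	i := strings.Index(text, "BEGIN "+label)
	j := strings.Index(text, "END "+label)
	if i < 0 || j < i {
		return "", fmt.Errorf("no %s block", label)
	}
	var body []string
	for _, ln := range strings.Split(text[i:j], "\n")[1:] { // [1:] skips the BEGIN marker line
		if ln = strings.TrimSpace(ln); ln != "" && strings.Trim(ln, "-") != "" { // drop dash-only lines
			body = append(body, ln)
		}
	}
	return strings.Join(body, ""), nil
}

// ParseCreds splits a .creds file into its user JWT and NKey seed (user seeds start with "SU").
func ParseCreds(text string) (jwt, seed string, err error) {
	if jwt, err = extractBlock(text, "NATS USER JWT"); err == nil {
		seed, err = extractBlock(text, "USER PRIVATE KEY")
	}
	return jwt, seed, err
}

// DecodeClaims reads the JWT payload without checking the ed25519 signature: enough to see
// what a credential asks for, not enough to trust it (the server verifies it against the account).
func DecodeClaims(jwt string) (*UserClaims, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("jwt does not have three parts")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	c := &UserClaims{}
	if err := json.Unmarshal(raw, c); err != nil {
		return nil, err
	}
	return c, nil
}

// Review lists why an operator would reject a chat credential: not issued by the account
// signing key, expired, or a subscribe allow list that reaches other users' DM subjects.
func Review(c *UserClaims, signingKey, dmPrefix string, now time.Time) []string {
	var problems []string
	if c.Iss != signingKey {
		problems = append(problems, "issuer "+c.Iss+" is not the expected signing key")
	}
	if c.Exp != 0 && now.Unix() >= c.Exp {
		problems = append(problems, "expired at "+time.Unix(c.Exp, 0).UTC().Format(time.RFC3339))
	}
	for _, s := range c.Nats.Sub.Allow {
		if strings.HasPrefix(s, dmPrefix) && s != dmPrefix+c.Sub {
			problems = append(problems, "subscribe allow "+s+" reaches other users' DMs")
		}
	}
	return problems
}

func main() {
	jwt, _, err := ParseCreds(sampleCreds)
	c, derr := DecodeClaims(jwt)
	if err != nil || derr != nil {
		panic(fmt.Sprint(err, " ", derr))
	}
	fmt.Println("user", c.Sub, "issued by", c.Iss, "sub allow:", c.Nats.Sub.Allow, "problems:",
		Review(c, SigningKey, "chat.KUBECON.dms.", time.Now()))
}
```

Run against the slide's credential, the decoded claims show the asymmetry the later slides rely on: the pub allow list contains chat.KUBECON.dms.*, so the user can message anyone, while the sub allow list names only chat.KUBECON.dms.<own user id>. Run today the review reports the credential as expired, since the JWT carries a one-year exp from July 2020.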
24. Entering the chat
● A user can now connect with these credentials and join a chat.
./chat -s localhost -creds foo.creds
25. Entering the chat
● We can use the same credentials to listen to online events.
> nats-sub -creds userA.creds 'chat.KUBECON.online'
Listening on [chat.KUBECON.online]
[#1] Received on [chat.KUBECON.online]:
'eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJleHAiOjE1OTYyMjMwMTAsImp0aSI6IjNZSlpHUjROQVE3VTJJVFFFSU41WlBCRlBPV
1A3QVZDRTRISTZLRElMUzVKRkZVSFg1WlEiLCJpYXQiOjE1OTYyMjI5NTAsImlzcyI6IlVCQUNSWURRWlZUVFFONE9ITlRESEdPTDZS
V0VTWlNMM0tBR1hYSDJaWU5HTUNZRTVWVVcyNkpZIiwibmFtZSI6ImZvbyIsInN1YiI6IlVCQUNSWURRWlZUVFFONE9ITlRESEdPTDZ
SV0VTWlNMM0tBR1hYSDJaWU5HTUNZRTVWVVcyNkpZIiwidHlwZSI6Im5ncy1jaGF0LW9ubGluZSJ9.tu8Q8x88FpDmFhYQbSLiKDKiz4q
P9yy7c0S23zIRQzhBHlxBLX9wpduQaF9HOcEYivMSu538cesPDP2EVyy8Bg'
26. Entering the chat
● But can only subscribe to personal DMs
> nats-sub -creds userA.creds
'chat.KUBECON.dms.UBGAWHHSU2CKNIHYWSCXA53HLYCCKRH5TB6HWW3QSJGGA652WSANDCG5'
> nats-sub -creds userA.creds 'chat.KUBECON.dms.*'
nats: Permissions Violation for Subscription to "chat.KUBECON.dms.*"
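The wildcard rules from the "Core of NATS: Subjects" slide and the permissions violation above can be checked with a small matcher. The Go program below is an added example, not code from the talk or from the nats-server: Match implements the token rules stated on the subjects slide ("*" matches one token, ">" one or more trailing tokens), and CanSubscribe is a simplified model of the allow-list check (it assumes a plain match of the requested subject against each allow entry and ignores deny lists and queue groups). The allow list is constructed in the shape of the user JWT shown on slide 22, using userA's id from this slide.

```go
package main

import (
	"fmt"
	"strings"
)

// validSubject rejects empty subjects, empty tokens ("foo..bar") and whitespace.
func validSubject(s string) bool {
	if s == "" {
		return false
	}
	for _, tok := range strings.Split(s, ".") {
		if tok == "" || strings.ContainsAny(tok, " \t\r\n") {
			return false
		}
	}
	return true
}

// Match reports whether a subscription pattern (which may use "*" for one token and
// ">" for one or more trailing tokens) covers a subject. The subject's tokens are
// compared literally, so a "*" or ">" inside it is just another token.
func Match(pattern, subject string) bool {
	if !validSubject(pattern) || !validSubject(subject) {
		return false
	}
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		switch {
		case tok == ">":
			// must be the last pattern token and needs at least one subject token left
			return i == len(p)-1 && len(s) > i
		case i >= len(s):
			return false
		case tok != "*" && tok != s[i]:
			return false
		}
	}
	return len(p) == len(s)
}

// CanSubscribe models the allow-list check behind the "Permissions Violation" shown on
// slide 26 (assumption: a plain match over the allow list, no deny list, no queue rules).
// A subscription is granted only if some allowed pattern covers the requested subject.
// Because the request is compared literally, asking for "chat.KUBECON.dms.*" is not
// covered by an entry that names one specific DM subject.
func CanSubscribe(allow []string, subject string) bool {
	for _, pattern := range allow {
		if Match(pattern, subject) {
			return true
		}
	}
	return false
}

func main() {
	// allow list in the shape of the user JWT on slide 22, with userA's id from slide 26 (constructed)
	allow := []string{
		"chat.KUBECON.online",
		"chat.KUBECON.posts.*",
		"chat.KUBECON.dms.UBGAWHHSU2CKNIHYWSCXA53HLYCCKRH5TB6HWW3QSJGGA652WSANDCG5",
		"_INBOX.>",
	}
	for _, req := range []string{
		"chat.KUBECON.dms.UBGAWHHSU2CKNIHYWSCXA53HLYCCKRH5TB6HWW3QSJGGA652WSANDCG5",
		"chat.KUBECON.dms.*",
		"chat.KUBECON.posts.*",
		"_INBOX.GoMGWmwpbPnwRSSpiXFeKd.2NumbUrd",
	} {
		fmt.Printf("subscribe %-75s allowed=%v\n", req, CanSubscribe(allow, req))
	}
}
```

The literal comparison is the point of the last slide: the user's own DM subject and the posts wildcard are granted, the request for chat.KUBECON.dms.* is refused, and replies on _INBOX are still reachable because the allow list carries the _INBOX.> entry that the credential requestor on slide 21 also needed.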