Ensure all containers are password protected #6155
Comments
For NATS I would like to contribute the password implementation; I have already explored and started work on this.
Sounds great! Looking forward to the PR.
This adds parameter support to NATS. The postgres implementation was used as inspiration for the implementation. It uses the user info of the connection string URL to add user name and password, so the connection string looks like nats://nats:MGBKxjTAjX2stg2wzzjtVW@localhost:52166. Some NATS clients support this form natively but the .NET one unfortunately does not. It would be nice if this support would be added directly to NATS.Net; then that code could be removed from here again.

Contributes to: #6155

* Add password protection to NATS
* fix redacting of password
* restore name only NatsServerResource constructor to remove breaking change + added more tests
* fix duplicated namespace
* authentication tests use same wait mechanic as other tests
* restore xml comment for resource name
* Update src/Aspire.Hosting.Nats/NatsServerResource.cs
  Co-authored-by: Eric Erhardt <[email protected]>
* Update src/Aspire.Hosting.Nats/NatsServerResource.cs
  Co-authored-by: Eric Erhardt <[email protected]>
* Update tests/Aspire.Hosting.Nats.Tests/NatsFunctionalTests.cs
  Co-authored-by: Eric Erhardt <[email protected]>
* Update tests/Aspire.Hosting.Nats.Tests/AddNatsTests.cs
  Co-authored-by: Eric Erhardt <[email protected]>
* addressed some review comments
* updated to Nats.NET 2.5.3, use authentication in connection string that is now built in
* re-add original AddNats overload (without optional parameter)
* Trigger build

---------

Co-authored-by: Eric Erhardt <[email protected]>
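The connection-string form described in the commit message above, together with the password redaction it mentions, as an added example that is not the Aspire or NATS.Net code. `NatsUrlExample`, `Build` and `Redact` are hypothetical names, the credentials are constructed, and masking a lone user-info value as if it were a secret token is an assumption.

```csharp
using System;

// Added example; NatsUrlExample, Build and Redact are hypothetical names,
// not part of Aspire.Hosting.Nats or NATS.Net.
public static class NatsUrlExample
{
    private const string Mask = "*****";

    // Builds nats://user:password@host:port. Credentials are percent-encoded so
    // that '@', ':' or '/' in a generated password cannot alter URL parsing.
    public static string Build(string user, string password, string host, int port) =>
        $"nats://{Uri.EscapeDataString(user)}:{Uri.EscapeDataString(password)}@{host}:{port}";

    // Returns a copy of the connection string that is safe to write to logs.
    public static string Redact(string connectionString)
    {
        // Fail closed: never echo a string that did not parse as a URL with a
        // host, because it may still contain a secret.
        if (!Uri.TryCreate(connectionString, UriKind.Absolute, out var uri)
            || string.IsNullOrEmpty(uri.Host))
        {
            return "<unparseable connection string>";
        }

        if (string.IsNullOrEmpty(uri.UserInfo))
        {
            return connectionString; // no credentials present
        }

        // user:password -> keep the user name, mask the password.
        // Assumption: user info without ':' may be a secret token, so mask it whole.
        int colon = uri.UserInfo.IndexOf(':');
        string shown = colon < 0 ? Mask : uri.UserInfo[..colon] + ":" + Mask;

        return $"{uri.Scheme}://{shown}@{uri.Authority}{uri.PathAndQuery}";
    }

    public static void Main()
    {
        // Constructed sample inputs, not real credentials.
        string url = Build("nats", "p@ss:w/rd", "localhost", 4222);
        Console.WriteLine(Redact(url));                     // password masked
        Console.WriteLine(Redact("nats://localhost:4222")); // unchanged
        Console.WriteLine(Redact("nats:secret@localhost")); // rejected, not echoed
    }
}
```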
@liammclennan @nblumhardt - any interest in adding password support for Seq?
@eerhardt sounds good! The Seq container supports a couple of environment variables that would make this pretty easy. One possible wrinkle; the variables are:
But, these only apply when the container's storage is first created, so modifying them once the Seq container has been initialized/has persistent data will have no effect. Would this be surprising/break expectations compared with the way other containers are doing it?
I don't think it would be surprising since it is consistent with other containers. Other containers (postgres, mongodb, etc) use the password in the stored data as well. Changing the password after the data was created basically invalidates the existing data. See the Warning at: https://learn.microsoft.com/en-us/dotnet/aspire/database/sql-server-integration?tabs=dotnet-cli%2Cssms#add-sql-server-resource-with-data-volume
Where possible, we should be enabling passwords on our containers.
The goal here is to provide a layer of redundancy. If ACA firewalling (or other system to protect from external access) fails, an external client will still not be able to access the container without knowledge of the authentication password.
The following containers don't have password protection: