[GH-ISSUE #906] Feature Request: Allow TLS offloading for NATS #2503

New issue

Closed

opened 2026-03-14 04:17:01 +03:00 by kerem · 3 comments

kerem commented 2026-03-14 04:17:01 +03:00

Owner

Copy link

Originally created by @joeldeteves on GitHub (Dec 28, 2021).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/906

Is your feature request related to a problem? Please describe.
Currently, tactical-nats is configured to point to an internal certificate file:

{"tls": {"cert_file": "/opt/tactical/certs/fullchain.pem", "key_file": "/opt/tactical/certs/privkey.pem"}, "authorization": {"users": [{"user": "tacticalrmm", "password": "my-password"}]}, "max_payload": 67108864}

This works fine for localized use cases (traditional Linux server or docker-compose) but not so well for setups that do TLS termination on the proxy side e.g. clustered setups like Kubernetes.

Describe the solution you'd like
See https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls#tls-terminating-reverse-proxies - it would be nice to have a custom dialer that takes input via an environment variable in the container. This way, we can configure "TLS offloading" of sorts for NATS.

Describe alternatives you've considered
A workaround for Kubernetes is to do TLS passthrough on the ingress controller and dump the certificates into the existing environment variables in the container but this is more complex and it's not ideal.

Additional context
I have been trying for a few days to get TacticalRMM working in Kubernetes - I am about 90% there but I have hit a snag with NATS due to the certificate issue. A custom dialer would make it a lot easier to configure

Originally created by @joeldeteves on GitHub (Dec 28, 2021). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/906 **Is your feature request related to a problem? Please describe.** Currently, tactical-nats is configured to point to an internal certificate file: ``` {"tls": {"cert_file": "/opt/tactical/certs/fullchain.pem", "key_file": "/opt/tactical/certs/privkey.pem"}, "authorization": {"users": [{"user": "tacticalrmm", "password": "my-password"}]}, "max_payload": 67108864} ``` This works fine for localized use cases (traditional Linux server or docker-compose) but not so well for setups that do TLS termination on the proxy side e.g. clustered setups like Kubernetes. **Describe the solution you'd like** See https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls#tls-terminating-reverse-proxies - it would be nice to have a custom dialer that takes input via an environment variable in the container. This way, we can configure "TLS offloading" of sorts for NATS. **Describe alternatives you've considered** A workaround for Kubernetes is to do TLS passthrough on the ingress controller and dump the certificates into the existing environment variables in the container but this is more complex and it's not ideal. **Additional context** I have been trying for a few days to get TacticalRMM working in Kubernetes - I am about 90% there but I have hit a snag with NATS due to the certificate issue. A custom dialer would make it a lot easier to configure

kerem closed this issue 2026-03-14 04:17:06 +03:00

kerem commented 2026-03-14 04:17:12 +03:00

Author

Owner

Copy link

@joeldeteves commented on GitHub (Dec 29, 2021):

Just wanted to add to this, since I found a workaround by mounting secret volumes in Kubernetes (to pass the certificate files into the containers), I discovered that tactical-nats container also uses a hard coded certificate path baked into the container image.

It would be nice to be able to specify the certificate path using an environment variable if the first option (TLS offload) is not feasible.

Currently I am working around it using an init container & sed commands - a hacky solution!

<!-- gh-comment-id:1002369641 --> @joeldeteves commented on GitHub (Dec 29, 2021): Just wanted to add to this, since I found a workaround by mounting secret volumes in Kubernetes (to pass the certificate files into the containers), I discovered that tactical-nats container also uses a hard coded certificate path baked into the container image. It would be nice to be able to specify the certificate path using an environment variable if the first option (TLS offload) is not feasible. Currently I am working around it using an init container & sed commands - a hacky solution!

kerem commented 2026-03-14 04:17:17 +03:00

Author

Owner

Copy link

@silversword411 commented on GitHub (Jan 2, 2022):

So that PR solves this? Can we close?

<!-- gh-comment-id:1003784295 --> @silversword411 commented on GitHub (Jan 2, 2022): So that PR solves this? Can we close?

kerem commented 2026-03-14 04:17:22 +03:00

Author

Owner

Copy link

@joeldeteves commented on GitHub (Jan 2, 2022):

Yes the PR solves it, thank you,

<!-- gh-comment-id:1003784405 --> @joeldeteves commented on GitHub (Jan 2, 2022): Yes the PR solves it, thank you,

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

1.0.0

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.20.1

v0.20.0

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.5

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.12

v0.15.11

v0.15.10

v0.15.9

v0.15.8

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.2

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.32

v0.4.31

v0.4.30

v0.4.29

v0.4.28

v0.4.27

v0.4.26

v0.4.25

v0.4.24

v0.4.23

v0.4.22

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.10

v0.4.9

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

In Process

  

bug

  

bug

  

dev-triage

  

documentation

  

duplicate

  

enhancement

  

fixed

  

good first issue

  

help wanted

  

integration

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

requires agent update

  

security

  

ui tweak

  

wontfix

No labels

In Process

bug

bug

dev-triage

documentation

duplicate

enhancement

fixed

good first issue

help wanted

integration

invalid

pull-request

question

requires agent update

security

ui tweak

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/tacticalrmm#2503

No description provided.