fix: use account ref for user creation

api/v1alpha1/nats_user_types.go

@@ -47,6 +47,8 @@ type NatsUserSpec struct {
 	PrivateKey NatsKeyReference `json:"privateKey,omitempty"`
 	// SignerKeyRef is a reference to a secret that contains the account signing key
 	SignerKeyRef NatsKeyReference `json:"signerKeyRef"`
+	// AccountRef is a reference to the account
+	AccountRef NatsReference `json:"accountRef"`
 	// Permissions define the permissions for the user
 	Permissions Permissions `json:"permissions,omitempty"`
 	// Limits define the limits for the user

controllers/natsaccount_controller.go

@@ -178,29 +178,29 @@ func (r *NatsAccountReconciler) reconcileAccount(ctx context.Context, account *n
 	token.Name = account.Name
 	token.Account = account.Spec.ToJWTAccount()
 
-	// for _, key := range account.Spec.SigningKeys {
-	// 	sk := &corev1.Secret{}
-	// 	skName := client.ObjectKey{
-	// 		Namespace: account.Namespace,
-	// 		Name:      key.Name,
-	// 	}
-
-	// 	if err := r.Get(ctx, skName, sk); err != nil {
-	// 		return err
-	// 	}
-
-	// 	skSigner, err := nkeys.FromSeed(sk.Data[OPERATOR_SEED_KEY])
-	// 	if err != nil {
-	// 		return err
-	// 	}
-
-	// 	pkSigner, err := skSigner.PublicKey()
-	// 	if err != nil {
-	// 		return err
-	// 	}
-
-	// 	token.SigningKeys.Add(pkSigner)
-	// }
+	for _, key := range account.Spec.SigningKeys {
+		sk := &corev1.Secret{}
+		skName := client.ObjectKey{
+			Namespace: account.Namespace,
+			Name:      key.Name,
+		}
+
+		if err := r.Get(ctx, skName, sk); err != nil {
+			return err
+		}
+
+		skSigner, err := nkeys.FromSeed(sk.Data[OPERATOR_SEED_KEY])
+		if err != nil {
+			return err
+		}
+
+		pkSigner, err := skSigner.PublicKey()
+		if err != nil {
+			return err
+		}
+
+		token.SigningKeys.Add(pkSigner)
+	}
 
 	t, err := token.Encode(signerKp)
 	if err != nil {

controllers/natsuser_controller.go

@@ -177,15 +177,15 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 		return err
 	}
 
-	// skAccount := &natsv1alpha1.NatsAccount{}
-	// skAccountName := client.ObjectKey{
-	// 	Namespace: user.Namespace,
-	// 	Name:      user.Spec.AccountRef.Name,
-	// }
+	skAccount := &natsv1alpha1.NatsAccount{}
+	skAccountName := client.ObjectKey{
+		Namespace: user.Namespace,
+		Name:      user.Spec.AccountRef.Name,
+	}
 
-	// if err := r.Get(ctx, skAccountName, skAccount); err != nil {
-	// 	return err
-	// }
+	if err := r.Get(ctx, skAccountName, skAccount); err != nil {
+		return err
+	}
 
 	pk := &natsv1alpha1.NatsKey{}
 	pkName := client.ObjectKey{
@@ -225,7 +225,7 @@ func (r *NatsUserReconciler) reconcileUser(ctx context.Context, user *natsv1alph
 	token := jwt.NewUserClaims(public)
 	token.User = user.Spec.ToNatsJWT()
 	// by default sigining key is the account public key
-	// token.IssuerAccount = skAccount.Status.PublicKey
+	token.IssuerAccount = skAccount.Status.PublicKey
 
 	t, err := token.Encode(signerKp)
 	if err != nil {

examples/sample_user.yaml

@@ -8,7 +8,7 @@ spec:
 apiVersion: natz.zeiss.com/v1alpha1
 kind: NatsKey
 metadata:
-  name: natsaccount-demo-signing-key
+  name: natsaccount-sample-signing-key
 spec:
   type: Account
 ---
@@ -22,7 +22,7 @@ spec:
   privateKey:
     name: natsaccount-sample-private-key
   signingKeys:
-    - name: natsaccount-demo-signing-key
+    - name: natsaccount-sample-signing-key
   imports: []
   exports: []
   limits:
@@ -45,10 +45,12 @@ kind: NatsUser
 metadata:
   name: natsuser-sample
 spec:
+  accountRef:
+    name: natsaccount-sample
   privateKey:
     name: natsuser-sample-private-key
   signerKeyRef:
-    name: natsaccount-sample-private-key
+    name: natsaccount-sample-signing-key
   permissions:
     sub:
       allow:

examples/system_user.yaml

@@ -10,6 +10,8 @@ kind: NatsUser
 metadata:
   name: natsuser-system
 spec:
+  accountRef:
+    name: natsoperator-system
   privateKey:
     name: natsuser-system-private-key
   signerKeyRef:

helm/charts/natz-operator/templates/crds/natsusers.yaml

@@ -39,6 +39,18 @@ spec:
           spec:
             description: NatsUserSpec defines the desired state of NatsUser
             properties:
+              accountRef:
+                description: AccountRef is a reference to the account
+                properties:
+                  name:
+                    description: Name is the name of the
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the private
+                    type: string
+                required:
+                - name
+                type: object
               allowed_connection_types:
                 description: AllowedConnectionTypes is a list of allowed connection
                   types
@@ -153,6 +165,7 @@ spec:
                 - name
                 type: object
             required:
+            - accountRef
             - signerKeyRef
             type: object
           status:

manifests/crd/bases/natz.zeiss.com_natsusers.yaml

@@ -39,6 +39,18 @@ spec:
           spec:
             description: NatsUserSpec defines the desired state of NatsUser
             properties:
+              accountRef:
+                description: AccountRef is a reference to the account
+                properties:
+                  name:
+                    description: Name is the name of the
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the private
+                    type: string
+                required:
+                - name
+                type: object
               allowed_connection_types:
                 description: AllowedConnectionTypes is a list of allowed connection
                   types
@@ -153,6 +165,7 @@ spec:
                 - name
                 type: object
             required:
+            - accountRef
             - signerKeyRef
             type: object
           status: