Fall back to identity AuditTokenRequest API when appscode.com is unreachable

go.mod

@@ -5,7 +5,6 @@ go 1.25.0
 require (
 	github.com/cloudevents/sdk-go/v2 v2.15.2
 	github.com/nats-io/nats.go v1.49.0
-	github.com/pkg/errors v0.9.1
 	go.bytebuilders.dev/license-verifier v0.15.0
 	go.bytebuilders.dev/license-verifier/kubernetes v0.15.0
 	gomodules.xyz/counter v0.0.1
@@ -14,7 +13,7 @@ require (
 	k8s.io/client-go v0.34.3
 	k8s.io/klog/v2 v2.130.1
 	kmodules.xyz/client-go v0.34.3
-	kmodules.xyz/resource-metadata v0.42.4
+	kmodules.xyz/resource-metadata v0.46.1-0.20260604054459-ba20b6454d28
 	sigs.k8s.io/controller-runtime v0.22.4
 )
 
@@ -28,9 +27,10 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/docker/cli v29.0.3+incompatible // indirect
+	github.com/docker/cli v29.2.0+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.4 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
@@ -80,6 +80,7 @@ require (
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
@@ -99,7 +100,7 @@ require (
 	github.com/yudai/gojsondiff v1.0.0 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
-	go.bytebuilders.dev/license-proxyserver v0.0.26 // indirect
+	go.bytebuilders.dev/license-proxyserver v0.1.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect

go.sum

@@ -21,12 +21,14 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v29.0.3+incompatible h1:8J+PZIcF2xLd6h5sHPsp5pvvJA+Sr2wGQxHkRl53a1E=
-github.com/docker/cli v29.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=
+github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker-credential-helpers v0.9.4 h1:76ItO69/AP/V4yT9V4uuuItG0B1N8hvt0T0c0NN/DzI=
 github.com/docker/docker-credential-helpers v0.9.4/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
@@ -225,8 +227,8 @@ github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
-go.bytebuilders.dev/license-proxyserver v0.0.26 h1:NoL8TQOxuquq9KChm0ihLpDTdT/5OljAx7X0Vdlnre4=
-go.bytebuilders.dev/license-proxyserver v0.0.26/go.mod h1:JwdJtBnV93CNXHtdGXQ1BbY8Ma8zQAdS9Ckftor2qH4=
+go.bytebuilders.dev/license-proxyserver v0.1.1 h1:4iq0NYRlsToW6JNFdGus1RiKtY3F7WAAVsp3fEhK268=
+go.bytebuilders.dev/license-proxyserver v0.1.1/go.mod h1:UCnQg0Od/tI0PkClwp6SzIbHVvzo6GWdTx7vh/tGEig=
 go.bytebuilders.dev/license-verifier v0.15.0 h1:9BHJSVpiCztnJMlsn1i36wi0ZeHdr46CrQH2GUzFLBA=
 go.bytebuilders.dev/license-verifier v0.15.0/go.mod h1:aGD3zgEUZ5BnOam9U241ZiOm4Wp8f+EiJeQ+nHTFO5A=
 go.bytebuilders.dev/license-verifier/kubernetes v0.15.0 h1:EQ0RKw45c/BNzx8qF5jabMl+zVDcGqOHXpSqtG2/2as=
@@ -349,8 +351,8 @@ kmodules.xyz/go-containerregistry v0.0.15 h1:PRY5FDOzb6u23KOulQ4SWNdeUkBKmezLyJX
 kmodules.xyz/go-containerregistry v0.0.15/go.mod h1:rO0DEbYYEu1BfVcZ1pXV+3RgzVXr/k5hXcO+BQYVVDI=
 kmodules.xyz/offshoot-api v0.34.0 h1:HnOOp8FrCjTWjtNApRDo6Ahe79tOlLrJmyye4xxO4Kk=
 kmodules.xyz/offshoot-api v0.34.0/go.mod h1:F+B59yYw4CZJ4uD4xu6C+mMLzIXUtuH7E+SbDICl9jE=
-kmodules.xyz/resource-metadata v0.42.4 h1:nFVo+PKmwWdzVwk7U3VZuKBQj3tPo6fyY5BC7gE2OB8=
-kmodules.xyz/resource-metadata v0.42.4/go.mod h1:++18wSB28Wrw3ZxnOd8o8IVg7oMyWPwaPfuLw21QnPc=
+kmodules.xyz/resource-metadata v0.46.1-0.20260604054459-ba20b6454d28 h1:o87MYSd0PQwXQQvfXaG0FifT9PPUU1laDpAUQfhL5Us=
+kmodules.xyz/resource-metadata v0.46.1-0.20260604054459-ba20b6454d28/go.mod h1:2A80iHv+kkkgLBhCBbPRwsRrqhmvjnEo6UDQKFx06xA=
 kmodules.xyz/resource-metrics v0.34.0 h1:cqscgTx3PONxHj6PIySK3sTlKKv8iKTGzRd+S6YSwXg=
 kmodules.xyz/resource-metrics v0.34.0/go.mod h1:R34IKtp5+NqcQz7AQJheBJK6Iem0LqrCbm/55Mn+ECQ=
 moul.io/http2curl/v2 v2.3.1-0.20221024080105-10c404f653f7 h1:NykkTlRB+X40z86cLHdEmuoTxhNKhQebLT379b1EumA=

lib/nats.go

@@ -17,25 +17,25 @@ limitations under the License.
 package lib
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
+	"errors"
 	"fmt"
-	"io"
 	"net/http"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/nats-io/nats.go"
-	"github.com/pkg/errors"
-	verifier "go.bytebuilders.dev/license-verifier"
 	"go.bytebuilders.dev/license-verifier/apis/licenses/v1alpha1"
 	"go.bytebuilders.dev/license-verifier/info"
 	"go.bytebuilders.dev/license-verifier/kubernetes"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
+	identityapi "kmodules.xyz/resource-metadata/apis/identity/v1alpha1"
+	identityclient "kmodules.xyz/resource-metadata/client/clientset/versioned/typed/identity/v1alpha1"
+	identitylib "kmodules.xyz/resource-metadata/pkg/identity"
 )
 
 const (
@@ -155,51 +155,104 @@ func (c *NatsClient) connect() error {
 		return fmt.Errorf("license status is %s", license.Status)
 	}
 
-	opts := verifier.Options{
-		ClusterUID: c.clusterID,
-		Features:   info.ProductName,
-		CACert:     []byte(info.LicenseCA),
-		License:    licenseBytes,
-	}
-	data, err := json.Marshal(opts)
+	natscred, err := c.fetchNatsCredential(licenseBytes)
 	if err != nil {
 		return err
 	}
 
-	resp, err := http.Post(info.MustRegistrationAPIEndpoint(), "application/json", bytes.NewReader(data))
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close() // nolint:errcheck
+	klog.V(5).InfoS("using event receiver", "address", natscred.Server, "subject", natscred.Subject, "licenseID", license.ID)
 
-	body, err := io.ReadAll(resp.Body)
+	nc, err := NewConnection(license.ID, *natscred)
 	if err != nil {
 		return err
 	}
 
-	if resp.StatusCode != http.StatusOK {
-		return errors.New(resp.Status + ", " + string(body))
+	c.le = le
+	c.l = &license
+	c.nc = nc
+	c.Subject = natscred.Subject
+	c.Server = natscred.Server
+	return nil
+}
+
+// fetchNatsCredential obtains a NATS credential by first calling the public
+// appscode.com Register endpoint. If that call fails because the cluster
+// cannot reach appscode.com (DNS failure, connection refused, timeout, etc.),
+// it falls back to the in-cluster identity.k8s.appscode.com extended API.
+func (c *NatsClient) fetchNatsCredential(licenseBytes []byte) (*NatsCredential, error) {
+	natscred, err := registerWithAppsCode(c.clusterID, licenseBytes)
+	if err == nil {
+		return natscred, nil
 	}
+	if !isNoConnectivityErr(err) {
+		return nil, err
+	}
+	klog.V(5).InfoS("appscode.com unreachable; falling back to extended API",
+		"error", err.Error())
+	return registerViaExtendedAPI(c.cfg, licenseBytes)
+}
 
-	var natscred NatsCredential
-	err = json.Unmarshal(body, &natscred)
+func registerWithAppsCode(clusterID string, licenseBytes []byte) (*NatsCredential, error) {
+	resp, err := identitylib.NewDefaultClient().GetAuditTokenForCluster(clusterID, info.ProductName, licenseBytes)
 	if err != nil {
-		return err
+		return nil, err
 	}
+	return &NatsCredential{
+		NatsConfig: NatsConfig{
+			Subject: resp.Subject,
+			Server:  resp.Server,
+		},
+		Credential: resp.Credential,
+	}, nil
+}
 
-	klog.V(5).InfoS("using event receiver", "address", natscred.Server, "subject", natscred.Subject, "licenseID", license.ID)
-
-	nc, err := NewConnection(license.ID, natscred)
+func registerViaExtendedAPI(cfg *rest.Config, licenseBytes []byte) (*NatsCredential, error) {
+	ic, err := identityclient.NewForConfig(cfg)
 	if err != nil {
-		return err
+		return nil, err
+	}
+	req := &identityapi.AuditTokenRequest{
+		Request: &identityapi.AuditTokenRequestRequest{
+			Features: info.ProductName,
+			License:  licenseBytes,
+		},
+	}
+	result, err := ic.AuditTokenRequests().Create(context.TODO(), req, metav1.CreateOptions{})
+	if err != nil {
+		return nil, err
 	}
+	if result.Response == nil {
+		return nil, errors.New("extended api returned empty AuditTokenRequest response")
+	}
+	return &NatsCredential{
+		NatsConfig: NatsConfig{
+			Subject: result.Response.Subject,
+			Server:  result.Response.Server,
+		},
+		Credential: result.Response.Credential,
+	}, nil
+}
 
-	c.le = le
-	c.l = &license
-	c.nc = nc
-	c.Subject = natscred.Subject
-	c.Server = natscred.Server
-	return nil
+// isNoConnectivityErr reports whether the cluster cannot reach
+// https://appscode.com at all (DNS lookup failure, connection refused,
+// timeout, etc.). It actively probes the host with a short-timeout HEAD
+// request rather than guessing from the registration error, so HTTP error
+// responses from appscode.com (auth failures, 4xx, 5xx) don't accidentally
+// trigger the fallback. The err argument is accepted for future use but
+// currently ignored.
+func isNoConnectivityErr(_ error) bool {
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	req, err := http.NewRequestWithContext(ctx, http.MethodHead, "https://appscode.com", nil)
+	if err != nil {
+		return false
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return true
+	}
+	resp.Body.Close() // nolint:errcheck
+	return false
 }
 
 // NewConnection creates a new NATS connection