From 048e4ccd0ba5f002b3e40ad81f0d8a1d4bed801c Mon Sep 17 00:00:00 2001 From: Matthew DeVenny Date: Mon, 6 Dec 2021 08:46:46 -0700 Subject: [PATCH 1/2] Add nats package Signed-off-by: Matthew DeVenny --- .../generated-changes/overlay/app-readme.md | 3 +++ .../generated-changes/overlay/questions.yaml | 12 +++++++++++ .../generated-changes/patch/Chart.yaml.patch | 20 +++++++++++++++++++ packages/nats/package.yaml | 2 ++ 4 files changed, 37 insertions(+) create mode 100644 packages/nats/generated-changes/overlay/app-readme.md create mode 100644 packages/nats/generated-changes/overlay/questions.yaml create mode 100644 packages/nats/generated-changes/patch/Chart.yaml.patch create mode 100644 packages/nats/package.yaml diff --git a/packages/nats/generated-changes/overlay/app-readme.md b/packages/nats/generated-changes/overlay/app-readme.md new file mode 100644 index 000000000..b4511f4d5 --- /dev/null +++ b/packages/nats/generated-changes/overlay/app-readme.md @@ -0,0 +1,3 @@ +# NATS Server + + [NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. NATS can secure and simplify design and operation of modern distributed systems. diff --git a/packages/nats/generated-changes/overlay/questions.yaml b/packages/nats/generated-changes/overlay/questions.yaml new file mode 100644 index 000000000..a476e440d --- /dev/null +++ b/packages/nats/generated-changes/overlay/questions.yaml @@ -0,0 +1,12 @@ +questions: +- variable: cluster.enabled + default: false + type: boolean + label: Enable Cluster + group: "Cluster Settings" + show_subquestion_if: "true" + subquestions: + - variable: cluster.replicas + default: 3 + type: int + label: Replicas diff --git a/packages/nats/generated-changes/patch/Chart.yaml.patch b/packages/nats/generated-changes/patch/Chart.yaml.patch new file mode 100644 index 000000000..73917fe03 --- /dev/null +++ b/packages/nats/generated-changes/patch/Chart.yaml.patch @@ -0,0 +1,20 @@ +--- charts-original/Chart.yaml ++++ charts/Chart.yaml +@@ -1,7 +1,6 @@ + apiVersion: v2 + appVersion: 2.6.5 +-description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications +- Technology. ++description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications Technology. + home: http://github.com/nats-io/k8s + icon: https://nats.io/img/nats-icon-color.png + keywords: +@@ -20,3 +19,8 @@ + url: https://github.com/variadico + name: nats + version: 0.10.0 ++kubeVersion: '>=1.16-0' ++annotations: ++ catalog.cattle.io/certified: partner ++ catalog.cattle.io/release-name: nats ++ catalog.cattle.io/display-name: NATS Server diff --git a/packages/nats/package.yaml b/packages/nats/package.yaml new file mode 100644 index 000000000..c022d6ae1 --- /dev/null +++ b/packages/nats/package.yaml @@ -0,0 +1,2 @@ +url: https://github.com/nats-io/k8s/releases/download/v0.10.0/nats-0.10.0.tgz +packageVersion: 00 From 5cab42616260c8e9a829c6c866d2cff6be0e2751 Mon Sep 17 00:00:00 2001 From: Matthew DeVenny Date: Mon, 6 Dec 2021 08:48:50 -0700 Subject: [PATCH 2/2] Add nats chart Signed-off-by: Matthew DeVenny --- assets/nats/nats-0.10.0.tgz | Bin 0 -> 18658 bytes charts/nats/nats/0.10.0/.helmignore | 22 + charts/nats/nats/0.10.0/Chart.yaml | 27 + charts/nats/nats/0.10.0/README.md | 779 ++++++++++++++++++ charts/nats/nats/0.10.0/app-readme.md | 3 + charts/nats/nats/0.10.0/questions.yaml | 12 + charts/nats/nats/0.10.0/templates/NOTES.txt | 26 + .../nats/nats/0.10.0/templates/_helpers.tpl | 131 +++ .../nats/0.10.0/templates/_mem_resolver.yaml | 15 + .../nats/nats/0.10.0/templates/configmap.yaml | 511 ++++++++++++ .../nats/nats/0.10.0/templates/nats-box.yaml | 111 +++ .../nats/0.10.0/templates/networkpolicy.yaml | 80 ++ charts/nats/nats/0.10.0/templates/pdb.yaml | 21 + charts/nats/nats/0.10.0/templates/rbac.yaml | 31 + .../nats/nats/0.10.0/templates/service.yaml | 74 ++ .../nats/0.10.0/templates/serviceMonitor.yaml | 40 + .../nats/0.10.0/templates/statefulset.yaml | 543 ++++++++++++ .../templates/tests/test-request-reply.yaml | 30 + charts/nats/nats/0.10.0/values.yaml | 563 +++++++++++++ index.yaml | 32 + 20 files changed, 3051 insertions(+) create mode 100644 assets/nats/nats-0.10.0.tgz create mode 100644 charts/nats/nats/0.10.0/.helmignore create mode 100644 charts/nats/nats/0.10.0/Chart.yaml create mode 100644 charts/nats/nats/0.10.0/README.md create mode 100644 charts/nats/nats/0.10.0/app-readme.md create mode 100644 charts/nats/nats/0.10.0/questions.yaml create mode 100644 charts/nats/nats/0.10.0/templates/NOTES.txt create mode 100644 charts/nats/nats/0.10.0/templates/_helpers.tpl create mode 100644 charts/nats/nats/0.10.0/templates/_mem_resolver.yaml create mode 100644 charts/nats/nats/0.10.0/templates/configmap.yaml create mode 100644 charts/nats/nats/0.10.0/templates/nats-box.yaml create mode 100644 charts/nats/nats/0.10.0/templates/networkpolicy.yaml create mode 100644 charts/nats/nats/0.10.0/templates/pdb.yaml create mode 100644 charts/nats/nats/0.10.0/templates/rbac.yaml create mode 100644 charts/nats/nats/0.10.0/templates/service.yaml create mode 100644 charts/nats/nats/0.10.0/templates/serviceMonitor.yaml create mode 100644 charts/nats/nats/0.10.0/templates/statefulset.yaml create mode 100644 charts/nats/nats/0.10.0/templates/tests/test-request-reply.yaml create mode 100644 charts/nats/nats/0.10.0/values.yaml diff --git a/assets/nats/nats-0.10.0.tgz b/assets/nats/nats-0.10.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..d3424754745e07360d302a528efa4a4e00502de9 GIT binary patch literal 18658 zcmV)fK&8JQiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwycH1`AI1JCfAFpCRa-M0@$2$3twE9hFeU9z8b{xmCd}uPO z%Y{ftLQD}X0oqp5{O;+!hWEzag(Ja(M9Fs2&OBzXvBIRfR8u|>8Rx+&O_WHwC&@BlOe%D4`P(?2q%@r0>a`D zO`8##;2s=po%W%Rlj|9!6C7g1ur4j;pod~|juS>`)Pw6a55=+lxz>8#+Vld<{Dj0@ zzS@GHaX0~AOk5b!1o#-sR$GL^&tx=)evEMd+aXN@I6|CUW7r{#CuERv@qtbzX+(V0 zbr0Ya`{Rg)bTn;wV=B-Za~}8F?GfSQbkOqYq%9C_6577{fqBFic!)Br*Op&I$H-)) zOZhZv`ZT0TD~?9q6`tPEBw#(Ssk+;Q31$q9NHp@A;79(@yGjSx_W8Si{?u)CpEo<- zc@sn;j!1+PSshOh343sZ!f^Wk*X?=$ij)^94DbXc@GiyII1nGwB+T%1IwJx6&N7HT z4M|jjxGmm7KMg~2jiNd5WIUe+l68g7(B>%rgVT##T+W_YC|MiW{=OzBX(OG}w|KH+Sng4hzFz=Dy9cB;P zG#Zjonn<>)zt68<)4rIWVq+o`G|~*9C-;LU3S$ys4i9-xGV;sQ^h8q-dK&pFwm@+Om zvlU=5iXsw?V3LNMh#Ifc0Zt;!F*5~O%LCo)5t`s**=7$K4UH5XjY5G69g>hlqn1XM zFu)NSgqX>mHWdVjML~FKi$8;yCVUkbg(*$JM-ecLVMG&}auQ*t@Z`w9VyiI06Piq6 zj8P1Xe8OxMF!x217NDRo=%#}n3{l9id?niH!Shb1qY!70 zG8)TinBd=2lHkBaDUXZjk$uwxo}{`j`x>7C<>Mk5B~ffGKnXU(EUR)c*O8p5#K)oz zO(PCBG!26yRs#$YD^6wA5mEy<#t^52koZ7i7$$TA2*e1O6+nEvrNH)};mqnrwmzeD zGQf$Tr=~U_&haGX4A2OXh;cy@pI&2uikReTe0Av)%oBoH54vl1nugftG=T}?{`e3L zaLDXj)r(3HM&qaE+WrtiJmer6oOV} zi6C_<(6S2rvpxbTLc_X>Y zcl~r=h2&gGp3v}+MA*JNMpH3Wd!Br8lMs$~Fbcw485{+cIf&l^6ZK2}vjRWU8;rg9~ z7orK?N&TxGy=V2H(Ov5>Jvn#OB#@;bNc}4a%-%*KcQO$MYcL^^nVEB2wi7j^qmdsn&!Vkyo+;VFKa}O|JC5Fu|stpOX#5fJ>&LkVIjK z1Ncp<38LU{3bgzOw?-`x+L6yg@Dq$UHdu~ugcIUx+?$fUi0aU6idEPgl2C0<5@-gp zOq8B{ue1|ExR01Ko?tYo+#B^=JTQe|hYB@K4W#_j%-7kXjRG-KGSZ*3CUzq~nZ`!2 zTBP>;wy}k$x+vhCF$`CDYS@|-fjAX{!Ziu797gf^njocspG(cbR=>j29waCV=;ZPW zPrV#mWCkt4L!98q$HitwSO{FA0lkl?3Kj~pBV~H8)Iznb*b!@HJ!?2+C31}`JZ;ns zP3`DZ56~MWX!SWw&bqBmSw-hwiIrr! zR^PY!uE_#oea`AyCWQhpRc41Ia{HY2pdBENvI*ALEKBgR8zSW(!sKpze7U9B102#D7=+Zn67yE`qzKfuYH;9U{h#)YLaKT#0*cgy?H13DATSjDicXyT6TmgG<5Y z2iekXNK1g){AP|?^{DGFr-%Kr5;(Wc>~>VW6?m_8oS_i0CqkwW`v<)dq-U6?v6SU_ zLQ^50vN5Gx;vx1#BO(D(9Nxe*#-@P!tYxfsj&$12?N)82&P1b2X)ocS)Uee4%0s62 z4u?Of{$@t2rjm7|#K9My$Jb%~J`3R_k58RIF8(KXf@nqozPkjhgOhEpr23PDUX!D8fNZ$)gvnaTCa8Ze|SpZcuL z5xZiRUbq?4plKEScASP`Q)1MN6LO6>ZYFp{7*D2cuZU?6{`ITqOUmqENEiD@eD}L{ZR05hqRa z#xs8?t#V~Wk~mHXl_d7XCL*VVw*ZZ2pd;`w5Swv=h3+igub7vz70>)~Hm)cQLqVm! zHa&0}OYh4vq|xd-Yetw0m4ieh^R8*&wLSCKYdp16QBdMkzlVODU=)Zs$9RHB#F;{3 zAsj@zLX&2K7V;n4bdyQIV&WOV88)g>r%j343N)o2e}!*)(3O+RLB9u|XoTh4n=y{g zB8E6&Ln1bU9_-K~%KQEp2WhA#V7AXog*%Yio>k!lzROUXUJKIVo3$}%L@ zjwgQiwV_C_UDY0^Ax`vwibl2ZfvGVU!Y-%M_QsS9%*|x3LuNr{%^Wuo^-eN!H_-VKG zT*}kW8Vk(xzMepR%srOsdEMu<97O z1mDiQCK35P#YVc&@U+c6K_{{)#cTz9l=3l6$R}j14Pww!xrq)b)xTrJ*bPmB9>h0+ ze#glK)0Fq1)7q3Hq|N)r6lREvZ#kCscT2SuZ)tJR`VPDm&;DIW{|br=d=osO99yBW zsr=eP#_P4)8sk(u zabbBYp8m6X+R5&Hr(F}@J>=4IhhA_h6akqi_TjpZf*`?+0f`tFA`=}#%B;&n>`~t_ z*gsY#R%x3@Ayb|s82%na27oBwxU!`EuBH92EuT*2EsC0@ky{{#gmLMnlM6HR6wX;D zwTs1R-@wZjyc!`Y^c&lPWCGH0-EL2&O?1ZXX)=}zTSHGs&W|* zFo{OqO16cHwGjTtu~Z9zckhLNa+tZ*xqnA_7h~D$0pJ2lO__u(VaW64BdUr}d)MSsp<-MwKF( zMgamGhjcnoARbJ!QBr%2Ei>yU9Wld3o*^hFKv8h;h;LEC9to_W0>r&pxb zn^MzO?zEn_*6zUkSKv6I6U@grWeVHf+n6R?ZK&A*v^=ce*W(#mh$?cx*6g%?yvq(% zjN}o6<6v!u)~Nn(Xhg(Mmd2vpR@NgM9N`3Ov0SB@5qm2u(3gJ1sSUu8I|bvR!x!6Wl4F5qInl1KJGz#f_XxGrXdm=%%grYKS41*)tZPj znxuRzb{7?xuOv=S=r|P$k)-bcG2)x8C!(Uhw9e}{D^>>(EQG0GBO%|KNHe+YB@n4f zt=f9BS=?3Uhtl7o-s}(a z)Dk5G7x+#T`fe2h9Ad5mq4kJwO~(AS}v- zHOqB@w8Vmh4rJm_EoQP+pH5z%GLky570wx!%i9vbGBsG6n6A6a(#vh@rbK?So7HgidiT97P@eco zfK$CWR@-UM&Yyp5ZEwFlJ39Sm5B_m*ar#fst_~eABl@q#K=i{<=iuU$SuK=tny4^W z6>noBasncxk+xw)?T(UtsfmhIidriNHOI2SiFK0;$P9)3rULIY z5mc<>!-OB6og7vW_aVX$4N1>V4)t$kE!W5H+3g z)atkxb%tSML%B*$5Bpi{yjag~6EY%^6GkKW84lEI?ZZHEe4J2DeHvEDAuDjC9MGVI z#k@r7Y45ZaB&$$dfgKus$4$7siHw$FmU7r+mgmf2BN!2<3dpL8FO$wHrOC*-m5Ak^ z2PfyFG(>2;j48|dyArJd$<2!}2xUNI4)2gQ%7Kte;YQzk-jh=L^n@7~6u4<>f6 z3|(;o8sbVraHd`EN0kNCQNSwD3cQ1Mj;2PZz2^|^-f4t5eH@<|c4TwXLVc}82ipWARp792;5tNZ7r~=0DH?>abRS! zt8^fQPv#h`myH<;A|?$s`diz(`hn?oRkJ#SGB17V%h=)@^(zGe{doRYxkR}r(q-(8mD472x`+=iC;Nz8j zm?V<*q?myQG|ljmG7OEJGrXQw73G(J`soBm%DM$Y&?HT7Jij!E&e4|N#8#@gDNmzy4^V-#I6 zeO$!Mf&cnz@#Syz6!`z;7>6-VSc}IGmkOeW|3BY&(Jk=*jm`DVNB;jUp3k4#-+Q~a zv361C4{XY`P~P|LFJI*P2~@zYT4id5HM39hplnN}l9Hi<8H39XHozZ3n~QvSzApbH zlYTlJl3QprGhkw!iod;btJ&H%g&j_6KHA1inVAI^!X{)Hq$iR-y`L8Eu!E=OzDz^O zG1v^(+}ouQj1v;^AvFG*HUFD63eZ%$%M8J+zdbo`wp9R}%EBaJi)m!eyd$OpTL#l? zHYt&L)|`?>8Z-Oil3M+((38S6K$iDetLP7XU4)(qM{92F0ZjCPmka3Tpn$`*?rdfZ`R6w z_K&x=cb~P`wciqp@M*rIuB`P8o)~f#_2$bgEUbUC{$kaVboA$W%P0PG`+F^^pv`Xu+x=Qm`5Gr=XnU)EsfyW`nbo$U;0=oNl`l~gTuxBz0?Eo%(Iic-@v(Jv zF-sxw{xZ%!D2P?XE1>F-bOX#rs0$FzH>c)&wt`~8B@-f}^lg4g6(*;wf3Y+~SMeIx zP~FNZ=k^+gC)YUHR_R~S)~2Aecc^kj=J+CJ&P!bMuLOL&AU5ajx%J60-P{F%A~9#Q;dXaG{Tm5#$;{= zcZ=h3s51s85=aA{LO^_Og3>IPi4h;SIBoGURD$>0SyD4XbrZ}I* zc%MOo@q|R92DB9Ndcuf8Vt3bXTe>l@5X?sI7JjNr{{c!Scve*}zaa~h{%pnVfu5rN zKf#kr>qmZ|gpf7*f9H9pQ_%l6U#xW>_5W}26r^SudgfRn^=JHhzJ#42GIFS)q9UYX z)oeENseHTM6^VkLKBw{q#oh#S6d;az_C!O zrJ22%twVnK;u$;*5;C-+2Y)mz3u(O~A!e;T%%PDh)sRwSfFlmiXAAa!_V^dpzYSw~ z$YiiJ`Cr%8Ivd6H-+A=^e4FR4>vgu4_2o;`=8SV9h^svcjwvC(yd~qwwGmo##vc&r zg|*?XQJdzi2Y={@qT~G?nPLjq7$q`@k&g>`=uBX`$v7Bj5x>#CMoBwKBk90V3BF?z zROb$>2#2x(YBqAZIwGwyR!Y8;fl%a6T0R z>a%QPki{;=cZRuBp^>R|4QRA6_mu-rD4wjXbIvwOGGu0kIc zb2x0$GIyVzNwj5x{z?NU%`#b9fSKhMgts7mwuA6l$Bx#K!RAHOlvuomYcMWzQ6vi`j8I@KBZRP3iS zOY86mtPN0=)(JA_G+nH*Y>Q4>!E)DSZ1bfIYMzaO3!#{N&_P3xQSKMZqm|15nCs~R zwTn3lp<)&;3v=cmSH76Zzntz*e&_rfaj7@&PETvfEeLNx{6ya@gVHgHKm4%n&d=OF zC28U8Q>q9&5%1@3Ri(|!R++z9iDHdBkea>90M74K&lg{YvXj{%tgP{fUJAwWQYEHv zmR+$%HB-&CiTta}8=2^^2uEi?ECUhCR8)&iI>chlT(-oSQ@m=9TTA*kndYz3FoZXl zjZIvnK({Z`GJKtBZk#gtnf`oD<*lfo$9x%OCi%3{+)NjvX3Q^EW_9)Ugt_dk#5QwF zxDMCFm}edI3Lc?9Ey*U_T6JQrEV&%BaKPW0Uzk4UlGtQe*(D}fAf`2)+i(w3TZ)>5cLgAbb(kc3@ z{=b$J zq5S|wK^{hyH7WNxeIIU7 zxnWPjg{ERPBvt^WwkCIaEDY_QOQiy$llaN4#)1g&e8ZnV z!xIJPNXLFj-@n`1lib3Vcbg#1Dq?r@8UBE#1Ef1)wOK#IS10>{vm%eVp zSy+?qF?#4`&8y|4Q}yE4dWp*{SiK9^YT)(q%$~^)xx751k+Actq`?|2^U9-Ar%f8j zIh{jg>7XDQ)K{og$86nus$-RK9#9>thX3&DSamyJNgewOi>ZbV74m_By_|U9)|xLJ zm=vqa2?q}R#btw)Z2hZTj$@pdD|2k7*J^>TKqs4L)}0BJOgPUCV1_xV8efoV`vM!|I;py!+o_n?iryR$$W@%mEU*Lgq0)kUB=#P!{vcZcg<+-U%a zcb8eNtb5@slMuOZC+PMbAamEB8VK^`WneBvy*u>c6{D6fpb5SVQvd2Qu$Pb4HR1?s zHtA8l>#0(jwLz z^Oe?uem7gYdw{m`D&0(lZrPU1tDNW*77Ud~(LevW;)&bR7xGEuJX}T7g zH~9=+j{c(F>$c|DRzBB+I#eykV&wE)R^nDp!Mf8*tisCXZ_9OXsjzO-w#~i?Z+73j zJ$Y|GWNL@W%jS$^9=J_yS1|v~REcWP9HwE|C{Ep3G{{|B}h1{R2}qO`paTv_3<)i&YWAJf|t!g zA)DZNf;vf5i;x!|T^n;IL(p0Q$;G?m2UqZ_%Rr}96?L3EtEJL;vC90aR{Um=V-Dx9 zwHxJENFhmS2FHB3jCK0b0s~$S+FjYj*~wvvTg)E9qF$ZNkF%4*r+U+THgDI=7KF18 zOD57bpGw@u$>CgLIMsVptwbu}R<4q&<+L1FnFrcbsb)(mRWvj-@P=0yv>Fz*1UFlF z^Dg&8=BjqPUg6uT?%vnzg?>|TD1NSTCw`vkOx$pMiHq7{7AKs_TV5_x4h1X+0@kQ_n&VNZ7IR9sot3BlLzq<3kFS@1kzZ=ij zI*;f7zQyyoHW^{@gdmDz*0#q4cd{$DmOm#rptturBxue6FVM*Sj{-wk?lsgZ-V5dy zpOtN>s$SuYSOqI(F_xE|WEa48<<&4*PGTq~I9`%ah8Jj9&X@w^slW6H%%PyY=Bg-} z&m*6$l&9MdbIn+@5pXXd%WOu@)iybxI=9Xho>t}asspR6nM$Bno3KejQ6IlncwweQ zrF3RznzzKKw%bP*$nMAEbsIpb}VlLNMn7gj)Gnf|d+njsZS0?GW7jG@!*fkB) z31)N7cZrrOL!+9r?!i+}c4=Pz%~3IOq@s~RNYzr5DthskF{(E+#-2AH>pM4DQ_*Yj zPUgXsJ5uUG;odFBj9j>o%gYb8JJ$7tD&C5i6)oMDm=pb%np-v-uLY8uGA`TH_m)-6 z3YGiKwPhLv&BbLEm9l%y=GaY5;h7Y#pt%dG4vtB7vi7u5@fRL{2Q?*CleF}#n(22b?JT6 zFTL{PlFLoA#|ppO_s~vR(w6rMv}Kx#wvS{jnF5_-27muMq;Y^aZWg}Gqi(q)O=xgL z!ba{*bD00#4)Aq5N<*iZV(D-6HFR#1%g^r_dm*UXk&e}!ftAzl-ZQD}Fw4AVF!SVO z?)&LsAI_CP0E!;4ME#ofm!0WL@5Qr-Jb!{#(f!eO^B?mR?LWD+h~Fmv+s5;a=LP%E z^GU0__(X|Qs;w<_1uK5$&>#t-uh`c{3h?w#^rut6R+`U-f+=;chZkcs# zZmWZ{o#Pxhn(_fn)!mjh>XK7^Gm|;)uP-#8+0=%~N|kTybo;na@cE(ze^|8Oix)3m zELL!1QHYy01=amxP;~{E-CFNHL%JKY%!~QOm|f?UE5CGB*4bd4?5yyt#u8~S?#j7_DKP-2MwO6d*zpE?9NlZcG_26 zJXaQj`Xl|4#`HTbU^YZ=cOTKiharH)!1Iuz17TgLdFpyI?e`4QWjAC+|o2+Ib zz7t~dO7ouA1Qe6Kgr+g;!M_@fU%i5ZvMFO7gaUkxlYuNW!o2b8J#l_XIXfPDPJI6S=$}~ZDe!+y@Q2+3YWV;9 z`itWI-;ejdeygXBfB$tQ_>$;sm_-(ECrcF~`08yNWjL8~UK_JllI;tDn|V2VIe}Vt zTifXOk9%-LBU~l~r!fubX!_coW^vzWf!>YK$yKNb%h{;tn>FWtUg%i5@mAZ<9xQ%J zym;I!j*qo{O1 zLCl)hACiJuYjPes%{~8`%}vxrDo%4h+_SlA%G&lYPl(T)_N>R?tF&j+thp_2d_{tq zEJbd6n_r>5&vlmqSc?D7-N`G{>3_xL|7UN#e~G7B{?nHhJ&+h!Bmb>!c3u?YKf0aA z`@g=)Q`Z0Styq4}jRvI;g-PP9L06KT*o&`PK20!{mz=kY@}&l{(4~MSIkUhRW+524 zs$oewU9R%yT#|?71l@UDaaQx8<4G$D%Jaq8MIh$Aay8z#g~g~@Eu*4DT{>KI_gzLwpD1Ff%6Dm=`3Z{g zY5quY?&U&=RDj80Ga~{3MbjSeB*lyPH}2=#__NvgouA_V&k@JNG-Q}RoDFFH{=c!l zu~EAJb7SLi|Nkb>{L{UCJstXgWmj&6ioi0w?{5yOg!R=-LJz~5N))NQrYbu{TyfQs z`B)|QW9JLO#>XT|yMd9d$!mU|xPd!5@Z0Io2D_u~YkV4Fsa zCx}Em*T{?_z0w+70_tZclluhS_OI{_xHk5zWE1pv#eq#>XZkwTRGCUR+2XnxS*(wGN*@)-xpgYSEG18<3xdyuaMp7TcP@6Pg|#$kmd>Tc|9nJhMW~07ptcwj;sYNe4mTKR6iy*!SPD?u z&Sw(A0*Sy!42yC%DB{4W1v4b0G{Hbq4mSc6VMwW4x@e@}@JB=ZRTe0B_s zj6^2{)lnRWQ^-k+D_V^arL&I7871hFV8&4*q#XG*rh)B%5L}NFDu(PRGp9?p)9CMg_c^5WDvfPjfwmn<5(ACkW=wn`Z4)N#L}J{v>}fhDgzoK`Sa>2Ck>=yAT z3+0=0%HKET+#FC9;jQx%hAy6T&S|wi?_70Ot>)ZBSawd8bn#g#Dga9d3RDNBuRAD;D3cTX<2cFuQCPWSuO-OBq0^nS2qWKA9CGk1n(R{x3_UTsr% ztN6(@&fin-)?y`Rsp;N9|MKU{(mYlNMC32hGuhUwOQ{`t{K+0 zxua>(ZZ3Pz=JG!BuivZsv9rTejkUa*u^MBE#m5_-^LG}|o$1QYu6(Q$jqW!}#p?|h zbMw~`-PFAo=1cg$D?6~HCwlhC%t1iA!goj_!;_|qcCR-5czpu!`V`{zNyrz1QH#g2 zsmSk?jQpPI$mdMJ8rSth_pr)^UDG{LCk@o0jzXv*AAep^#Glm;pu+pZqD?0 z*L2j@dw{N1I>8^hqqCghHT^Wz7VYM|e$Kq&|6zMt_LJB2vFc*{WjD7uPID+R^Lpob zvCdLXbf|Zv!%{x%+4QqF!&Ex4p?(RJX2L^YRbHWYz;7WTX9W()HI6W2?GuawBL0Fn zp##hSjSz_#mlh1?RJ2zf-%!Ii78PCnZp?YShYR=D=;J8)cU4wb9ox8rLo~H+m2Sr= zp>KV)A2;o{#PsGbfRjUQ>G=`z-xL_9an2D%BZz4L^73>-BcO@$-as0U5)|NS%2(YR zlnA*nuD>;C1uj5rzR`I8bQG##iA60}29ZM!V$+0v2K%E1MZ%C4e$WKul63 zr#2uJG%?@##i_bDz7m>CB2HnHQP2QYksV6*ax=KMitq}*XI`4r(6=Tv%3qp(#Y@Mg z3QZRN6b6%@a`pygHH}FCfB(C_l1Wl=Ss!6zrq6RhA87F@`b4*LmdX;tG(xu~FW zv04~QEmm7=p~dQ?XSm;DoeAh`E>_!U{bEJQC>O^dW^nY$eUZ?VQwoE< zwz|e}Od0P9aW4}C>q0{oaQNp||8;h@+d}nNFJOv(n!B!N!DC9#zS`V4u;;jr@Qr)cOWB0K z{oGj6D!;fdU`9%(d)&yrTtl#E7KO!}w+k$ovTG$11zLCi!`h3&{hw={ z&SU=XZ}U{<{ywHbMY^X(9j7l(o5p>zI+YlGV~oQ|i;df3O0OC{5bfD4O2u&R8CU6R z&52DT6cE%de4Tw6{LgRurw%tzVqvkoHWdtOu00LCX>Hv-@)2H?M33xmT&l9@I>0@f09ECzk2Fo4UQ6Sl-MJDjg$Xq&irj2$^TnoVUbZp z6Z|#WsNw&e&9&nF&ui-&kM}=+lV=5v5$8BjmjJ6dAoB#lASGcyq7lT%zd|F-THcBZ z+GS}h^?6`p9ELCo=|H9aA<<|R5*#8KoaJ)MufNJzY2Y?HTaaY<-g{|c+?jE zn4j!AYG;53$iGTs8BNT*?_2C9_P%co(3SUni%(+j`~T~$z&T0?O&RR(>@u$vC-fus zxz{2AMr~Ctp&z~0HS=kJ+y6#mVdXjuQVUrnyNB*^a zwEZeW*^m68K>3*lI7STUHBR7P>mB3T3{f;n(FlX=&;&d3d?Lnn!unI`I{BbbCsy4pHqC6ltK`b8NB$>i7(TECo z4rL{=$#4n*W@Hq}cPa`~y0nKdp@HC$0bx8LgOuaI5V+-eD=Tn%_b71ql?#2n)$Mu!vE#bfA0APDoM46{ zZW>&HLoy+pl>v+G3PY4m1~?HE(;jUQyUQfzSzty$m@noC4nP|ArNdj7KEXU8nDt=2 z<4Kr5(;JweXbMbwli8T2VE{2=3icmR^t?qnSavfFD7P00r{L< z6D|`L#3UN++YH^RIZZo;xtRG9vrzWeq>H`X&K&hUFfaS*fcXiD3$M3n#1k4Gk_cxn zkI_`jan&NgO+q-{!6*pxrBt7s7XlysGei@-lloUXdfW~6N0#_33sJa1giFRyjx-RT zaTEX=a-5h{2yW1WOd_Ck5gd56XNRA6oM}QwBNB}~@B1Ul@%KI0m#HWs$|1pmd*LWh zXP=bm7q|cjf`Q>dIueUJPH2!yOo5Te$Eu_lX~N-#grUp=L59Rf5f8=Ml>sLioAhz3 zJWoS~m>N*omZqviz)+ZuIGLDVnq<34LX#7$yesO9=t|W$ONP_KzL-ry;;9@0&wEc( z$&H323Sc7UGmT(OZv<&nO~H(KLQ_E{Hl~zIr~-%`NW^=dVJ-pn&9Q3QcAVbr+_AvGBWSkbEmZv+)dG^BT-OV;p8E@Hqz z&(KM~Q+F0f1Z@WVENAn&w-6_oVww0%`gYZ-}YEKz9^Dyj(iL?PM|yj*BbDD1u1 zSX*n@7y~Cvv*!dJi`_yykehWF1v;1s;s&xj^sD|1_{~%Juq6(ttFEU6ap8o!wLW zhl+IkS)T!Cp0}?vKhYr!C?988fRu+yWkfPZ?u4){#3TX3vQQLxq%!r8;iB>^FsCp= z@<_3i3skZw5}UKcUZI+swrGs5#a>O*(HKr%Zf)xe>CW5G{&E~%0CiY9;+yIaj>PLUvD-?f}6Po6@Hoazml^(w_%IvRx%7ey8;xfEJ# zX$^;o zkUd-VbV4sPcT8H+0Ui^{x@Eeo0SblGl)zJ!O{y%gJyU= zxP38mxqc!8O0b#1o({1UazHUJ+Kp5W3Rq>6PFAg&)+z@YlC!Pl6%(2D3i$`*;=Pb_ zvMM>7;1mJ;=2ZDj>K~%)kcJ_>5tMgV#xR@7&eXg6ZQoAQ`FlYEJVa^8AO0F|x5dBg zh25^8^%bt>c4@HiCET?`B`4ddo9A4|*J}ou%%?H# zWt*dl^lL&LHMK>pXm=n_2gxKCXdb)kA#k07Wl!~Kdgv+_A3Q5W40dsOm zxxk#)RT-@2Lfou|xLJT`vric@anHQ)wt%IvSn67!(Mx_v6S3(GrXa7*larWg&B%gl zRTvx4fTlc?M6^v+E}ek-sWsOwt;N|s*h!?{fMHvZ`lxo}Pp0NXXj8nF1OKR-EvB1!jy9dwq)S?K zPC={CpR0A}3ccB^zpa#yRqxeyCx1&sqm99*0V0o1wPp=WH6`KuwyX(sds*@f3{TjGsu>{v;;S9oeIh4PYQBj|}aK~3Ou-=cIA3N=jH@tn_wMlc@83Q@Myf5QqjgQWnee|*r zO!XBBG3XfD#RN^rZW>VpEzJoK%R$5J*}%KJj42*QKH(m$?GaVUiRP`Z)!ifJcOjum z586U9Z0A2a@x(bTCsQO8YmLB!`8%Qa&P68$6VQlU+EA!%M`7FZVzkaUIbj*`dQT{|sJu=TZ6L9-}gf*Xl+@My_xn%t$kj)dY2( z%(+CLEj#3QYVlLN9f+~f3cB9ZEN7WICstDCWd4>;IEE7iCEIpm$>p+lADtT6(76Pi z33y0pHi4wFdg2HH(hHy$^cEAsi7axx)>>P2?}LcwjWo<68Ggx|BvJ*fKtYGL+bwB> z%QhCm)cz!!fl*2VY3I_4(g<@P+-6Y4LCg4KS71BAhznu#h9*}6RAAGeaSB%|O@&HQ z!&=_tDj*4DX&d-pk#eUv2HZc(wV<`|Y>ykAMDfc+@|5zw-+I z@cw|87RvVd$?F$;uU?+KJKKJ_ezd#wa_`-XUyhG7TT`HRi|`J2t1_x+2_t&6uiFMeJ-Iyt-8 zdh_=AFNYsq@9*rLUA*7@W&6Y4=Fan@2cwI(0!Q>lFD0?Wt!qh$q>i|x!m>Se(A|{! z>7d`0Q(5Mo(KVsjRH?M|3t0dM#MUYnfTj^-n&z^=W>>xRX~fbAPV5WCH5oLsb_I)s zCd$BlWKHo-am*up%U5B9Bcb5o%-Uy}p1xE=@s*-acqo2rBcVK&!;J3te(TMl`SLRk zC-$sP%azjg9ivQ$4RmPGP&RkMY}AVAibYZ18QE;Isa3n=jA_cK$fm_y44zeZl^5>y zThFMnJ;2k04*q3}yd?*(&%5u);r79Ju;+{4;fJ05?$PP)=HbO=^5K^&GJMy<(}UlG zy({r~=Om<`PQu;J#o5Wx>6zbs*FF1m)_HYyaUTABaTdHg+c`k*&bsf;KAj((oCQZ0 zuY!xyvx8R`XTkpYCx7i?H+Z>EZV0+~)!F|@Z;w8{nI3%_eR{KVwRX6D5c}(IL_5dt zI^o5e@YP;F3=U4i`25}ZyYBhU!H53U!NJ+pn@{gPet6yQbWbm?_{r(j`)-Sewgzg(P;cTTtW+5Tj6Jh(U$a1T$X`)oft>b@uY&-br>-07dcpPrq4 zczxap-(H00FVA<*&)$UL>vvaS|J|pf?W3#s@bvr$^}Da$o_st%Jn3$APCp(UUIB;* zclUfe**m#9xp;RTe7M*>dL#NYn7r!v)BWd)yf4H3kCY77UxxnVRcEliFUY+1;g^F? z=;Ft8|0A6af9bUF`sn(gx!v7=`6-$V&ccuQ^zvqKcoKHe)%E87-pl@aGPq^WC!ao@ zUJutlg}=Ys-?-U%eZKp{-u2*z--oBaJU`vPq5gI_eEa(mI$FP4-+m`1K;8zSr$PUH z-%}FKB{Cw;U0IFinF)6ps{}GV`0V}v?h5XH)3U=a&OaUOy*p!{&UQC{d3Sp9^5Saz z^J(XY^|RC9!^PS8@w=;o_eVP)(CJzCy#LDYo}O*K>z}pTx!UZXp9e2b z&wg0D*u6#lPPlv0J^$t6?EL+^Zv6An*}Jt(`*HkXd;j_2=`P!!gxufzaVp`c@*)2D<+UFP zSgKC27P1d}M`M2?;dlJ#JUrY!_&8YGOih`=-ud_g5inoqqfmZByg-QZ7@x-myy-uXjZ~yS(0C9DN+DpQnMKXY?WTBT;{Yy#09a>Ti)*DfyJewgeH@X+6W*S%%88~#2Tz4p8Q zhtutwvv~LLeCvJGznUD!8;9)OTNb|@t$JV77P22@9N$J=V8 ztJ}=%d{sv{Odx?h$Dv;Qb*zFL_p=JZ3LL#X-R;5Fg*j0&NO>0OB{tm%;{XT7;FAD} zh6!rj)1G)IYvSX+{8cZ~>!VPHE;ffWxj{*wPHhkl zF=dSClN^|FGzbYBs{k7v1SapKi)@%OGjX_40BNi)=N@Cnz2aE@;*^b*xsT&X-r|>< zNV+WdrOb!Z+yd`k@b)$Qs%mrUMpmost5mC@d#X>*n}!iz~tYZ9(=svkj4Qrfk?{(={^LIwZ(zR1J|5#6p8^~&xN&H zp>dkIhn#~zDZ`FkT?Q8#8B(QnFB8_x6+w2LpD|?6WMIb^n#w^2t#-uxc65cOtgY@% zc>T70(C@ajQCy$aJEG9nmUMLiV_-vf-Vo+Hj>ebt*7LR?B%?9E!SWQ0dlrh1RWZ>I z6@V_m%3vQ(Lc$4VCJj9VI1cGlbTOnlp}mp5RBZN;B<5;Mov3(%-Y>kfW|pH_nC~^6&IhIzGleg6CZa06wZ-0yBrlyRbMz`zSWOol=xrS_ z7zZY2ulSuc=5*O)VXp6TY^y7uimiFK{u+VaoDq1VF5<9WGuwTAgf6bFI-^(0=PaGg z?twf_?IB4d?!~^d0_bYhZDj@eG4{!Ds!k%BvpM=WqSIaLbjr>r>Ig*VKu>lViT>7V zwH)Hn0JgOOjLk4g)u&)OWZ zD`umzaWket)3Uj?$s{gc;alGJDl(A|nLbU`?Q}Xq1x%wYb|%9&+&4!wI-!)iM_6RP zw}wL!5kB?2f6T$tr;(3i&I$qKh%qvXB-RlPaC-%5XiXFaO%!p`G;jXtdB4fLS-ZD! zf*BK}{|zQ7<3+2s@6#mECo80WtpmbsT&{*FLj!4mx18T#Bd2y`WP9Hq;~))5G}@PG zvh?fSTkNOmxP{tf1)RP*QV zlsuitFn30&W!PXAPP`x|q}O65;G4Fd8BHOSHmN#~+IGT||Cx1OuHRhT@)e$Tp$84Q zLb{Dr^=i$&T5C7~cxZy*?KMt_Oxm%HBJjsDv$okcjTY$i*qSQ^dN~8|1PfRKSPvRH z^_A0_Ol$?mX&8#lEy3;}+Uqy;m!4-Y^_ZUE5n();Do9&Fz+}vcIVsWSh~r@z_OTo4 zY$CDCfWf^nBoBOM{x^A?3B_?U!6=yEuaX0>F8}9?wPOCiwav}WWB$Ky@f7m^!D9lz z|A+*D3y;5C|8hT(7rosl&HK!!ZvC&nSSzgm_3qkZ{`YV4*r6Bu(lttm5WafF{97Iv zAs};WDv#NK(hy4lRLaOb*i{OzKBeISjFigNFy}V(K{M&PV`F-A$Mk=1.16-0' +maintainers: +- email: wally@nats.io + name: Waldemar Quevedo + url: https://github.com/wallyqs +- email: colin@nats.io + name: Colin Sullivan + url: https://github.com/ColinSullivan1 +- email: jaime@nats.io + name: Jaime Piña + url: https://github.com/variadico +name: nats +version: 0.10.0 diff --git a/charts/nats/nats/0.10.0/README.md b/charts/nats/nats/0.10.0/README.md new file mode 100644 index 000000000..05d05e5cc --- /dev/null +++ b/charts/nats/nats/0.10.0/README.md @@ -0,0 +1,779 @@ +# NATS Server + +[NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. NATS can secure and simplify design and operation of modern distributed systems. + +## TL;DR; + +```console +helm repo add nats https://nats-io.github.io/k8s/helm/charts/ +helm install my-nats nats/nats +``` + +## Configuration + +### Server Image + +```yaml +nats: + image: nats:2.1.7-alpine3.11 + pullPolicy: IfNotPresent +``` + +### Limits + +```yaml +nats: + # The number of connect attempts against discovered routes. + connectRetries: 30 + + # How many seconds should pass before sending a PING + # to a client that has no activity. + pingInterval: + + # Server settings. + limits: + maxConnections: + maxSubscriptions: + maxControlLine: + maxPayload: + + writeDeadline: + maxPending: + maxPings: + lameDuckDuration: + + # Number of seconds to wait for client connections to end after the pod termination is requested + terminationGracePeriodSeconds: 60 +``` + +### Logging + +*Note*: It is not recommended to enable trace or debug in production since enabling it will significantly degrade performance. + +```yaml +nats: + logging: + debug: + trace: + logtime: + connectErrorReports: + reconnectErrorReports: +``` + +### TLS setup for client connections + +You can find more on how to setup and trouble shoot TLS connnections at: +https://docs.nats.io/nats-server/configuration/securing_nats/tls + +```yaml +nats: + tls: + secret: + name: nats-client-tls + ca: "ca.crt" + cert: "tls.crt" + key: "tls.key" +``` + +## Clustering + +If clustering is enabled, then a 3-node cluster will be setup. More info at: +https://docs.nats.io/nats-server/configuration/clustering#nats-server-clustering + +```yaml +cluster: + enabled: true + replicas: 3 + + tls: + secret: + name: nats-server-tls + ca: "ca.crt" + cert: "tls.crt" + key: "tls.key" +``` + +Example: + +```sh +$ helm install nats nats/nats --set cluster.enabled=true +``` + +## Leafnodes + +Leafnode connections to extend a cluster. More info at: +https://docs.nats.io/nats-server/configuration/leafnodes + +```yaml +leafnodes: + enabled: true + remotes: + - url: "tls://connect.ngs.global:7422" + # credentials: + # secret: + # name: leafnode-creds + # key: TA.creds + # tls: + # secret: + # name: nats-leafnode-tls + # ca: "ca.crt" + # cert: "tls.crt" + # key: "tls.key" + + ####################### + # # + # TLS Configuration # + # # + ####################### + # + # # You can find more on how to setup and trouble shoot TLS connnections at: + # + # # https://docs.nats.io/nats-server/configuration/securing_nats/tls + # + tls: + secret: + name: nats-client-tls + ca: "ca.crt" + cert: "tls.crt" + key: "tls.key" +``` + +## Setting up External Access + +### Using HostPorts + +In case of both external access and advertisements being enabled, an +initializer container will be used to gather the public ips. This +container will required to have enough RBAC policy to be able to make a +look up of the public ip of the node where it is running. + +For example, to setup external access for a cluster and advertise the public ip to clients: + +```yaml +nats: + # Toggle whether to enable external access. + # This binds a host port for clients, gateways and leafnodes. + externalAccess: true + + # Toggle to disable client advertisements (connect_urls), + # in case of running behind a load balancer (which is not recommended) + # it might be required to disable advertisements. + advertise: true + + # In case both external access and advertise are enabled + # then a service account would be required to be able to + # gather the public ip from a node. + serviceAccount: "nats-server" +``` + +Where the service account named `nats-server` has the following RBAC policy for example: + +```yaml +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nats-server + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nats-server +rules: +- apiGroups: [""] + resources: + - nodes + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nats-server-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nats-server +subjects: +- kind: ServiceAccount + name: nats-server + namespace: default +``` + +The container image of the initializer can be customized via: + +```yaml +bootconfig: + image: natsio/nats-boot-config:latest + pullPolicy: IfNotPresent +``` + +### Using LoadBalancers + +In case of using a load balancer for external access, it is recommended to disable no advertise +so that internal ips from the NATS Servers are not advertised to the clients connecting through +the load balancer. + +```yaml +nats: + image: nats:alpine + +cluster: + enabled: true + noAdvertise: true + +leafnodes: + enabled: true + noAdvertise: true + +natsbox: + enabled: true +``` + +Then could use an L4 enabled load balancer to connect to NATS, for example: + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: nats-lb +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: nats + ports: + - protocol: TCP + port: 4222 + targetPort: 4222 + name: nats + - protocol: TCP + port: 7422 + targetPort: 7422 + name: leafnodes + - protocol: TCP + port: 7522 + targetPort: 7522 + name: gateways +``` + +## Gateways + +A super cluster can be formed by pointing to remote gateways. +You can find more about gateways in the NATS documentation: +https://docs.nats.io/nats-server/configuration/gateways + +```yaml +gateway: + enabled: false + name: 'default' + + ############################# + # # + # List of remote gateways # + # # + ############################# + # gateways: + # - name: other + # url: nats://my-gateway-url:7522 + + ####################### + # # + # TLS Configuration # + # # + ####################### + # + # # You can find more on how to setup and trouble shoot TLS connnections at: + # + # # https://docs.nats.io/nats-server/configuration/securing_nats/tls + # + # tls: + # secret: + # name: nats-client-tls + # ca: "ca.crt" + # cert: "tls.crt" + # key: "tls.key" +``` + +## Auth setup + +### Auth with a Memory Resolver + +```yaml +auth: + enabled: true + + # Reference to the Operator JWT. + operatorjwt: + configMap: + name: operator-jwt + key: KO.jwt + + # Public key of the System Account + systemAccount: + + resolver: + ############################ + # # + # Memory resolver settings # + # # + ############################## + type: memory + + # + # Use a configmap reference which will be mounted + # into the container. + # + configMap: + name: nats-accounts + key: resolver.conf +``` + +### Auth using an Account Server Resolver + +```yaml +auth: + enabled: true + + # Reference to the Operator JWT. + operatorjwt: + configMap: + name: operator-jwt + key: KO.jwt + + # Public key of the System Account + systemAccount: + + resolver: + ########################## + # # + # URL resolver settings # + # # + ########################## + type: URL + url: "http://nats-account-server:9090/jwt/v1/accounts/" +``` + +## JetStream + +### Setting up Memory and File Storage + +```yaml +nats: + image: nats:alpine + + jetstream: + enabled: true + + memStorage: + enabled: true + size: 2Gi + + fileStorage: + enabled: true + size: 1Gi + storageDirectory: /data/ + storageClassName: default +``` + +### Using with an existing PersistentVolumeClaim + +For example, given the following `PersistentVolumeClaim`: + +```yaml +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: nats-js-disk + annotations: + volume.beta.kubernetes.io/storage-class: "default" +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi +``` + +You can start JetStream so that one pod is bounded to it: + +```yaml +nats: + image: nats:alpine + + jetstream: + enabled: true + + fileStorage: + enabled: true + storageDirectory: /data/ + existingClaim: nats-js-disk + claimStorageSize: 3Gi +``` + +### Clustering example + +```yaml + +nats: + image: nats:alpine + + jetstream: + enabled: true + + memStorage: + enabled: true + size: "2Gi" + + fileStorage: + enabled: true + size: "1Gi" + storageDirectory: /data/ + storageClassName: default + +cluster: + enabled: true + # Cluster name is required, by default will be release name. + # name: "nats" + replicas: 3 +``` + +### Basic Authentication and JetStream + +```yaml +nats: + image: nats:alpine + + jetstream: + enabled: true + + memStorage: + enabled: true + size: "2Gi" + + fileStorage: + enabled: true + size: "8Gi" + storageDirectory: /data/ + storageClassName: gp2 + +cluster: + enabled: true + # Can set a custom cluster name + # name: "nats" + replicas: 3 + +auth: + enabled: true + + systemAccount: sys + + basic: + accounts: + sys: + users: + - user: sys + pass: sys + js: + jetstream: true + users: + - user: foo +``` + +### NATS Resolver setup example + +As of NATS v2.2, the server now has a built-in NATS resolver of accounts. +The following is an example guide of how to get it configured. + +```sh +# Create a working directory to keep the creds. +mkdir nats-creds +cd nats-creds + +# This just creates some accounts for you to get started. +curl -fSl https://nats-io.github.io/k8s/setup/nsc-setup.sh | sh +source .nsc.env + +# You should have some accounts now, at least the following. +nsc list accounts ++-------------------------------------------------------------------+ +| Accounts | ++--------+----------------------------------------------------------+ +| Name | Public Key | ++--------+----------------------------------------------------------+ +| A | ABJ4OIKBBFCNXZDP25C7EWXCXOVCYYAGBEHFAG7F5XYCOYPHZLNSJYDF | +| B | ACVRK7GFBRQUCB3NEABGQ7XPNED2BSPT27GOX5QBDYW2NOFMQKK755DJ | +| SYS | ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N | ++--------+----------------------------------------------------------+ + +# Now create an account with JetStream support +export account=JS1 +nsc add account --name $account +nsc edit account --name $account --js-disk-storage -1 --js-consumer -1 --js-streams -1 +nsc add user -a $account js-user +``` + +Next, generate the NATS resolver config. This will be used to fill in the values of the YAML in the Helm template. +For example the result of generating this: + +```sh +nsc generate config --sys-account SYS --nats-resolver + +# Operator named KO +operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDRlozRlE0WURNTUc1Q1UzU0FUWVlHWUdQUDJaQU1QUzVNRUdNWFdWTUJFWUdIVzc2WEdBIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJLTyIsInN1YiI6Ik9DSVYyUUZKV0lOWlVBVDVUMllKQklSQzNCNkpLTVNaS1FORjVLR1A0TjNLWjRGRkRWQVdZWENMIiwibmF0cyI6eyJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.e3gvJ-C1IBznmbUljeT_wbLRl1akv5IGBS3rbxs6mzzTvf3zlqQI4wDKVE8Gvb8qfTX6TIwocClfOqNaN3k3CQ + +# System Account named SYS +system_account: ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N + +resolver_preload: { + ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDR0tWVzJGQUszUE5XQTRBWkhHT083UTdZWUVPQkJYNDZaTU1VSFc1TU5QSUFVSFE0RVRRIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJTWVMiLCJzdWIiOiJBREdGSDROWVY1Vjc1U1ZNNURZU1c1QVdPRDdIMk5SVVdBTU82WExaS0lER1VXWUVYQ1pHNUQ2TiIsIm5hdHMiOnsibGltaXRzIjp7InN1YnMiOi0xLCJkYXRhIjotMSwicGF5bG9hZCI6LTEsImltcG9ydHMiOi0xLCJleHBvcnRzIjotMSwid2lsZGNhcmRzIjp0cnVlLCJjb25uIjotMSwibGVhZiI6LTF9LCJkZWZhdWx0X3Blcm1pc3Npb25zIjp7InB1YiI6e30sInN1YiI6e319LCJ0eXBlIjoiYWNjb3VudCIsInZlcnNpb24iOjJ9fQ.J7g73TEn-ZT13owq4cVWl4l0hZnGK4DJtH2WWOZmGbefcCQ1xsx4cIagKc1cZTCwUpELVAYnSkmPp4LsQOspBg, +} +``` + +In the YAML would be configured as follows: + +``` +auth: + enabled: true + + timeout: "5s" + + resolver: + type: full + + operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDRlozRlE0WURNTUc1Q1UzU0FUWVlHWUdQUDJaQU1QUzVNRUdNWFdWTUJFWUdIVzc2WEdBIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJLTyIsInN1YiI6Ik9DSVYyUUZKV0lOWlVBVDVUMllKQklSQzNCNkpLTVNaS1FORjVLR1A0TjNLWjRGRkRWQVdZWENMIiwibmF0cyI6eyJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.e3gvJ-C1IBznmbUljeT_wbLRl1akv5IGBS3rbxs6mzzTvf3zlqQI4wDKVE8Gvb8qfTX6TIwocClfOqNaN3k3CQ + + systemAccount: ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N + + store: + dir: "/etc/nats-config/accounts/jwt" + size: "1Gi" + + resolverPreload: + ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDR0tWVzJGQUszUE5XQTRBWkhHT083UTdZWUVPQkJYNDZaTU1VSFc1TU5QSUFVSFE0RVRRIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJTWVMiLCJzdWIiOiJBREdGSDROWVY1Vjc1U1ZNNURZU1c1QVdPRDdIMk5SVVdBTU82WExaS0lER1VXWUVYQ1pHNUQ2TiIsIm5hdHMiOnsibGltaXRzIjp7InN1YnMiOi0xLCJkYXRhIjotMSwicGF5bG9hZCI6LTEsImltcG9ydHMiOi0xLCJleHBvcnRzIjotMSwid2lsZGNhcmRzIjp0cnVlLCJjb25uIjotMSwibGVhZiI6LTF9LCJkZWZhdWx0X3Blcm1pc3Npb25zIjp7InB1YiI6e30sInN1YiI6e319LCJ0eXBlIjoiYWNjb3VudCIsInZlcnNpb24iOjJ9fQ.J7g73TEn-ZT13owq4cVWl4l0hZnGK4DJtH2WWOZmGbefcCQ1xsx4cIagKc1cZTCwUpELVAYnSkmPp4LsQOspBg +``` + +Now we start the server with the NATS Account Resolver (`auth.resolver.type=full`): + +```yaml +nats: + image: nats:2.6.1-alpine + + logging: + debug: false + trace: false + + jetstream: + enabled: true + + memStorage: + enabled: true + size: "2Gi" + + fileStorage: + enabled: true + size: "4Gi" + storageDirectory: /data/ + storageClassName: gp2 # NOTE: AWS setup but customize as needed for your infra. + +cluster: + enabled: true + # Can set a custom cluster name + name: "nats" + replicas: 3 + +auth: + enabled: true + + timeout: "5s" + + resolver: + type: full + + operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDRlozRlE0WURNTUc1Q1UzU0FUWVlHWUdQUDJaQU1QUzVNRUdNWFdWTUJFWUdIVzc2WEdBIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJLTyIsInN1YiI6Ik9DSVYyUUZKV0lOWlVBVDVUMllKQklSQzNCNkpLTVNaS1FORjVLR1A0TjNLWjRGRkRWQVdZWENMIiwibmF0cyI6eyJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.e3gvJ-C1IBznmbUljeT_wbLRl1akv5IGBS3rbxs6mzzTvf3zlqQI4wDKVE8Gvb8qfTX6TIwocClfOqNaN3k3CQ + + systemAccount: ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N + + store: + dir: "/etc/nats-config/accounts/jwt" + size: "1Gi" + + resolverPreload: + ADGFH4NYV5V75SVM5DYSW5AWOD7H2NRUWAMO6XLZKIDGUWYEXCZG5D6N: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJDR0tWVzJGQUszUE5XQTRBWkhHT083UTdZWUVPQkJYNDZaTU1VSFc1TU5QSUFVSFE0RVRRIiwiaWF0IjoxNjMyNzgzMDk2LCJpc3MiOiJPQ0lWMlFGSldJTlpVQVQ1VDJZSkJJUkMzQjZKS01TWktRTkY1S0dQNE4zS1o0RkZEVkFXWVhDTCIsIm5hbWUiOiJTWVMiLCJzdWIiOiJBREdGSDROWVY1Vjc1U1ZNNURZU1c1QVdPRDdIMk5SVVdBTU82WExaS0lER1VXWUVYQ1pHNUQ2TiIsIm5hdHMiOnsibGltaXRzIjp7InN1YnMiOi0xLCJkYXRhIjotMSwicGF5bG9hZCI6LTEsImltcG9ydHMiOi0xLCJleHBvcnRzIjotMSwid2lsZGNhcmRzIjp0cnVlLCJjb25uIjotMSwibGVhZiI6LTF9LCJkZWZhdWx0X3Blcm1pc3Npb25zIjp7InB1YiI6e30sInN1YiI6e319LCJ0eXBlIjoiYWNjb3VudCIsInZlcnNpb24iOjJ9fQ.J7g73TEn-ZT13owq4cVWl4l0hZnGK4DJtH2WWOZmGbefcCQ1xsx4cIagKc1cZTCwUpELVAYnSkmPp4LsQOspBg +``` + +Finally, using a local port-forward make it possible to establish a connection to one of the servers and upload the accounts. + +```sh +nsc push --system-account SYS -u nats://localhost:4222 -A +[ OK ] push to nats-server "nats://localhost:4222" using system account "SYS": + [ OK ] push JS1 to nats-server with nats account resolver: + [ OK ] pushed "JS1" to nats-server nats-0: jwt updated + [ OK ] pushed "JS1" to nats-server nats-1: jwt updated + [ OK ] pushed "JS1" to nats-server nats-2: jwt updated + [ OK ] pushed to a total of 3 nats-server +``` + +Now you should be able to use JetStream and the NATS based account resolver: + +```sh +nats stream ls -s localhost --creds ./nsc/nkeys/creds/KO/JS1/js-user.creds +No Streams defined +``` + +## Misc + +### NATS Box + +A lightweight container with NATS and NATS Streaming utilities that is deployed along the cluster to confirm the setup. +You can find the image at: https://github.com/nats-io/nats-box + +```yaml +natsbox: + enabled: true + image: nats:alpine + pullPolicy: IfNotPresent + + # credentials: + # secret: + # name: nats-sys-creds + # key: sys.creds +``` + +### Configuration Reload sidecar + +The NATS config reloader image to use: + +```yaml +reloader: + enabled: true + image: natsio/nats-server-config-reloader:latest + pullPolicy: IfNotPresent +``` + +### Prometheus Exporter sidecar + +You can toggle whether to start the sidecar that can be used to feed metrics to Prometheus: + +```yaml +exporter: + enabled: true + image: natsio/prometheus-nats-exporter:latest + pullPolicy: IfNotPresent +``` + +### Prometheus operator ServiceMonitor support + +You can enable prometheus operator ServiceMonitor: + +```yaml +exporter: + # You have to enable exporter first + enabled: true + serviceMonitor: + enabled: true + ## Specify the namespace where Prometheus Operator is running + # namespace: monitoring + # ... +``` + +### Pod Customizations + +#### Security Context + +```yaml + # Toggle whether to use setup a Pod Security Context + # ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true +``` + +#### Affinity + + + +`matchExpressions` must be configured according to your setup + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node.kubernetes.io/purpose + operator: In + values: + - nats + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - nats + - stan + topologyKey: "kubernetes.io/hostname" +``` + +#### Service topology + +[Service topology](https://kubernetes.io/docs/concepts/services-networking/service-topology/) is disabled by default, but can be enabled by setting `topologyKeys`. For example: + +```yaml +topologyKeys: + - "kubernetes.io/hostname" + - "topology.kubernetes.io/zone" + - "topology.kubernetes.io/region" +``` + +#### CPU/Memory Resource Requests/Limits +Sets the pods cpu/memory requests/limits + +```yaml +nats: + resources: + requests: + cpu: 2 + memory: 4Gi + limits: + cpu: 4 + memory: 6Gi +``` + +No resources are set by default. + +#### Annotations + + + +```yaml +podAnnotations: + key1 : "value1", + key2 : "value2" +``` + +### Name Overides + +Can change the name of the resources as needed with: + +```yaml +nameOverride: "my-nats" +``` + +### Image Pull Secrets + +```yaml +imagePullSecrets: +- name: myRegistry +``` + +Adds this to the StatefulSet: + +```yaml +spec: + imagePullSecrets: + - name: myRegistry +``` diff --git a/charts/nats/nats/0.10.0/app-readme.md b/charts/nats/nats/0.10.0/app-readme.md new file mode 100644 index 000000000..b4511f4d5 --- /dev/null +++ b/charts/nats/nats/0.10.0/app-readme.md @@ -0,0 +1,3 @@ +# NATS Server + + [NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. NATS can secure and simplify design and operation of modern distributed systems. diff --git a/charts/nats/nats/0.10.0/questions.yaml b/charts/nats/nats/0.10.0/questions.yaml new file mode 100644 index 000000000..a476e440d --- /dev/null +++ b/charts/nats/nats/0.10.0/questions.yaml @@ -0,0 +1,12 @@ +questions: +- variable: cluster.enabled + default: false + type: boolean + label: Enable Cluster + group: "Cluster Settings" + show_subquestion_if: "true" + subquestions: + - variable: cluster.replicas + default: 3 + type: int + label: Replicas diff --git a/charts/nats/nats/0.10.0/templates/NOTES.txt b/charts/nats/nats/0.10.0/templates/NOTES.txt new file mode 100644 index 000000000..313886a7b --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/NOTES.txt @@ -0,0 +1,26 @@ + +{{- if or .Values.nats.logging.debug .Values.nats.logging.trace }} +*WARNING*: Keep in mind that running the server with +debug and/or trace enabled significantly affects the +performance of the server! +{{- end }} + +You can find more information about running NATS on Kubernetes +in the NATS documentation website: + + https://docs.nats.io/nats-on-kubernetes/nats-kubernetes + +{{- if .Values.natsbox.enabled }} + +NATS Box has been deployed into your cluster, you can +now use the NATS tools within the container as follows: + + kubectl exec -n {{ .Release.Namespace }} -it deployment/{{ template "nats.fullname" . }}-box -- /bin/sh -l + + nats-box:~# nats-sub test & + nats-box:~# nats-pub test hi + nats-box:~# nc {{ template "nats.fullname" . }} 4222 + +{{- end }} + +Thanks for using NATS! diff --git a/charts/nats/nats/0.10.0/templates/_helpers.tpl b/charts/nats/nats/0.10.0/templates/_helpers.tpl new file mode 100644 index 000000000..2cdefac72 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/_helpers.tpl @@ -0,0 +1,131 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "nats.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{- define "nats.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nats.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nats.labels" -}} +helm.sh/chart: {{ include "nats.chart" . }} +{{- range $name, $value := .Values.commonLabels }} +{{ $name }}: {{ tpl $value $ }} +{{- end }} +{{ include "nats.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nats.selectorLabels" -}} +{{- if .Values.nats.selectorLabels }} +{{ tpl (toYaml .Values.nats.selectorLabels) . }} +{{- else }} +app.kubernetes.io/name: {{ include "nats.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} +{{- end }} + + +{{/* +Return the proper NATS image name +*/}} +{{- define "nats.clusterAdvertise" -}} +{{- printf "$(POD_NAME).%s.$(POD_NAMESPACE).svc.%s" (include "nats.fullname" . ) $.Values.k8sClusterDomain }} +{{- end }} + +{{/* +Return the NATS cluster routes. +*/}} +{{- define "nats.clusterRoutes" -}} +{{- $name := (include "nats.fullname" . ) -}} +{{- range $i, $e := until (.Values.cluster.replicas | int) -}} +{{- printf "nats://%s-%d.%s.%s.svc.%s:6222," $name $i $name $.Release.Namespace $.Values.k8sClusterDomain -}} +{{- end -}} +{{- end }} + +{{- define "nats.extraRoutes" -}} +{{- range $i, $url := .Values.cluster.extraRoutes -}} +{{- printf "%s," $url -}} +{{- end -}} +{{- end }} + +{{- define "nats.tlsConfig" -}} +tls { +{{- if .cert }} + cert_file: {{ .secretPath }}/{{ .secret.name }}/{{ .cert }} +{{- end }} +{{- if .key }} + key_file: {{ .secretPath }}/{{ .secret.name }}/{{ .key }} +{{- end }} +{{- if .ca }} + ca_file: {{ .secretPath }}/{{ .secret.name }}/{{ .ca }} +{{- end }} +{{- if .insecure }} + insecure: {{ .insecure }} +{{- end }} +{{- if .verify }} + verify: {{ .verify }} +{{- end }} +{{- if .verifyAndMap }} + verify_and_map: {{ .verifyAndMap }} +{{- end }} +{{- if .curvePreferences }} + curve_preferences: {{ .curvePreferences }} +{{- end }} +{{- if .timeout }} + timeout: {{ .timeout }} +{{- end }} +} +{{- end }} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/nats/nats/0.10.0/templates/_mem_resolver.yaml b/charts/nats/nats/0.10.0/templates/_mem_resolver.yaml new file mode 100644 index 000000000..c58134cb2 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/_mem_resolver.yaml @@ -0,0 +1,15 @@ +{{- if .Values.auth.enabled }} +{{- if eq .Values.auth.resolver.type "memory" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "nats.name" . }}-accounts + labels: + app: {{ template "nats.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} +data: + accounts.conf: |- + {{- .Files.Get "accounts.conf" | indent 6 }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/0.10.0/templates/configmap.yaml b/charts/nats/nats/0.10.0/templates/configmap.yaml new file mode 100644 index 000000000..a596527a3 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/configmap.yaml @@ -0,0 +1,511 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nats.fullname" . }}-config + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "nats.labels" . | nindent 4 }} +data: + nats.conf: | + # PID file shared with configuration reloader. + pid_file: "/var/run/nats/nats.pid" + + ############### + # # + # Monitoring # + # # + ############### + http: 8222 + server_name: {{- if .Values.nats.serverNamePrefix }}$SERVER_NAME{{- else }}$POD_NAME{{- end }} + + {{- if .Values.nats.tls }} + ##################### + # # + # TLS Configuration # + # # + ##################### + {{- with .Values.nats.tls }} + {{- $nats_tls := merge (dict) . }} + {{- $_ := set $nats_tls "secretPath" "/etc/nats-certs/clients" }} + {{- tpl (include "nats.tlsConfig" $nats_tls) $ | nindent 4}} + {{- end }} + {{- end }} + + {{- if .Values.nats.jetstream.enabled }} + ################################### + # # + # NATS JetStream # + # # + ################################### + jetstream { + {{- if .Values.nats.jetstream.encryption }} + {{- if .Values.nats.jetstream.encryption.key }} + key: {{ .Values.nats.jetstream.encryption.key | quote }} + {{- else if .Values.nats.jetstream.encryption.secret }} + key: $JS_KEY + {{- end}} + {{- end}} + + {{- if .Values.nats.jetstream.memStorage.enabled }} + max_mem: {{ .Values.nats.jetstream.memStorage.size }} + {{- end }} + + {{- if .Values.nats.jetstream.domain }} + domain: {{ .Values.nats.jetstream.domain }} + {{- end }} + + {{- if .Values.nats.jetstream.fileStorage.enabled }} + store_dir: {{ .Values.nats.jetstream.fileStorage.storageDirectory }} + + max_file: + {{- if .Values.nats.jetstream.fileStorage.existingClaim }} + {{- .Values.nats.jetstream.fileStorage.claimStorageSize }} + {{- else }} + {{- .Values.nats.jetstream.fileStorage.size }} + {{- end }} + {{- end }} + } + {{- end }} + {{- if .Values.mqtt.enabled }} + ################################### + # # + # NATS MQTT # + # # + ################################### + mqtt { + port: 1883 + + {{- with .Values.mqtt.tls }} + {{- $mqtt_tls := merge (dict) . }} + {{- $_ := set $mqtt_tls "secretPath" "/etc/nats-certs/mqtt" }} + {{- tpl (include "nats.tlsConfig" $mqtt_tls) $ | nindent 6}} + {{- end }} + + {{- if .Values.mqtt.noAuthUser }} + no_auth_user: {{ .Values.mqtt.noAuthUser | quote }} + {{- end }} + + ack_wait: {{ .Values.mqtt.ackWait | quote }} + max_ack_pending: {{ .Values.mqtt.maxAckPending }} + } + {{- end }} + + {{- if .Values.cluster.enabled }} + ################################### + # # + # NATS Full Mesh Clustering Setup # + # # + ################################### + cluster { + port: 6222 + + {{- if .Values.nats.jetstream.enabled }} + {{- if .Values.cluster.name }} + name: {{ .Values.cluster.name }} + {{- else }} + name: {{ template "nats.name" . }} + {{- end }} + {{- else }} + {{- with .Values.cluster.name }} + name: {{ . }} + {{- end }} + {{- end }} + + {{- with .Values.cluster.tls }} + {{- $cluster_tls := merge (dict) . }} + {{- $_ := set $cluster_tls "secretPath" "/etc/nats-certs/cluster" }} + {{- tpl (include "nats.tlsConfig" $cluster_tls) $ | nindent 6}} + {{- end }} + + {{- if .Values.cluster.authorization }} + authorization { + {{- with .Values.cluster.authorization.user }} + user: {{ . }} + {{- end }} + {{- with .Values.cluster.authorization.password }} + password: {{ . }} + {{- end }} + {{- with .Values.cluster.authorization.timeout }} + timeout: {{ . }} + {{- end }} + } + {{- end }} + + routes = [ + {{ include "nats.clusterRoutes" . }} + {{ include "nats.extraRoutes" . }} + ] + cluster_advertise: $CLUSTER_ADVERTISE + + {{- with .Values.cluster.noAdvertise }} + no_advertise: {{ . }} + {{- end }} + + connect_retries: {{ .Values.nats.connectRetries }} + } + {{- end }} + + {{- if and .Values.nats.advertise .Values.nats.externalAccess }} + include "advertise/client_advertise.conf" + {{- end }} + + {{- if or .Values.leafnodes.enabled .Values.leafnodes.remotes }} + ################# + # # + # NATS Leafnode # + # # + ################# + leafnodes { + {{- if .Values.leafnodes.enabled }} + listen: "0.0.0.0:7422" + {{- end }} + + {{- if and .Values.nats.advertise .Values.nats.externalAccess }} + include "advertise/gateway_advertise.conf" + {{- end }} + + {{- with .Values.leafnodes.noAdvertise }} + no_advertise: {{ . }} + {{- end }} + + {{- with .Values.leafnodes.authorization }} + authorization: { + {{- with .user }} + user: {{ . }} + {{- end }} + {{- with .password }} + password: {{ . }} + {{- end }} + {{- with .account }} + account: {{ . | quote }} + {{- end }} + {{- with .timeout }} + timeout: {{ . }} + {{- end }} + {{- with .users }} + users: [ + {{- range . }} + {{- toRawJson . | nindent 10 }}, + {{- end }} + ] + {{- end }} + } + {{- end }} + + {{- with .Values.leafnodes.tls }} + {{- $leafnode_tls := merge (dict) . }} + {{- $_ := set $leafnode_tls "secretPath" "/etc/nats-certs/leafnodes" }} + {{- tpl (include "nats.tlsConfig" $leafnode_tls) $ | nindent 6}} + {{- end }} + + remotes: [ + {{- range .Values.leafnodes.remotes }} + { + {{- with .url }} + url: {{ . | quote }} + {{- end }} + + {{- with .urls }} + urls: {{ toRawJson . }} + {{- end }} + + {{- with .account }} + account: {{ . | quote }} + {{- end }} + + {{- with .credentials }} + credentials: "/etc/nats-creds/{{ .secret.name }}/{{ .secret.key }}" + {{- end }} + + {{- with .tls }} + {{ $secretName := tpl .secret.name $ }} + tls: { + {{- with .cert }} + cert_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }} + {{- end }} + + {{- with .key }} + key_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }} + {{- end }} + + {{- with .ca }} + ca_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }} + {{- end }} + } + {{- end }} + } + {{- end }} + ] + } + {{- end }} + + {{- if .Values.gateway.enabled }} + ################# + # # + # NATS Gateways # + # # + ################# + gateway { + name: {{ .Values.gateway.name }} + port: 7522 + + {{- if .Values.gateway.advertise }} + advertise: {{ .Values.gateway.advertise }} + {{- end }} + + {{- if .Values.gateway.authorization }} + authorization { + {{- with .Values.gateway.authorization.user }} + user: {{ . }} + {{- end }} + {{- with .Values.gateway.authorization.password }} + password: {{ . }} + {{- end }} + {{- with .Values.gateway.authorization.timeout }} + timeout: {{ . }} + {{- end }} + } + {{- end }} + + {{- if and .Values.nats.advertise .Values.nats.externalAccess }} + include "advertise/gateway_advertise.conf" + {{- end }} + + {{- with .Values.gateway.tls }} + {{- $gateway_tls := merge (dict) . }} + {{- $_ := set $gateway_tls "secretPath" "/etc/nats-certs/gateways" }} + {{- tpl (include "nats.tlsConfig" $gateway_tls) $ | nindent 6}} + {{- end }} + + # Gateways array here + gateways: [ + {{- range .Values.gateway.gateways }} + { + {{- with .name }} + name: {{ . }} + {{- end }} + + {{- with .url }} + url: {{ . | quote }} + {{- end }} + + {{- with .urls }} + urls: [{{ join "," . }}] + {{- end }} + }, + {{- end }} + ] + } + {{- end }} + + {{- with .Values.nats.logging.debug }} + debug: {{ . }} + {{- end }} + + {{- with .Values.nats.logging.trace }} + trace: {{ . }} + {{- end }} + + {{- with .Values.nats.logging.logtime }} + logtime: {{ . }} + {{- end }} + + {{- with .Values.nats.logging.connectErrorReports }} + connect_error_reports: {{ . }} + {{- end }} + + {{- with .Values.nats.logging.reconnectErrorReports }} + reconnect_error_reports: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.maxConnections }} + max_connections: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.maxSubscriptions }} + max_subscriptions: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.maxPending }} + max_pending: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.maxControlLine }} + max_control_line: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.maxPayload }} + max_payload: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.pingInterval }} + ping_interval: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.maxPings }} + ping_max: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.writeDeadline }} + write_deadline: {{ . }} + {{- end }} + + {{- with .Values.nats.limits.lameDuckDuration }} + lame_duck_duration: {{ . }} + {{- end }} + + {{- if .Values.websocket.enabled }} + ################## + # # + # Websocket # + # # + ################## + websocket { + port: {{ .Values.websocket.port }} + {{- with .Values.websocket.tls }} + {{ $secretName := tpl .secret.name $ }} + tls { + {{- with .cert }} + cert_file: /etc/nats-certs/ws/{{ $secretName }}/{{ . }} + {{- end }} + + {{- with .key }} + key_file: /etc/nats-certs/ws/{{ $secretName }}/{{ . }} + {{- end }} + + {{- with .ca }} + ca_file: /etc/nats-certs/ws/{{ $secretName }}/{{ . }} + {{- end }} + } + {{- else }} + no_tls: {{ .Values.websocket.noTLS }} + {{- end }} + same_origin: {{ .Values.websocket.sameOrigin }} + {{- with .Values.websocket.allowedOrigins }} + allowed_origins: {{ toRawJson . }} + {{- end }} + } + {{- end }} + + {{- if .Values.auth.enabled }} + ################## + # # + # Authorization # + # # + ################## + {{- if .Values.auth.resolver }} + {{- if eq .Values.auth.resolver.type "memory" }} + resolver: MEMORY + include "accounts/{{ .Values.auth.resolver.configMap.key }}" + {{- end }} + + {{- if eq .Values.auth.resolver.type "full" }} + {{- if .Values.auth.resolver.configMap }} + include "accounts/{{ .Values.auth.resolver.configMap.key }}" + {{- else }} + {{- with .Values.auth.resolver }} + {{- if $.Values.auth.timeout }} + authorization { + timeout: {{ $.Values.auth.timeout }} + } + {{- end }} + + {{- if .operator }} + operator: {{ .operator }} + {{- end }} + + {{- if .systemAccount }} + system_account: {{ .systemAccount }} + {{- end }} + {{- end }} + + resolver: { + type: full + {{- with .Values.auth.resolver }} + dir: {{ .store.dir | quote }} + + allow_delete: {{ .allowDelete }} + + interval: {{ .interval | quote }} + {{- end }} + } + {{- end }} + {{- end }} + + {{- if .Values.auth.resolver.resolverPreload }} + resolver_preload: {{ toRawJson .Values.auth.resolver.resolverPreload }} + {{- end }} + + {{- if eq .Values.auth.resolver.type "URL" }} + {{- with .Values.auth.resolver.url }} + resolver: URL({{ . }}) + {{- end }} + operator: /etc/nats-config/operator/{{ .Values.auth.operatorjwt.configMap.key }} + {{- end }} + {{- end }} + + {{- with .Values.auth.systemAccount }} + system_account: {{ . }} + {{- end }} + + {{- with .Values.auth.token }} + authorization { + token: "{{ . }}" + + + {{- if $.Values.auth.timeout }} + timeout: {{ $.Values.auth.timeout }} + {{- end }} + } + {{- end }} + + {{- with .Values.auth.nkeys }} + {{- with .users }} + authorization { + {{- if $.Values.auth.timeout }} + timeout: {{ $.Values.auth.timeout }} + {{- end }} + + users: [ + {{- range . }} + {{- toRawJson . | nindent 4 }}, + {{- end }} + ] + } + {{- end }} + {{- end }} + + {{- with .Values.auth.basic }} + + {{- with .noAuthUser }} + no_auth_user: {{ . }} + {{- end }} + + {{- with .users }} + authorization { + {{- if $.Values.auth.timeout }} + timeout: {{ $.Values.auth.timeout }} + {{- end }} + + users: [ + {{- range . }} + {{- toRawJson . | nindent 4 }}, + {{- end }} + ] + } + {{- end }} + + {{- with .accounts }} + authorization { + {{- if $.Values.auth.timeout }} + timeout: {{ $.Values.auth.timeout }} + {{- end }} + } + + accounts: {{- toRawJson . }} + {{- end }} + + {{- end }} + + {{- end }} diff --git a/charts/nats/nats/0.10.0/templates/nats-box.yaml b/charts/nats/nats/0.10.0/templates/nats-box.yaml new file mode 100644 index 000000000..4ba9c5b95 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/nats-box.yaml @@ -0,0 +1,111 @@ +{{- if .Values.natsbox.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nats.fullname" . }}-box + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "nats.fullname" . }}-box + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + {{- if .Values.natsbox.additionalLabels }} + {{- tpl (toYaml .Values.natsbox.additionalLabels) $ | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ include "nats.fullname" . }}-box + template: + metadata: + labels: + app: {{ include "nats.fullname" . }}-box + {{- if .Values.natsbox.podLabels }} + {{- tpl (toYaml .Values.natsbox.podLabels) $ | nindent 8 }} + {{- end }} + {{- if .Values.natsbox.podAnnotations }} + annotations: + {{- range $key, $value := .Values.natsbox.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + spec: + {{- with .Values.natsbox.affinity }} + affinity: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.natsbox.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.natsbox.tolerations }} + tolerations: {{ toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.natsbox.credentials }} + - name: nats-sys-creds + secret: + secretName: {{ .Values.natsbox.credentials.secret.name }} + {{- end }} + {{- with .Values.nats.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-clients-volume + secret: + secretName: {{ $secretName }} + {{- end }} +{{- with .Values.securityContext }} + securityContext: +{{ toYaml . | indent 8 }} +{{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: nats-box + image: {{ .Values.natsbox.image }} + imagePullPolicy: {{ .Values.natsbox.pullPolicy }} + {{- if .Values.natsbox.securityContext }} + securityContext: + {{- .Values.natsbox.securityContext | toYaml | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.natsbox.resources | nindent 10 }} + env: + - name: NATS_URL + value: {{ template "nats.fullname" . }} + {{- if .Values.natsbox.credentials }} + - name: USER_CREDS + value: /etc/nats-config/creds/{{ .Values.natsbox.credentials.secret.key }} + - name: USER2_CREDS + value: /etc/nats-config/creds/{{ .Values.natsbox.credentials.secret.key }} + {{- end }} + {{- with .Values.nats.tls }} + {{ $secretName := tpl .secret.name $ }} + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - cp /etc/nats-certs/clients/{{ $secretName }}/* /usr/local/share/ca-certificates && update-ca-certificates + {{- end }} + command: + - "tail" + - "-f" + - "/dev/null" + volumeMounts: + {{- if .Values.natsbox.credentials }} + - name: nats-sys-creds + mountPath: /etc/nats-config/creds + {{- end }} + {{- with .Values.nats.tls }} + ####################### + # # + # TLS Volumes Mounts # + # # + ####################### + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-clients-volume + mountPath: /etc/nats-certs/clients/{{ $secretName }} + {{- end }} +{{- end }} diff --git a/charts/nats/nats/0.10.0/templates/networkpolicy.yaml b/charts/nats/nats/0.10.0/templates/networkpolicy.yaml new file mode 100644 index 000000000..a8a2ee894 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/networkpolicy.yaml @@ -0,0 +1,80 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "networkPolicy.apiVersion" . }} +metadata: + name: {{ include "nats.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "nats.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: {{- include "nats.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + # Allow outbound connections to other cluster pods + - ports: + - port: 4222 + protocol: TCP + - port: 6222 + protocol: TCP + - port: 8222 + protocol: TCP + - port: 7777 + protocol: TCP + - port: 7422 + protocol: TCP + - port: 7522 + protocol: TCP + to: + - podSelector: + matchLabels: {{- include "nats.selectorLabels" . | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: 4222 + protocol: TCP + - port: 6222 + protocol: TCP + - port: 8222 + protocol: TCP + - port: 7777 + protocol: TCP + - port: 7422 + protocol: TCP + - port: 7522 + protocol: TCP + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ include "nats.fullname" . }}-client: "true" + - podSelector: + matchLabels: {{- include "nats.selectorLabels" . | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/nats/nats/0.10.0/templates/pdb.yaml b/charts/nats/nats/0.10.0/templates/pdb.yaml new file mode 100644 index 000000000..7a2641a3f --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/pdb.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nats.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "nats.labels" . | nindent 4 }} +spec: + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + selector: + matchLabels: + {{- include "nats.selectorLabels" . | nindent 6 }} +{{- end }} + diff --git a/charts/nats/nats/0.10.0/templates/rbac.yaml b/charts/nats/nats/0.10.0/templates/rbac.yaml new file mode 100644 index 000000000..0b596f157 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/rbac.yaml @@ -0,0 +1,31 @@ +{{ if and .Values.nats.externalAccess .Values.nats.advertise }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.nats.serviceAccount }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.nats.serviceAccount }} +rules: +- apiGroups: [""] + resources: + - nodes + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Values.nats.serviceAccount }}-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.nats.serviceAccount }} +subjects: +- kind: ServiceAccount + name: {{ .Values.nats.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{ end }} diff --git a/charts/nats/nats/0.10.0/templates/service.yaml b/charts/nats/nats/0.10.0/templates/service.yaml new file mode 100644 index 000000000..9ae930083 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/service.yaml @@ -0,0 +1,74 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nats.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "nats.labels" . | nindent 4 }} + {{- if .Values.serviceAnnotations}} + annotations: + {{- range $key, $value := .Values.serviceAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + selector: + {{- include "nats.selectorLabels" . | nindent 4 }} + clusterIP: None + {{- if .Values.topologyKeys }} + topologyKeys: + {{- .Values.topologyKeys | toYaml | nindent 4 }} + {{- end }} + ports: + {{- if .Values.websocket.enabled }} + - name: websocket + port: {{ .Values.websocket.port }} + {{- if .Values.appProtocol.enabled }} + appProtocol: tcp + {{- end }} + {{- end }} + {{- if .Values.nats.profiling.enabled }} + - name: profiling + port: {{ .Values.nats.profiling.port }} + {{- if .Values.appProtocol.enabled }} + appProtocol: http + {{- end }} + {{- end }} + - name: client + port: 4222 + {{- if .Values.appProtocol.enabled }} + appProtocol: tcp + {{- end }} + - name: cluster + port: 6222 + {{- if .Values.appProtocol.enabled }} + appProtocol: tcp + {{- end }} + - name: monitor + port: 8222 + {{- if .Values.appProtocol.enabled }} + appProtocol: http + {{- end }} + - name: metrics + port: 7777 + {{- if .Values.appProtocol.enabled }} + appProtocol: http + {{- end }} + - name: leafnodes + port: 7422 + {{- if .Values.appProtocol.enabled }} + appProtocol: tcp + {{- end }} + - name: gateways + port: 7522 + {{- if .Values.appProtocol.enabled }} + appProtocol: tcp + {{- end }} + {{- if .Values.mqtt.enabled }} + - name: mqtt + port: 1883 + {{- if .Values.appProtocol.enabled }} + appProtocol: tcp + {{- end }} + {{- end }} diff --git a/charts/nats/nats/0.10.0/templates/serviceMonitor.yaml b/charts/nats/nats/0.10.0/templates/serviceMonitor.yaml new file mode 100644 index 000000000..1b4a626fa --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/serviceMonitor.yaml @@ -0,0 +1,40 @@ +{{ if and .Values.exporter.enabled .Values.exporter.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "nats.fullname" . }} + {{- if .Values.exporter.serviceMonitor.namespace }} + namespace: {{ .Values.exporter.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + {{- if .Values.exporter.serviceMonitor.labels }} + labels: + {{- range $key, $value := .Values.exporter.serviceMonitor.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- if .Values.exporter.serviceMonitor.annotations }} + annotations: + {{- range $key, $value := .Values.exporter.serviceMonitor.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + endpoints: + - port: metrics + {{- if .Values.exporter.serviceMonitor.path }} + path: {{ .Values.exporter.serviceMonitor.path }} + {{- end }} + {{- if .Values.exporter.serviceMonitor.interval }} + interval: {{ .Values.exporter.serviceMonitor.interval }} + {{- end }} + {{- if .Values.exporter.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.exporter.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + any: true + selector: + matchLabels: + {{- include "nats.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/nats/nats/0.10.0/templates/statefulset.yaml b/charts/nats/nats/0.10.0/templates/statefulset.yaml new file mode 100644 index 000000000..25be0ed68 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/statefulset.yaml @@ -0,0 +1,543 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "nats.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "nats.labels" . | nindent 4 }} + {{- if .Values.statefulSetAnnotations}} + annotations: + {{- range $key, $value := .Values.statefulSetAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "nats.selectorLabels" . | nindent 6 }} + {{- if .Values.cluster.enabled }} + replicas: {{ .Values.cluster.replicas }} + {{- else }} + replicas: 1 + {{- end }} + serviceName: {{ include "nats.fullname" . }} + template: + metadata: + {{- if or .Values.podAnnotations .Values.exporter.enabled }} + annotations: + {{- if .Values.exporter.enabled }} + prometheus.io/path: /metrics + prometheus.io/port: "7777" + prometheus.io/scrape: "true" + {{- end }} + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "nats.selectorLabels" . | nindent 8 }} + {{- if .Values.statefulSetPodLabels }} + {{- tpl (toYaml .Values.statefulSetPodLabels) . | nindent 8 }} + {{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.securityContext }} + securityContext: +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- with .Values.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.tolerations }} + tolerations: {{ toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range .Values.topologySpreadConstraints }} + {{- if and .maxSkew .topologyKey }} + - maxSkew: {{ .maxSkew }} + topologyKey: {{ .topologyKey }} + {{- if .whenUnsatisfiable }} + whenUnsatisfiable: {{ .whenUnsatisfiable }} + {{- end }} + labelSelector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 12 }} + {{- end}} + {{- end }} +{{- end }} +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} +{{- end }} + # Common volumes for the containers. + volumes: + - name: config-volume + {{ if .Values.nats.customConfigSecret }} + secret: + secretName: {{ .Values.nats.customConfigSecret.name }} + {{ else }} + configMap: + name: {{ include "nats.fullname" . }}-config + {{ end }} + + # Local volume shared with the reloader. + - name: pid + emptyDir: {} + + {{- if and .Values.auth.enabled .Values.auth.resolver }} + {{- if .Values.auth.resolver.configMap }} + - name: resolver-volume + configMap: + name: {{ .Values.auth.resolver.configMap.name }} + {{- end }} + + {{- if eq .Values.auth.resolver.type "URL" }} + - name: operator-jwt-volume + configMap: + name: {{ .Values.auth.operatorjwt.configMap.name }} + {{- end }} + {{- end }} + + {{- if and .Values.nats.externalAccess .Values.nats.advertise }} + # Local volume shared with the advertise config initializer. + - name: advertiseconfig + emptyDir: {} + {{- end }} + + {{- if and .Values.nats.jetstream.fileStorage.enabled .Values.nats.jetstream.fileStorage.existingClaim }} + # Persistent volume for jetstream running with file storage option + - name: {{ include "nats.fullname" . }}-js-pvc + persistentVolumeClaim: + claimName: {{ .Values.nats.jetstream.fileStorage.existingClaim | quote }} + {{- end }} + + ################# + # # + # TLS Volumes # + # # + ################# + {{- with .Values.nats.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-clients-volume + secret: + secretName: {{ $secretName }} + {{- end }} + {{- with .Values.mqtt.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-mqtt-volume + secret: + secretName: {{ $secretName }} + {{- end }} + {{- with .Values.cluster.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-cluster-volume + secret: + secretName: {{ $secretName }} + {{- end }} + {{- with .Values.leafnodes.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-leafnodes-volume + secret: + secretName: {{ $secretName }} + {{- end }} + {{- with .Values.gateway.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-gateways-volume + secret: + secretName: {{ $secretName }} + {{- end }} + {{- with .Values.websocket.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-ws-volume + secret: + secretName: {{ $secretName }} + {{- end }} + {{- if .Values.leafnodes.enabled }} + # + # Leafnode credential volumes + # + {{- range .Values.leafnodes.remotes }} + {{- with .credentials }} + - name: {{ .secret.name }}-volume + secret: + secretName: {{ .secret.name }} + {{- end }} + {{- with .tls }} + - name: {{ .secret.name }}-volume + secret: + secretName: {{ .secret.name }} + {{- end }} + {{- end }} + {{- end }} + + {{ if and .Values.nats.externalAccess .Values.nats.advertise }} + # Assume that we only use the service account in case we want to + # figure out what is the current external public IP from the server + # in order to be able to advertise correctly. + serviceAccountName: {{ .Values.nats.serviceAccount }} + {{ end }} + + # Required to be able to HUP signal and apply config + # reload to the server without restarting the pod. + shareProcessNamespace: true + + {{- if and .Values.nats.externalAccess .Values.nats.advertise }} + # Initializer container required to be able to lookup + # the external ip on which this node is running. + initContainers: + - name: bootconfig + command: + - nats-pod-bootconfig + - -f + - /etc/nats-config/advertise/client_advertise.conf + - -gf + - /etc/nats-config/advertise/gateway_advertise.conf + env: + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: {{ .Values.bootconfig.image }} + imagePullPolicy: {{ .Values.bootconfig.pullPolicy }} + {{- if .Values.bootconfig.securityContext }} + securityContext: + {{- .Values.bootconfig.securityContext | toYaml | nindent 8 }} + {{- end }} + resources: + {{- toYaml .Values.bootconfig.resources | nindent 10 }} + volumeMounts: + - mountPath: /etc/nats-config/advertise + name: advertiseconfig + subPath: advertise + {{- end }} + + ################# + # # + # NATS Server # + # # + ################# + terminationGracePeriodSeconds: {{ .Values.nats.terminationGracePeriodSeconds }} + containers: + - name: nats + image: {{ .Values.nats.image }} + imagePullPolicy: {{ .Values.nats.pullPolicy }} + {{- if .Values.nats.securityContext }} + securityContext: + {{- .Values.nats.securityContext | toYaml | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.nats.resources | nindent 10 }} + ports: + - containerPort: 4222 + name: client + {{- if .Values.nats.externalAccess }} + hostPort: 4222 + {{- end }} + - containerPort: 7422 + name: leafnodes + {{- if .Values.nats.externalAccess }} + hostPort: 7422 + {{- end }} + - containerPort: 7522 + name: gateways + {{- if .Values.nats.externalAccess }} + hostPort: 7522 + {{- end }} + - containerPort: 6222 + name: cluster + - containerPort: 8222 + name: monitor + - containerPort: 7777 + name: metrics + {{- if .Values.mqtt.enabled }} + - containerPort: 1883 + name: mqtt + {{- if .Values.nats.externalAccess }} + hostPort: 1883 + {{- end }} + {{- end }} + {{- if .Values.websocket.enabled }} + - containerPort: {{ .Values.websocket.port }} + name: websocket + {{- if .Values.nats.externalAccess }} + hostPort: {{ .Values.websocket.port }} + {{- end }} + {{- end }} + {{- if .Values.nats.profiling.enabled }} + - containerPort: {{ .Values.nats.profiling.port }} + name: profiling + {{- end }} + + command: + - "nats-server" + - "--config" + - "/etc/nats-config/nats.conf" + {{- if .Values.nats.profiling.enabled }} + - "--profile={{ .Values.nats.profiling.port }}" + {{- end }} + + # Required to be able to define an environment variable + # that refers to other environment variables. This env var + # is later used as part of the configuration file. + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SERVER_NAME + value: {{ .Values.nats.serverNamePrefix }}$(POD_NAME) + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CLUSTER_ADVERTISE + value: {{ include "nats.clusterAdvertise" . }} + + {{- if .Values.nats.jetstream.enabled }} + {{- with .Values.nats.jetstream.encryption }} + {{- with .secret }} + - name: JS_KEY + valueFrom: + secretKeyRef: + name: {{ .name }} + key: {{ .key }} + {{- end }} + {{- end }} + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/nats-config + - name: pid + mountPath: /var/run/nats + {{- if and .Values.nats.externalAccess .Values.nats.advertise }} + - mountPath: /etc/nats-config/advertise + name: advertiseconfig + subPath: advertise + {{- end }} + + {{- if and .Values.auth.enabled .Values.auth.resolver }} + {{- if eq .Values.auth.resolver.type "memory" }} + - name: resolver-volume + mountPath: /etc/nats-config/accounts + {{- end }} + + {{- if eq .Values.auth.resolver.type "full" }} + {{- if .Values.auth.resolver.configMap }} + - name: resolver-volume + mountPath: /etc/nats-config/accounts + {{- end }} + {{- if and .Values.auth.resolver .Values.auth.resolver.store }} + - name: nats-jwt-pvc + mountPath: {{ .Values.auth.resolver.store.dir }} + {{- end }} + {{- end }} + + {{- if eq .Values.auth.resolver.type "URL" }} + - name: operator-jwt-volume + mountPath: /etc/nats-config/operator + {{- end }} + {{- end }} + + {{- if .Values.nats.jetstream.fileStorage.enabled }} + - name: {{ include "nats.fullname" . }}-js-pvc + mountPath: {{ .Values.nats.jetstream.fileStorage.storageDirectory }} + {{- end }} + + {{- with .Values.nats.tls }} + ####################### + # # + # TLS Volumes Mounts # + # # + ####################### + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-clients-volume + mountPath: /etc/nats-certs/clients/{{ $secretName }} + {{- end }} + {{- with .Values.mqtt.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-mqtt-volume + mountPath: /etc/nats-certs/mqtt/{{ $secretName }} + {{- end }} + {{- with .Values.cluster.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-cluster-volume + mountPath: /etc/nats-certs/cluster/{{ $secretName }} + {{- end }} + {{- with .Values.leafnodes.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-leafnodes-volume + mountPath: /etc/nats-certs/leafnodes/{{ $secretName }} + {{- end }} + {{- with .Values.gateway.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-gateways-volume + mountPath: /etc/nats-certs/gateways/{{ $secretName }} + {{- end }} + + {{- with .Values.websocket.tls }} + {{ $secretName := tpl .secret.name $ }} + - name: {{ $secretName }}-ws-volume + mountPath: /etc/nats-certs/ws/{{ $secretName }} + {{- end }} + + {{- if .Values.leafnodes.enabled }} + # + # Leafnode credential volumes + # + {{- range .Values.leafnodes.remotes }} + {{- with .credentials }} + - name: {{ .secret.name }}-volume + mountPath: /etc/nats-creds/{{ .secret.name }} + {{- end }} + {{- with .tls }} + - name: {{ .secret.name }}-volume + mountPath: /etc/nats-certs/leafnodes/{{ .secret.name }} + {{- end }} + {{- end }} + {{- end }} + + # Liveness/Readiness probes against the monitoring. + # + livenessProbe: + httpGet: + path: / + port: 8222 + initialDelaySeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: / + port: 8222 + initialDelaySeconds: 10 + timeoutSeconds: 5 + + # Gracefully stop NATS Server on pod deletion or image upgrade. + # + lifecycle: + preStop: + exec: + # Using the alpine based NATS image, we add an extra sleep that is + # the same amount as the terminationGracePeriodSeconds to allow + # the NATS Server to gracefully terminate the client connections. + # + command: + - "/bin/sh" + - "-c" + - "nats-server -sl=ldm=/var/run/nats/nats.pid && /bin/sleep {{ .Values.nats.terminationGracePeriodSeconds }}" + + ################################# + # # + # NATS Configuration Reloader # + # # + ################################# + {{ if .Values.reloader.enabled }} + - name: reloader + image: {{ .Values.reloader.image }} + imagePullPolicy: {{ .Values.reloader.pullPolicy }} + {{- if .Values.reloader.securityContext }} + securityContext: + {{- .Values.reloader.securityContext | toYaml | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.reloader.resources | nindent 10 }} + command: + - "nats-server-config-reloader" + - "-pid" + - "/var/run/nats/nats.pid" + - "-config" + - "/etc/nats-config/nats.conf" + volumeMounts: + - name: config-volume + mountPath: /etc/nats-config + - name: pid + mountPath: /var/run/nats + {{ end }} + + ############################## + # # + # NATS Prometheus Exporter # + # # + ############################## + {{ if .Values.exporter.enabled }} + - name: metrics + image: {{ .Values.exporter.image }} + imagePullPolicy: {{ .Values.exporter.pullPolicy }} + {{- if .Values.exporter.securityContext }} + securityContext: + {{- .Values.exporter.securityContext | toYaml | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.exporter.resources | nindent 10 }} + args: + - -connz + - -routez + - -subz + - -varz + - -prefix=nats + - -use_internal_server_id + {{- if .Values.nats.jetstream.enabled }} + - -jsz=all + {{- end }} + {{- if .Values.leafnodes.enabled }} + - -leafz + {{- end }} + - http://localhost:8222/ + ports: + - containerPort: 7777 + name: metrics + {{ end }} + + volumeClaimTemplates: + {{- if eq .Values.auth.resolver.type "full" }} + {{- if and .Values.auth.resolver .Values.auth.resolver.store }} + ##################################### + # # + # Account Server Embedded JWT # + # # + ##################################### + - metadata: + name: nats-jwt-pvc + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.auth.resolver.store.size }} + {{- end }} + {{- end }} + + {{- if and .Values.nats.jetstream.fileStorage.enabled (not .Values.nats.jetstream.fileStorage.existingClaim) }} + ##################################### + # # + # Jetstream New Persistent Volume # + # # + ##################################### + - metadata: + name: {{ include "nats.fullname" . }}-js-pvc + {{- if .Values.nats.jetstream.fileStorage.annotations }} + annotations: + {{- range $key, $value := .Values.nats.jetstream.fileStorage.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.nats.jetstream.fileStorage.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.nats.jetstream.fileStorage.size }} + {{- if .Values.nats.jetstream.fileStorage.storageClassName }} + storageClassName: {{ .Values.nats.jetstream.fileStorage.storageClassName | quote }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/0.10.0/templates/tests/test-request-reply.yaml b/charts/nats/nats/0.10.0/templates/tests/test-request-reply.yaml new file mode 100644 index 000000000..785ce53b2 --- /dev/null +++ b/charts/nats/nats/0.10.0/templates/tests/test-request-reply.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "nats.fullname" . }}-test-request-reply" + labels: + {{- include "nats.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: nats-box + image: synadia/nats-box + env: + - name: NATS_HOST + value: {{ template "nats.fullname" . }} + command: + - /bin/sh + - -ec + - | + nats reply -s nats://$NATS_HOST:4222 'name.>' --command "echo {{1}}" & + - | + "&&" + - | + name=$(nats request -s nats://$NATS_HOST:4222 name.test '' 2>/dev/null) + - | + "&&" + - | + [ $name = test ] + + restartPolicy: Never diff --git a/charts/nats/nats/0.10.0/values.yaml b/charts/nats/nats/0.10.0/values.yaml new file mode 100644 index 000000000..29e8218dd --- /dev/null +++ b/charts/nats/nats/0.10.0/values.yaml @@ -0,0 +1,563 @@ +############################### +# # +# NATS Server Configuration # +# # +############################### +nats: + image: nats:2.6.5-alpine + pullPolicy: IfNotPresent + + # The servers name prefix, must be used for example when we want a NATS cluster + # spanning multiple Kubernetes clusters. + serverNamePrefix: "" + + # Toggle profiling. + # This enables nats-server pprof (profiling) port, so you can see goroutines + # stacks, memory heap sizes, etc. + profiling: + enabled: false + port: 6000 + + # securityContext for the nats container + securityContext: {} + + # Toggle whether to enable external access. + # This binds a host port for clients, gateways and leafnodes. + externalAccess: false + + # Toggle to disable client advertisements (connect_urls), + # in case of running behind a load balancer (which is not recommended) + # it might be required to disable advertisements. + advertise: true + + # In case both external access and advertise are enabled + # then a service account would be required to be able to + # gather the public ip from a node. + serviceAccount: "nats-server" + + # The number of connect attempts against discovered routes. + connectRetries: 120 + + # selector matchLabels for the server and service. + # If left empty defaults are used. + # This is helpful if you are updating from Chart version <=7.4 + selectorLabels: {} + + resources: {} + + # Server settings. + limits: + maxConnections: + maxSubscriptions: + maxControlLine: + maxPayload: + + writeDeadline: + maxPending: + maxPings: + + # How many seconds should pass before sending a PING + # to a client that has no activity. + pingInterval: + + # NOTE: this should be at least the same as 'terminationGracePeriodSeconds' + lameDuckDuration: "120s" + + # Default lame duck duration in the server is 2 minutes. + terminationGracePeriodSeconds: 120 + + logging: + debug: + trace: + logtime: + connectErrorReports: + reconnectErrorReports: + + # customConfigSecret can be used to use an custom secret for the config + # of the NATS Server. + # NOTE: For this to work the name of the configuration has to be + # called `nats.conf`. + # + # e.g. kubectl create secret generic custom-nats-conf --from-file nats.conf + # + # customConfigSecret: + # name: + + jetstream: + enabled: false + + # Jetstream Domain + domain: + + ########################## + # # + # Jetstream Encryption # + # # + ########################## + encryption: + # Use key if you want to provide the key via Helm Values + # key: random_key + + # Use a secret reference if you want to get a key from a secret + # secret: + # name: "nats-jetstream-encryption" + # key: "key" + + ############################# + # # + # Jetstream Memory Storage # + # # + ############################# + memStorage: + enabled: true + size: 1Gi + + ############################ + # # + # Jetstream File Storage # + # # + ############################ + fileStorage: + enabled: false + storageDirectory: /data + + # Set for use with existing PVC + # existingClaim: jetstream-pvc + # claimStorageSize: 1Gi + + # Use below block to create new persistent volume + # only used if existingClaim is not specified + size: 1Gi + # storageClassName: "" + accessModes: + - ReadWriteOnce + annotations: + # key: "value" + + ####################### + # # + # TLS Configuration # + # # + ####################### + # + # # You can find more on how to setup and trouble shoot TLS connnections at: + # + # # https://docs.nats.io/nats-server/configuration/securing_nats/tls + # + + # tls: + # secret: + # name: nats-client-tls + # ca: "ca.crt" + # cert: "tls.crt" + # key: "tls.key" + +mqtt: + enabled: false + ackWait: 1m + maxAckPending: 100 + + ####################### + # # + # TLS Configuration # + # # + ####################### + # + # # You can find more on how to setup and trouble shoot TLS connnections at: + # + # # https://docs.nats.io/nats-server/configuration/securing_nats/tls + # + + # + # tls: + # secret: + # name: nats-mqtt-tls + # ca: "ca.crt" + # cert: "tls.crt" + # key: "tls.key" + +nameOverride: "" + +# An array of imagePullSecrets, and they have to be created manually in the same namespace +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +# Toggle whether to use setup a Pod Security Context +# ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: {} +# securityContext: +# fsGroup: 1000 +# runAsUser: 1000 +# runAsNonRoot: true + +# Affinity for pod assignment +# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +affinity: {} + +## Pod priority class name +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +priorityClassName: null + +# Service topology +# ref: https://kubernetes.io/docs/concepts/services-networking/service-topology/ +topologyKeys: [] + +# Pod Topology Spread Constraints +# ref https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] +# - maxSkew: 1 +# topologyKey: zone +# whenUnsatisfiable: DoNotSchedule + +# Annotations to add to the NATS pods +# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +# key: "value" + +# Define a Pod Disruption Budget for the stateful set +# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +podDisruptionBudget: + # minAvailable: 1 + # maxUnavailable: 1 + +# Node labels for pod assignment +# Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +# Node tolerations for server scheduling to nodes with taints +# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +# +tolerations: [] +# - key: "key" +# operator: "Equal|Exists" +# value: "value" +# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + +# Annotations to add to the NATS StatefulSet +statefulSetAnnotations: {} + +# Labels to add to the pods of the NATS StatefulSet +statefulSetPodLabels: {} + +# Annotations to add to the NATS Service +serviceAnnotations: {} + +cluster: + enabled: false + replicas: 3 + noAdvertise: false + + # Explicitly set routes for clustering. + # When JetStream is enabled, the serverName must be unique in the cluster. + extraRoutes: [] + + # authorization: + # user: foo + # password: pwd + # timeout: 0.5 + +# Leafnode connections to extend a cluster: +# +# https://docs.nats.io/nats-server/configuration/leafnodes +# +leafnodes: + enabled: false + noAdvertise: false + # remotes: + # - url: "tls://connect.ngs.global:7422" + + ####################### + # # + # TLS Configuration # + # # + ####################### + # + # # You can find more on how to setup and trouble shoot TLS connnections at: + # + # # https://docs.nats.io/nats-server/configuration/securing_nats/tls + # + + # + # tls: + # secret: + # name: nats-client-tls + # ca: "ca.crt" + # cert: "tls.crt" + # key: "tls.key" + +# Gateway connections to create a super cluster +# +# https://docs.nats.io/nats-server/configuration/gateways +# +gateway: + enabled: false + name: 'default' + # authorization: + # user: foo + # password: pwd + # timeout: 0.5 + + # You can add an implicit advertise address instead of using from Node's IP + # could also be a fqdn address + #advertise: "nats.example.com" + + ############################# + # # + # List of remote gateways # + # # + ############################# + # gateways: + # - name: other + # url: nats://my-gateway-url:7522 + + ####################### + # # + # TLS Configuration # + # # + ####################### + # + # # You can find more on how to setup and trouble shoot TLS connnections at: + # + # # https://docs.nats.io/nats-server/configuration/securing_nats/tls + # + # tls: + # secret: + # name: nats-client-tls + # ca: "ca.crt" + # cert: "tls.crt" + # key: "tls.key" + +# In case of both external access and advertisements being +# enabled, an initializer container will be used to gather +# the public ips. +bootconfig: + image: natsio/nats-boot-config:0.5.4 + pullPolicy: IfNotPresent + securityContext: {} + +# NATS Box +# +# https://github.com/nats-io/nats-box +# +natsbox: + enabled: true + image: natsio/nats-box:0.7.0 + pullPolicy: IfNotPresent + securityContext: {} + + # Labels to add to the natsbox deployment + # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + additionalLabels: {} + + # An array of imagePullSecrets, and they have to be created manually in the same namespace + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imagePullSecrets: [] + # - name: dockerhub + + # credentials: + # secret: + # name: nats-sys-creds + # key: sys.creds + + # Annotations to add to the box pods + # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: "value" + + # Labels to add to the box pods + # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: "value" + + # Affinity for nats box pod assignment + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + # Node labels for pod assignment + # Ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: {} + + # Node tolerations for server scheduling to nodes with taints + # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + # + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + +# The NATS config reloader image to use. +reloader: + enabled: true + image: natsio/nats-server-config-reloader:0.6.2 + pullPolicy: IfNotPresent + securityContext: {} + +# Prometheus NATS Exporter configuration. +exporter: + enabled: true + image: natsio/prometheus-nats-exporter:0.9.0 + pullPolicy: IfNotPresent + securityContext: {} + resources: {} + # Prometheus operator ServiceMonitor support. Exporter has to be enabled + serviceMonitor: + enabled: false + ## Specify the namespace where Prometheus Operator is running + ## + # namespace: monitoring + labels: {} + annotations: {} + path: /metrics + # interval: + # scrapeTimeout: + +# Authentication setup +auth: + enabled: false + + # basic: + # noAuthUser: + # # List of users that can connect with basic auth, + # # that belong to the global account. + # users: + + # # List of accounts with users that can connect + # # using basic auth. + # accounts: + + # Reference to the Operator JWT. + # operatorjwt: + # configMap: + # name: operator-jwt + # key: KO.jwt + + # Token authentication + # token: + + # NKey authentication + # nkeys: + # users: + + # Public key of the System Account + # systemAccount: + + resolver: + # Disables the resolver by default + type: none + + ########################################## + # # + # Embedded NATS Account Server Resolver # + # # + ########################################## + # type: full + + # If the resolver type is 'full', delete when enabled will rename the jwt. + allowDelete: false + + # Interval at which a nats-server with a nats based account resolver will compare + # it's state with one random nats based account resolver in the cluster and if needed, + # exchange jwt and converge on the same set of jwt. + interval: 2m + + # Operator JWT + operator: + + # System Account Public NKEY + systemAccount: + + # resolverPreload: + # : + + # Directory in which the account JWTs will be stored. + store: + dir: "/accounts/jwt" + + # Size of the account JWT storage. + size: 1Gi + + ############################## + # # + # Memory resolver settings # + # # + ############################## + # type: memory + # + # Use a configmap reference which will be mounted + # into the container. + # + # configMap: + # name: nats-accounts + # key: resolver.conf + + ########################## + # # + # URL resolver settings # + # # + ########################## + # type: URL + # url: "http://nats-account-server:9090/jwt/v1/accounts/" + +websocket: + enabled: false + port: 443 + noTLS: true + + sameOrigin: false + allowedOrigins: [] + +appProtocol: + enabled: false + +# Network Policy configuration +networkPolicy: + enabled: false + # Don't require client label for connections + # When set to false, only pods with the correct client label will have network access to the ports + # NATS is listening on. When true, NATS will accept connections from any source + # (with the correct destination port). + allowExternal: true + # Add extra ingress rules to the NetworkPolicy + # e.g: + # extraIngress: + # - ports: + # - port: 1234 + # from: + # - podSelector: + # - matchLabels: + # - role: frontend + # - podSelector: + # - matchExpressions: + # - key: role + # operator: In + # values: + # - frontend + extraIngress: [] + # Add extra ingress rules to the NetworkPolicy + # e.g: + # extraEgress: + # - ports: + # - port: 1234 + # to: + # - podSelector: + # - matchLabels: + # - role: frontend + # - podSelector: + # - matchExpressions: + # - key: role + # operator: In + # values: + # - frontend + extraEgress: [] + # Labels to match to allow traffic from other namespaces + ingressNSMatchLabels: {} + # Pod labels to match to allow traffic from other namespaces + ingressNSPodMatchLabels: {} + +# Cluster Domain configured on the kubelets +# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +k8sClusterDomain: cluster.local + +# Add labels to all the deployed resources +commonLabels: {} diff --git a/index.yaml b/index.yaml index 4f8159ed1..418a03d81 100755 --- a/index.yaml +++ b/index.yaml @@ -1764,6 +1764,38 @@ entries: urls: - assets/linkerd/linkerd2-2.11.0.tgz version: 2.11.0 + nats: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/release-name: nats + apiVersion: v2 + appVersion: 2.6.5 + created: "2021-12-06T08:47:22.862837-07:00" + description: A Helm chart for the NATS.io High Speed Cloud Native Distributed + Communications Technology. + digest: 9c155d7ae0795d11435fb9e398866bf48b412aaea342d186bc856bf68b10154e + home: http://github.com/nats-io/k8s + icon: https://nats.io/img/nats-icon-color.png + keywords: + - nats + - messaging + - cncf + kubeVersion: '>=1.16-0' + maintainers: + - email: wally@nats.io + name: Waldemar Quevedo + url: https://github.com/wallyqs + - email: colin@nats.io + name: Colin Sullivan + url: https://github.com/ColinSullivan1 + - email: jaime@nats.io + name: Jaime Piña + url: https://github.com/variadico + name: nats + urls: + - assets/nats/nats-0.10.0.tgz + version: 0.10.0 neuvector: - annotations: catalog.cattle.io/certified: partner