diff --git a/helm/charts/index.yaml b/helm/charts/index.yaml
index 1dfcec06..99be1702 100644
--- a/helm/charts/index.yaml
+++ b/helm/charts/index.yaml
@@ -1,6 +1,27 @@
 apiVersion: v1
 entries:
 nats:
+ - apiVersion: v2
+ appVersion: 2.1.6
+ created: "2020-04-03T08:25:32.302616-07:00"
+ description: A Helm chart for the NATS.io High Speed Cloud Native Distributed
+ Communications Technology.
+ digest: 633b48eb980b00659579739ff6b32c7576c7ecc339533b92d70a062ea4c85961
+ home: http://github.com/nats-io/k8s
+ icon: https://nats.io/img/logo.png
+ keywords:
+ - nats
+ - messaging
+ - cncf
+ maintainers:
+ - email: wally@nats.io
+ name: Waldemar Quevedo
+ - email: colin@nats.io
+ name: Colin Sullivan
+ name: nats
+ urls:
+ - https://github.com/nats-io/k8s/releases/download/v0.3.2/nats-0.3.2.tgz
+ version: 0.3.2
 - apiVersion: v2
 appVersion: 2.1.6
 created: "2020-04-02T21:20:08.662671-07:00"
@@ -63,6 +84,31 @@ entries:
 - https://github.com/nats-io/k8s/releases/download/v0.2.0/nats-0.2.0.tgz
 version: 0.2.0
 stan:
+ - apiVersion: v2
+ appVersion: 0.17.0
+ created: "2020-04-03T08:25:32.310714-07:00"
+ description: A Helm chart for NATS Streaming
+ digest: 341236096cbef84987ce68373d27a3ec020fa5d4c5d5e3883dd40a65c30c9cab
+ icon: https://nats.io/img/logo.png
+ keywords:
+ - nats
+ - streaming
+ - stan
+ - delivery
+ - ratelimit
+ - replay
+ - statefulset
+ - cncf
+ maintainers:
+ - email: wally@nats.io
+ name: Waldemar Quevedo
+ - email: colin@nats.io
+ name: Colin Sullivan
+ - name: rchenzheng
+ name: stan
+ urls:
+ - https://github.com/nats-io/k8s/releases/download/v0.3.2/stan-0.3.2.tgz
+ version: 0.3.2
 - apiVersion: v2
 appVersion: 0.17.0
 created: "2020-04-02T21:22:25.946345-07:00"
@@ -137,6 +183,28 @@ entries:
 - https://github.com/nats-io/k8s/releases/download/v0.2.0/stan-0.2.0.tgz
 version: 0.2.0
 nats-account-server:
+ - apiVersion: v2
+ appVersion: 0.8.6
+ created: "2020-04-03T08:25:32.304898-07:00"
+ description: A Helm chart for the NATS.io JWT Account Server
+ digest: cc47d5cdca9247d7d13c1a8fc239b630b62b7015c2255ef46797953bd67170e6
+ home: http://github.com/nats-io/k8s
+ icon: https://nats.io/img/logo.png
+ keywords:
+ - nats
+ - messaging
+ - cncf
+ - jwt
+ - auth
+ maintainers:
+ - email: wally@nats.io
+ name: Waldemar Quevedo
+ - email: colin@nats.io
+ name: Colin Sullivan
+ name: nats-account-server
+ urls:
+ - https://github.com/nats-io/k8s/releases/download/v0.3.2/nats-account-server-0.3.2.tgz
+ version: 0.3.2
 - apiVersion: v2
 appVersion: 0.8.6
 created: "2020-04-02T21:57:47.563808-07:00"
diff --git a/helm/charts/nats-account-server/Chart.yaml b/helm/charts/nats-account-server/Chart.yaml
index 2d824633..b37a6305 100644
--- a/helm/charts/nats-account-server/Chart.yaml
+++ b/helm/charts/nats-account-server/Chart.yaml
@@ -8,7 +8,7 @@ keywords:
 - cncf
 - jwt
 - auth
-version: 0.3.0
+version: 0.3.2
 home: http://github.com/nats-io/k8s
 maintainers:
 - name: Waldemar Quevedo
diff --git a/helm/charts/nats/Chart.yaml b/helm/charts/nats/Chart.yaml
index e5fd3c3a..b10ae855 100644
--- a/helm/charts/nats/Chart.yaml
+++ b/helm/charts/nats/Chart.yaml
@@ -6,7 +6,7 @@ keywords:
 - nats
 - messaging
 - cncf
-version: 0.3.0
+version: 0.3.2
 home: http://github.com/nats-io/k8s
 maintainers:
 - name: Waldemar Quevedo
diff --git a/helm/charts/nats/templates/configmap.yaml b/helm/charts/nats/templates/configmap.yaml
index 2d93ac18..46554740 100644
--- a/helm/charts/nats/templates/configmap.yaml
+++ b/helm/charts/nats/templates/configmap.yaml
@@ -19,6 +19,50 @@ data:
 http: 8222
 server_name: $POD_NAME
+ {{- if .Values.nats.tls }}
+ #####################
+ # #
+ # TLS Configuration #
+ # #
+ #####################
+ {{- with .Values.nats.tls }}
+ {{ $secretName := .secret.name }}
+ tls {
+ {{- with .cert }}
+ cert_file: /etc/nats-certs/clients/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .key }}
+ key_file: /etc/nats-certs/clients/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .ca }}
+ ca_file: /etc/nats-certs/clients/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .insecure }}
+ insecure: {{ . }}
+ {{- end }}
+
+ {{- with .verify }}
+ verify: {{ . }}
+ {{- end }}
+
+ {{- with .verifyAndMap }}
+ verify_and_map: {{ . }}
+ {{- end }}
+
+ {{- with .curvePreferences }}
+ curve_preferences: {{ . }}
+ {{- end }}
+
+ {{- with .timeout }}
+ timeout: {{ . }}
+ {{- end }}
+ }
+ {{- end }}
+ {{- end }}
+
 {{ if .Values.cluster.enabled }}
 ###################################
 # #
@@ -28,6 +72,43 @@ data:
 cluster {
 port: 6222
+ {{- with .Values.cluster.tls }}
+ {{ $secretName := .secret.name }}
+ tls {
+ {{- with .cert }}
+ cert_file: /etc/nats-certs/cluster/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .key }}
+ key_file: /etc/nats-certs/cluster/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .ca }}
+ ca_file: /etc/nats-certs/cluster/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .insecure }}
+ insecure: {{ . }}
+ {{- end }}
+
+ {{- with .verify }}
+ verify: {{ . }}
+ {{- end }}
+
+ {{- with .verifyAndMap }}
+ verify_and_map: {{ . }}
+ {{- end }}
+
+ {{- with .curvePreferences }}
+ curve_preferences: {{ . }}
+ {{- end }}
+
+ {{- with .timeout }}
+ timeout: {{ . }}
+ {{- end }}
+ }
+ {{- end }}
+
 routes = [
 {{ template "nats.clusterRoutes" . }}
 ]
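Review bot: `insecure: {{ . }}` in the client `tls { }` block is passed straight through from values with nothing saying what it does; in nats-server this option skips certificate verification on outgoing TLS connections, so a stray `insecure: true` silently weakens every route, leaf or gateway link the block applies to, and the same applies to the three identical blocks in the cluster, leafnodes and gateway hunks that follow. I would add `# insecure: skip certificate verification on outgoing connections; leave unset in production` above it and `# verify: require and verify client certificates (mutual TLS)` above `verify`. The four blocks differ only in the `/etc/nats-certs/<dir>/` prefix, so they will drift apart; one named template taking the directory keeps them in step, as sketched below (it would live in `_helpers.tpl` and be pulled in with `{{- include "nats.tlsConfig" (dict "tls" .Values.nats.tls "dir" "clients") | nindent 4 }}` so the indentation inside the `nats.conf` block scalar survives). Because every field sits in its own `with`, a `tls:` value that sets only `ca:` renders a block without `cert_file`/`key_file`, which nats-server will presumably reject at startup; a comment in values.yaml marking `cert` and `key` as required would save that round trip.
```yaml
{{- /* Shared tls { } block; .dir is the sub-directory under /etc/nats-certs */ -}}
{{- define "nats.tlsConfig" -}}
{{- with .tls }}
{{ $secretName := .secret.name }}
tls {
  {{- with .cert }}
  cert_file: /etc/nats-certs/{{ $.dir }}/{{ $secretName }}/{{ . }}
  {{- end }}
  # … unchanged: key_file, ca_file, insecure, verify, verify_and_map, curve_preferences, timeout …
}
{{- end }}
{{- end }}
```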
@@ -52,7 +133,44 @@ data:
 {{ if and .Values.nats.advertise .Values.nats.externalAccess }}
 include "advertise/gateway_advertise.conf"
 {{ end }}
-
+
+ {{- with .Values.leafnodes.tls }}
+ {{ $secretName := .secret.name }}
+ tls {
+ {{- with .cert }}
+ cert_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .key }}
+ key_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .ca }}
+ ca_file: /etc/nats-certs/leafnodes/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .insecure }}
+ insecure: {{ . }}
+ {{- end }}
+
+ {{- with .verify }}
+ verify: {{ . }}
+ {{- end }}
+
+ {{- with .verifyAndMap }}
+ verify_and_map: {{ . }}
+ {{- end }}
+
+ {{- with .curvePreferences }}
+ curve_preferences: {{ . }}
+ {{- end }}
+
+ {{- with .timeout }}
+ timeout: {{ . }}
+ {{- end }}
+ }
+ {{- end }}
+
 remotes: [
 {{- range .Values.leafnodes.remotes }}
 {
@@ -83,6 +201,43 @@ data:
 include "advertise/gateway_advertise.conf"
 {{ end }}
+ {{- with .Values.gateway.tls }}
+ {{ $secretName := .secret.name }}
+ tls {
+ {{- with .cert }}
+ cert_file: /etc/nats-certs/gateways/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .key }}
+ key_file: /etc/nats-certs/gateways/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .ca }}
+ ca_file: /etc/nats-certs/gateways/{{ $secretName }}/{{ . }}
+ {{- end }}
+
+ {{- with .insecure }}
+ insecure: {{ . }}
+ {{- end }}
+
+ {{- with .verify }}
+ verify: {{ . }}
+ {{- end }}
+
+ {{- with .verifyAndMap }}
+ verify_and_map: {{ . }}
+ {{- end }}
+
+ {{- with .curvePreferences }}
+ curve_preferences: {{ . }}
+ {{- end }}
+
+ {{- with .timeout }}
+ timeout: {{ . }}
+ {{- end }}
+ }
+ {{- end }}
+
 # Gateways array here
 gateways: [
 {{- range .Values.gateway.gateways }}
diff --git a/helm/charts/nats/templates/nats-box.yaml b/helm/charts/nats/templates/nats-box.yaml
index 09ac9306..a2f63a13 100644
--- a/helm/charts/nats/templates/nats-box.yaml
+++ b/helm/charts/nats/templates/nats-box.yaml
@@ -14,6 +14,12 @@ spec:
 secret:
 secretName: {{ .Values.natsbox.credentials.secret.name }}
 {{- end }}
+ {{- with .Values.nats.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-clients-volume
+ secret:
+ secretName: {{ $secretName }}
+ {{- end }}
 containers:
 - name: nats-box
@@ -28,6 +34,16 @@ spec:
 - name: USER2_CREDS
 value: /etc/nats-config/creds/{{ .Values.natsbox.credentials.secret.key }}
 {{- end }}
+ {{- with .Values.nats.tls }}
+ {{ $secretName := .secret.name }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - cp /etc/nats-certs/clients/{{ $secretName }}/* /usr/local/share/ca-certificates && update-ca-certificates
+ {{- end }}
 command:
 - "tail"
 - "-f"
@@ -37,4 +53,14 @@ spec:
 - name: nats-sys-creds
 mountPath: /etc/nats-config/creds
 {{- end }}
+ #######################
+ # #
+ # TLS Volumes Mounts #
+ # #
+ #######################
+ {{- with .Values.nats.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-clients-volume
+ mountPath: /etc/nats-certs/clients/{{ $secretName }}
+ {{- end }}
 {{- end }}
diff --git a/helm/charts/nats/templates/statefulset.yaml b/helm/charts/nats/templates/statefulset.yaml
index ea88de88..41f02dd9 100644
--- a/helm/charts/nats/templates/statefulset.yaml
+++ b/helm/charts/nats/templates/statefulset.yaml
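Review bot: `- name: {{ $secretName }}-clients-volume` builds a volume name out of the Secret name, but a volume name must be a DNS-1123 label (lowercase alphanumerics and `-`, at most 63 characters) whereas a Secret name may contain dots, so a secret called `nats.client.tls` (constructed example) renders a Pod the API server rejects, and a long name overflows once the `-leafnodes-volume` style suffix is appended; the same pattern is repeated in both statefulset.yaml hunks. A chart-owned fixed name avoids the coupling entirely, e.g. `- name: nats-clients-tls` here and in the matching `volumeMounts` entry in the third hunk, or at least sanitize with `{{ $secretName | replace "." "-" }}`. A comment such as `# volume name is derived from the secret name; it must remain a valid DNS label` would at least document the constraint if the derivation is kept.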
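Review bot: The postStart command `cp /etc/nats-certs/clients/{{ $secretName }}/* /usr/local/share/ca-certificates && update-ca-certificates` copies every file in the secret, including the private key named by `key:` and the leaf certificate named by `cert:`, into the system trust directory, whereas only the CA belongs there as a trust anchor and the key has no reason to leave its mount. Narrow it to the CA entry, `- cp /etc/nats-certs/clients/{{ $secretName }}/{{ .ca }} /usr/local/share/ca-certificates/{{ $secretName }}-ca.crt && update-ca-certificates`, which also gives the file the `.crt` suffix that update-ca-certificates requires to pick it up (the `ca.crt` example in values.yaml happens to satisfy that, a differently named CA would not); `.ca` is in scope inside the surrounding `with`, and a `{{- with .ca }}` around the `lifecycle:` block would keep the hook out when no CA is configured. As far as I can tell from the hunk, a failing hook (no `update-ca-certificates` in the image, or a non-root container user) will kill the nats-box container, which is worth a one-line comment above `lifecycle:`.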
@@ -57,6 +57,36 @@ spec:
 emptyDir: {}
 {{ end }}
+ #################
+ # #
+ # TLS Volumes #
+ # #
+ #################
+ {{- with .Values.nats.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-clients-volume
+ secret:
+ secretName: {{ $secretName }}
+ {{- end }}
+ {{- with .Values.cluster.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-cluster-volume
+ secret:
+ secretName: {{ $secretName }}
+ {{- end }}
+ {{- with .Values.leafnodes.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-leafnodes-volume
+ secret:
+ secretName: {{ $secretName }}
+ {{- end }}
+ {{- with .Values.gateway.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-gateways-volume
+ secret:
+ secretName: {{ $secretName }}
+ {{- end }}
+
 {{- if .Values.leafnodes.enabled }}
 #
 # Leafnode credential volumes
@@ -179,6 +209,32 @@ spec:
 mountPath: /etc/nats-config/operator
 {{- end }}
+ #######################
+ # #
+ # TLS Volumes Mounts #
+ # #
+ #######################
+ {{- with .Values.nats.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-clients-volume
+ mountPath: /etc/nats-certs/clients/{{ $secretName }}
+ {{- end }}
+ {{- with .Values.cluster.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-cluster-volume
+ mountPath: /etc/nats-certs/cluster/{{ $secretName }}
+ {{- end }}
+ {{- with .Values.leafnodes.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-leafnodes-volume
+ mountPath: /etc/nats-certs/leafnodes/{{ $secretName }}
+ {{- end }}
+ {{- with .Values.gateway.tls }}
+ {{ $secretName := .secret.name }}
+ - name: {{ $secretName }}-gateways-volume
+ mountPath: /etc/nats-certs/gateways/{{ $secretName }}
+ {{- end }}
+
 {{- if .Values.leafnodes.enabled }}
 #
 # Leafnode credential volumes
diff --git a/helm/charts/nats/values.yaml b/helm/charts/nats/values.yaml
index dc130828..d106889e 100644
--- a/helm/charts/nats/values.yaml
+++ b/helm/charts/nats/values.yaml
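Review bot: Each of the four `secret:` volumes in the first hunk is projected with the Kubernetes default file mode, so the private key named by `key:` is world-readable inside the container and visible to any sidecar that shares the volume; for key material I would set `defaultMode` on every one of them, e.g. `secret:` / `  secretName: {{ $secretName }}` / `  defaultMode: 0440`, paired with an `fsGroup` in the pod `securityContext` since the nats-server container may not run as root (which user it runs as is outside this hunk, so confirm before tightening to 0400). A comment above the block, `# TLS secrets hold private keys: restrict file mode to the server process`, records why the mode is there. The second hunk (mounts) needs no change for this; whether the chart's config reloader also watches these mount paths for certificate rotation is not visible here and worth a note in the chart docs.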
@@ -47,6 +47,24 @@ nats:
 connectErrorReports:
 reconnectErrorReports:
+ #######################
+ # #
+ # TLS Configuration #
+ # #
+ #######################
+ #
+ # # You can find more on how to setup and trouble shoot TLS connnections at:
+ #
+ # # https://docs.nats.io/nats-server/configuration/securing_nats/tls
+ #
+
+ # tls:
+ # secret:
+ # name: nats-client-tls
+ # ca: "ca.crt"
+ # cert: "tls.crt"
+ # key: "tls.key"
+
 # Toggle whether to use setup a Pod Security Context
 # ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 securityContext:
@@ -66,6 +84,25 @@ leafnodes:
 # remotes:
 # - url: "tls://connect.ngs.global:7422"
+ #######################
+ # #
+ # TLS Configuration #
+ # #
+ #######################
+ #
+ # # You can find more on how to setup and trouble shoot TLS connnections at:
+ #
+ # # https://docs.nats.io/nats-server/configuration/securing_nats/tls
+ #
+
+ #
+ # tls:
+ # secret:
+ # name: nats-client-tls
+ # ca: "ca.crt"
+ # cert: "tls.crt"
+ # key: "tls.key"
+
 # Gateway connections to create a super cluster
 #
 # https://docs.nats.io/nats-server/configuration/gateways
@@ -73,10 +110,32 @@ leafnodes:
 gateway:
 enabled: false
 name: 'default'
- # List of remote gateways
+
+ #############################
+ # #
+ # List of remote gateways #
+ # #
+ #############################
 # gateways:
 # - name: other
 # url: nats://my-gateway-url:7522
+
+ #######################
+ # #
+ # TLS Configuration #
+ # #
+ #######################
+ #
+ # # You can find more on how to setup and trouble shoot TLS connnections at:
+ #
+ # # https://docs.nats.io/nats-server/configuration/securing_nats/tls
+ #
+ # tls:
+ # secret:
+ # name: nats-client-tls
+ # ca: "ca.crt"
+ # cert: "tls.crt"
+ # key: "tls.key"
 # In case of both external access and advertisements being
 # enabled, an initializer container will be used to gather
diff --git a/helm/charts/stan/Chart.yaml b/helm/charts/stan/Chart.yaml
index 79fdcf2f..8a1149be 100755
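Review bot: The commented `tls:` example under `nats:` (and its copies in the `leafnodes:` and `gateway:` hunks) documents only `secret.name`, `ca`, `cert` and `key`, while the templates in configmap.yaml also read `verify`, `verifyAndMap`, `insecure`, `curvePreferences` and `timeout`, so an operator has no way to discover the setting that actually enforces client authentication; add at least `#   verify: true        # require and verify client certificates (mutual TLS)` and `#   insecure: false     # true skips certificate verification on outgoing connections; leave unset` to each example, and mark `cert`/`key` as required for a listening side. There is no example at all under `cluster:` although `.Values.cluster.tls` is consumed by configmap.yaml and statefulset.yaml in this same commit, so a fourth copy belongs there, and reusing the placeholder `nats-client-tls` for the leafnodes and gateway secrets suggests one secret serves all links, which is unlikely to be the intent. `connnections` and `trouble shoot` in the header comment should read `connections` and `troubleshoot`.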
--- a/helm/charts/stan/Chart.yaml
+++ b/helm/charts/stan/Chart.yaml
@@ -11,7 +11,7 @@ keywords:
 - replay
 - statefulset
 - cncf
-version: 0.3.0
+version: 0.3.2
 maintainers:
 - name: Waldemar Quevedo
 github: https://github.com/wallyqs