NATS Operator
Installing
Docker Image:
docker run natsio/nats-operator:0.8.3
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.8.3/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.8.3/10-deployment.yaml
Docker Image:
docker run connecteverything/nats-operator:0.7.4
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.7.4/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.7.4/10-deployment.yaml
---
apiVersion: nats.io/v1alpha2
kind: NatsCluster
metadata:
name: example-nats-cluster
spec:
size: 3
version: "2.1.7"
pod:
volumeMounts:
- name: user-credentials
mountPath: /etc/nats-creds
readOnly: true
leafnodeConfig:
remotes:
- url: nats://1.2.3.4:7422
credentials: /etc/nats-creds/user.ncreds
template:
spec:
volumes:
- name: user-credentials
secret:
secretName: user-credentials
Fixed config reloader sidecar also watches TLS certs (https://github.com/nats-io/nats-operator/pull/281)
Fixed support for using gateways when no external ip access is enabled (https://github.com/nats-io/nats-operator/pull/282)
nats:2.1.8
Docker Image:
connecteverything/nats-operator:0.7.2
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.7.2/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.7.2/10-deployment.yaml
reject_unknown
option from gatewaysDocker Image:
connecteverything/nats-operator:0.7.0
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.7.0/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.7.0/10-deployment.yaml
$ minikube start \
--extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \
--extra-config=apiserver.service-account-key-file=/var/lib/minikube/certs/sa.pub \
--extra-config=apiserver.service-account-issuer=api \
--extra-config=apiserver.service-account-api-audiences=api,spire-server \
--extra-config=apiserver.authorization-mode=Node,RBAC \
--extra-config=kubelet.authentication-token-webhook=true
$ kubectl apply -f example/nats-operator-cluster-scoped-rbac.yaml
$ kubectl apply -f example/nats-operator-cluster-scoped.yaml
$ kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-66bff467f8-7fqmb 1/1 Running 0 5m57s
kube-system coredns-66bff467f8-s9q4q 1/1 Running 0 5m57s
kube-system etcd-minikube 1/1 Running 0 5m58s
kube-system kube-apiserver-minikube 1/1 Running 0 5m58s
kube-system kube-controller-manager-minikube 1/1 Running 0 5m58s
kube-system kube-proxy-7s8w5 1/1 Running 0 5m57s
kube-system kube-scheduler-minikube 1/1 Running 0 5m58s
kube-system storage-provisioner 1/1 Running 0 5m56s
my-admin-app-ns nats-admin-user-pod 1/1 Running 0 92s
my-app-ns nats-user-pod 1/1 Running 0 92s
nats-io nats-operator-6f545874b4-hvl75 1/1 Running 0 2m52s
nats-system nats-cluster-1 2/2 Running 0 84s
nats-system nats-cluster-2 2/2 Running 0 74s
nats-system nats-cluster-3 2/2 Running 0 68s
$ kubectl exec -n my-app-ns -it nats-user-pod -- /bin/sh
$ nats-sub -s nats://nats-user:`cat /var/run/secrets/nats.io/token`@nats-cluster.nats-system foo.bar
$ nats-sub -s nats://nats-user:`cat /var/run/secrets/nats.io/token`@nats-cluster.nats-system foo.asdf
Added support to define tls ciphers
Example:
---
apiVersion: "nats.io/v1alpha2"
kind: "NatsCluster"
metadata:
name: "tls-nats"
spec:
# Number of nodes in the cluster
size: 3
tls:
# Certificates to secure the NATS client connections
serverSecret: "nats-server-tls"
# Name of the CA in serverSecret
serverSecretCAFileName: "ca.crt"
# Name of the key in serverSecret
serverSecretKeyFileName: "tls.key"
# Name of the certificate in serverSecret
serverSecretCertFileName: "tls.crt"
cipherSuites:
- TLS_...
curvePreferences:
- example...
Docker Image:
connecteverything/nats-operator:0.6.0
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.6.0/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.6.0/10-deployment.yaml
nats-server
(#194 )Docker Image:
connecteverything/nats-operator:0.5.0-v1alpha2
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.5.0/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.5.0/10-deployment.yaml
This version adds support for NATS v2 new decentralized auth features, and super clusters using gateway and leafnodes. Full example below:
---
apiVersion: "nats.io/v1alpha2"
kind: "NatsCluster"
metadata:
name: "nats-super-cluster"
spec:
size: 3
version: "edge-v2.0.0-RC12"
serverImage: "synadia/nats-server"
natsConfig:
debug: true
trace: true
tls:
# TLS timeout for client connections
clientsTLSTimeout: 5
# TLS timeout for gateway connections
gatewaysTLSTimeout: 5
# Certificates to secure the NATS client connections:
serverSecret: "nats-server-tls"
serverSecretCAFileName: "ca.crt"
serverSecretKeyFileName: "tls.key"
serverSecretCertFileName: "tls.crt"
# Certificates to secure the routes.
gatewaySecret: "nats-gateways-tls"
gatewaySecretCAFileName: "ca.crt"
gatewaySecretKeyFileName: "tls.key"
gatewaySecretCertFileName: "tls.crt"
# Certificates to secure the leafnode.
leafnodeSecret: "nats-leafnodes-tls"
leafnodeSecretCAFileName: "ca.crt"
leafnodeSecretKeyFileName: "tls.key"
leafnodeSecretCertFileName: "tls.crt"
pod:
enableClientsHostPort: true
advertiseExternalIP: true
gatewayConfig:
name: example
hostPort: 32328
gateways:
- name: example
url: nats://example.com:32328
leafnodeConfig:
hostPort: 4224
operatorConfig:
secret: operator-jwt
systemAccount: "AASYS..."
resolver: URL(https://example.com/jwt/v1/accounts/)
template:
spec:
# Required to be able to lookup public ip address from a server.
serviceAccountName: "nats-server"
Docker Image:
connecteverything/nats-operator:0.4.5-v1alpha2
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.4.5/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.4.5/10-deployment.yaml
ClientsAuthFile
for user authorization data
(https://github.com/nats-io/nats-operator/pull/159 || https://github.com/nats-io/nats-operator/pull/179)apiVersion: "nats.io/v1alpha2"
kind: "NatsCluster"
metadata:
name: nats-auth-file-example
namespace: default
spec:
size: 1
version: "1.4.1"
natsConfig:
maxPayload: 20971520
pod:
enableConfigReload: true
volumeMounts:
- name: authconfig
mountPath: /etc/nats-config/authconfig
auth:
# Needs to be under /etc/nats-config where nats looks
# for its config file, or it won't be able to be included
# by /etc/nats-config/gnatsd.conf
clientsAuthFile: "authconfig/auth.json"
template:
spec:
initContainers:
- name: secret-getter
image: "busybox"
command: ["sh", "-c", "echo 'users = [ { user: 'foo', pass: 'bar' } ]' > /etc/nats-config/authconfig/auth.json"]
volumeMounts:
- name: authconfig
mountPath: /etc/nats-config/authconfig
volumes:
- name: authconfig
emptyDir: {}
apiVersion: "nats.io/v1alpha2"
kind: "NatsCluster"
metadata:
name: "nats"
spec:
size: 3
serverImage: "nats"
version: "1.4.1"
tls:
verify: true
serverSecret: "nats-certs"
Updated default reloader sidecar version to connecteverything/nats-server-config-reloader:0.4.5-v1alpha2
Updated RBAC to use less permissions (https://github.com/nats-io/nats-operator/pull/143)
Docker Image:
connecteverything/nats-operator:0.4.4-v1alpha2
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.4.4/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.4.4/10-deployment.yaml
apiVersion: "nats.io/v1alpha2"
kind: "NatsCluster"
metadata:
name: "nats"
spec:
size: 3
tls:
serverSecret: "nats-clients-tls"
routesSecret: "nats-routes-tls"
clientsTLSTimeout: 5
routesTLSTimeout: 5
Reversed order of CRD init operations (https://github.com/nats-io/nats-operator/pull/155)
Updated metrics prometheus-nats-exporter to version 0.2.0, add channelz and serverz to the arguments of the metrics container (#151)
Docker Image: connecteverything/nats-operator:0.4.3-v1alpha2
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.4.3/00-prereqs.yaml
kubectl apply -f https://github.com/nats-io/nats-operator/releases/download/v0.4.3/10-deployment.yaml
---
apiVersion: "nats.io/v1alpha2"
kind: "NatsCluster"
metadata:
name: "nats-custom"
spec:
size: 3
version: "1.4.1"
natsConfig:
debug: true
trace: true
# Duration within quotes
writeDeadline: "5s"
# In bytes, in this case 5MB
maxPayload: 5242880
maxConnections: 10
maxSubscriptions: 10
maxPending: 1024 # In bytes
disableLogtime: true
maxControlLine: 2048
pod:
# NOTE: Only supported in Kubernetes v1.12+.
enableConfigReload: true
# Defaults but can be customized to be a different image
reloaderImage: "connecteverything/nats-server-config-reloader"
reloaderImageTag: "0.2.2-v1alpha2"
reloaderImagePullPolicy: "IfNotPresent"