nats chart provisoning

opencloud/charts/nats/files/config-map.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.configMap.name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+data:
+  nats.conf: |
+    {{- include "nats.formatConfig" .config | nindent 4 }}

opencloud/charts/nats/files/config/cluster.yaml

@@ -0,0 +1,32 @@
+{{- with .Values.config.cluster }}
+name: {{ $.Values.statefulSet.name }}
+port: {{ .port }}
+no_advertise: true
+routes:
+{{- $proto := ternary "tls" "nats" .tls.enabled }}
+{{- $auth := "" }}
+{{- if and .routeURLs.user .routeURLs.password }}
+  {{- $auth = printf "%s:%s@" (urlquery .routeURLs.user) (urlquery .routeURLs.password) -}}
+{{- end }}
+{{- $domain := $.Values.headlessService.name  }}
+{{- if .routeURLs.useFQDN }}
+  {{- $domain = printf "%s.%s.svc.%s" $domain (include "nats.namespace" $) .routeURLs.k8sClusterDomain }}
+{{- end }}
+{{- $port := (int .port) }}
+{{- range $i, $_ := until (int .replicas) }}
+- {{ printf "%s://%s%s-%d.%s:%d" $proto $auth $.Values.statefulSet.name $i $domain $port }}
+{{- end }}
+
+{{- if and .routeURLs.user .routeURLs.password }}
+authorization:
+  user: {{ .routeURLs.user | quote }}
+  password: {{ .routeURLs.password | quote }}
+{{- end }}
+
+{{- with .tls }}
+{{- if .enabled }}
+tls:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/config/config.yaml

@@ -0,0 +1,114 @@
+{{- with .Values.config }}
+
+server_name: << $SERVER_NAME >>
+lame_duck_grace_period: 10s
+lame_duck_duration: 30s
+pid_file: /var/run/nats/nats.pid
+
+########################################
+# NATS
+########################################
+{{- with .nats }}
+port: {{ .port }}
+
+{{- with .tls }}
+{{- if .enabled }}
+tls:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+########################################
+# leafnodes
+########################################
+{{- with .leafnodes }}
+{{- if .enabled }}
+leafnodes:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/leafnodes.yaml" "ctx" $) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+
+########################################
+# websocket
+########################################
+{{- with .websocket }}
+{{- if .enabled }}
+websocket:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/websocket.yaml" "ctx" $) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+
+########################################
+# MQTT
+########################################
+{{- with .mqtt }}
+{{- if .enabled }}
+mqtt:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/mqtt.yaml" "ctx" $) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+
+########################################
+# cluster
+########################################
+{{- with .cluster }}
+{{- if .enabled }}
+cluster:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/cluster.yaml" "ctx" $) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+
+########################################
+# gateway
+########################################
+{{- with .gateway }}
+{{- if .enabled }}
+gateway:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/gateway.yaml" "ctx" $) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+
+########################################
+# monitor
+########################################
+{{- with .monitor }}
+{{- if .enabled }}
+{{- if .tls.enabled }}
+https_port: {{ .port }}
+{{- else }}
+http_port: {{ .port }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+########################################
+# profiling
+########################################
+{{- with .profiling }}
+{{- if .enabled }}
+prof_port: {{ .port }}
+{{- end }}
+{{- end }}
+
+########################################
+# jetstream
+########################################
+{{- with $.Values.config.jetstream -}}
+{{- if .enabled }}
+jetstream:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/jetstream.yaml" "ctx" $) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+
+########################################
+# resolver
+########################################
+{{- with $.Values.config.resolver -}}
+{{- if .enabled }}
+resolver:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/resolver.yaml" "ctx" $) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- end }}

opencloud/charts/nats/files/config/gateway.yaml

@@ -0,0 +1,11 @@
+{{- with .Values.config.gateway }}
+name: {{ $.Values.statefulSet.name }}
+port: {{ .port }}
+
+{{- with .tls }}
+{{- if .enabled }}
+tls:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/config/jetstream.yaml

@@ -0,0 +1,23 @@
+{{- with .Values.config.jetstream }}
+{{- with .memoryStore }}
+{{- if .enabled }}
+{{- with .maxSize }}
+max_memory_store: << {{ . }} >>
+{{- end }}
+{{- else }}
+max_memory_store: 0
+{{- end }}
+{{- end }}
+{{- with .fileStore }}
+{{- if .enabled }}
+store_dir: {{ .dir }}
+{{- if .maxSize }}
+max_file_store: << {{ .maxSize }} >>
+{{- else if .pvc.enabled }}
+max_file_store: << {{ .pvc.size }} >>
+{{- end }}
+{{- else }}
+max_file_store: 0
+{{- end }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/config/leafnodes.yaml

@@ -0,0 +1,11 @@
+{{- with .Values.config.leafnodes }}
+port: {{ .port }}
+no_advertise: true
+
+{{- with .tls }}
+{{- if .enabled }}
+tls:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/config/mqtt.yaml

@@ -0,0 +1,10 @@
+{{- with .Values.config.mqtt }}
+port: {{ .port }}
+
+{{- with .tls }}
+{{- if .enabled }}
+tls:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/config/protocol.yaml

@@ -0,0 +1,10 @@
+{{- with .protocol }}
+port: {{ .port }}
+
+{{- with .tls }}
+{{- if .enabled }}
+tls:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/config/resolver.yaml

@@ -0,0 +1,3 @@
+{{- with .Values.config.resolver }}
+dir: {{ .dir }}
+{{- end }}

opencloud/charts/nats/files/config/tls.yaml

@@ -0,0 +1,16 @@
+# tls
+{{- with .tls }}
+{{- if .secretName }}
+{{- $dir := trimSuffix "/" .dir }}
+cert_file: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }}
+key_file: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }}
+{{- end }}
+{{- end }}
+
+# tlsCA
+{{- with $.Values.tlsCA }}
+{{- if and .enabled (or .configMapName .secretName) }}
+{{- $dir := trimSuffix "/" .dir }}
+ca_file: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/config/websocket.yaml

@@ -0,0 +1,12 @@
+{{- with .Values.config.websocket }}
+port: {{ .port }}
+
+{{- if .tls.enabled }}
+{{- with .tls }}
+tls:
+  {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- else }}
+no_tls: true
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/headless-service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.headlessService.name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+spec:
+  selector:
+    {{- include "nats.selectorLabels" $ | nindent 4 }}
+  clusterIP: None
+  publishNotReadyAddresses: true
+  ports:
+  {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }}
+  {{- $configProtocol := get $.Values.config $protocol }}
+  {{- if or (eq $protocol "nats") $configProtocol.enabled }}
+  {{- $tlsEnabled := false }}
+  {{- if hasKey $configProtocol "tls" }}
+    {{- $tlsEnabled = $configProtocol.tls.enabled }}
+  {{- end }}
+  {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }}
+  - {{ dict "name" $protocol "port" $configProtocol.port "targetPort" $protocol "appProtocol" $appProtocol | toYaml | nindent 4 }}
+  {{- end }}
+  {{- end }}

opencloud/charts/nats/files/ingress.yaml

@@ -0,0 +1,34 @@
+{{- with .Values.config.websocket.ingress }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+spec:
+  {{- with .className }}
+  ingressClassName: {{ . | quote }}
+  {{- end }}
+  rules:
+  {{- $path := .path }}
+  {{- $pathType := .pathType }}
+  {{- range .hosts }}
+  - host: {{ . | quote }}
+    http:
+      paths:
+      - path: {{ $path | quote }}
+        pathType: {{ $pathType | quote }}
+        backend:
+          service:
+            name: {{ $.Values.service.name }}
+            port:
+              name: websocket
+  {{- end }}
+  {{- if .tlsSecretName }}
+  tls:
+  - secretName: {{ .tlsSecretName | quote }}
+    hosts:
+    {{- toYaml .hosts | nindent 4 }}
+  {{- end }}
+{{- end }}

opencloud/charts/nats/files/nats-box/contents-secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.natsBox.contentsSecret.name }}
+  labels:
+    {{- include "natsBox.labels" $ | nindent 4 }}
+type: Opaque
+stringData:
+  {{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }}
+  {{- range $secretKey, $secretVal := dict "creds" "creds" "nkey" "nk" }}
+  {{- $secret := get $ctxVal $secretKey }}
+  {{- if and $secret $secret.contents }}
+  "{{ $ctxKey }}.{{ $secretVal }}": {{ $secret.contents | quote }}
+  {{- end }}
+  {{- end }}
+  {{- end }}

opencloud/charts/nats/files/nats-box/contexts-secret/context.yaml

@@ -0,0 +1,51 @@
+{{- $contextName := .contextName }}
+
+# url
+{{- if .Values.service.enabled }}
+url: nats://{{ .Values.service.name }}
+{{- else }}
+url: nats://{{ .Values.headlessService.name }}
+{{- end }}
+
+{{- with .context }}
+
+# creds
+{{- with .creds}}
+{{- if .contents }}
+creds: /etc/nats-contents/{{ $contextName }}.creds
+{{- else if .secretName }}
+{{- $dir := trimSuffix "/" .dir }}
+creds: {{ printf "%s/%s" $dir (.key | default "nats.creds") | quote }}
+{{- end }}
+{{- end }}
+
+# nkey
+{{- with .nkey}}
+{{- if .contents }}
+nkey: /etc/nats-contents/{{ $contextName }}.nk
+{{- else if .secretName }}
+{{- $dir := trimSuffix "/" .dir }}
+nkey: {{ printf "%s/%s" $dir (.key | default "nats.nk") | quote }}
+{{- end }}
+{{- end }}
+
+# tls
+{{- with .tls }}
+{{- if .secretName }}
+{{- $dir := trimSuffix "/" .dir }}
+cert: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }}
+key: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }}
+{{- end }}
+{{- end }}
+
+# tlsCA
+{{- if $.Values.config.nats.tls.enabled }}
+{{- with $.Values.tlsCA }}
+{{- if and .enabled (or .configMapName .secretName) }}
+{{- $dir := trimSuffix "/" .dir }}
+ca: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- end }}

opencloud/charts/nats/files/nats-box/contexts-secret/contexts-secret.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.natsBox.contextsSecret.name }}
+  labels:
+    {{- include "natsBox.labels" $ | nindent 4 }}
+type: Opaque
+stringData:
+{{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }}
+  "{{ $ctxKey }}.json": |
+    {{- include "toPrettyRawJson" (include "nats.loadMergePatch" (dict "file" "nats-box/contexts-secret/context.yaml" "merge" (.merge | default dict) "patch" (.patch | default list) "ctx" (merge (dict "contextName" $ctxKey "context" $ctxVal) $)) | fromYaml) | nindent 4 }}
+{{- end }}

opencloud/charts/nats/files/nats-box/deployment/container.yaml

@@ -0,0 +1,46 @@
+name: nats-box
+{{ include "nats.image" (merge (pick $.Values "global") .Values.natsBox.container.image) }}
+
+{{- with .Values.natsBox.container.env }}
+env:
+{{- include "nats.env" . }}
+{{- end }}
+
+command:
+- sh
+- -ec
+- |
+  work_dir="$(pwd)"
+  mkdir -p "$XDG_CONFIG_HOME/nats"
+  cd "$XDG_CONFIG_HOME/nats"
+  if ! [ -s context ]; then
+    ln -s /etc/nats-contexts context
+  fi
+  {{- if .Values.natsBox.defaultContextName }}
+  if ! [ -f context.txt ]; then
+    echo -n {{ .Values.natsBox.defaultContextName | quote }} > context.txt
+  fi
+  {{- end }}
+  cd "$work_dir"
+  exec /entrypoint.sh "$@"
+- --
+args:
+- sh
+- -ec
+- trap true INT TERM; sleep infinity & wait
+volumeMounts:
+# contexts secret
+- name: contexts
+  mountPath: /etc/nats-contexts
+# contents secret
+{{- if .hasContentsSecret }}
+- name: contents
+  mountPath: /etc/nats-contents
+{{- end }}
+# tlsCA
+{{- include "nats.tlsCAVolumeMount" $ }}
+# secrets
+{{- range (include "natsBox.secretNames" $ | fromJson).secretNames }}
+- name: {{ .name | quote }}
+  mountPath: {{ .dir | quote }}
+{{- end }}

opencloud/charts/nats/files/nats-box/deployment/deployment.yaml

@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.natsBox.deployment.name }}
+  labels:
+    {{- include "natsBox.labels" $ | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "natsBox.selectorLabels" $ | nindent 6 }}
+  replicas: 1
+  template:
+    {{- with .Values.natsBox.podTemplate }}
+    {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/pod-template.yaml" "ctx" $) .) | nindent 4 }}
+    {{- end }}

opencloud/charts/nats/files/nats-box/deployment/pod-template.yaml

@@ -0,0 +1,44 @@
+metadata:
+  labels:
+    {{- include "natsBox.labels" $ | nindent 4 }}
+spec:
+  containers:
+  {{- with .Values.natsBox.container }}
+  - {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/container.yaml" "ctx" $) .) | nindent 4 }}
+  {{- end }}
+
+  # service discovery uses DNS; don't need service env vars
+  enableServiceLinks: false
+  
+  {{- with .Values.global.image.pullSecretNames }}
+  imagePullSecrets:
+  {{- range . }}
+  - name: {{ . | quote }}
+  {{- end }}
+  {{- end }}
+
+  {{- with .Values.natsBox.serviceAccount }}
+  {{- if .enabled }}
+  serviceAccountName: {{ .name | quote }}
+  {{- end }}
+  {{- end }}
+
+  volumes:
+  # contexts secret
+  - name: contexts
+    secret:
+      secretName: {{ .Values.natsBox.contextsSecret.name }}
+  # contents secret
+  {{- if .hasContentsSecret }}
+  - name: contents
+    secret:
+      secretName: {{ .Values.natsBox.contentsSecret.name }}
+  {{- end }}
+  # tlsCA
+  {{- include "nats.tlsCAVolume" $ | nindent 2 }}
+  # secrets
+  {{- range (include "natsBox.secretNames" $ | fromJson).secretNames }}
+  - name: {{ .name | quote }}
+    secret:
+      secretName: {{ .secretName | quote }}
+  {{- end }}

opencloud/charts/nats/files/nats-box/service-account.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.natsBox.serviceAccount.name }}
+  labels:
+    {{- include "natsBox.labels" $ | nindent 4 }}

opencloud/charts/nats/files/pod-disruption-budget.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.podDisruptionBudget.name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      {{- include "nats.selectorLabels" $ | nindent 6 }}

opencloud/charts/nats/files/pod-monitor.yaml

@@ -0,0 +1,13 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.promExporter.podMonitor.name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "nats.selectorLabels" $ | nindent 6 }}
+  podMetricsEndpoints:
+  - port: prom-metrics

opencloud/charts/nats/files/service-account.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.serviceAccount.name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}

opencloud/charts/nats/files/service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.service.name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+spec:
+  selector:
+    {{- include "nats.selectorLabels" $ | nindent 4 }}
+  ports:
+  {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }}
+  {{- $configProtocol := get $.Values.config $protocol }}
+  {{- $servicePort := get $.Values.service.ports $protocol }}
+  {{- if and (or (eq $protocol "nats") $configProtocol.enabled) $servicePort.enabled }}
+  {{- $tlsEnabled := false }}
+  {{- if hasKey $configProtocol "tls" }}
+    {{- $tlsEnabled = $configProtocol.tls.enabled }}
+  {{- end }}
+  {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }}
+  - {{ merge (dict "name" $protocol "targetPort" $protocol "appProtocol" $appProtocol) (omit $servicePort "enabled") (dict "port" $configProtocol.port) | toYaml | nindent 4 }}
+  {{- end }}
+  {{- end }}

opencloud/charts/nats/files/stateful-set/jetstream-pvc.yaml

@@ -0,0 +1,13 @@
+{{- with .Values.config.jetstream.fileStore.pvc }}
+metadata:
+  name: {{ .name }}
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .size | quote }}
+  {{- with .storageClassName }}
+  storageClassName: {{ . | quote }}
+  {{- end }}
+{{- end }}

opencloud/charts/nats/files/stateful-set/nats-container.yaml

@@ -0,0 +1,106 @@
+name: nats
+{{ include "nats.image" (merge (pick $.Values "global") .Values.container.image) }}
+
+ports:
+{{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }}
+{{- $configProtocol := get $.Values.config $protocol }}
+{{- $containerPort := get $.Values.container.ports $protocol }}
+{{- if or (eq $protocol "nats") $configProtocol.enabled }}
+- {{ merge (dict "name" $protocol "containerPort" $configProtocol.port) $containerPort | toYaml | nindent 2 }}
+{{- end }}
+{{- end }}
+
+args:
+- --config
+- /etc/nats-config/nats.conf
+
+env:
+- name: POD_NAME
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+- name: SERVER_NAME
+  value: {{ printf "%s$(POD_NAME)" .Values.config.serverNamePrefix | quote }}
+{{- with .Values.container.env }}
+{{- include "nats.env" . }}
+{{- end }}
+
+lifecycle:
+  preStop:
+    exec:
+      # send the lame duck shutdown signal to trigger a graceful shutdown
+      command:
+      - nats-server
+      - -sl=ldm=/var/run/nats/nats.pid
+
+{{- with .Values.config.monitor }}
+{{- if .enabled }}
+startupProbe:
+  httpGet:
+    path: /healthz
+    port: monitor
+    {{- if .tls.enabled }}
+    scheme: HTTPS
+    {{- end}}
+  initialDelaySeconds: 10
+  timeoutSeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  failureThreshold: 90
+readinessProbe:
+  httpGet:
+    path: /healthz?js-server-only=true
+    port: monitor
+    {{- if .tls.enabled }}
+    scheme: HTTPS
+    {{- end}}
+  initialDelaySeconds: 10
+  timeoutSeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+  failureThreshold: 3
+livenessProbe:
+  httpGet:
+    path: /healthz?js-enabled-only=true
+    port: monitor
+    {{- if .tls.enabled }}
+    scheme: HTTPS
+    {{- end}}
+  initialDelaySeconds: 10
+  timeoutSeconds: 5
+  periodSeconds: 30
+  successThreshold: 1
+  failureThreshold: 3
+{{- end }}
+{{- end }}
+
+volumeMounts:
+# nats config
+- name: config
+  mountPath: /etc/nats-config
+# PID volume
+- name: pid
+  mountPath: /var/run/nats
+# JetStream PVC
+{{- with .Values.config.jetstream }}
+{{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }}
+{{- with .fileStore }}
+- name: {{ .pvc.name }}
+  mountPath: {{ .dir | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+# resolver PVC
+{{- with .Values.config.resolver }}
+{{- if and .enabled .pvc.enabled }}
+- name: {{ .pvc.name }}
+  mountPath: {{ .dir | quote }}
+{{- end }}
+{{- end }}
+# tlsCA
+{{- include "nats.tlsCAVolumeMount" $ }}
+# secrets
+{{- range (include "nats.secretNames" $ | fromJson).secretNames }}
+- name: {{ .name | quote }}
+  mountPath: {{ .dir | quote }}
+{{- end }}

opencloud/charts/nats/files/stateful-set/pod-template.yaml

@@ -0,0 +1,71 @@
+metadata:
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+  annotations:
+    {{- if .Values.podTemplate.configChecksumAnnotation }}
+    {{- $configMap := include "nats.loadMergePatch" (merge (dict "file" "config-map.yaml" "ctx" $) $.Values.configMap) }}
+    checksum/config: {{ sha256sum $configMap }}
+    {{- end }}
+spec:
+  containers:
+  # nats
+  {{- $nats := dict }}
+  {{- with .Values.container }}
+  {{- $nats = include "nats.loadMergePatch" (merge (dict "file" "stateful-set/nats-container.yaml" "ctx" $) .) | fromYaml }}
+  - {{ toYaml $nats | nindent 4 }}
+  {{- end }}
+  # reloader
+  {{- with .Values.reloader }}
+  {{- if .enabled }}
+  - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/reloader-container.yaml" "ctx" (merge (dict "natsVolumeMounts" $nats.volumeMounts) $)) .) | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.promExporter }}
+  {{- if .enabled }}
+  - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/prom-exporter-container.yaml" "ctx" $) .) | nindent 4 }}
+  {{- end }}
+  {{- end }}
+
+  # service discovery uses DNS; don't need service env vars
+  enableServiceLinks: false
+  
+  {{- with .Values.global.image.pullSecretNames }}
+  imagePullSecrets:
+  {{- range . }}
+  - name: {{ . | quote }}
+  {{- end }}
+  {{- end }}
+
+  {{- with .Values.serviceAccount }}
+  {{- if .enabled }}
+  serviceAccountName: {{ .name | quote }}
+  {{- end }}
+  {{- end }}
+
+  {{- if .Values.reloader.enabled }}
+  shareProcessNamespace: true
+  {{- end }}
+
+  volumes:
+  # nats config
+  - name: config
+    configMap:
+      name: {{ .Values.configMap.name }}
+  # PID volume
+  - name: pid
+    emptyDir: {}
+  # tlsCA
+  {{- include "nats.tlsCAVolume" $ | nindent 2 }}
+  # secrets
+  {{- range (include "nats.secretNames" $ | fromJson).secretNames }}
+  - name: {{ .name | quote }}
+    secret:
+      secretName: {{ .secretName | quote }}
+  {{- end }}
+
+  {{- with .Values.podTemplate.topologySpreadConstraints }}
+  topologySpreadConstraints:
+  {{- range $k, $v := . }}
+  - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }}
+  {{- end }}
+  {{- end}}

opencloud/charts/nats/files/stateful-set/prom-exporter-container.yaml

@@ -0,0 +1,30 @@
+name: prom-exporter
+{{ include "nats.image" (merge (pick $.Values "global") .Values.promExporter.image) }}
+
+ports:
+- name: prom-metrics
+  containerPort: {{ .Values.promExporter.port }}
+
+{{- with .Values.promExporter.env }}
+env:
+{{- include "nats.env" . }}
+{{- end }}
+
+args:
+- -port={{ .Values.promExporter.port }}
+- -connz
+- -routez
+- -subz
+- -varz
+- -prefix=nats
+- -use_internal_server_id
+{{- if .Values.config.jetstream.enabled }}
+- -jsz=all
+{{- end }}
+{{- if .Values.config.leafnodes.enabled }}
+- -leafz
+{{- end }}
+{{- if .Values.config.gateway.enabled }}
+- -gatewayz
+{{- end }}
+- http://localhost:{{ .Values.config.monitor.port }}/

opencloud/charts/nats/files/stateful-set/reloader-container.yaml

@@ -0,0 +1,27 @@
+name: reloader
+{{ include "nats.image" (merge (pick $.Values "global") .Values.reloader.image) }}
+
+{{- with .Values.reloader.env }}
+env:
+{{- include "nats.env" . }}
+{{- end }}
+
+args:
+- -pid
+- /var/run/nats/nats.pid
+- -config
+- /etc/nats-config/nats.conf
+{{ include "nats.reloaderConfig" (dict "config" .config "dir" "/etc/nats-config") }}
+
+volumeMounts:
+- name: pid
+  mountPath: /var/run/nats
+{{- range $mnt := .natsVolumeMounts }}
+{{- $found := false }}
+{{- range $.Values.reloader.natsVolumeMountPrefixes }}
+{{- if and (not $found) (hasPrefix . $mnt.mountPath) }}
+{{- $found = true }}
+- {{ toYaml $mnt | nindent 2}}
+{{- end }}
+{{- end }}
+{{- end }}

opencloud/charts/nats/files/stateful-set/resolver-pvc.yaml

@@ -0,0 +1,13 @@
+{{- with .Values.config.resolver.pvc }}
+metadata:
+  name: {{ .name }}
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .size | quote }}
+  {{- with .storageClassName }}
+  storageClassName: {{ . | quote }}
+  {{- end }}
+{{- end }}

opencloud/charts/nats/files/stateful-set/stateful-set.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  {{- include "nats.metadataNamespace" $ | nindent 2 }}
+  name: {{ .Values.statefulSet.name }}
+  labels:
+    {{- include "nats.labels" $ | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "nats.selectorLabels" $ | nindent 6 }}
+  {{- if .Values.config.cluster.enabled }}
+  replicas: {{ .Values.config.cluster.replicas }}
+  {{- else }}
+  replicas: 1
+  {{- end }}
+  serviceName: {{ .Values.headlessService.name }}
+  podManagementPolicy: Parallel
+  template:
+    {{- with .Values.podTemplate }}
+    {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/pod-template.yaml" "ctx" $) .) | nindent 4 }}
+    {{- end }}
+  volumeClaimTemplates:
+  {{- with .Values.config.jetstream }}
+  {{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }}
+  {{- with .fileStore.pvc }}
+  - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/jetstream-pvc.yaml" "ctx" $) .) | nindent 4 }}
+  {{- end }}
+  {{- end }}
+    {{- end }}
+  {{- with .Values.config.resolver }}
+  {{- if and .enabled .pvc.enabled }}
+  {{- with .pvc }}
+  - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/resolver-pvc.yaml" "ctx" $) .) | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  {{- end }}