# Helm Chart

A Helm chart for deploying the nats-iam-broker application on Kubernetes.

## Installation

To install the chart with the release name `my-iam-broker`:

```sh
helm repo add jr200 https://jr200.github.io/helm-charts/
helm install my-iam-broker jr200/nats-iam-broker
```

## Kubernetes Secrets
A set of credentials (secrets) must be mounted into the nats-iam-broker pod. These credentials are:

- signing key for the MINT account
- user-creds for the MINT account's auth-callout user
- (optional) xkey for the auth-callout service to communicate with nats-server
- for each application account:
  - the public key
  - the signing key

Given a folder of secrets, the script below will create a K8s Secrets yaml in the expected format:

```sh
echo Creating kubernetes secrets...
curl -fsSL https://raw.githubusercontent.com/jr200/nats-infra/refs/heads/main/scripts/k8s-make-nats-secrets.sh \
  | bash -s -- <<secrets_folder>>
```

The generated nats-secrets.yaml can be uploaded to the nats-iam-broker target namespace.
## Configuration

The chart renders the complete application config as a single ConfigMap mounted at `/config/config.yaml`. All application settings are configured under `config:` and `server:` in `values.yaml`.
### Server Settings

| Parameter | Description | Default |
|---|---|---|
| `server.log_level` | Log level (disabled, panic, fatal, error, warn, info, debug, trace) | info |
| `server.log_format` | Log format (json, human) | json |
| `server.log_sensitive` | Enable sensitive logging for debugging | false |
| `server.metrics` | Enable Prometheus metrics endpoint | false |
| `server.metrics_port` | Port for the metrics HTTP server | 8080 |
| `server.watch` | Enable hot-reload of config files | false |
| `server.serviceMonitor.enabled` | Create a Prometheus ServiceMonitor resource | false |
| `server.serviceMonitor.interval` | Prometheus scrape interval | 30s |
| `server.serviceMonitor.labels` | Additional labels for the ServiceMonitor | {} |
### Application Config

| Parameter | Description | Default |
|---|---|---|
| `config.nats.url` | NATS server URL | nats://nats:4222 |
| `config.nats.jwt_expiry_bounds.min` | Minimum lifetime for minted NATS JWTs | 1m |
| `config.nats.jwt_expiry_bounds.max` | Maximum lifetime for minted NATS JWTs | 24h |
| `config.service.name` | Service name (required) | "" |
| `config.service.version` | Service version, semver (required) | 0.1.0 |
| `config.service.description` | Service description (required) | "" |
| `config.service.creds_file` | Path to NATS user credentials file | /secrets/user.creds |
| `config.service.account.name` | Account name (metadata) | "" |
| `config.service.account.signing_nkey` | Signing nkey (supports Go templates) | "" |
| `config.service.account.xkey_seed` | xkey seed for encrypted communication (supports Go templates) | "" |
| `config.idp` | List of IDP configurations | [] |
| `config.rbac.token_max_expiration` | Default max expiry for minted NATS JWTs | 8h |
| `config.rbac.role_binding_matching_strategy` | Role binding matching strategy | best_match |
| `config.rbac.auto_accounts_dir` | Directory to scan for auto-discovered accounts | - |
| `config.rbac.user_accounts` | List of user accounts | [] |
| `config.rbac.roles` | List of roles | [] |
| `config.rbac.role_binding` | List of role bindings | [] |
### Deployment Settings

| Parameter | Description | Default |
|---|---|---|
| `replicaCount` | Number of replicas | 1 |
| `image.repository` | Docker image repository | ghcr.io/jr200/nats-iam-broker |
| `image.pullPolicy` | Image pull policy | IfNotPresent |
| `image.tag` | Override the image tag (default: chart appVersion) | "" |
| `imagePullSecrets` | Docker registry secrets | [] |
| `nameOverride` | Override the chart name | "" |
| `fullnameOverride` | Override the full release name | "" |
| `serviceAccount.create` | Create a service account | true |
| `serviceAccount.automount` | Automount service account API credentials | true |
| `serviceAccount.annotations` | Annotations for the service account | {} |
| `serviceAccount.name` | Service account name | "" |
| `podAnnotations` | Additional pod annotations | {} |
| `podLabels` | Additional pod labels | {} |
| `podSecurityContext` | Pod security context | {} |
| `securityContext` | Container security context | {} |
| `resources` | Resource requests and limits | {} |
| `nodeSelector` | Node selector | {} |
| `tolerations` | Tolerations | [] |
| `affinity` | Affinity rules | {} |
| `envFrom` | Inject env vars from Secrets/ConfigMaps | [] |
| `env` | Additional env vars | [] |
| `volumes` | Additional volumes | [] |
| `volumeMounts` | Additional volume mounts | [] |
For a complete list of configuration options, see the values.yaml file.
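As an added example (not part of the chart or its project), a small pre-deploy lint over the values documented in the tables above, run on the values as a nested dict (e.g. `yaml.safe_load` of a `values.yaml`). The allowed log levels and required `config.service` fields come from the tables; the check that `config.rbac.token_max_expiration` sits inside `config.nats.jwt_expiry_bounds`, and the warnings on `serviceAccount.automount` and an empty `securityContext`, are this example's own hardening assumptions.

```python
import re
LOG_LEVELS = {"disabled", "panic", "fatal", "error", "warn", "info", "debug", "trace"}
_UNIT = {"h": 3600, "m": 60, "s": 1}

def parse_duration(s):
    """Parse Go-style durations such as '1m', '24h' or '1h30m' into seconds."""
    parts = re.findall(r"(\d+)([hms])", s)
    if not parts or "".join(n + u for n, u in parts) != s:
        raise ValueError(f"bad duration: {s!r}")
    return sum(int(n) * _UNIT[u] for n, u in parts)

def get(values, path, default=None):
    """Look up a dotted values.yaml path, returning the chart default if unset."""
    for key in path.split("."):
        if not isinstance(values, dict) or key not in values:
            return default
        values = values[key]
    return values

def lint_values(values):
    """Return (severity, message) findings for a values dict; empty means clean."""
    out = []
    if get(values, "server.log_level", "info") not in LOG_LEVELS:
        out.append(("error", "server.log_level is not a documented level"))
    if get(values, "server.log_sensitive", False):
        out.append(("warn", "server.log_sensitive=true is a debugging setting, not for production"))
    for key in ("name", "version", "description"):
        if not get(values, f"config.service.{key}"):
            out.append(("error", f"config.service.{key} is required"))
    lo = parse_duration(get(values, "config.nats.jwt_expiry_bounds.min", "1m"))
    hi = parse_duration(get(values, "config.nats.jwt_expiry_bounds.max", "24h"))
    tok = parse_duration(get(values, "config.rbac.token_max_expiration", "8h"))
    if not lo <= tok <= hi:  # assumption: default token expiry should sit inside the bounds
        out.append(("warn", "rbac.token_max_expiration lies outside jwt_expiry_bounds"))
    if get(values, "serviceAccount.automount", True):
        out.append(("warn", "serviceAccount.automount=true mounts an API token; disable unless needed"))
    if not get(values, "securityContext"):
        out.append(("warn", "securityContext is empty; set runAsNonRoot and readOnlyRootFilesystem"))
    return out

# Constructed sample override with two deliberate problems: sensitive logging and 48h tokens.
SAMPLE_VALUES = {
    "server": {"log_level": "info", "log_sensitive": True},
    "config": {"service": {"name": "iam-broker", "version": "0.1.0", "description": "auth callout"},
               "nats": {"jwt_expiry_bounds": {"min": "1m", "max": "24h"}},
               "rbac": {"token_max_expiration": "48h"}},
    "serviceAccount": {"automount": False},
    "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
}
```

Running `lint_values(SAMPLE_VALUES)` returns two warnings, one for `log_sensitive` and one for the out-of-bounds token expiry.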