Add nats-operator

packages/system/nats-operator/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-nats-operator
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/nats-operator/Makefile

@@ -0,0 +1,10 @@
+export NAME=nats-operator
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package-system.mk
+
+update:
+	rm -rf charts
+	helm repo add nats https://nats-io.github.io/k8s/helm/charts/
+	helm repo update nats
+	helm pull nats/nats-operator --untar --untardir charts

packages/system/nats-operator/charts/nats-operator/.helmignore

@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+# Chart specific files
+README.md

packages/system/nats-operator/charts/nats-operator/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+appVersion: 0.8.3
+description: NATS operator creates/configures/manages nats clusters atop Kubernetes
+home: https://github.com/nats-io/nats-operator
+icon: https://nats.io/img/nats-icon-color.png
+keywords:
+- addressing
+- discovery
+- messaging
+- nats
+- operator
+- pubsub
+maintainers:
+- email: richerlariviere@gmail.com
+  name: richerlariviere
+- email: wally@nats.io
+  name: Waldemar Quevedo
+  url: https://github.com/wallyqs
+name: nats-operator
+sources:
+- https://github.com/nats-io/nats-operator
+version: 0.8.3

packages/system/nats-operator/charts/nats-operator/config/client-auth.json

@@ -0,0 +1,25 @@
+{
+  "users": [
+    {{- if and (.Values.cluster.auth.username) (not .Values.cluster.auth.users) }}
+    {
+      "username": "{{ .Values.cluster.auth.username }}",
+      "password": "{{ .Values.cluster.auth.password }}"
+    }
+    {{- end }}
+
+    {{- if .Values.cluster.auth.users }}
+    {{ $length := len .Values.cluster.auth.users }}
+    {{- range $index, $user := .Values.cluster.auth.users }}
+    {
+      "username": "{{ $user.username }}",
+      "password": "{{ $user.password }}"
+      {{- if $user.permissions }},
+      "permissions": {{ toJson $user.permissions | replace "\\u003e" ">"}}
+      {{- end}}
+    }{{- if lt (add1 $index) $length }},{{ end }}
+    {{- end}}
+    {{- end }}
+  ]{{- if .Values.cluster.auth.defaultPermissions }},
+  "default_permissions": {{ toJson .Values.cluster.auth.defaultPermissions | replace "\\u003e" ">" }}
+  {{- end}}
+}

packages/system/nats-operator/charts/nats-operator/crds/customresourcedefinition.yaml

@@ -0,0 +1,305 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: natsclusters.nats.io
+  annotations:
+    "helm.sh/hook": "crd-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+spec:
+  group: nats.io
+  scope: Namespaced
+  names:
+    kind: NatsCluster
+    listKind: NatsClusterList
+    plural: natsclusters
+    singular: natscluster
+    shortNames:
+    - nats
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              size:
+                type: integer
+              version:
+                type: string
+              serverImage:
+                type: string
+              natsConfig:
+                type: object
+                properties:
+                  debug:
+                    type: boolean
+                  trace:
+                    type: boolean
+                  write_deadline:
+                    type: string
+                  maxConnections:
+                    type: integer
+                  maxPayload:
+                    type: integer
+                  maxPending:
+                    type: integer
+                  maxSubscriptions:
+                    type: integer
+                  maxControlLine:
+                    type: integer
+                  disableLogtime:
+                    type: boolean
+              useServerName:
+                type: boolean
+              paused:
+                type: boolean
+              pod:
+                type: object
+                properties:
+                  labels:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  annotations:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  nodeSelector:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  antiAffinity:
+                    type: boolean
+                  resources:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  tolerations:
+                    type: array
+                    items:
+                      x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  natsEnv:
+                    type: array
+                    items:
+                      x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  enableConfigReload:
+                    type: boolean
+                  reloaderImage:
+                    type: string
+                  reloaderImageTag:
+                    type: string
+                  reloaderImagePullPolicy:
+                    type: string
+                  reloaderResources:
+                    x-kubernetes-preserve-unknown-fields: true
+                    type: object
+                  enableMetrics:
+                    type: boolean
+                  metricsImage:
+                    type: string
+                  metricsImageTag:
+                    type: string
+                  metricsImagePullPolicy:
+                    type: string
+                  enableClientsHostPort:
+                    type: boolean
+                  advertiseExternalIP:
+                    type: boolean
+                  bootconfigImage:
+                    type: string
+                  bootconfigImageTag:
+                    type: string
+                  volumeMounts:
+                    type: array
+                    items:
+                      x-kubernetes-preserve-unknown-fields: true
+                      type: object
+              tls:
+                type: object
+                properties:
+                  serverSecret:
+                    type: string
+                  serverSecretCAFileName:
+                    type: string
+                  serverSecretKeyFileName:
+                    type: string
+                  serverSecretCertFileName:
+                    type: string
+                  routesSecret:
+                    type: string
+                  routesSecretCAFileName:
+                    type: string
+                  routesSecretKeyFileName:
+                    type: string
+                  routesSecretCertFileName:
+                    type: string
+                  gatewaySecret:
+                    type: string
+                  gatewaySecretCAFileName:
+                    type: string
+                  gatewaySecretKeyFileName:
+                    type: string
+                  gatewaySecretCertFileName:
+                    type: string
+                  leafnodeSecret:
+                    type: string
+                  leafnodeSecretCAFileName:
+                    type: string
+                  leafnodeSecretKeyFileName:
+                    type: string
+                  leafnodeSecretCertFileName:
+                    type: string
+                  websocketSecret:
+                    type: string
+                  websocketSecretCAFileName:
+                    type: string
+                  websocketSecretKeyFileName:
+                    type: string
+                  websocketSecretCertFileName:
+                    type: string
+                  websocketTLSTimeout:
+                    type: number
+                  enableHttps:
+                    type: boolean
+                  clientsTLSTimeout:
+                    type: number
+                  routesTLSTimeout:
+                    type: number
+                  gatewaysTLSTimeout:
+                    type: number
+                  leafnodesTLSTimeout:
+                    type: number
+                  verify:
+                    type: boolean
+                  cipherSuites:
+                    type: array
+                    items:
+                      type: string
+                  curvePreferences:
+                    type: array
+                    items:
+                      type: string
+              auth:
+                type: object
+                properties:
+                  enableServiceAccounts:
+                    type: boolean
+                  clientsAuthSecret:
+                    type: string
+                  clientsAuthFile:
+                    type: string
+                  clientsAuthTimeout:
+                    type: integer
+                  tlsVerifyAndMap:
+                    type: boolean
+              lameDuckDurationSeconds:
+                type: integer
+              noAdvertise:
+                type: boolean
+              template:
+                x-kubernetes-preserve-unknown-fields: true
+                type: object
+              extraRoutes:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    cluster:
+                      type: string
+                    route:
+                      type: string
+              gatewayConfig:
+                type: object
+                properties:
+                  name:
+                    type: string
+                  hostPort:
+                    type: integer
+                  rejectUnknown:
+                    type: boolean
+                  gateways:
+                    type: array
+                    items:
+                      type: object
+                      properties:
+                        name:
+                          type: string
+                        url:
+                          type: string
+              leafnodeConfig:
+                type: object
+                properties:
+                  port:
+                    type: integer
+                  remotes:
+                    type: array
+                    items:
+                      type: object
+                      properties:
+                        url:
+                          type: string
+                        urls:
+                          type: array
+                          items:
+                            type: string
+                        credentials:
+                          type: string
+              operatorConfig:
+                type: object
+                properties:
+                  secret:
+                    type: string
+                  systemAccount:
+                    type: string
+                  resolver:
+                    type: string
+              websocketConfig:
+                type: object
+                properties:
+                  port:
+                    type: integer
+                  handshakeTimeout:
+                    type: integer
+                  compression:
+                    type: boolean
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: natsserviceroles.nats.io
+  annotations:
+    "helm.sh/hook": "crd-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+spec:
+  group: nats.io
+  scope: Namespaced
+  names:
+    kind: NatsServiceRole
+    listKind: NatsServiceRoleList
+    plural: natsserviceroles
+    singular: natsservicerole
+  versions:
+  - name: v1alpha2
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              permissions:
+                type: object
+                properties:
+                  publish:
+                    type: array
+                    items:
+                      type: string
+                  subscribe:
+                    type: array
+                    items:
+                      type: string

packages/system/nats-operator/charts/nats-operator/templates/NOTES.txt

@@ -0,0 +1,26 @@
+** Please be patient while the chart is being deployed **
+{{- if .Values.clusterScoped }}
+
+** WARNING ! **: You've installed a cluster-scoped NATS Operator. Make sure that there are no other deployments of NATS Operator in the Kubernetes cluster.
+{{- if not (eq .Release.Namespace "nats-io") }}
+
+** WARNING ! **: The namespace must be "nats-io" however you used "{{ .Release.Namespace }}" !
+{{- end }}
+{{- end}}
+
+NATS can be accessed via port 4222 on the following DNS name from within your cluster:
+
+   nats-cluster.{{ .Release.Namespace }}.svc.cluster.local
+
+NATS monitoring service can be accessed via port 8222 on the following DNS name from within your cluster:
+
+    nats-cluster-mgmt.{{ .Release.Namespace }}.svc.cluster.local
+
+To access the Monitoring svc from outside the cluster, follow the steps below:
+
+1. Get the name of a pod from the cluster that was deployed, then use port-forward to connect top it. For example:
+
+    kubectl get pods -l nats_cluster=nats-cluster
+    kubectl port-forward nats-cluster-1 8222
+
+2. Open a browser and access the NATS monitoring browsing to the Monitoring URL

packages/system/nats-operator/charts/nats-operator/templates/_helpers.tpl

@@ -0,0 +1,44 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "nats.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "nats.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "nats.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "nats.labels" -}}
+app.kubernetes.io/name: {{ template "nats.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: "operator"
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+helm.sh/chart: {{ include "nats.chart" . }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "nats.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "nats.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: "operator"
+{{- end -}}

packages/system/nats-operator/charts/nats-operator/templates/deployment.yaml

@@ -0,0 +1,130 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "nats.fullname" . }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+
+  labels:
+    {{- include "nats.labels" . | nindent 4 }}
+    app: {{ template "nats.name" . }}
+    chart: {{ template "nats.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: {{ .Values.updateStrategy }}
+    {{- if eq .Values.updateStrategy "RollingUpdate" }}
+    rollingUpdate:
+      maxSurge: {{ .Values.rollingUpdateMaxSurge }}
+      maxUnavailable: {{ .Values.rollingUpdateMaxUnavailable }}
+        {{- end }}
+  selector:
+    matchLabels:
+      app: {{ template "nats.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        {{- include "nats.selectorLabels" . | nindent 8 }}
+        app: {{ template "nats.name" . }}
+        release: {{ .Release.Name }}
+      {{- if .Values.podLabels }}
+        {{- toYaml .Values.podLabels | nindent 8 }}
+      {{- end }}
+      {{- if .Values.podAnnotations }}
+      annotations:
+        {{- toYaml .Values.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- if .Values.rbacEnabled }}
+      serviceAccountName: nats-operator
+      {{- end }}
+      containers:
+      - name: nats-operator
+        image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy  }}
+        {{- if .Values.clusterScoped }}
+        args:
+        - nats-operator
+        - --feature-gates=ClusterScoped=true
+        {{- end }}
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        ports:
+        - name: readyz
+          containerPort: 8080
+        {{- if .Values.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /readyz
+            port: readyz
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+        {{- end }}
+        {{- if .Values.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: readyz
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+        {{- end }}
+        resources:
+{{ toYaml .Values.resources | indent 10}}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+      {{- end }}
+      {{- if .Values.schedulerName }}
+      schedulerName: "{{ .Values.schedulerName}}"
+      {{- end }}
+      {{- if eq .Values.antiAffinity "hard" }}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - topologyKey: "kubernetes.io/hostname"
+              labelSelector:
+                matchLabels:
+                  app: "{{ template "nats.name" . }}"
+                  release: {{ .Release.Name | quote }}
+      {{- else if eq .Values.antiAffinity "soft" }}
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            podAffinityTerm:
+              topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  app: "{{ template "nats.name" . }}"
+                  release: "{{ .Release.Name }}"
+      {{- end }}
+      {{- if .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{ .Values.image.pullSecrets}}
+      {{- end }}

packages/system/nats-operator/charts/nats-operator/templates/natscluster.yaml

@@ -0,0 +1,70 @@
+---
+{{- if .Values.cluster.create }}
+apiVersion: "nats.io/v1alpha2"
+kind: "NatsCluster"
+metadata:
+  name: {{ .Values.cluster.name }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+spec:
+  size: {{ .Values.cluster.size }}
+  version: {{ .Values.cluster.version }}
+
+  pod:
+    {{- if .Values.cluster.annotations }}
+    annotations: {{ toYaml .Values.cluster.annotations | nindent 6 }}
+    {{- end }}
+    {{- if .Values.cluster.resources }}
+    resources: {{ toYaml .Values.cluster.resources | nindent 6 }}
+    {{- end }}
+    enableConfigReload: {{ .Values.cluster.configReload.enabled }}
+    reloaderImage: {{ .Values.cluster.configReload.repository }}
+    reloaderImageTag: {{ .Values.cluster.configReload.tag }}
+    reloaderImagePullPolicy: {{ .Values.cluster.configReload.pullPolicy }}
+    {{- if .Values.cluster.configReload.resources }}
+    reloaderResources: {{ toYaml .Values.cluster.configReload.resources | nindent 6 }}
+    {{- end }}
+    enableMetrics: {{ .Values.cluster.metrics.enabled }}
+    metricsImage: {{ .Values.cluster.metrics.repository }}
+    metricsImageTag: {{ .Values.cluster.metrics.tag }}
+    metricsImagePullPolicy: {{ .Values.cluster.metrics.pullPolicy }}
+  {{- if .Values.cluster.auth.enabled }}
+  auth:
+    enableServiceAccounts: {{ .Values.cluster.auth.enableServiceAccounts }}
+    clientsAuthSecret: {{ .Values.cluster.name }}-clients-auth
+    clientsAuthTimeout: 5
+  {{- end }}
+
+  {{- if .Values.cluster.tls.enabled }}
+  tls:
+    # Certificates to secure the NATS client connections:
+    serverSecret: {{ .Values.cluster.tls.serverSecret }}
+
+    # Certificates to secure the routes.
+    routesSecret: {{ .Values.cluster.tls.routesSecret }}
+  {{- end }}
+---
+{{- if and .Values.cluster.metrics.enabled .Values.cluster.metrics.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ .Values.cluster.name }}
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+  labels:
+    app: nats
+    nats_cluster: {{ .Values.cluster.name }}
+    prometheus: {{ .Values.cluster.metrics.servicemonitor.prometheusInstance }}
+spec:
+  jobLabel: nats-{{ .Values.cluster.name }}
+  selector:
+    matchLabels:
+      app: nats
+      nats_cluster: {{ .Values.cluster.name }}
+  endpoints:
+  - port: metrics
+    interval: 60s
+{{- end }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/templates/rbac.yaml

@@ -0,0 +1,108 @@
+{{- if .Values.rbacEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nats-io-nats-operator-crd
+rules:
+# Allow creating CRDs
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs: ["get", "list", "create", "update", "watch"]
+# Allow all actions on NatsClusters
+- apiGroups:
+  - nats.io
+  resources:
+  - natsclusters
+  - natsserviceroles
+  verbs: ["*"]
+# Allowed actions on Pods
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nats-io-nats-operator-crd-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nats-io-nats-operator-crd
+subjects:
+- kind: ServiceAccount
+  name: nats-operator
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.clusterScoped }}
+kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
+metadata:
+  name: nats-io-nats-operator
+rules:
+# Allowed actions on Pods
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Services
+- apiGroups: [""]
+  resources:
+  - services
+  verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
+
+# Allowed actions on Secrets
+- apiGroups: [""]
+  resources:
+  - secrets
+  verbs: ["create", "watch", "get", "update", "delete", "list"]
+
+# Allow all actions on some special subresources
+- apiGroups: [""]
+  resources:
+  - pods/exec
+  - pods/log
+  - serviceaccounts/token
+  - events
+  verbs: ["*"]
+
+# Allow listing Namespaces and ServiceAccounts
+- apiGroups: [""]
+  resources:
+  - namespaces
+  - serviceaccounts
+  verbs: ["list", "get", "watch"]
+
+# Allow actions on Endpoints
+- apiGroups: [""]
+  resources:
+  - endpoints
+  verbs: ["create", "watch", "get", "update", "delete", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.clusterScoped }}
+kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
+metadata:
+  name: nats-io-nats-operator-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.clusterScoped }}
+  kind: ClusterRole
+  {{- else }}
+  kind: Role
+  {{- end }}
+  name: nats-io-nats-operator
+subjects:
+- kind: ServiceAccount
+  name: nats-operator
+  namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/templates/secret.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.cluster.create .Values.cluster.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.cluster.name }}-clients-auth
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+type: Opaque
+data:
+  clients-auth.json: {{ (tpl (.Files.Get "config/client-auth.json") . ) | b64enc }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.rbacEnabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nats-operator
+{{- if and .Values.clusterScoped .Values.cluster.namespace }}
+  namespace: {{ .Values.cluster.namespace }}
+{{- end }}
+{{- end }}

packages/system/nats-operator/charts/nats-operator/values.yaml

@@ -0,0 +1,191 @@
+## Specify if RBAC authorization is enabled.
+## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+##
+rbacEnabled: true
+
+## Operator scope
+## NOTE: If true
+## * Make sure that no othe NATS operator is running in the cluster
+## * The Release namespace must be "nats-io"
+clusterScoped: false
+
+## Set default Replica Coint for the Operator
+replicaCount: 1
+
+image:
+  # natsio/nats-operator:0.8.3
+  registry: docker.io
+  repository: natsio/nats-operator
+  tag: 0.8.3
+  ## Specify a imagePullPolicy
+  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+  ##
+  pullPolicy: Always
+  ## Optionally specify an array of imagePullSecrets.
+  ## Secrets must be manually created in the namespace.
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  ##
+  # pullSecrets:
+  #   - myRegistrKeySecretName
+
+## NATS Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+  enabled: true
+  fsGroup: 1001
+  runAsUser: 1001
+
+## NATS Node selector and tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations
+##
+# nodeSelector: {}
+# tolerations: []
+
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
+## Pods anti-affinity
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+## Possible values: soft, hard
+antiAffinity: soft
+
+## Pod annotations
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+
+## Additional pod labels
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+
+## Update strategy, can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+
+updateStrategy: RollingUpdate
+# rollingUpdateMaxSurge: 25%
+# rollingUpdateMaxUnavailable: "25%
+
+## Configure resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+##
+resources: {}
+# limits:
+#   cpu: 100m
+#   memory: 64Mi
+# requests:
+#   cpu: 10m
+#   memory: 64Mi
+
+## Configure extra options for liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+cluster:
+  ## Create a NATS Cluster when installing the operator
+  create: true
+
+  name: nats-cluster
+
+  ## Choose namespace for cluster deployment if clusterScoped is set to true
+  namespace: "nats-io"
+
+  ## Nats version
+  ## Image tags are listed here: https://hub.docker.com/_/nats?tab=tags
+  version: 1.4.1
+
+  ## Cluster Size
+  size: 3
+
+  ## Optional custom annotations to add to Pods in the cluster
+  annotations: {}
+
+  resources: {}
+  # limits:
+  #   cpu: 500m
+  #   memory: 512Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 256Mi
+
+  ## Client Authentication
+  ## ref: https://github.com/nats-io/gnatsd#authentication
+  ## note: token not supported only user/password will work with this chart version
+  ##
+  auth:
+    enabled: true
+
+    # NOTE: Only supported in Kubernetes v1.12+ clusters having the "TokenRequest" API enabled.
+    enableServiceAccounts: false
+
+    ## This is where you enter a username/password for 1 user
+    username: "my-user"
+    password: "T0pS3cr3t"
+
+    ## This is a where you can specify 2 or more users
+    users: []
+    # - username: "another-user-1"
+    #   password: "another-password-1"
+    # - username: "another-user-2"
+    #   password: "another-password-2"
+    #   permissions:
+    #     publish: ["hello.*"]
+    #     subscribe: ["hello.world"]
+
+    defaultPermissions: {}
+    # publish: ["SANDBOX.*"]
+    # subscribe: ["PUBLIC.>"]
+
+  tls:
+    enabled: false
+    # serverSecret:
+    # routesSecret:
+
+  ## Configuration Reload
+  ## NOTE: Only supported in Kubernetes v1.12+.
+  configReload:
+    enabled: false
+    registry: "docker.io"
+    repository: "connecteverything/nats-server-config-reloader"
+    tag: "0.2.2-v1alpha2"
+    pullPolicy: "IfNotPresent"
+    resources: {}
+    # limits:
+    #   cpu: 50m
+    #   memory: 32Mi
+    # requests:
+    #   cpu: 10m
+    #   memory: 32Mi
+
+  ## Prometheus Metrics Exporter
+  ##
+  metrics:
+    enabled: false
+    registry: "docker.io"
+    repository: "synadia/prometheus-nats-exporter"
+    tag: "0.6.2"
+    pullPolicy: "IfNotPresent"
+
+    # Prometheus Operator ServiceMonitor config
+    ##
+    servicemonitor:
+      enabled: false
+      prometheusInstance: default

packages/system/nats-operator/values.yaml

@@ -0,0 +1,6 @@
+nats-operator:
+  clusterScoped: true
+  cluster:
+    create: true
+    metrics:
+      enabled: true