Attention: Deprecation notice for Bintray, JCenter, GoCenter and ChartCenter. Learn More

nats/stan

Chart version: 0.7.4
Api version: v2
App version: 0.19.0
A Helm chart for NATS Streaming
application
Chart Type
Active
Status
Unknown
License
4923
Downloads
https://nats-io.github.io/k8s/helm/charts
Set me up:
helm repo add center https://repo.chartcenter.io
Install Chart:
helm install stan center/nats/stan
Versions (0)

NATS Streaming (STAN)

NATS Streaming is an extremely performant, lightweight reliable streaming platform built on NATS.

TL;DR;

helm repo add nats https://nats-io.github.io/k8s/helm/charts/
helm install my-nats nats/nats
helm install my-stan nats/stan --set stan.nats.url=nats://my-nats:4222

kubectl exec -n default -it my-nats-box -- /bin/sh -l
my-nats-box:~# stan-sub -c my-stan -s my-nats foo
Connected to my-nats clusterID: [my-stan] clientID: [stan-sub]
Listening on [foo], clientID=[stan-sub], qgroup=[] durable=[]

Basic Configuration

Connecting to NATS Server

A NATS Streaming server requires a connection to a NATS Server. There are few ways to configure connection to NATS:

Without credentials

stan:
  nats:
    url: "nats://my-nats:4222"

Authenticate using NatsServiceRole

When using NATS Operator you can configure NATS Service Roles to generate credentials for your clients in NATS config. https://github.com/nats-io/nats-operator#using-serviceaccounts This will create ServiceAccount and NatsServiceRole and enable authentication using “bound-token”:

stan:
  nats:
    url: "my-nats.nats-namespace:4222" # Do not pass here `nats://` prefix
    serviceRoleAuth:
      enabled: "true"
      natsClusterName: my-nats # Name of NATS cluster created by NATS Operator

Authenticate with a ‘credentials’ file

In case of a secured NATS server the NATS Streaming server will need to connect to the server using user credentials. These user credentials are managed using the nsc tool and can be passed to the NATS Streaming server using “credentials”

stan:
  credentials:
    secret:
      name: nats-sys-creds
      key: sys.creds

With TLS

This will cause STAN to connect to NATS using TLS, given a secret containing the ca.crt, tls.crt, and tls.key.

  tls:
    enabled: true
    # the secret containing the client ca.crt, tls.crt, and tls.key for STAN
    secretName: "stan-client-tls"
    # Reference
    # https://docs.nats.io/nats-streaming-server/configuring/cfgfile#tls-configuration
    settings:
      client_cert: "/etc/nats/certs/tls.crt"
      client_key: "/etc/nats/certs/tls.key"
      client_ca: "/etc/nats/certs/ca.crt"
      timeout: 3

If you’re using the NATS Operator and cert-manager, you can provision a certificate for STAN like this:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: stan-client-tls
spec:
  secretName: stan-client-tls
  duration: 2160h # 90 days
  renewBefore: 240h # 10 days
  usages:
  - signing
  - key encipherment
  - server auth
  issuerRef:
    name: nats-ca
    kind: Issuer
  organization:
  - Your organization
  commonName: stan.default.svc.cluster.local
  dnsNames:
  - stan.default.svc

Number of replicas

In case of using fault tolerance mode, you can set the number of replicas to be used in the FT group.

stan:
  replicas: 2

Note: in case of using clustering, you must set the number of replicas to 3 or more.

stan:
  replicas: 3
store:
  cluster:
    enabled: true

Server Image

stan:
  image: nats-streaming:0.18.0
  pullPolicy: IfNotPresent

For the alpine image:

stan:
  image: nats-streaming:alpine

Custom Cluster ID

By default the cluster ID will be the same as the release of the NATS Streaming cluster, but you can set a custom one as follows:

stan:
  clusterID: my-cluster-name

This means that in order to connect,

Logging

NOTE: It is recommended to not enable debug/trace logging in production.

stan:
  logging:
    debug: true
    trace: true

Storage Configuration

Storage can be set to be either “file”, “sql” or “memory”. By default “file” storage is used using a persistent volume.

File storage

store:
  type: file

Fault Tolerance mode

In case of using a shared volume that supports a readwritemany, you can enable fault tolerance as follows. More info on how to set this up can be found here

stan:
  replicas: 2 # One replica will be active, other one in standby.
  nats:
    url: "nats://nats:4222"

store:
  type: file

  #
  # Fault tolerance group
  #
  ft:
    group: my-group

  #
  # File storage settings.
  #
  file:
    path: /data/stan/store

  # Volume for EFS
  volume:
    enabled: true

    # Mount path for the volume.
    mount: /data/stan

    # FT mode requires a single shared ReadWriteMany PVC volume.
    persistentVolumeClaim:
      claimName: stan-efs

Where the persistent volume claim is something like the following for example (using ReadWriteMany):

---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: stan-efs
  annotations:
    volume.beta.kubernetes.io/storage-class: "aws-efs"
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Mi

Partitioning

You can enable partitioning as follows:

store:
  type: file

  partitioning:
    enabled: true

For example to have two partitions under the same NATS/NATS Streaming cluster named stan with two Fault Tolerant groups managing different channels under the same shared filesystem.

# 
stan:
  image: nats-streaming:alpine
  replicas: 2
  clusterID: stan

store:
  type: file
  ft:
    group: A
  file:
    path: /data/stan/store/A

  partitioning:
    enabled: true

  limits:
    channels:
      foo.>:

  volume:
    enabled: true

    # Mount path for the volume.
    mount: /data/stan

    # FT mode requires a single shared ReadWriteMany PVC volume.
    persistentVolumeClaim:
      claimName: stan-efs
stan:
  image: nats-streaming:alpine
  replicas: 2
  clusterID: stan

store:
  type: file
  ft:
    group: B
  file:
    path: /data/stan/store/B

  partitioning:
    enabled: true

  limits:
    channels:
      bar.>:

  volume:
    enabled: true

    # Mount path for the volume.
    mount: /data/stan

    # FT mode requires a single shared ReadWriteMany PVC volume.
    persistentVolumeClaim:
      claimName: stan-efs

Clustered File Storage

In case of using file storage, this sets up a 3 node cluster, each with its own backed persistence volume.

store:
  cluster:
    enabled: true
    logPath: /data/stan/log

Example that will use a volume claim for each pod:

stan:
  image: nats-streaming:alpine
  replicas: 3 # At least 3 required.
  nats:
    url: "nats://nats:4222"

store:
  type: file

  cluster:
    enabled: true

  #
  # File storage settings.
  #
  file:
    path: /data/stan/store

  # Volume for each pod.
  volume:
    enabled: true

    # Mount path for the volume.
    mount: /data/stan

Example that will back up the file store when operating in clustered mode:

stan:
  image: nats-streaming:0.18.0-alpine
store:
  limits:
    max_msgs: 5

  file:
    options:
      slice_max_msgs: 0

  backup:
    enabled: true
    s3Path: s3://example-bucket/stan-backups

    # Create a secret called `aws-creds` with the 3 keys:
    # awsAccessKeyId
    # awsSecretKeyId
    # awsDefaultRegion
    credentialsSecretName: aws-creds

Alternatively, instead of creating a secret, you can provide an instance profile instead:

podAnnotations:
  # Configures a role with this name to be assumed by the pods.
  iam.amazonaws.com/role: "stan-backups"
Example of a STAN cluster with file storage with embedded NATS

This will create a 3-node STAN cluster that is also a NATS cluster, so no extra NATS Server deployment is required:

stan:
  image: nats-streaming:alpine
  replicas: 3

store:
  type: file

  cluster:
    enabled: true

  #
  # File storage settings.
  #
  file:
    path: /data/stan/store

  # Volume for each pod.
  volume:
    enabled: true

    # Mount path for the volume.
    mount: /data/stan
$ kubectl get pods
NAME             READY   STATUS    RESTARTS   AGE
stan-cluster-0   3/3     Running   0          52m
stan-cluster-1   3/3     Running   0          52m
stan-cluster-2   3/3     Running   0          53m

$ kubectl run -i --rm --tty nats-box --image=synadia/nats-box --restart=Never

nats-box:~# stan-pub -c stan-cluster -s stan-cluster foo hello
Published [foo] : 'hello'

nats-box:~# stan-sub -c stan-cluster -s stan-cluster -all foo
Connected to stan-cluster clusterID: [stan-cluster] clientID: [stan-sub]
Listening on [foo], clientID=[stan-sub], qgroup=[] durable=[]
[#1] Received: sequence:1 subject:"foo" data:"bar" timestamp:1602316504474885089 

Readiness Probe for clustering

In case of using an nats-streaming alpine image, the clusterReadinessProbe can be enabled to try to ensure that during server upgrades the pods in the statefulsets in the pod are restarted one by one until there is consensus in the quorum.

clusterReadinessProbe:
  enabled: true
  # probe: <-- can add custom readinessProbe parameters here.

stan:
  image: nats-streaming:alpine
  replicas: 3
  nats:
    url: "nats://my-nats:4222"

store:
  type: file

  cluster:
    enabled: true

  #
  # File storage settings.
  #
  file:
    path: /data/stan/store

  # Volume for each pod.
  volume:
    enabled: true

    # Mount path for the volume.
    mount: /data/stan

SQL Storage

store:
  sql:
    driver: postgres

    # "source" is used at runtime by NATS Streaming. For example:
    #
    # source: "dbname=postgres user=postgres password=stan host=stan-db sslmode=disable"
    #
    source: ""

    # Initialize the database. Only Postgres is supported.
    initdb:
      enabled: true

      # Client to use to init the db.
      image: postgres:11

    # SQL connection parameters used to run the initdb script:
    dbName: postgres
    dbUser: postgres
    dbPassword: stan
    dbHost: ""
    dbPort: 5432

Misc

Prometheus Exporter sidecar

You can toggle whether to start the sidecar that can be used to feed metrics to Prometheus:

exporter:
  enabled: true
  image: synadia/prometheus-nats-exporter:0.5.0
  pullPolicy: IfNotPresent

Prometheus operator ServiceMonitor support

You can enable prometheus operator ServiceMonitor:

exporter:
  # You have to enable exporter first
  enabled: true
  serviceMonitor:
    enabled: true
    ## Specify the namespace where Prometheus Operator is running
    # namespace: monitoring
    # ...

Pod Customizations

Security Context

Toggle whether to use setup a Pod Security Context:

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

securityContext:
  fsGroup: 1000
  runAsUser: 1000
  runAsNonRoot: true

Affinity

https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

matchExpressions must be configured according to your setup

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node.kubernetes.io/purpose
              operator: In
              values:
                - stan
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
            - key: app
              operator: In
              values:
                - nats
                - stan
        topologyKey: "kubernetes.io/hostname"

Name Overides

Can change the name of the resources as needed with:

nameOverride: "my-stan"