[helm nats 1.x] remove tls.ca options

helm/charts/nats/files/config/tls.yaml

@@ -3,9 +3,5 @@
 {{- $dir := trimSuffix "/" .dir }}
 cert_file: {{ printf "%s/%s" $dir .cert }}
 key_file: {{ printf "%s/%s" $dir .key }}
-{{- if .ca }}
-ca_file: {{ printf "%s/%s" $dir .ca }}
-verify: true
-{{- end }}
 {{- end }}
 {{- end }}

helm/charts/nats/files/nats-box/contexts-secret/context.yaml

@@ -1,5 +1,4 @@
 {{- $contextName := .contextName }}
-{{- $caSet := false }}
 
 # url
 {{- if .Values.service.enabled }}
@@ -34,14 +33,8 @@ nkey: {{ $dir }}/{{ .key }}
 {{- with .tls }}
 {{- if .secretName }}
 {{- $dir := trimSuffix "/" .dir }}
-{{- if and .cert .key }}
-cert: {{ $dir }}/{{ .cert }}
-key: {{ $dir }}/{{ .key }}
-{{- end }}
-{{- if .ca }}
-{{- $caSet = true }}
-ca: {{ $dir }}/{{ .ca }}
-{{- end }}
+cert: {{ $dir }}/{{ .cert | default "tls.crt" }}
+key: {{ $dir }}/{{ .key | default "tls.key" }}
 {{- end }}
 {{- end }}
 

helm/charts/nats/test/config_test.go

@@ -539,8 +539,8 @@ config:
     tls:
       enabled: true
       secretName: nats-tls
-      ca: tls.ca
       merge:
+        ca_file: /etc/my-ca/ca.crt
         verify_cert_and_check_known_urls: true
       patch: [{op: add, path: /verify_and_map, value: true}]
   leafnodes:
@@ -603,8 +603,7 @@ config:
 			"key_file":  "/etc/nats-certs/" + protocol + "/tls.key",
 		}
 		if protocol == "nats" {
-			tls["ca_file"] = "/etc/nats-certs/" + protocol + "/tls.ca"
-			tls["verify"] = true
+			tls["ca_file"] = "/etc/my-ca/ca.crt"
 			tls["verify_cert_and_check_known_urls"] = true
 			tls["verify_and_map"] = true
 			expected.Conf.Value["tls"] = tls
@@ -640,7 +639,7 @@ config:
 	reloaderArgs := expected.StatefulSet.Value.Spec.Template.Spec.Containers[1].Args
 	for _, protocol := range []string{"cluster", "gateway", "leafnodes", "mqtt", "nats", "websocket"} {
 		if protocol == "nats" {
-			reloaderArgs = append(reloaderArgs, "-config", "/etc/nats-certs/"+protocol+"/tls.ca")
+			reloaderArgs = append(reloaderArgs, "-config", "/etc/my-ca/ca.crt")
 		}
 		reloaderArgs = append(reloaderArgs, "-config", "/etc/nats-certs/"+protocol+"/tls.crt", "-config", "/etc/nats-certs/"+protocol+"/tls.key")
 	}

helm/charts/nats/test/resources_test.go

@@ -79,9 +79,8 @@ natsBox:
         key: nats.nk
       tls:
         secretName: loaded-tls
-        cert: tls.crt
-        key: tls.key
-        ca: tls.ca
+      merge:
+        ca: /etc/my-ca/ca.crt
     loadedContents:
       creds:
         contents: aabbcc
@@ -258,7 +257,7 @@ natsBox:
 	expected.NatsBoxContextsSecret.Value.ObjectMeta.Labels["global"] = "global"
 	expected.NatsBoxContextsSecret.Value.ObjectMeta.Namespace = "foo"
 	expected.NatsBoxContextsSecret.Value.StringData["loadedSecret.json"] = `{
-  "ca": "/etc/nats-certs/loadedSecret/tls.ca",
+  "ca": "/etc/my-ca/ca.crt",
   "cert": "/etc/nats-certs/loadedSecret/tls.crt",
   "creds": "/etc/nats-creds/loadedSecret/nats.creds",
   "key": "/etc/nats-certs/loadedSecret/tls.key",

helm/charts/nats/values.yaml

@@ -54,7 +54,6 @@ config:
       dir: /etc/nats-certs/cluster
       cert: tls.crt
       key: tls.key
-      ca:
       # merge or patch the tls config
       # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
       merge: {}
@@ -109,7 +108,6 @@ config:
       dir: /etc/nats-certs/nats
       cert: tls.crt
       key: tls.key
-      ca:
       # merge or patch the tls config
       # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
       merge: {}
@@ -125,7 +123,6 @@ config:
       dir: /etc/nats-certs/leafnodes
       cert: tls.crt
       key: tls.key
-      ca:
       # merge or patch the tls config
       # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
       merge: {}
@@ -146,7 +143,6 @@ config:
       dir: /etc/nats-certs/websocket
       cert: tls.crt
       key: tls.key
-      ca:
       # merge or patch the tls config
       # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
       merge: {}
@@ -189,7 +185,6 @@ config:
       dir: /etc/nats-certs/mqtt
       cert: tls.crt
       key: tls.key
-      ca:
       # merge or patch the tls config
       # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
       merge: {}
@@ -210,7 +205,6 @@ config:
       dir: /etc/nats-certs/gateway
       cert: tls.crt
       key: tls.key
-      ca:
       # merge or patch the tls config
       # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
       merge: {}
@@ -526,16 +520,14 @@ natsBox:
         # defaults to /etc/nats-nkeys/<context-name>
         dir:
         key: nats.nk
+      # used to connect with client certificates
       tls:
         # set secretName in order to mount an existing secret to dir
         secretName:
         # defaults to /etc/nats-certs/<context-name>
         dir:
-        # set cert and key to name of secret data keys to enable mTLS
-        cert:
-        key:
-        # set ca to name of secret data key to verify server CA
-        ca:
+        cert: tls.crt
+        key: tls.ca
 
       # merge or patch the context
       # https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts