add TLS considerations

Signed-off-by: Caleb Lloyd <caleb@synadia.com>
nats-io · Jun 23, 2023 · 4716ca8 · 4716ca8
1 parent 3812f2a
commit 4716ca8
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/helm/charts/nats/README.md b/helm/charts/nats/README.md
@@ -166,6 +166,36 @@ config:
       SYS_ACCOUNT_ID: SYS_ACCOUNT_JWT
 ```
 
+
+## Accessing NATS
+
+The chart contains 2 services by default, `service` and `headlessService`.
+
+### `service`
+
+The `service` is intended to be accessed by NATS Clients.  It is a `ClusterIP` service by default, however it can easily be changed to a different service type.
+
+The `nats`, `websocket`, `leafnodes`, and `mqtt` ports will be exposed through this service by default if they are enabled.
+
+Example: change this service type to a `LoadBalancer`:
+
+```yaml
+service:
+  merge:
+    spec:
+      type: LoadBalancer
+```
+
+### `headlessService`
+
+The `headlessService` is used for NATS Servers in the Stateful Set to discover one another.  It is primarily intended to be used for Cluster Route connections.
+
+### TLS Considerations
+
+The TLS Certificate used for Client Connections should have a SAN covering DNS Name that clients access the `service` at.
+
+The TLS Certificate used for Cluster Route Connections should have a SAN covering the DNS Name that routes access each other on the `headlessService` at.  This is `*.<headless-service-name>` by default.
+
 ## Advanced Features
 
 ### Templating Values

diff --git a/helm/charts/nats/UPGRADING.md b/helm/charts/nats/UPGRADING.md
@@ -10,7 +10,7 @@ There are a number of immutable fields in the NATS Stateful Set and NATS Box dep
 config:
   # required if using JetStream file storage
   jetstream:
-    # make sure to uncomment the next line if using JetStream file storage
+    # uncomment the next line if using JetStream file storage
     # enabled: true
     fileStore:
       pvc:
@@ -21,7 +21,7 @@ config:
 
   # required if using a full or cache resolver
   resolver:
-    # make sure to uncomment the next line if using a full or cache resolver
+    # uncomment the next line if using a full or cache resolver
     # enabled: true
     pvc:
       name: nats-jwt-pvc
@@ -39,8 +39,11 @@ headlessService:
     $tplYaml: >-
       {{ include "nats.fullname" . }}
 
-# required to use new ClusterIP service for accessing NATS
+# required to use new ClusterIP service for Clients accessing NATS
+# if using TLS, this may require adding another SAN
 service:
+  # uncomment the next line to disable the new ClusterIP service
+  # enabled: false
   name:
     $tplYaml: >-
       {{ include "nats.fullname" . }}-svc
@@ -86,7 +89,6 @@ helm template \
   nats/nats
 ```
 
-
 ## Update Kubernetes Resources to new values.yaml schema
 
 Most values that control Kubernetes Resources have been changed.  Refer to the 1.x Chart's [values.yaml](values.yaml) for the complete schema.