nats-io · samuelattwood · Jan 16, 2025 · Jan 9, 2025 · Jan 11, 2025 · Jan 11, 2025
diff --git a/cmd/jetstream-controller/main.go b/cmd/jetstream-controller/main.go
@@ -25,7 +25,7 @@ import (
 
 	"github.com/nats-io/nack/controllers/jetstream"
 	"github.com/nats-io/nack/internal/controller"
-	jetstreamnatsiov1beta2 "github.com/nats-io/nack/pkg/jetstream/apis/jetstream/v1beta2"
+	v1beta2 "github.com/nats-io/nack/pkg/jetstream/apis/jetstream/v1beta2"
 	clientset "github.com/nats-io/nack/pkg/jetstream/generated/clientset/versioned"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -67,10 +67,12 @@ func run() error {
 	ca := flag.String("tlsca", "", "NATS TLS certificate authority chain")
 	tlsfirst := flag.Bool("tlsfirst", false, "If enabled, forces explicit TLS without waiting for Server INFO")
 	server := flag.String("s", "", "NATS Server URL")
-	crdConnect := flag.Bool("crd-connect", false, "If true, then NATS connections will be made from CRD config, not global config")
+	crdConnect := flag.Bool("crd-connect", false, "If true, then NATS connections will be made from CRD config, not global config. Ignored if running with control loop, CRD options will always override global config")
 	cleanupPeriod := flag.Duration("cleanup-period", 30*time.Second, "Period to run object cleanup")
 	readOnly := flag.Bool("read-only", false, "Starts the controller without causing changes to the NATS resources")
+	cacheDir := flag.String("cache-dir", "", "Directory to store cached credential and TLS files")
 	controlLoop := flag.Bool("control-loop", false, "Experimental: Run controller with a full reconciliation control loop.")
+	controlLoopSyncInterval := flag.Duration("sync-interval", 5*time.Minute, "Interval to perform scheduled reconcile")
 
 	flag.Parse()
 
@@ -108,9 +110,12 @@ func run() error {
 		}
 
 		controllerCfg := &controller.Config{
-			ReadOnly:  *readOnly,
-			Namespace: *namespace,
+			ReadOnly:        *readOnly,
+			Namespace:       *namespace,
+			CacheDir:        *cacheDir,
+			RequeueInterval: *controlLoopSyncInterval,
 		}
+
 		return runControlLoop(config, natsCfg, controllerCfg)
 	}
 
@@ -160,17 +165,25 @@ func runControlLoop(config *rest.Config, natsCfg *controller.NatsConfig, control
 	// Setup scheme
 	scheme := runtime.NewScheme()
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
-	utilruntime.Must(jetstreamnatsiov1beta2.AddToScheme(scheme))
+	utilruntime.Must(v1beta2.AddToScheme(scheme))
 
 	mgr, err := ctrl.NewManager(config, ctrl.Options{
 		Scheme: scheme,
 		Logger: klog.NewKlogr().WithName("controller-runtime"),
-		// TODO Add full configuration
 	})
 	if err != nil {
 		return fmt.Errorf("unable to start manager: %w", err)
 	}
 
+	if controllerCfg.CacheDir == "" {
+		cacheDir, err := os.MkdirTemp(".", "nack")
+		if err != nil {
+			return fmt.Errorf("create cache dir: %w", err)
+		}
+		defer os.RemoveAll(cacheDir)
+		controllerCfg.CacheDir = cacheDir
+	}
+
 	err = controller.RegisterAll(mgr, natsCfg, controllerCfg)
 	if err != nil {
 		return fmt.Errorf("register jetstream controllers: %w", err)

diff --git a/controllers/jetstream/consumer.go b/controllers/jetstream/consumer.go
@@ -92,7 +92,7 @@ func (c *Controller) processConsumerObject(cns *apis.Consumer, jsm jsmClientFunc
 			}
 		}
 		// Lookup the UserCredentials.
-		if acc.Spec.Creds != nil {
+		if acc.Spec.Creds != nil && acc.Spec.Creds.Secret != nil {
 			secretName := acc.Spec.Creds.Secret.Name
 			secret, err := c.ki.Secrets(ns).Get(c.ctx, secretName, k8smeta.GetOptions{})
 			if err != nil {

diff --git a/controllers/jetstream/stream.go b/controllers/jetstream/stream.go
@@ -106,7 +106,7 @@ func (c *Controller) processStreamObject(str *apis.Stream, jsm jsmClientFunc) (e
 			}
 		}
 		// Lookup the UserCredentials.
-		if acc.Spec.Creds != nil {
+		if acc.Spec.Creds != nil && acc.Spec.Creds.Secret != nil {
 			secretName := acc.Spec.Creds.Secret.Name
 			secret, err := c.ki.Secrets(ns).Get(c.ctx, secretName, k8smeta.GetOptions{})
 			if err != nil {

diff --git a/deploy/crds.yml b/deploy/crds.yml
@@ -287,6 +287,10 @@ spec:
                     type: array
                     items:
                       type: string
+              tlsFirst:
+                description: When true, the KV Store will iniate TLS before server INFO.
+                type: boolean
+                default: false
           status:
             type: object
             properties:
@@ -513,6 +517,11 @@ spec:
           spec:
             type: object
             properties:
+              durableName:
+                description: The name of the Consumer.
+                type: string
+                pattern: '^[^.*>]+$'
+                minLength: 1
               streamName:
                 description: The name of the Stream to create the Consumer in.
                 type: string
@@ -533,11 +542,6 @@ spec:
               optStartTime:
                 description: Time format must be RFC3339.
                 type: string
-              durableName:
-                description: The name of the Consumer.
-                type: string
-                pattern: '^[^.*>]+$'
-                minLength: 1
               deliverSubject:
                 description: The subject to deliver observed messages, when not set, a pull-based Consumer is created.
                 type: string
@@ -626,6 +630,32 @@ spec:
                 type: object
                 additionalProperties:
                   type: string
+              account:
+                description: Name of the account to which the Consumer belongs.
+                type: string
+                pattern: '^[^.*>]*$'
+              creds:
+                description: NATS user credentials for connecting to servers. Please make sure your controller has mounted the cerds on its path.
+                type: string
+                default: ''
+              nkey:
+                description: NATS user NKey for connecting to servers.
+                type: string
+                default: ''
+              preventDelete:
+                description: When true, the managed Consumer will not be deleted when the resource is deleted
+                type: boolean
+                default: false
+              preventUpdate:
+                description: When true, the managed Consumer will not be updated when the resource is updated
+                type: boolean
+                default: false
+              servers:
+                description: A list of servers for creating consumer
+                type: array
+                items:
+                  type: string
+                default: []
               tls:
                 description: A client's TLS certs and keys.
                 type: object
@@ -641,30 +671,8 @@ spec:
                     type: array
                     items:
                       type: string
-              servers:
-                description: A list of servers for creating consumer
-                type: array
-                items:
-                  type: string
-                default: []
-              creds:
-                description: NATS user credentials for connecting to servers. Please make sure your controller has mounted the cerds on its path.
-                type: string
-                default: ''
-              nkey:
-                description: NATS user NKey for connecting to servers.
-                type: string
-                default: ''
-              account:
-                description: Name of the account to which the Consumer belongs.
-                type: string
-                pattern: '^[^.*>]*$'
-              preventDelete:
-                description: When true, the managed Consumer will not be deleted when the resource is deleted
-                type: boolean
-                default: false
-              preventUpdate:
-                description: When true, the managed Consumer will not be updated when the resource is updated
+              tlsFirst:
+                description: When true, the KV Store will iniate TLS before server INFO.
                 type: boolean
                 default: false
           status:
@@ -991,6 +999,19 @@ spec:
                 type: string
                 pattern: '^[^.*>]*$'
                 minLength: 1
+              creds:
+                description: The creds to be used to connect to the NATS Service.
+                type: object
+                properties:
+                  secret:
+                    type: object
+                    properties:
+                      name:
+                        description: Name of the secret with the creds.
+                        type: string
+                  file:
+                    description: Credentials file, generated with github.com/nats-io/nsc tool.
+                    type: string
               servers:
                 description: A list of servers to connect.
                 type: array
@@ -1017,19 +1038,30 @@ spec:
                   key:
                     description: Filename of the TLS cert key.
                     type: string
-              creds:
-                description: The creds to be used to connect to the NATS Service.
-                type: object
-                properties:
-                  secret:
-                    type: object
-                    properties:
-                      name:
-                        description: Name of the secret with the creds.
-                        type: string
-                  file:
-                    description: Credentials file, generated with github.com/nats-io/nsc tool.
-                    type: string
+              tlsFirst:
+                description: When true, the KV Store will iniate TLS before server INFO.
+                type: boolean
+                default: false
+          status:
+            type: object
+            properties:
+              observedGeneration:
+                type: integer
+              conditions:
+                type: array
+                items:
+                  type: object
+                  properties:
+                    type:
+                      type: string
+                    status:
+                      type: string
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    message:
+                      type: string
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -1212,6 +1244,10 @@ spec:
                     type: array
                     items:
                       type: string
+              tlsFirst:
+                description: When true, the KV Store will iniate TLS before server INFO.
+                type: boolean
+                default: false
           status:
             type: object
             properties:
@@ -1348,6 +1384,10 @@ spec:
                     type: array
                     items:
                       type: string
+              tlsFirst:
+                description: When true, the KV Store will iniate TLS before server INFO.
+                type: boolean
+                default: false
           status:
             type: object
             properties: