DirectorySecurity AdvisoriesPricing
Sign in
Directory
nats-nats logoHELM

nats-nats

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:
1
################################################################################
2
# Global options
3
################################################################################
4
global:
5
image:
6
# global image pull policy to use for all container images in the chart
7
# can be overridden by individual image pullPolicy
8
pullPolicy:
9
# global list of secret names to use as image pull secrets for all pod specs in the chart
10
# secrets must exist in the same namespace
11
# https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
12
pullSecretNames: []
13
# global registry to use for all container images in the chart
14
# can be overridden by individual image registry
15
registry:
16
# global labels will be applied to all resources deployed by the chart
17
labels: {}
18
################################################################################
19
# Common options
20
################################################################################
21
# override name of the chart
22
nameOverride:
23
# override full name of the chart+release
24
fullnameOverride:
25
# override the namespace that resources are installed into
26
namespaceOverride:
27
# reference a common CA Certificate or Bundle in all nats config `tls` blocks and nats-box contexts
28
# note: `tls.verify` still must be set in the appropriate nats config `tls` blocks to require mTLS
29
tlsCA:
30
enabled: false
31
# set configMapName in order to mount an existing configMap to dir
32
configMapName:
33
# set secretName in order to mount an existing secretName to dir
34
secretName:
35
# directory to mount the configMap or secret to
36
dir: /etc/nats-ca-cert
37
# key in the configMap or secret that contains the CA Certificate or Bundle
38
key: ca.crt
39
################################################################################
40
# NATS Stateful Set and associated resources
41
################################################################################
42
43
############################################################
44
# NATS config
45
############################################################
46
config:
47
cluster:
48
enabled: false
49
port: 6222
50
# must be 2 or higher when jetstream is enabled
51
replicas: 3
52
# set to false to allow cluster nodes to advertise their addresses
53
# so that clients can reconnect without extra DNS lookups.
54
# Note: in case clients have external connectivity make sure to define the `advertise` section as well.
55
# If clients are behind a load balancer it is best to leave this as is.
56
noAdvertise: true
57
# apply to generated route URLs that connect to other pods in the StatefulSet
58
routeURLs:
59
# if both user and password are set, they will be added to route URLs
60
# and the cluster authorization block
61
user:
62
password:
63
# set to true to use FQDN in route URLs
64
useFQDN: false
65
k8sClusterDomain: cluster.local
66
tls:
67
enabled: false
68
# set secretName in order to mount an existing secret to dir
69
secretName:
70
dir: /etc/nats-certs/cluster
71
cert: tls.crt
72
key: tls.key
73
# merge or patch the tls config
74
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
75
merge: {}
76
patch: []
77
# merge or patch the cluster config
78
# https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config
79
merge: {}
80
patch: []
81
jetstream:
82
enabled: false
83
fileStore:
84
enabled: true
85
dir: /data
86
############################################################
87
# stateful set -> volume claim templates -> jetstream pvc
88
############################################################
89
pvc:
90
enabled: true
91
size: 10Gi
92
storageClassName:
93
# merge or patch the jetstream pvc
94
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core
95
merge: {}
96
patch: []
97
# defaults to "{{ include "nats.fullname" $ }}-js"
98
name:
99
# defaults to the PVC size
100
maxSize:
101
memoryStore:
102
enabled: false
103
# ensure that container has a sufficient memory limit greater than maxSize
104
maxSize: 1Gi
105
# merge or patch the jetstream config
106
# https://docs.nats.io/running-a-nats-service/configuration#jetstream
107
merge: {}
108
patch: []
109
nats:
110
port: 4222
111
tls:
112
enabled: false
113
# set secretName in order to mount an existing secret to dir
114
secretName:
115
dir: /etc/nats-certs/nats
116
cert: tls.crt
117
key: tls.key
118
# merge or patch the tls config
119
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
120
merge: {}
121
patch: []
122
leafnodes:
123
enabled: false
124
port: 7422
125
tls:
126
enabled: false
127
# set secretName in order to mount an existing secret to dir
128
secretName:
129
dir: /etc/nats-certs/leafnodes
130
cert: tls.crt
131
key: tls.key
132
# merge or patch the tls config
133
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
134
merge: {}
135
patch: []
136
# merge or patch the leafnodes config
137
# https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf
138
merge: {}
139
patch: []
140
websocket:
141
enabled: false
142
port: 8080
143
tls:
144
enabled: false
145
# set secretName in order to mount an existing secret to dir
146
secretName:
147
dir: /etc/nats-certs/websocket
148
cert: tls.crt
149
key: tls.key
150
# merge or patch the tls config
151
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
152
merge: {}
153
patch: []
154
############################################################
155
# ingress
156
############################################################
157
# service must be enabled also
158
ingress:
159
enabled: false
160
# must contain at least 1 host otherwise ingress will not be created
161
hosts: []
162
path: /
163
pathType: Exact
164
# sets to the ingress class name
165
className:
166
# set to an existing secret name to enable TLS on the ingress; applies to all hosts
167
tlsSecretName:
168
# merge or patch the ingress
169
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io
170
merge: {}
171
patch: []
172
# defaults to "{{ include "nats.fullname" $ }}-ws"
173
name:
174
# merge or patch the websocket config
175
# https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf
176
merge: {}
177
patch: []
178
mqtt:
179
enabled: false
180
port: 1883
181
tls:
182
enabled: false
183
# set secretName in order to mount an existing secret to dir
184
secretName:
185
dir: /etc/nats-certs/mqtt
186
cert: tls.crt
187
key: tls.key
188
# merge or patch the tls config
189
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
190
merge: {}
191
patch: []
192
# merge or patch the mqtt config
193
# https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config
194
merge: {}
195
patch: []
196
gateway:
197
enabled: false
198
port: 7222
199
tls:
200
enabled: false
201
# set secretName in order to mount an existing secret to dir
202
secretName:
203
dir: /etc/nats-certs/gateway
204
cert: tls.crt
205
key: tls.key
206
# merge or patch the tls config
207
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
208
merge: {}
209
patch: []
210
# merge or patch the gateway config
211
# https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block
212
merge: {}
213
patch: []
214
monitor:
215
enabled: true
216
port: 8222
217
tls:
218
# config.nats.tls must be enabled also
219
# when enabled, monitoring port will use HTTPS with the options from config.nats.tls
220
# if promExporter is also enabled, consider setting promExporter.monitorDomain
221
enabled: false
222
profiling:
223
enabled: false
224
port: 65432
225
resolver:
226
enabled: false
227
dir: /data/resolver
228
############################################################
229
# stateful set -> volume claim templates -> resolver pvc
230
############################################################
231
pvc:
232
enabled: true
233
size: 1Gi
234
storageClassName:
235
# merge or patch the pvc
236
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core
237
merge: {}
238
patch: []
239
# defaults to "{{ include "nats.fullname" $ }}-resolver"
240
name:
241
# merge or patch the resolver
242
# https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver
243
merge: {}
244
patch: []
245
# adds a prefix to the server name, which defaults to the pod name
246
# helpful for ensuring server name is unique in a super cluster
247
serverNamePrefix: ""
248
# merge or patch the nats config
249
# https://docs.nats.io/running-a-nats-service/configuration
250
# following special rules apply
251
# 1. strings that start with << and end with >> will be unquoted
252
# use this for variables and numbers with units
253
# 2. keys ending in $include will be switched to include directives
254
# keys are sorted alphabetically, use prefix before $includes to control includes ordering
255
# paths should be relative to /etc/nats-config/nats.conf
256
# example:
257
#
258
# merge:
259
# $include: ./my-config.conf
260
# zzz$include: ./my-config-last.conf
261
# server_name: nats
262
# authorization:
263
# token: << $TOKEN >>
264
# jetstream:
265
# max_memory_store: << 1GB >>
266
#
267
# will yield the config:
268
# {
269
# include ./my-config.conf;
270
# "authorization": {
271
# "token": $TOKEN
272
# },
273
# "jetstream": {
274
# "max_memory_store": 1GB
275
# },
276
# "server_name": "nats",
277
# include ./my-config-last.conf;
278
# }
279
merge: {}
280
patch: []
281
############################################################
282
# stateful set -> pod template -> nats container
283
############################################################
284
container:
285
image:
286
repository: chainguard-private/nats
287
tag: latest
288
pullPolicy:
289
registry: cgr.dev
290
# if digest is provided, it overrides tag (example: "sha256:abcdef1234567890")
291
digest: sha256:96317aa77c165e25a1308af285c223a8105fbad79ceb90e5e6fc752b9d7abc22
292
# if fullImageName is provided, it overrides registry, repository, tag, and digest
293
fullImageName:
294
# container port options
295
# must be enabled in the config section also
296
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#containerport-v1-core
297
ports:
298
nats: {}
299
leafnodes: {}
300
websocket: {}
301
mqtt: {}
302
cluster: {}
303
gateway: {}
304
monitor: {}
305
profiling: {}
306
# map with key as env var name, value can be string or map
307
# example:
308
#
309
# env:
310
# GOMEMLIMIT: 7GiB
311
# TOKEN:
312
# valueFrom:
313
# secretKeyRef:
314
# name: nats-auth
315
# key: token
316
env: {}
317
# merge or patch the container
318
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
319
merge: {}
320
patch: []
321
# container resources
322
resources: {}
323
# requests:
324
# cpu: 100m
325
# memory: 128Mi
326
# limits:
327
# cpu: 100m
328
# memory: 128Mi
329
############################################################
330
# stateful set -> pod template -> reloader container
331
############################################################
332
reloader:
333
enabled: true
334
image:
335
repository: chainguard-private/nats-server-config-reloader
336
tag: latest
337
pullPolicy:
338
registry: cgr.dev
339
digest: sha256:b2072fe7907cc604593368dff03f5c0a5430102aa3f9f067de10bc89f1f19cb9
340
fullImageName:
341
# env var map, see nats.env for an example
342
env: {}
343
# all nats container volume mounts with the following prefixes
344
# will be mounted into the reloader container
345
natsVolumeMountPrefixes:
346
- /etc/
347
# merge or patch the container
348
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
349
merge: {}
350
patch: []
351
############################################################
352
# stateful set -> pod template -> prom-exporter container
353
############################################################
354
# config.monitor must be enabled
355
promExporter:
356
enabled: false
357
image:
358
repository: chainguard-private/prometheus-nats-exporter
359
tag: latest
360
pullPolicy:
361
registry: cgr.dev
362
digest: sha256:f373df5ff8977b72d994e83d0d7a3a8b4bd5dab8fcae0976696c337a3c29fbea
363
fullImageName:
364
port: 7777
365
# if config.monitor.tls.enabled is set to true, monitorDomain must be set to the common name
366
# or a SAN used in the tls certificate
367
monitorDomain: localhost
368
# env var map, see nats.env for an example
369
env: {}
370
# merge or patch the container
371
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
372
merge: {}
373
patch: []
374
############################################################
375
# prometheus pod monitor
376
############################################################
377
podMonitor:
378
enabled: false
379
# merge or patch the pod monitor
380
# https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PodMonitor
381
merge: {}
382
patch: []
383
# defaults to "{{ include "nats.fullname" $ }}"
384
name:
385
############################################################
386
# service
387
############################################################
388
service:
389
enabled: true
390
# service port options
391
# additional boolean field enable to control whether port is exposed in the service
392
# must be enabled in the config section also
393
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceport-v1-core
394
ports:
395
nats:
396
enabled: true
397
leafnodes:
398
enabled: true
399
websocket:
400
enabled: true
401
mqtt:
402
enabled: true
403
cluster:
404
enabled: false
405
gateway:
406
enabled: false
407
monitor:
408
enabled: false
409
profiling:
410
enabled: false
411
# merge or patch the service
412
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core
413
merge: {}
414
patch: []
415
# defaults to "{{ include "nats.fullname" $ }}"
416
name:
417
############################################################
418
# other nats extension points
419
############################################################
420
421
# stateful set
422
statefulSet:
423
# merge or patch the stateful set
424
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps
425
merge: {}
426
patch: []
427
# defaults to "{{ include "nats.fullname" $ }}"
428
name:
429
# stateful set -> pod template
430
podTemplate:
431
# adds a hash of the ConfigMap as a pod annotation
432
# this will cause the StatefulSet to roll when the ConfigMap is updated
433
# set to true to force pod rollouts on config changes instead of using the reloader for hot updates
434
configChecksumAnnotation: false
435
# map of topologyKey: topologySpreadConstraint
436
# labelSelector will be added to match StatefulSet pods
437
#
438
# topologySpreadConstraints:
439
# kubernetes.io/hostname:
440
# maxSkew: 1
441
#
442
topologySpreadConstraints: {}
443
# merge or patch the pod template
444
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core
445
merge: {}
446
patch: []
447
# headless service
448
headlessService:
449
# merge or patch the headless service
450
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core
451
merge: {}
452
patch: []
453
# defaults to "{{ include "nats.fullname" $ }}-headless"
454
name:
455
# config map
456
configMap:
457
# merge or patch the config map
458
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core
459
merge: {}
460
patch: []
461
# defaults to "{{ include "nats.fullname" $ }}-config"
462
name:
463
# pod disruption budget
464
podDisruptionBudget:
465
enabled: true
466
# merge or patch the pod disruption budget
467
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudget-v1-policy
468
merge: {}
469
patch: []
470
# defaults to "{{ include "nats.fullname" $ }}"
471
name:
472
# service account
473
serviceAccount:
474
enabled: false
475
# merge or patch the service account
476
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core
477
merge: {}
478
patch: []
479
# defaults to "{{ include "nats.fullname" $ }}"
480
name:
481
############################################################
482
# natsBox
483
#
484
# NATS Box Deployment and associated resources
485
############################################################
486
natsBox:
487
enabled: true
488
############################################################
489
# NATS contexts
490
############################################################
491
contexts:
492
default:
493
creds:
494
# set contents in order to create a secret with the creds file contents
495
contents:
496
# set secretName in order to mount an existing secret to dir
497
secretName:
498
# defaults to /etc/nats-creds/<context-name>
499
dir:
500
key: nats.creds
501
nkey:
502
# set contents in order to create a secret with the nkey file contents
503
contents:
504
# set secretName in order to mount an existing secret to dir
505
secretName:
506
# defaults to /etc/nats-nkeys/<context-name>
507
dir:
508
key: nats.nk
509
# used to connect with client certificates
510
tls:
511
# set secretName in order to mount an existing secret to dir
512
secretName:
513
# defaults to /etc/nats-certs/<context-name>
514
dir:
515
cert: tls.crt
516
key: tls.key
517
# merge or patch the context
518
# https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts
519
merge: {}
520
patch: []
521
# name of context to select by default
522
defaultContextName: default
523
############################################################
524
# deployment -> pod template -> nats-box container
525
############################################################
526
container:
527
image:
528
repository: chainguard-private/nats-box
529
tag: latest
530
pullPolicy:
531
registry: cgr.dev
532
digest: sha256:5c608e7ff75a15d6c8402b5e14671fd3e34fb4f26a4ddf8636fae9d6d8f48b01
533
fullImageName:
534
resources: {}
535
# env var map, see nats.env for an example
536
env: {}
537
# merge or patch the container
538
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
539
merge: {}
540
patch: []
541
############################################################
542
# other nats-box extension points
543
############################################################
544
545
# deployment
546
deployment:
547
# merge or patch the deployment
548
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps
549
merge: {}
550
patch: []
551
# defaults to "{{ include "nats.fullname" $ }}-box"
552
name:
553
# deployment -> pod template
554
podTemplate:
555
# merge or patch the pod template
556
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core
557
merge: {}
558
patch: []
559
# contexts secret
560
contextsSecret:
561
# merge or patch the context secret
562
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core
563
merge: {}
564
patch: []
565
# defaults to "{{ include "nats.fullname" $ }}-box-contexts"
566
name:
567
# contents secret
568
contentsSecret:
569
# merge or patch the contents secret
570
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core
571
merge: {}
572
patch: []
573
# defaults to "{{ include "nats.fullname" $ }}-box-contents"
574
name:
575
# service account
576
serviceAccount:
577
enabled: false
578
# merge or patch the service account
579
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core
580
merge: {}
581
patch: []
582
# defaults to "{{ include "nats.fullname" $ }}-box"
583
name:
584
################################################################################
585
# Extra user-defined resources
586
################################################################################
587
#
588
# add arbitrary user-generated resources
589
# example:
590
#
591
# config:
592
# websocket:
593
# enabled: true
594
# extraResources:
595
# - apiVersion: networking.istio.io/v1beta1
596
# kind: VirtualService
597
# metadata:
598
# name:
599
# $tplYaml: >
600
# {{ include "nats.fullname" $ | quote }}
601
# labels:
602
# $tplYaml: |
603
# {{ include "nats.labels" $ }}
604
# spec:
605
# hosts:
606
# - demo.nats.io
607
# gateways:
608
# - my-gateway
609
# http:
610
# - name: default
611
# match:
612
# - name: root
613
# uri:
614
# exact: /
615
# route:
616
# - destination:
617
# host:
618
# $tplYaml: >
619
# {{ .Values.service.name | quote }}
620
# port:
621
# number:
622
# $tplYaml: >
623
# {{ .Values.config.websocket.port }}
624
#
625
extraResources: []
626

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0SOC 2Golden ImagesCVE RemediationPublic SectorStartups

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogOpen Source LeadershipPartnersNewsroomCareersLegal
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.