How to configure auth via Secrets #783
SimonSchmid asked this question in Q&A (unanswered, 0 replies)
Hi!
We just installed the 1.0.0 NATS Helm chart to our K8s cluster and want to set up auth. We are not sure how best to achieve what we want to do, and I wanted to ask for some ideas or best practices.
We will mainly use the JetStream functionality and have multiple services that will connect to NATS. Each service should have its own account so that we can set permissions accordingly, as not all services should have sub and pub access to all streams and subjects.
We were thinking of having a Secret for each service that would contain a username and password and could be mounted by the service. It would be important that the password is randomly generated and not specified statically in some Helm chart. We are struggling, though, as we are not sure how we would integrate those credentials into the auth configuration that NATS expects. A solution we imagine could be to have the NATS auth config as a template (defining users and permissions) and a job/controller running that reads in the different Secrets to fill the passwords into the config template. The resulting config could then be mounted as a ConfigMap into NATS.
Does that approach make any sense? Or are we maybe overlooking some easier solution?
Best and thanks in advance,
Simon
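The template-plus-job idea from the post above, as an added example (not part of the original post, and not code from NATS or its Helm chart). The directory layout, the `PERMISSIONS` table, the sample subjects and all function names are assumptions made for illustration.

```python
"""Render a NATS accounts block from per-service Secret mounts (added example)."""
import os
import re
from pathlib import Path

# Assumed layout (hypothetical): <root>/<service>/username and <root>/<service>/password,
# i.e. one mounted Kubernetes Secret per service.
# PERMISSIONS is the non-secret "template" part; the subjects are constructed samples.
PERMISSIONS = {
    "orders": {"publish": ["orders.>"], "subscribe": ["_INBOX.>"]},
    "billing": {"publish": ["billing.>"], "subscribe": ["orders.created", "_INBOX.>"]},
}
SAFE = re.compile(r"[A-Za-z0-9_.+=/-]+")  # no quotes, braces or whitespace

def read_field(path: Path) -> str:
    value = path.read_text().strip()
    if not SAFE.fullmatch(value):
        # Refuse rather than escape: a stray quote or brace could alter the config.
        raise ValueError(f"unsafe characters in {path}")
    return value

def subjects(items):
    return "[" + ", ".join(f'"{s}"' for s in items) + "]"

def render(secret_root: Path, permissions: dict) -> str:
    lines = ["accounts {"]
    for svc in sorted(permissions):
        user = read_field(secret_root / svc / "username")
        password = read_field(secret_root / svc / "password")
        perm = permissions[svc]
        lines += [
            f"  {svc.upper()}: {{",
            "    jetstream: enabled",
            "    users: [",
            f'      {{ user: "{user}", password: "{password}",',
            f"        permissions: {{ publish: {subjects(perm['publish'])}, "
            f"subscribe: {subjects(perm['subscribe'])} }} }}",
            "    ]",
            "  }",
        ]
    return "\n".join(lines + ["}"]) + "\n"

def write_config(text: str, dest: Path) -> None:
    # Output holds cleartext passwords: create it 0600 and ship it as a Secret, not a ConfigMap.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
```

The rendered file would be pulled into the server configuration with an `include` directive; how the chart mounts it is left out here.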