nauth

module
v0.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 12, 2026 License: Apache-2.0

README

NAUTH

NAUTH

A Kubernetes operator for managing decentralized authentication & authorization for NATS

NAuth allows platform teams to provide easy multi-tenancy support for development teams by providing Account & User CRD:s that conveniently packages:

  • Account creation & updates
  • Account exports & imports
  • User creation & credentials delivery

[!NOTE] This project is still in early and active development. There will likely be breaking changes before getting to a stable release.

Installation

NAuth supports installation through packaged Helm charts.

helm install nauth oci://ghcr.io/wirelesscar/nauth --create-namespace --namespace nauth

A nauth-crds chart is also available for installing CRDs separately, which works alongside the main chart with crds.install=false.

Pre-requisites

NAuth requires NATS to be installed in the cluster, since NAuth integrates with NATS (over NATS) to provide the account JWT:s. See examples of how to setup NATS with JWT auth together with NAuth in the examples directory.

[!IMPORTANT] Nauth requires the system account user credentials and the operator signing key nkey seed to be provided as a k8s secret with the proper labels.

  • nauth.io/secret-type: system-account-user-creds
  • nauth.io/secret-type: operator-sign

You can see a full operator example setup here.

Getting Started

Running a large NATS cluster requires that the operator is secured properly. If you do not already have an operator, try out the operator-bootstrap utility which comes with NAuth.

You can also use nsc directly to create a throw-away operator & system account.

More on decentralized JWT Auth

Check out this video for a comprehensive description on how decentralized JWT Auth works. In order to work with NAuth, it's important to have an understanding of how the basics work.

NATS decentralized JWT Auth

Import an existing NATS Account

Use this to "observe" an account that already exists in the NATS cluster. NAuth will fetch the JWT from NATS and update the account status, but it will never push a new JWT.

Required Secrets
  • Account root seed secret labeled: account.nauth.io/id=$ACCOUNT_PUBKEY, nauth.io/secret-type=account-root and nauth.io/managed=true.
  • Account signing seed secret labeled: account.nauth.io/id=$ACCOUNT_PUBKEY, nauth.io/secret-type=account-sign and nauth.io/managed=true.
Account CR example
apiVersion: nauth.io/v1alpha1
kind: Account
metadata:
  name: my-acc
  labels:
    account.nauth.io/id: $ACCOUNT_PUBKEY
    nauth.io/management-policy: observe        # observe-only

Note: the System Account required by NAuth itself can only be observed and reconciliation of such an Account CRD without nauth.io/management-policy: observe label will fail.

Nauth Development

Check out the CONTRIBUTING guide.

Directories

Path Synopsis
api
v1alpha1
Package v1alpha1 contains API Schema definitions for the nats v1alpha1 API group.
 Package v1alpha1 contains API Schema definitions for the nats v1alpha1 API group.
internal
account
controller
k8s
k8s/secret
nats
user

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.