How to manage NATS users
This guide explains how to create and manage users for a NATS cluster on Hikube declaratively via Kubernetes manifests.
Prerequisites
- kubectl configured with your Hikube kubeconfig
- A NATS cluster deployed on Hikube (or a manifest ready to deploy)
- (Optional) the nats CLI installed locally to test connections
Steps
1. Add users
Users are declared in the users section of the manifest. Each user is identified by a name and has a password.
apiVersion: apps.cozystack.io/v1alpha1
kind: NATS
metadata:
  name: my-nats
spec:
  replicas: 3
  resourcesPreset: small
  jetstream:
    enabled: true
    size: 10Gi
  users:
    admin:
      password: SecureAdminPassword
    appuser:
      password: AppUserPassword456
    monitoring:
      password: MonitoringPassword789
User parameters:
| Parameter | Type | Description |
|---|---|---|
| users[name].password | string | Password associated with the user |
Create separate users per application for granular access control. Use an admin account for administration, application accounts per service, and a dedicated monitoring account for supervision.
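The guide asks for strong passwords and later passes them inside nats:// server URLs. The script below is an added example, not part of the original guide or of Hikube's tooling: it generates the step 1 manifest with a random, URL-safe password per user. The function names, the 32-character length and the user-name restriction are assumptions of the example.

```shell
# Added example, not Hikube code.

# 32 characters drawn uniformly from [A-Za-z0-9] via the kernel CSPRNG
# (about 190 bits). Alphanumeric only, so the password needs no
# percent-encoding inside a nats://user:password@host server URL.
gen_password() (
  pw=""
  while [ "${#pw}" -lt 32 ]; do
    pw="$pw$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s\n' "$pw" | cut -c1-32
)

# Usage: gen_nats_manifest CLUSTER USER [USER...]
# Prints the manifest from step 1 with a fresh password for every user.
gen_nats_manifest() (
  cluster=$1; shift
  # Assumption of this example: user names are restricted to [a-z0-9-] so
  # they are safe both as YAML keys and in the URL user field.
  for user in "$@"; do
    case $user in
      ''|*[!a-z0-9-]*) echo "invalid user name: '$user'" >&2; exit 1 ;;
    esac
  done
  cat <<EOF
apiVersion: apps.cozystack.io/v1alpha1
kind: NATS
metadata:
  name: $cluster
spec:
  replicas: 3
  resourcesPreset: small
  jetstream:
    enabled: true
    size: 10Gi
  users:
EOF
  for user in "$@"; do
    printf '    %s:\n      password: %s\n' "$user" "$(gen_password)"
  done
)

# Usage: write_manifest FILE CLUSTER USER [USER...]
# The file holds plaintext passwords: create it readable by its owner only.
write_manifest() (
  out=$1; shift
  umask 077
  gen_nats_manifest "$@" > "$out" || { rm -f "$out"; exit 1; }
)
```

For the users shown above, the call is `write_manifest nats-users.yaml my-nats admin appuser monitoring`. The resulting file contains the passwords in clear text, so keep it out of version control.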
2. Apply the changes
kubectl apply -f nats-users.yaml
Monitor the rolling update of the pods:
kubectl get po -w | grep my-nats
Wait for all pods to be in Running state:
kubectl get po | grep my-nats
Expected output:
my-nats-0 1/1 Running 0 2m
my-nats-1 1/1 Running 0 4m
my-nats-2 1/1 Running 0 6m
3. Test the connection with the nats CLI
Open a port-forward to the NATS service:
kubectl port-forward svc/my-nats 4222:4222
Test the connection with each user:
Connection with the admin user:
nats pub test "Hello from admin" \
--server nats://admin:SecureAdminPassword@127.0.0.1:4222
Expected output:
Published 16 bytes to "test"
Connection with the appuser user:
nats pub app.events "Hello from appuser" \
--server nats://appuser:AppUserPassword456@127.0.0.1:4222
Expected output:
Published 18 bytes to "app.events"
Test with an incorrect password:
nats pub test "This should fail" \
--server nats://admin:wrongpassword@127.0.0.1:4222
Expected output:
nats: error: Authorization Violation
If external: true is enabled, the NATS cluster is accessible from outside the Kubernetes cluster. Ensure that all users have strong passwords.
4. Check active connections
You can check active connections on the NATS cluster:
nats server report connections \
--server nats://admin:SecureAdminPassword@127.0.0.1:4222
Expected output:
╭──────────────────────────────────────────────────────────╮
│                    Connection Report                     │
├──────────┬──────────┬──────────┬──────────┬──────────────┤
│ Server   │ Conns    │ In Msgs  │ Out Msgs │ In Bytes     │
├──────────┼──────────┼──────────┼──────────┼──────────────┤
│ my-nats-0│ 2        │ 5        │ 3        │ 128B         │
│ my-nats-1│ 1        │ 2        │ 1        │ 64B          │
│ my-nats-2│ 0        │ 0        │ 0        │ 0B           │
╰──────────┴──────────┴──────────┴──────────┴──────────────╯
To see connection details per user:
nats server report connz \
--server nats://admin:SecureAdminPassword@127.0.0.1:4222
Verification
The configuration is successful if:
- All NATS pods are in Running state after the update
- Each user can connect with their password
- An incorrect password is rejected (Authorization Violation)
- Active connections are visible in the server report
Next steps
- NATS API reference: full documentation of users parameters
- How to configure JetStream: enable message persistence and streaming