nats-io / k8s

NATS on Kubernetes with Helm Charts
Apache License 2.0

New volume mount removes the existing config, pid volumes #864

Closed amit12cool closed 7 months ago

amit12cool commented 7 months ago

What version were you using?

1.1.8 helm repo

What environment was the server running in?

K8

Is this defect reproducible?

yes

```yaml
config:
  cluster:
    enabled: true
    replicas: 3
  jetstream:
    enabled: true
  nats:
    tls:
      enabled: true
      merge: {
        verify: true,
        cert_file: '/mnt/nats-certificate/nats-playground-server.crt',
        key_file: '/mnt/nats-certificate/nats-playground-server.key',
        ca_file: '/mnt/nats-certificate/rootCA-playground.crt'
      }

podTemplate:
  topologySpreadConstraints:
    kubernetes.io/hostname:
      maxSkew: 1
      whenUnsatisfiable: DoNotSchedule
  merge:
    spec:
      volumes:
        - name: nats-certificate-volume
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: 'nats-certificate'

service:
  merge:
    spec:
      type: LoadBalancer

container:
  image:
    repository: nats
    image: 2.10.4-alpine
  merge:
    volumeMounts:
      - name: nats-certificate-volume
        mountPath: /mnt/nats-certificate
```

Given the capability you are leveraging, describe your expectation?

The `config` and `pid` volumes should be mounted, as they are in the pod template YAML.

Given the expectation, what is the defect you are observing?

The `config` and `pid` volumes should be mounted along with the new volume I'm trying to mount.

caleblloyd commented 7 months ago

Need to use `patch` to append to arrays:

```yaml
podTemplate:
  topologySpreadConstraints:
    kubernetes.io/hostname:
      maxSkew: 1
      whenUnsatisfiable: DoNotSchedule
  patch:
  - op: add
    path: /spec/volumes/-
    value:
      name: nats-certificate-volume
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: 'nats-certificate'
```

caleblloyd commented 7 months ago

Patch example in readme: https://github.com/nats-io/k8s/tree/main/helm/charts/nats#patch

amit12cool commented 7 months ago

> Need to use `patch` to append to arrays:
>
> ```yaml
> podTemplate:
>   topologySpreadConstraints:
>     kubernetes.io/hostname:
>       maxSkew: 1
>       whenUnsatisfiable: DoNotSchedule
>   patch:
>   - op: add
>     path: /spec/volumes/-
>     value:
>       name: nats-certificate-volume
>       csi:
>         driver: secrets-store.csi.k8s.io
>         readOnly: true
>         volumeAttributes:
>           secretProviderClass: 'nats-certificate'
> ```

That fixed it, thanks. Previously I used `/spec/volumes` as the path; with `/spec/volumes/-` it works.

amit12cool commented 7 months ago

Now the volume is created, but when I mount the CSI volume the other volumes (`pid` and `config`) are not mounted in the container. I mount it like below:

```yaml
container:
  image:
    repository: nats
    image: 2.10.4-alpine
  merge:
    volumeMounts:
      - name: nats-certificate-volume
        mountPath: /mnt/nats-certificate/
```

amit12cool commented 7 months ago

OK, so I patched and it worked:

```yaml
container:
  image:
    repository: nats
    image: 2.10.4-alpine
  patch:
  - op: add
    path: /volumeMounts/-
    value:
      name: nats-certificate-volume
      mountPath: /mnt/nats-certificate
```

amit12cool commented 7 months ago

@caleblloyd

Now my reloader container shows an error:

```text
2024/02/10 17:38:57 Starting NATS Server Reloader v0.14.1
2024/02/10 17:38:57 Watching file: /etc/nats-config/nats.conf
Error: no such file or directory
```

I used the YAML values below:

```yaml
config:
  cluster:
    enabled: true
    replicas: 3
  jetstream:
    enabled: true
  nats:
    tls:
      enabled: true
      merge: {
        verify: true,
        cert_file: '/mnt/nats-certificate/nats-playground-server.crt',
        key_file: '/mnt/nats-certificate/nats-playground-server.key',
        ca_file: '/mnt/nats-certificate/rootCA-playground.crt'
      }
```

caleblloyd commented 7 months ago

Give the reloader container the same mount; it detects and watches TLS certificates.

amit12cool commented 7 months ago

> Give the reloader container the same mount; it detects and watches TLS certificates.

That worked. Thanks @caleblloyd
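Pulling the thread together, here is a complete values file that applies all three fixes discussed above: JSON Patch (`/-` appends) instead of `merge` for the pod volumes, the same for the server container's mounts, and the identical mount on the reloader so it can read the certificate files referenced from nats.conf. This is an added example, not a config from the thread or from the nats-io/k8s chart; it assumes the chart 1.x values layout used in the issue, that the `reloader` section accepts the same `patch` hook as `container` (an assumption to verify against your chart version's values.yaml), and a SecretProviderClass named `nats-certificate` that projects the three file names taken from the thread.

```yaml
# Added example, not from the issue or the nats-io/k8s chart itself.
# Assumptions: nats Helm chart 1.x value layout; `reloader.patch` behaves like
# `container.patch`; a SecretProviderClass "nats-certificate" projects the
# three files named below (file names taken from the thread).
config:
  cluster:
    enabled: true
    replicas: 3
  jetstream:
    enabled: true
  nats:
    tls:
      enabled: true
      merge:
        # verify: true makes the server require and validate client certificates
        # against ca_file (mutual TLS); without it only the server is authenticated.
        verify: true
        cert_file: /mnt/nats-certificate/nats-playground-server.crt
        key_file: /mnt/nats-certificate/nats-playground-server.key
        ca_file: /mnt/nats-certificate/rootCA-playground.crt

podTemplate:
  topologySpreadConstraints:
    kubernetes.io/hostname:
      maxSkew: 1
      whenUnsatisfiable: DoNotSchedule
  # `merge` replaces arrays wholesale, which is what dropped the chart's own
  # `config` and `pid` volumes. A JSON Patch "add" with a trailing "/-" appends.
  patch:
    - op: add
      path: /spec/volumes/-
      value:
        name: nats-certificate-volume
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: nats-certificate

container:
  patch:
    - op: add
      path: /volumeMounts/-
      value:
        name: nats-certificate-volume
        mountPath: /mnt/nats-certificate
        readOnly: true   # the server only needs to read the key material

# The reloader watches nats.conf and the cert/key/CA files it references, so the
# same files must exist at the same paths in its filesystem; otherwise it exits
# with "no such file or directory" as seen above.
reloader:
  enabled: true
  patch:
    - op: add
      path: /volumeMounts/-
      value:
        name: nats-certificate-volume
        mountPath: /mnt/nats-certificate
        readOnly: true
```

Before installing, render the chart and confirm the CSI mount appears on both containers while the chart's own `config` and `pid` volumes survive, for example `helm template nats nats/nats -f values.yaml | grep -n -e nats-certificate -e 'name: config' -e 'name: pid'` (assumes the chart repo is added under the name `nats`). If the reloader volume mount is missing from the output, the `reloader.patch` assumption does not hold for your chart version and the mount has to be added through whichever hook that version documents.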