Component(s)
router
Is your feature request related to a problem? Please describe.
The NATS event source (events.providers.nats) has no TLS support. The NatsEventSource config struct only has id, url, and authentication fields — there is no tls block. This means all NATS connections are plaintext, making it impossible to use NATS in environments that require encrypted transport (e.g., compliance requirements, production infrastructure with TLS-only brokers).
Describe the solution you'd like
Add a tls block to the NATS event source config supporting all standard TLS modes:
| Mode | Config |
| --- | --- |
| No TLS | omit tls block |
| TLS + skip verify (self-signed/dev) | insecure_skip_verify: true |
| TLS + custom CA (1-way TLS) | ca_file: /path/to/ca.crt |
| mTLS (mutual TLS) | ca_file + cert_file + key_file |
Example config:
```yaml
events:
  providers:
    nats:
      - id: my-nats
        url: nats://localhost:4222
        tls:
          ca_file: /path/to/ca.crt
          cert_file: /path/to/client.crt
          key_file: /path/to/client.key
```
Implementation requires:
- New NatsTLSConfiguration struct in config.go
- TLS *NatsTLSConfiguration field on NatsEventSource
- TLS option building in buildNatsOptions using nats.Secure(tlsCfg)
- Update config.schema.json and testdata/config_full.json golden fixture
Describe alternatives you've considered
Adding the NATS server's CA to the host OS system cert pool. This is operationally impractical in containerized/ephemeral environments.
Additional context
The Kafka event source already has a (minimal) tls.enabled flag. This proposal brings NATS to full parity and beyond, covering all 4 standard TLS modes.