Description
Is your feature request related to a problem? Please describe.
We're running into a blocker when deploying the JetStream EventBus in environments with strict security policies (like OPA/Gatekeeper). These clusters often forbid the usage of shareProcessNamespace: true.
Right now, the JetStream installer enforces this setting to support the nats-server-config-reloader sidecar, which means we simply can't deploy it in these secured environments. It would be great to have an option to disable this requirement.
Describe the solution you'd like
I would like to add an optional shareProcessNamespace field to the JetStreamBus spec (defaulting to true to preserve backward compatibility).
When this field is explicitly set to false:
The shareProcessNamespace field in the generated StatefulSet PodSpec should be set to false.
The reloader sidecar container should be excluded from the StatefulSet, as it relies on the shared process namespace to send signals to the main NATS process.
This allows users to deploy JetStream in strict environments, accepting the trade-off that configuration hot-reloading will be disabled (requiring a Pod restart for config changes).
Describe alternatives you've considered
We considered using a Mutating Webhook to forcibly set shareProcessNamespace to false on the Pods. However, this would break the reloader sidecar functionality (which expects to signal the main process) without the controller being aware of it, potentially leading to inconsistent states or errors.
Additional context
I have already prepared a PR implementing this change. It involves:
Updating JetStreamBus struct in jetstream_eventbus.go.
Updating the installer logic in jetstream.go to conditionally append the reloader container.
Message from the maintainers:
If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
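The behaviour the request describes (an optional field that defaults to true, and a reloader sidecar that is only added when the process namespace is shared) can be sketched in a few lines of Go. The following is an added example written for this page, not the issue author's PR or Argo Events code: the JetStreamBusSpec, PodSpec and Container types are simplified hypothetical stand-ins for the real spec and k8s.io/api types, the image names are placeholders, and violatesNoSharedPIDPolicy is a hypothetical model of a Gatekeeper-style constraint that rejects shareProcessNamespace: true.

```go
package main

import "fmt"

// JetStreamBusSpec is a hypothetical, cut-down stand-in for the bus spec.
// ShareProcessNamespace is the proposed optional field: nil means "unset",
// which resolves to true so that existing manifests keep their behaviour.
type JetStreamBusSpec struct {
	ShareProcessNamespace *bool
}

// Container and PodSpec are hypothetical stand-ins for the k8s.io/api types.
type Container struct {
	Name  string
	Image string
}

type PodSpec struct {
	ShareProcessNamespace *bool
	Containers            []Container
}

func boolPtr(b bool) *bool { return &b }

// shareProcessNamespaceEnabled resolves the optional field: nil or true -> true,
// explicit false -> false.
func shareProcessNamespaceEnabled(spec JetStreamBusSpec) bool {
	return spec.ShareProcessNamespace == nil || *spec.ShareProcessNamespace
}

// buildPodSpec mirrors the proposed installer logic: the main NATS container
// is always present, and the config-reloader sidecar is appended only when
// the PID namespace is shared, because the reloader works by signalling the
// nats-server process. With an unshared namespace the sidecar would be a
// useless (and confusing) addition, so it is left out entirely.
func buildPodSpec(spec JetStreamBusSpec) PodSpec {
	share := shareProcessNamespaceEnabled(spec)
	pod := PodSpec{
		ShareProcessNamespace: boolPtr(share),
		Containers: []Container{
			{Name: "main", Image: "nats:placeholder"}, // placeholder image
		},
	}
	if share {
		pod.Containers = append(pod.Containers, Container{
			Name:  "reloader",
			Image: "nats-server-config-reloader:placeholder", // placeholder image
		})
	}
	return pod
}

// hasContainer reports whether a container with the given name is in the pod.
func hasContainer(pod PodSpec, name string) bool {
	for _, c := range pod.Containers {
		if c.Name == name {
			return true
		}
	}
	return false
}

// violatesNoSharedPIDPolicy is a hypothetical model of the admission rule the
// issue describes: a Gatekeeper-style constraint that forbids
// shareProcessNamespace: true on any Pod.
func violatesNoSharedPIDPolicy(pod PodSpec) bool {
	return pod.ShareProcessNamespace != nil && *pod.ShareProcessNamespace
}

func main() {
	cases := []struct {
		name string
		spec JetStreamBusSpec
	}{
		{"unset (default)", JetStreamBusSpec{}},
		{"explicit true", JetStreamBusSpec{ShareProcessNamespace: boolPtr(true)}},
		{"explicit false", JetStreamBusSpec{ShareProcessNamespace: boolPtr(false)}},
	}
	for _, tc := range cases {
		pod := buildPodSpec(tc.spec)
		fmt.Printf("%-16s shareProcessNamespace=%-5v reloader=%-5v policyViolation=%v\n",
			tc.name, *pod.ShareProcessNamespace, hasContainer(pod, "reloader"),
			violatesNoSharedPIDPolicy(pod))
	}
}
```

Only the explicitly-false case passes the modelled policy, and it does so without the reloader container, which is exactly the trade-off the request accepts: config changes then need a Pod restart instead of a hot reload. A Mutating Webhook that merely flipped the PodSpec field would leave the reloader in place, which is why the controller has to own this decision.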