Description
What motivated this proposal?
I try to keep all the resources needed for a service in its own namespace. This includes the streams it produces to.
Today this requires me to either use the default cluster option for nack, or to have an Account in each k8s namespace I want to create a stream or consumer in.
I looked into how other operators like external-secrets, gateway api and certificate manager solve the problem and came up with some suggestions.
I have implemented all the options to learn and understand more, but would love to hear what others think before putting more polish on it.
What is the proposed change?
There are multiple options to solve this, and I'm not sure what my preferred option is. They are not mutually exclusive, and I could see a point in adding both options 2 and 3, for example.
Option 1: ClusterAccount
This would allow all namespaces in a cluster to reference the Account and create resources using it.
apiVersion: jetstream.nats.io/v1beta2
kind: ClusterAccount
metadata:
  name: production-nats
spec:
  servers: ["nats://nats.prod:4222"]
Option 2: ClusterAccount with a namespace selector.
This increases security somewhat by requiring the ClusterAccount to whitelist which namespaces are allowed to use it.
apiVersion: jetstream.nats.io/v1beta2
kind: ClusterAccount
metadata:
  name: production-nats
spec:
  servers: ["nats://nats.prod:4222"]
  namespaceSelector:
    matchLabels:
      environment: production
Option 3: ReferenceGrant
Inspired by the gateway api, and following the pattern some other operators use to include this.
This allows the namespace owning the Account to let other namespaces use it.
# In namespace-a (where Account lives)
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-ns-b
  namespace: namespace-a
spec:
  from:
  - group: jetstream.nats.io
    kind: Stream
    namespace: namespace-b
  to:
  - group: jetstream.nats.io
    kind: Account
---
# In namespace-b
apiVersion: jetstream.nats.io/v1beta2
kind: Stream
metadata:
  name: my-stream
  namespace: namespace-b
spec:
  accountRef:
    name: shared-account
    namespace: namespace-a
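To make the authorization rule behind options 2 and 3 concrete, here is an added Go sketch of the checks a controller would run before honouring a cross-namespace accountRef. It is illustration only, not nack's code: the struct types are simplified stand-ins for the real CRDs, and the Gateway API rule that a ReferenceGrant only counts when it lives in the target (Account) namespace is applied as written in that spec.

```go
package main

// Simplified shapes of the proposed objects (assumed here; not nack's real types).
type GrantFrom struct{ Group, Kind, Namespace string }
type GrantTo struct{ Group, Kind, Name string } // empty Name matches any Account
type ReferenceGrant struct {
	Namespace string // namespace the grant is created in
	From      []GrantFrom
	To        []GrantTo
}
type AccountRef struct{ Name, Namespace string }

const group = "jetstream.nats.io"

// Option 3: a ReferenceGrant only counts if it lives in the Account's namespace (the owner consents), and one From and one To entry must both match.
func grantAllows(grants []ReferenceGrant, fromKind, fromNS string, ref AccountRef) bool {
	for _, g := range grants {
		if g.Namespace != ref.Namespace {
			continue
		}
		fromOK := false
		for _, f := range g.From {
			fromOK = fromOK || (f.Group == group && f.Kind == fromKind && f.Namespace == fromNS)
		}
		if !fromOK {
			continue
		}
		for _, t := range g.To {
			if t.Group == group && t.Kind == "Account" && (t.Name == "" || t.Name == ref.Name) {
				return true
			}
		}
	}
	return false
}

// Option 2: every matchLabels key must be present on the namespace with the same value. An empty selector matches every namespace, which is exactly option 1.
func selectorAllows(matchLabels, nsLabels map[string]string) bool {
	for k, v := range matchLabels {
		if got, ok := nsLabels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// A Stream may use an Account in its own namespace as today; any other namespace needs a grant issued by the Account's namespace.
func CanReferenceAccount(streamNS string, ref AccountRef, grants []ReferenceGrant) bool {
	if ref.Namespace == "" || ref.Namespace == streamNS {
		return true
	}
	return grantAllows(grants, "Stream", streamNS, ref)
}
```

Note that a grant created in the consuming namespace (namespace-b) is ignored, so only the Account's owner can open it up, and a Consumer kind is refused until it is listed in from as well.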
Who benefits from this change?
This change is aligned with how other operators handle cross-namespace usage, and makes it easier to use Accounts in a secure way in your cluster.
What alternatives have you evaluated?
No response