
Cannot enable leafnodes due to a flaw at headless template #1122

@ggarri


What version were you using?

The issue is in the headless service template - it's a Helm chart bug. Look at the port definition:

- {{ dict "name" $protocol "port" $configProtocol.port "targetPort" $protocol "appProtocol" $appProtocol | toYaml | nindent 4 }}

Missing: The protocol field (TCP/UDP) is not included in the dict, and unlike the regular service template, there's no merge with user config - it hardcodes the fields.
Comparison:
| Template | Includes protocol? | Can inject via values? |
| --- | --- | --- |
| Service | No (but merges $servicePort) | ✓ service.ports.leafnodes.protocol |
| Headless Service | No | ✗ No merge mechanism |

This is a NATS Helm chart bug - the headless service should include "protocol" "TCP" in the dict.
Workarounds:

What environment was the server running in?

Helm version 1.3.16

Is this defect reproducible?

Yes, enable leafnodes with the following config blocks:

---
config:
  cluster:
    enabled: true
    replicas: 3
  jetstream:
    enabled: true
    storageClassName: gp3
    fileStore:
      pvc:
        storageClassName: gp3
        size: 20Gi
        accessModes:
          - ReadWriteOnce
    memoryStore:
      enabled: true
      maxSize: 2Gi
  mqtt:
    enabled: false
    ackWait: 1m
    maxAckPending: 100
  leafnodes:
    enabled: true
    port: 7422
    merge:
      authorization:
        users:
          - user: datalake
            password: datalake

service:
  enabled: true
  name: nats-dev-sot
  merge:
    spec:
      type: LoadBalancer
    metadata:
      annotations:
        # AWS NLB annotations
        service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
        service.beta.kubernetes.io/aws-load-balancer-target-type: "ip"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
        service.beta.kubernetes.io/aws-load-balancer-name: "nats-dev-sot"
        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
  ports:
    nats:
      enabled: true
    leafnodes:
      enabled: true
      protocol: TCP
    websocket:
      enabled: false

Given the capability you are leveraging, describe your expectation?

I expect the following error not to be raised:

Failed to compare desired state to live state: failed to calculate diff: error calculating server side diff: serverSideDiff error: error removing non config mutations for resource Service/nats-dev-sot-headless: error reverting webhook modified fields in predicted live resource: .spec.ports: element 1: associative list with keys has an element that omits key field "protocol" (and doesn't have default value)

Given the expectation, what is the defect you are observing?

_
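
A check for the condition reported above, as an added example (not code from the issue or from the NATS chart): it scans rendered Service manifests for `.spec.ports` entries that omit a key field of that associative list (`port`, `protocol`) and shows that writing the protocol out explicitly clears the finding. It assumes the manifests are already parsed into Python dicts; the two sample Services are constructed, and the `nats` port number 4222 is an assumption.

```python
import copy

# Key fields of the Service .spec.ports associative list in the Kubernetes API.
PORT_LIST_KEYS = ("port", "protocol")


def ports_missing_keys(manifests):
    """Return (service, index, port name, missing keys) for every Service
    port entry that omits a key field of the .spec.ports list."""
    findings = []
    for m in manifests:
        if m.get("kind") != "Service":
            continue
        name = m.get("metadata", {}).get("name", "<unnamed>")
        for i, p in enumerate(m.get("spec", {}).get("ports") or []):
            missing = [k for k in PORT_LIST_KEYS if k not in p]
            if missing:
                findings.append((name, i, p.get("name"), missing))
    return findings


def with_explicit_protocol(manifest, default="TCP"):
    """Copy of a manifest with protocol set on every port entry, mirroring
    the fix the issue proposes for the headless template."""
    fixed = copy.deepcopy(manifest)
    for p in fixed.get("spec", {}).get("ports") or []:
        p.setdefault("protocol", default)
    return fixed


# Constructed sample: the regular Service carries the protocol from values.
SERVICE = {"kind": "Service", "metadata": {"name": "nats-dev-sot"},
           "spec": {"ports": [{"name": "leafnodes", "port": 7422,
                               "targetPort": "leafnodes", "protocol": "TCP"}]}}
# Constructed sample: headless Service rendered without a protocol field.
HEADLESS = {"kind": "Service", "metadata": {"name": "nats-dev-sot-headless"},
            "spec": {"clusterIP": "None", "ports": [
                {"name": "nats", "port": 4222, "targetPort": "nats"},
                {"name": "leafnodes", "port": 7422, "targetPort": "leafnodes"}]}}

if __name__ == "__main__":
    for finding in ports_missing_keys([SERVICE, HEADLESS]):
        print("%s: .spec.ports[%d] (%s) omits %s" % finding)
```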
