argoproj · wwitzel3 · Nov 6, 2025 · Nov 13, 2025 · whynowy · Nov 18, 2025
@@ -2408,6 +2408,10 @@
           "$ref": "#/definitions/io.k8s.api.core.v1.SecretKeySelector",
           "description": "Secret for auth"
         },
+        "auth": {
+          "description": "Auth strategy, default to AuthStrategyNone",
+          "type": "string"
+        },
         "streamConfig": {
           "type": "string"
         },

@@ -1525,6 +1525,7 @@ AuthStrategy (<code>string</code> alias)
 <p>
 
 (<em>Appears on:</em>
+<a href="#argoproj.io/v1alpha1.JetStreamConfig">JetStreamConfig</a>,
 <a href="#argoproj.io/v1alpha1.NATSConfig">NATSConfig</a>,
 <a href="#argoproj.io/v1alpha1.NativeStrategy">NativeStrategy</a>)
 </p>
@@ -11605,6 +11606,26 @@ SSL/TLS settings for the NATS client
 
 </tr>
 
+<tr>
+
+<td>
+
+<code>auth</code></br> <em>
+<a href="#argoproj.io/v1alpha1.AuthStrategy"> AuthStrategy </a> </em>
+</td>
+
+<td>
+
+<em>(Optional)</em>
+<p>
+
+Auth strategy, default to AuthStrategyNone
+</p>
+
+</td>
+
+</tr>
+
 </tbody>
 
 </table>

@@ -105,4 +105,7 @@ type JetStreamConfig struct {
 	// SSL/TLS settings for the NATS client
 	// +optional
 	TLS *TLSConfig `json:"tls,omitempty" protobuf:"bytes,4,opt,name=tls"`
+	// Auth strategy, default to AuthStrategyNone
+	// +optional
+	Auth *AuthStrategy `json:"auth,omitempty" protobuf:"bytes,5,opt,name=auth,casttype=AuthStrategy"`
 }
@@ -20,6 +20,7 @@ var (
 	AuthStrategyNone  AuthStrategy = "none"
 	AuthStrategyToken AuthStrategy = "token"
 	AuthStrategyBasic AuthStrategy = "basic"
+	AuthStrategyJWT   AuthStrategy = "jwt"
 )
 
 // NativeStrategy indicates to install a native NATS service

@@ -12,9 +12,10 @@ type Auth struct {
 
 // AuthCredential host the credential info
 type AuthCredential struct {
-	Token    string
-	Username string
-	Password string
+	Token          string
+	Username       string
+	Password       string
+	CredentialFile string
 }
 
 type MsgHeader struct {

@@ -114,9 +114,13 @@ func GetAuth(ctx context.Context, eventBusConfig v1alpha1.BusConfig) (*eventbusc
 	case eventBusConfig.NATS != nil:
 		eventBusAuth = eventBusConfig.NATS.Auth
 	case eventBusConfig.JetStream != nil:
-		if eventBusConfig.JetStream.AccessSecret != nil {
+		switch {
+		case eventBusConfig.JetStream.Auth != nil:
+			eventBusAuth = eventBusConfig.JetStream.Auth
+		case eventBusConfig.JetStream.AccessSecret != nil:
+			// For backward compatibility, default to Basic auth if AccessSecret is present but Auth is not specified
 			eventBusAuth = &v1alpha1.AuthStrategyBasic
-		} else {
+		default:
 			eventBusAuth = nil
 		}
 	case eventBusConfig.Kafka != nil:
@@ -126,11 +130,21 @@ func GetAuth(ctx context.Context, eventBusConfig v1alpha1.BusConfig) (*eventbusc
 	}
 	var auth *eventbuscommon.Auth
 	cred := &eventbuscommon.AuthCredential{}
-	if eventBusAuth == nil || *eventBusAuth == v1alpha1.AuthStrategyNone {
+
+	switch {
+	case eventBusAuth == nil || *eventBusAuth == v1alpha1.AuthStrategyNone:
 		auth = &eventbuscommon.Auth{
 			Strategy: v1alpha1.AuthStrategyNone,
 		}
-	} else {
+	case *eventBusAuth == v1alpha1.AuthStrategyJWT:
+		// For JWT auth, we don't parse auth.yaml - just set the credential file path
+		cred.CredentialFile = fmt.Sprintf("%s/credentials.creds", v1alpha1.EventBusAuthFileMountPath)
+		auth = &eventbuscommon.Auth{
+			Strategy:   v1alpha1.AuthStrategyJWT,
+			Credential: cred,
+		}
+	default:
+		// For Basic and Token auth, parse auth.yaml
 		v := sharedutil.ViperWithLogging()
 		v.SetConfigName("auth")
 		v.SetConfigType("yaml")
@@ -144,6 +158,7 @@ func GetAuth(ctx context.Context, eventBusConfig v1alpha1.BusConfig) (*eventbusc
 			logger.Errorw("failed to unmarshal auth.yaml", zap.Error(err))
 			return nil, err
 		}
+
 		v.WatchConfig()
 		v.OnConfigChange(func(e fsnotify.Event) {
 			// Auth file changed, let it restart

@@ -89,6 +89,9 @@ func (stream *Jetstream) MakeConnection() (*JetstreamConnection, error) {
 	case v1alpha1.AuthStrategyBasic:
 		log.Info("NATS auth strategy: Basic")
 		opts = append(opts, nats.UserInfo(stream.auth.Credential.Username, stream.auth.Credential.Password))
+	case v1alpha1.AuthStrategyJWT:
+		log.Info("NATS auth strategy: JWT")
+		opts = append(opts, nats.UserCredentials(stream.auth.Credential.CredentialFile))
 	case v1alpha1.AuthStrategyNone:
 		log.Info("NATS auth strategy: None")
 	default:

@@ -251,17 +251,40 @@ func buildDeployment(args *AdaptorArgs, eventBus *v1alpha1.EventBus) (*appv1.Dep
 	if accessSecret != nil {
 		// Mount the secret as volume instead of using envFrom to gain the ability
 		// for the sensor deployment to auto reload when the secret changes
+
+		// Determine auth strategy to decide how to mount the secret
+		var authStrategy *v1alpha1.AuthStrategy
+		if eventBus.Status.Config.JetStream != nil {
+			authStrategy = eventBus.Status.Config.JetStream.Auth
+		} else if eventBus.Status.Config.NATS != nil {
+			authStrategy = eventBus.Status.Config.NATS.Auth
+		}
+
+		var items []corev1.KeyToPath
+		if authStrategy != nil && *authStrategy == v1alpha1.AuthStrategyJWT {
+			// For JWT auth, mount only the credentials file
+			items = []corev1.KeyToPath{
+				{
+					Key:  accessSecret.Key,
+					Path: "credentials.creds",
+				},
+			}
+		} else {
+			// For Basic/Token auth, mount as auth.yaml
+			items = []corev1.KeyToPath{
+				{
+					Key:  accessSecret.Key,
+					Path: "auth.yaml",
+				},
+			}
+		}
+
 		volumes = append(volumes, corev1.Volume{
 			Name: "auth-volume",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName: accessSecret.Name,
-					Items: []corev1.KeyToPath{
-						{
-							Key:  accessSecret.Key,
-							Path: "auth.yaml",
-						},
-					},
+					Items:      items,
 				},
 			},
 		})

@@ -212,17 +212,40 @@ func buildDeployment(args *AdaptorArgs, eventBus *v1alpha1.EventBus) (*appv1.Dep
 	if accessSecret != nil {
 		// Mount the secret as volume instead of using envFrom to gain the ability
 		// for the sensor deployment to auto reload when the secret changes
+
+		// Determine auth strategy to decide how to mount the secret
+		var authStrategy *v1alpha1.AuthStrategy
+		if eventBus.Status.Config.JetStream != nil {
+			authStrategy = eventBus.Status.Config.JetStream.Auth
+		} else if eventBus.Status.Config.NATS != nil {
+			authStrategy = eventBus.Status.Config.NATS.Auth
+		}
+
+		var items []corev1.KeyToPath
+		if authStrategy != nil && *authStrategy == v1alpha1.AuthStrategyJWT {
+			// For JWT auth, mount only the credentials file
+			items = []corev1.KeyToPath{
+				{
+					Key:  accessSecret.Key,
+					Path: "credentials.creds",
+				},
+			}
+		} else {
+			// For Basic/Token auth, mount as auth.yaml
+			items = []corev1.KeyToPath{
+				{
+					Key:  accessSecret.Key,
+					Path: "auth.yaml",
+				},
+			}
+		}
+
 		volumes = append(volumes, corev1.Volume{
 			Name: "auth-volume",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					SecretName: accessSecret.Name,
-					Items: []corev1.KeyToPath{
-						{
-							Key:  accessSecret.Key,
-							Path: "auth.yaml",
-						},
-					},
+					Items:      items,
 				},
 			},
 		})

@@ -74,11 +74,22 @@ func getEventBusAuth(ctx context.Context, authStrategy *aev1.AuthStrategy) (*eve
 
 	var auth *eventbuscommon.Auth
 
-	if authStrategy == nil || *authStrategy == aev1.AuthStrategyNone {
+	switch {
+	case authStrategy == nil || *authStrategy == aev1.AuthStrategyNone:
 		auth = &eventbuscommon.Auth{
 			Strategy: aev1.AuthStrategyNone,
 		}
-	} else {
+	case *authStrategy == aev1.AuthStrategyJWT:
+		// For JWT auth, we don't parse auth.yaml - just set the credential file path
+		cred := &eventbuscommon.AuthCredential{
+			CredentialFile: fmt.Sprintf("%s/credentials.creds", eventBusAuthFileMountPath),
+		}
+		auth = &eventbuscommon.Auth{
+			Strategy:   aev1.AuthStrategyJWT,
+			Credential: cred,
+		}
+	default:
+		// For Basic and Token auth, parse auth.yaml
 		v := sharedutil.ViperWithLogging()
 		v.SetConfigName("auth")
 		v.SetConfigType("yaml")