fix(deploy): harden nkey generation (#6)

Signed-off-by: Frank Spitulski <fspitulski@nvidia.com>

Author: FrankSpitulski

Makefile

@@ -1,7 +1,7 @@
 # Copyright 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-.PHONY: add-license-headers check check-license-headers help test test-e2e test-helm third-party-licenses
+.PHONY: add-license-headers check check-license-headers clean-e2e help test test-e2e test-helm third-party-licenses
 
 COPYRIGHT_HOLDER := NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 COPYRIGHT_YEAR := 2026
@@ -24,6 +24,9 @@ check-license-headers: ## Verify SPDX license headers across repository sources
 
 check: check-license-headers test test-helm ## Run all local validation checks
 
+clean-e2e: ## Delete local Kind clusters and generated e2e artifacts
+	$(MAKE) -C local clean-e2e
+
 test: ## Run unit tests that do not require the local Kind environment
 	$(MAKE) -C auth-callout test
 	cd auth-callout/tests && go test -short ./...

deploy/.gitignore

@@ -32,3 +32,4 @@ Chart.lock
 *.backup
 *~
 
+secrets/

deploy/README.md

@@ -158,36 +158,43 @@ An example script is provided to generate all required secrets to local files:
 
 ```bash
 # Generate secrets for a cluster
-./scripts/generate-nkeys.sh [OPTIONS] [cpc-ids...]
+./scripts/generate-nkeys.sh [OPTIONS] -c CLUSTER [cpc-ids...]
 
 # Options:
-#   -c, --cluster CLUSTER    Cluster name: csc or cpc-{id} (default: csc)
-#   -o, --output DIR         Output directory (default: ./secrets/{cluster})
+#   -c, --cluster CLUSTER    Cluster name: csc or cpc-{id}
+#   -o, --output DIR         Output directory (default: deploy/secrets/{cluster})
+#       --force              Overwrite an existing non-empty output directory
 #   -h, --help               Show help message
 
 # Examples:
-./scripts/generate-nkeys.sh -c csc                    # Generate for CSC, output to ./secrets/csc
+./scripts/generate-nkeys.sh -c csc 1 2 3              # Generate for CSC, output to deploy/secrets/csc
 ./scripts/generate-nkeys.sh -c cpc-1 -o ./my-secrets  # Generate for CPC-1, custom output directory
-./scripts/generate-nkeys.sh -c csc 1 2 3              # Generate for CSC with CPC IDs 1, 2, 3
 ```
 
 The script generates all required NKey secrets (operator, accounts, users, XKey).
+It refuses to overwrite an existing non-empty output directory. Use `--force`
+only when intentionally rotating all generated NKeys for that cluster. Rotating
+these keys invalidates existing leaf, auth-callout, NACK, mTLS, and surveyor
+credentials created from the previous output.
+
+Generated secret files are written with mode `0600`, and generated secret
+directories are written with mode `0700`. Treat the full output directory as
+sensitive material.
 
 Output structure:
 ```
-secrets/{cluster}/
-└── nkeys/                    # NKey secrets (one directory per secret)
-    ├── nats-auth-signing/
-    ├── nats-xkey/
-    ├── nats-authx-user/
-    ├── nats-nack-user/
-    ├── nats-mtls-leaf/
-    ├── nats-mtls-authx-leaf/
-    ├── nats-mtls-sys-leaf/
-    ├── nats-surveyor/
-    ├── auth-callout-keys/
-    ├── nats-leaf-cpc-{id}/   # CSC only (when CPC IDs provided)
-    └── xkey.nk
+deploy/secrets/{cluster}/
+└── nkeys/
+    ├── nats-auth-signing/{seed,pubkey}
+    ├── nats-xkey/{seed,pubkey}
+    ├── nats-authx-user/{seed,pubkey}
+    ├── nats-nack-user/{seed,pubkey,nack-user.nk}
+    ├── nats-mtls-leaf/{seed,pubkey}
+    ├── nats-mtls-authx-leaf/{seed,pubkey}
+    ├── nats-mtls-sys-leaf/{seed,pubkey}
+    ├── nats-surveyor/{seed,pubkey}
+    ├── auth-callout-keys/{nkey-seed,issuer-seed,xkey-seed}
+    └── nats-leaf-cpc-{id}/{seed,pubkey}   # CSC only (when CPC IDs provided)
 ```
 
 ## Chart Dependencies
@@ -777,7 +784,8 @@ eventBus:
         account: "CSC"
 
 # CSC needs CPC leaf user pubkeys to authorize incoming leaf connections.
-# Add one entry per CPC cluster, matching the IDs in cpcIds.
+# This block is mandatory when eventBus.cpcIds is non-empty. Add one
+# entry per CPC cluster, matching the IDs in cpcIds.
 auth-callout:
   extraEnvs:
     NKEY_LEAF_CPC_1_PUBKEY:
@@ -792,6 +800,9 @@ auth-callout:
           key: pubkey
 ```
 
+The chart validates that every `eventBus.cpcIds` entry has a matching
+`NKEY_LEAF_CPC_{N}_PUBKEY` entry under `auth-callout.extraEnvs`.
+
 ### CPC Cluster
 
 ```yaml

deploy/nats-event-bus/templates/validation.yaml

@@ -0,0 +1,18 @@
+# Copyright 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+{{/*
+Validation template for nats-event-bus values.
+This template emits no resources; it fails rendering on unsafe combinations.
+*/}}
+{{- $authCallout := index .Values "auth-callout" | default dict -}}
+{{- $extraEnvs := get $authCallout "extraEnvs" | default dict -}}
+{{- if and (eq .Values.eventBus.clusterType "csc") (gt (len .Values.eventBus.cpcIds) 0) -}}
+{{- range .Values.eventBus.cpcIds }}
+{{- $cpcId := toString . -}}
+{{- $envName := printf "NKEY_LEAF_CPC_%s_PUBKEY" $cpcId -}}
+{{- if not (hasKey $extraEnvs $envName) -}}
+{{- fail (printf "eventBus.cpcIds includes %q, but auth-callout.extraEnvs.%s is missing. Add a secretKeyRef to nats-leaf-cpc-%s key pubkey so CSC can authorize the CPC leaf connection." $cpcId $envName $cpcId) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

deploy/nats-event-bus/values.yaml

@@ -582,10 +582,13 @@ auth-callout:
   # Use external ConfigMap generated by nats-event-bus chart
   permissionsConfigMap: "auth-callout-permissions"
 
-  # Common auth-callout env vars
-  # CSC clusters must add NKEY_LEAF_CPC_{N}_PUBKEY entries for each CPC
-  # that will connect as a leaf node. The {N} corresponds to cpcIds values.
-  # Example: cpcIds: ["1", "2"] requires NKEY_LEAF_CPC_1_PUBKEY and NKEY_LEAF_CPC_2_PUBKEY
+  # Common auth-callout env vars.
+  # CSC clusters with eventBus.cpcIds must also provide one
+  # NKEY_LEAF_CPC_{N}_PUBKEY entry per CPC in auth-callout.extraEnvs.
+  # Example: cpcIds: ["1", "2"] requires NKEY_LEAF_CPC_1_PUBKEY
+  # and NKEY_LEAF_CPC_2_PUBKEY.
+  # The chart validates this so leaf federation fails at render time instead
+  # of failing later with NATS Authorization Violation.
   extraEnvs:
     AUTH_CALLOUT_NATS_NKEY_SEED: *authCalloutNkeySeed
     AUTH_CALLOUT_NATS_ISSUER_SEED: *authCalloutIssuerSeed