Proper way to configure NATS resolver with JWTs and natsbox

[mac-chaffee]

Hi there!

I've been trying to install NATS with the resolver enabled, essentially following this: https://github.com/nats-io/k8s/tree/main/helm/charts/nats#operator-mode-with-nats-resolver

The first step I've done is to run nsc init inside of a local natsbox instance, then extract the generated config like the above link mentions:

$ docker run -it natsio/nats-box:latest

$ nsc init
? enter a configuration directory /nsc/nats/nsc/stores
? Select an operator Create Operator
? name your operator, account and user nats-admin
...
[ OK ] user creds file stored in "/nsc/nkeys/creds/nats-admin/nats-admin/nats-admin.creds"
[ OK ] created account nats-admin
[ OK ] created user "nats-admin"

The first problem I've encountered is that if you only put the system account JWT inside resolver_preload, then when you helm install, there will be no record of the operator account (nats-admin). Shouldn't we put both the system account and the operator account JWTs inside of resolver_preload? Otherwise, when you try to authenticate as a user under the nats-admin account, the server will say that it doesn't recognize the account.

Assuming you do need both account JWTs in resolver_preload, then the second problem I've hit is that I'm not sure how exactly to configure natsbox. I know that I need some kind of user creds.txt file to give to natsbox, like this format:

natsBox:
  contexts:
    default:
      creds:
        contents: |
          -----BEGIN NATS USER JWT-----
          ...

Presumably I should use nats-admin.creds which was generated by nsc init right? Because there is no system account user generated by nsc init anyway. But if you use nats-admin.creds (which is my operator, not my system account), then I can't do some operations like nats server info due to insufficient permissions. Additionally, I can't do operations like nsc add user because it throws the error: Error: set an operator -- 'nsc env -o operatorName'.

I was able to run nsc add operator -i and import my operator JWT, but shouldn't that not be necessary? Is there a config I can set on natsbox to do that automatically?

Finally, even once I import the operator, commands like nsc pull fail due to Error: operator "nats-admin" doesn't set account server url - unable to pull. Is there a natsbox setting to ensure that is set automatically?

---

Is there maybe a completely different approach to this problem? Like should I helm install without creating an operator or system account, and run nsc init inside the natsbox that gets deployed (instead of locally)? Feels like I'm barking up the wrong tree. Any advice is appreciated!