Add NATS TLS configuration options to wash host and runtime-operator

Cargo.toml

@@ -109,7 +109,7 @@ pbjson-types = { version = "0.8.0", default-features = false }
 pbjson-build = { version = "0.8.0", default-features = false }
 prost = { version = "0.14", default-features = false }
 reqwest = { version = "0.12.20", default-features = false, features = ["json", "rustls-tls"] }
-rustls = { version = "0.23", default-features = false, features = ["std", "tls12"] }
+rustls = { version = "0.23", default-features = false, features = ["std", "tls12", "ring"] }
 rustls-pemfile = { version = "2.2", default-features = false, features = ["std"] }
 schemars = { version = "0.8", default-features = false }
 git2 = { version = "0.19", default-features = false }

crates/wash-runtime/Cargo.toml

@@ -23,7 +23,7 @@ wasi-webgpu = ["dep:wasi-webgpu-wasmtime", "dep:wasi-graphics-context-wasmtime"]
 
 [dependencies]
 anyhow = { workspace = true }
-async-nats = { workspace = true, features = ["aws-lc-rs"] }
+async-nats = { workspace = true, features = ["ring"] }
 async-trait = { workspace = true }
 bytes = { workspace = true }
 chrono = { workspace = true }
@@ -49,7 +49,7 @@ tokio-rustls = { workspace = true }
 tokio-util = { workspace = true, features = ["rt"] }
 tonic = { workspace = true, features = [
     "gzip",
-    "tls-aws-lc",
+    "tls-ring",
     "transport",
     "router",
     "codegen",

crates/wash-runtime/src/washlet/mod.rs

@@ -1,3 +1,4 @@
+use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;
 
@@ -191,14 +192,59 @@ pub async fn run_cluster_host(
     })
 }
 
+/// Configuration options for NATS connections
+#[derive(Debug, Clone, Default)]
+pub struct NatsConnectionOptions {
+    /// Request timeout for NATS operations
+    pub request_timeout: Option<Duration>,
+    /// Path to TLS CA certificate file for NATS connection
+    pub tls_ca: Option<PathBuf>,
+    /// Enable TLS handshake first mode for NATS connection
+    pub tls_first: bool,
+    /// Path to NATS credentials file
+    pub credentials: Option<PathBuf>,
+}
+
 pub async fn connect_nats(
     addr: impl async_nats::ToServerAddrs,
-    request_timeout: Option<Duration>,
+    options: Option<NatsConnectionOptions>,
 ) -> Result<async_nats::Client, anyhow::Error> {
+    let options = options.unwrap_or_default();
+
+    // Install the default crypto provider for rustls when using TLS options.
+    // This must be done before any TLS-related operations.
+    // We use ring for consistency with other dependencies in the workspace.
+    // It's safe to call multiple times - it will only install once.
+    if options.tls_ca.is_some() || options.tls_first {
+        let _ = rustls::crypto::ring::default_provider().install_default();
+    }
+
     let mut opts = async_nats::ConnectOptions::new();
-    if let Some(timeout) = request_timeout {
+    if let Some(timeout) = options.request_timeout {
         opts = opts.request_timeout(Some(timeout));
-    };
+    }
+    if let Some(tls_ca) = options.tls_ca {
+        anyhow::ensure!(
+            tls_ca.exists(),
+            "NATS TLS CA certificate file does not exist: {}",
+            tls_ca.display()
+        );
+        opts = opts.add_root_certificates(tls_ca);
+    }
+    if options.tls_first {
+        opts = opts.tls_first();
+    }
+    if let Some(credentials) = options.credentials {
+        anyhow::ensure!(
+            credentials.exists(),
+            "NATS credentials file does not exist: {}",
+            credentials.display()
+        );
+        opts = opts
+            .credentials_file(&credentials)
+            .await
+            .context("failed to load NATS credentials")?;
+    }
     opts.connect(addr)
         .await
         .context("failed to connect to NATS")
@@ -611,8 +657,6 @@ impl From<crate::types::WorkloadStatus> for types::v2::WorkloadStatus {
 
 #[cfg(test)]
 mod tests {
-    use crate::host;
-
     use super::*;
 
     #[tokio::test]

crates/wash/src/cli/host.rs

@@ -1,4 +1,4 @@
-use std::{net::SocketAddr, sync::Arc, time::Duration};
+use std::{net::SocketAddr, path::PathBuf, sync::Arc, time::Duration};
 
 use anyhow::Context as _;
 use clap::Args;
@@ -22,6 +22,18 @@ pub struct HostCommand {
     #[clap(long = "data-nats-url", default_value = "nats://localhost:4222")]
     pub data_nats_url: String,
 
+    /// Path to TLS CA certificate file for NATS connection
+    #[clap(long = "nats-tls-ca")]
+    pub nats_tls_ca: Option<PathBuf>,
+
+    /// Enable TLS handshake first mode for NATS connection
+    #[clap(long = "nats-tls-first", default_value_t = false)]
+    pub nats_tls_first: bool,
+
+    /// Path to NATS credentials file
+    #[clap(long = "nats-creds")]
+    pub nats_creds: Option<PathBuf>,
+
     /// The host name to assign to the host
     #[clap(long = "host-name")]
     pub host_name: Option<String>,
@@ -46,13 +58,20 @@ pub struct HostCommand {
 
 impl CliCommand for HostCommand {
     async fn handle(&self, _ctx: &CliContext) -> anyhow::Result<CommandOutput> {
+        let nats_options = Some(wash_runtime::washlet::NatsConnectionOptions {
+            tls_ca: self.nats_tls_ca.clone(),
+            tls_first: self.nats_tls_first,
+            credentials: self.nats_creds.clone(),
+            ..Default::default()
+        });
+
         let scheduler_nats_client =
-            wash_runtime::washlet::connect_nats(self.scheduler_nats_url.clone(), None)
+            wash_runtime::washlet::connect_nats(self.scheduler_nats_url.clone(), nats_options.clone())
                 .await
                 .context("failed to connect to NATS Scheduler URL")?;
 
         let data_nats_client =
-            wash_runtime::washlet::connect_nats(self.data_nats_url.clone(), None)
+            wash_runtime::washlet::connect_nats(self.data_nats_url.clone(), nats_options)
                 .await
                 .context("failed to connect to NATS")?;
         let data_nats_client = Arc::new(data_nats_client);

runtime-operator/.gitignore

@@ -34,4 +34,7 @@ tmp/**
 !tmp/.gitkeep
 
 # Junk
-.DS_Store
+.DS_Store
+
+# Compiled binary
+/main