nats health checks do not use the configured nats client options #2049

@butonic

Try encrypting the nats cluster connection with a self-signed TLS certificate, e.g.:

OC_EVENTS_ENABLE_TLS=true
OC_EVENTS_TLS_ROOT_CA_CERTIFICATE=/etc/nats/ca/ca.crt

If the provided CA was not used to sign the nats server certificate, opencloud will correctly prevent startup:

{
    "level": "fatal",
    "service": "opencloud",
    "event": "opencloud: Failed service 'service.SutureService{exec:(func(context.Context) error)(0x564d63c90ce0)}' (5.996986 failures of 5.000000), restarting: false, error: tls: failed to verify certificate: x509: certificate signed by unknown authority",
    "service": "service.SutureService{exec:(func(context.Context) error)(0x564d63c90ce0)}",
    "supervisor": "opencloud",
    "restarting": false,
    "failures": 5.996986129906091,
    "threshold": 5,
    "error": {
        "UnverifiedCertificates": ...

You can then try to ignore the CA error to get things going:

OC_EVENTS_ENABLE_TLS=true
OC_EVENTS_TLS_INSECURE=true

However, even then the health checks will fail:

{
  "level": "error",
  "service": "postprocessing",
  "error": "'nats reachability': could not connect to nats server: tls: failed to verify certificate: x509: certificate signed by unknown authority",
  "time": "2025-12-17T10:59:09Z",
  "line": "github.com/opencloud-eu/opencloud/pkg/handlers/checker.go:107",
  "message": "check failed",
}

This in turn causes Kubernetes health checks to fail, preventing the pod from becoming ready, even if the CA file is correct.

Status: In Progress
