Passwords used for communication with the NATS backend, i.e. the passwords of the Provisioning consumers, must not start with a number. Otherwise NATS will fail to parse its configuration file correctly.
We are aware of the limitation and have documented this in the manual: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/configuration/nats.html#configure-the-secrets > All NATS password strings must start with a character: [a-zA-Z]. A(n incomplete) selection of upstream issues of the same kind: - nats-io/nats-server#5189 - nats-io/nats-server#3431 - nats-io/nats-server#885 - nats-io/nats-server#6891 It was evaluated if this can be fixed, but we decided that any attempt at fixing this would make the situation worse. We need to load the password from environment variables. If we put password = "$PW" into the NATS config, it will get expanded to password = "$PW" (literally). If we put password = $PW into the NATS config, it will get expanded to e.g. password = 123abc, which triggers the problem. One would have to ensure that the quotes are present inside the environment variable, e.g. $PW = "123abc". Now the problem is that you cannot use K8s secrets anymore, unless the operator sticks the " inside the secret, which is really inconvenient. Therefore the decision was made to document the limitation, until it is fixed upstream.