chore(controlplane): Allow to setup NATS token based authentication (#1944)

javirln · web-flow · commit bb1159cc3b96 · 2025-04-03T12:28:43.000+02:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/app/controlplane/cmd/main.go b/app/controlplane/cmd/main.go
@@ -189,7 +189,17 @@ func newNatsConnection(c *conf.Bootstrap_NatsServer) (*nats.Conn, error) {
 		return nil, nil
 	}
 
-	nc, err := nats.Connect(uri)
+	var opts []nats.Option
+	if c.GetAuthentication() != nil {
+		switch c.GetAuthentication().(type) {
+		case *conf.Bootstrap_NatsServer_Token:
+			opts = append(opts, nats.Token(c.GetToken()))
+		default:
+			return nil, fmt.Errorf("unsupported nats authentication type: %T", c.GetAuthentication())
+		}
+	}
+
+	nc, err := nats.Connect(uri, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to nats: %w", err)
 	}
diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go b/app/controlplane/internal/conf/controlplane/config/v1/conf.pb.go
diff --git a/app/controlplane/internal/conf/controlplane/config/v1/conf.proto b/app/controlplane/internal/conf/controlplane/config/v1/conf.proto
@@ -94,7 +94,10 @@ message Bootstrap {
   message NatsServer {
     // Connection URI
     string uri = 1 [(buf.validate.field).string.min_len = 1];
-    // TODO: add authentication options
+    oneof authentication {
+      // Token based authentication
+      string token = 2 [(buf.validate.field).string.min_len = 1];
+    }
   }
 }
 
diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml
@@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.208.0
+version: 1.208.1
 # Do not update appVersion, this is handled automatically by the release process
 appVersion: v1.0.0-rc.1
 
diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
@@ -557,6 +557,7 @@ chainloop config save \
 | `controlplane.nats.enabled`                    | Enable events publishing through a Nats stream                                                                                                                                                                                                                 | `false`           |
 | `controlplane.nats.host`                       | NATS Host                                                                                                                                                                                                                                                      | `""`              |
 | `controlplane.nats.port`                       | NATS Port                                                                                                                                                                                                                                                      | `4222`            |
+| `controlplane.nats.token`                      | NATS Client authentication token                                                                                                                                                                                                                               | `""`              |
 | `controlplane.onboarding.name`                 | Name of the organization to onboard                                                                                                                                                                                                                            |                   |
 | `controlplane.onboarding.role`                 | Role of the organization to onboard                                                                                                                                                                                                                            |                   |
 | `controlplane.prometheus_org_metrics`          | List of organizations to expose metrics for using Prometheus                                                                                                                                                                                                   |                   |
diff --git a/deployment/chainloop/templates/controlplane/secret-config.yaml b/deployment/chainloop/templates/controlplane/secret-config.yaml
@@ -98,8 +98,10 @@ stringData:
     {{- if and .Values.controlplane.nats.enabled }}
     nats_server: 
       uri: {{ include "controlplane.nats.connection_string" . | quote }}
+      {{- if ne .Values.controlplane.nats.token "" }}
+      token: {{ .Values.controlplane.nats.token | quote }}
+      {{- end }}
     {{- end }}
-    
 
     credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}
 
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -181,10 +181,12 @@ controlplane:
   ## @param controlplane.nats.enabled Enable events publishing through a Nats stream
   ## @param controlplane.nats.host NATS Host
   ## @param controlplane.nats.port NATS Port
+  ## @param controlplane.nats.token NATS Client authentication token
   nats:
     enabled: false
     host: ""
     port: 4222
+    token: ""
 
   ## @extra controlplane.onboarding.name Name of the organization to onboard
   ## @extra controlplane.onboarding.role Role of the organization to onboard

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,10 @@ message Bootstrap {`
`94`	`94`	`message NatsServer {`
`95`	`95`	`// Connection URI`
`96`	`96`	`string uri = 1 [(buf.validate.field).string.min_len = 1];`
`97`		`- // TODO: add authentication options`
	`97`	`+ oneof authentication {`
	`98`	`+ // Token based authentication`
	`99`	`+ string token = 2 [(buf.validate.field).string.min_len = 1];`
	`100`	`+ }`
`98`	`101`	`}`
`99`	`102`	`}`
`100`	`103`