intelops · Shifna12Zarnaz · Aug 1, 2023 · Aug 10, 2023 · jebinjeb · Aug 2, 2023
diff --git a/agent/container/pkg/clients/nats_client.go b/agent/container/pkg/clients/nats_client.go
@@ -1,12 +1,13 @@
 package clients
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"time"
 
 	"github.com/intelops/kubviz/agent/container/pkg/config"
-
+	"github.com/intelops/kubviz/credential"
 	"github.com/nats-io/nats.go"
 )
 
@@ -27,8 +28,13 @@ type NATSContext struct {
 func NewNATSContext(conf *config.Config) (*NATSContext, error) {
 	fmt.Println("Waiting before connecting to NATS at:", conf.NatsAddress)
 	time.Sleep(1 * time.Second)
-
-	conn, err := nats.Connect(conf.NatsAddress, nats.Name("Github metrics"), nats.Token(conf.NatsToken))
+
+	cred, err := credential.GetGenericCredential(context.Background(), conf.EntityName, conf.CredIdentifier)
+	if err != nil {
+		return nil, err
+	}
+	token:=cred["nats"]
+	conn, err := nats.Connect(conf.NatsAddress, nats.Name("Github metrics"), nats.Token(token))
 	if err != nil {
 		return nil, err
 	}

diff --git a/agent/container/pkg/config/configuration.go b/agent/container/pkg/config/configuration.go
@@ -6,7 +6,11 @@ package config
 // Config will have the configuration details
 type Config struct {
 	NatsAddress string `envconfig:"NATS_ADDRESS"`
-	NatsToken   string `envconfig:"NATS_TOKEN"`
+	CredIdentifier string `envconfig:"NATS_CRED_IDENTIFIER" default:"authToken"`
+	EntityName     string `envconfig:"NATS_ENTITY_NAME" default:"astra"`
+
+
+	//NatsToken   string `envconfig:"NATS_TOKEN"`
 	Port        int    `envconfig:"PORT"`
 	StreamName  string `envconfig:"STREAM_NAME"`
 }

diff --git a/agent/git/pkg/clients/nats_client.go b/agent/git/pkg/clients/nats_client.go
@@ -1,9 +1,11 @@
 package clients
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/intelops/kubviz/agent/git/pkg/config"
+	"github.com/intelops/kubviz/credential"
 	"github.com/intelops/kubviz/model"
 
 	"log"
@@ -30,7 +32,13 @@ func NewNATSContext(conf *config.Config) (*NATSContext, error) {
 	fmt.Println("Waiting before connecting to NATS at:", conf.NatsAddress)
 	time.Sleep(1 * time.Second)
 
-	conn, err := nats.Connect(conf.NatsAddress, nats.Name("Github metrics"), nats.Token(conf.NatsToken))
+	cred, err := credential.GetGenericCredential(context.Background(), conf.EntityName, conf.CredIdentifier)
+	if err != nil {
+		return nil, err
+	}
+	token:=cred["nats"]
+
+	conn, err := nats.Connect(conf.NatsAddress, nats.Name("Github metrics"), nats.Token(token))
 	if err != nil {
 		return nil, err
 	}

diff --git a/agent/git/pkg/config/configuration.go b/agent/git/pkg/config/configuration.go
@@ -6,7 +6,10 @@ package config
 //Config will have the configuration details
 type Config struct {
 	NatsAddress string `envconfig:"NATS_ADDRESS"`
-	NatsToken   string `envconfig:"NATS_TOKEN"`
+	CredIdentifier string `envconfig:"NATS_CRED_IDENTIFIER" default:"authToken"`
+	EntityName     string `envconfig:"NATS_ENTITY_NAME" default:"astra"`
+
+	//NatsToken   string `envconfig:"NATS_TOKEN"`
 	Port        int    `envconfig:"PORT"`
 	StreamName  string `envconfig:"STREAM_NAME"`
 }
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.6
+version: 0.2.7
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "vault-role-kubviz"
+data:
+  roleName: vault-role-kubviz
+  policyNames: {{ .Values.vault.policyNames | quote }}
+  servieAccounts: {{ include "agent.serviceAccountName" . }}
+  servieAccountNameSpaces: {{ .Release.Namespace }}
diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
@@ -48,6 +48,16 @@ spec:
           env:
           - name: CLUSTER_NAME
             value: {{ .Values.clusterName }}
+          - name: VAULT_ADDR
+            value: {{ .Values.vault.address }}
+          - name: VAULT_ROLE
+            value: {{ .Values.vault.role }}
+
+          - name: NATS_CRED_IDENTIFIER
+            value: {{ .Values.nats.credidentifier | quote }}
+          - name: NATS_ENTITY_NAME
+            value: {{ .Values.nats.entityname | quote }}  
+
           - name: NATS_TOKEN
             value: {{ .Values.nats.auth.token }}
           - name: NATS_ADDRESS
@@ -83,8 +93,8 @@ spec:
           env:
           - name: CLUSTER_NAME
             value: {{ .Values.clusterName }}
-          - name: NATS_TOKEN
-            value: {{ .Values.nats.auth.token }}
+    #      - name: NATS_TOKEN
+    #        value: {{ .Values.nats.auth.token }}
           - name: NATS_ADDRESS
             value: {{ .Values.nats.host }}
           resources:

diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml
@@ -129,6 +129,11 @@ resources:
     cpu: 200m
     memory: 256Mi
 
+vault:
+  address: http://vault:8200
+  role: "vault-role-kubviz"
+  policyNames: "vault-policy-cluster-admin,vault-policy-cluster-read"
+
 autoscaling:
   enabled: false
   minReplicas: 1
@@ -144,6 +149,8 @@ affinity: {}
 
 clusterName: "kubviz"
 nats:
-  host: kubviz-client-nats 
-  auth:
-    token: "UfmrJOYwYCCsgQvxvcfJ3BdI6c8WBbnD"
+  host: kubviz-client-nats
+  credidentifier: auth-token
+  entityname: nats
+ # auth:
+ #   token: "UfmrJOYwYCCsgQvxvcfJ3BdI6c8WBbnD"
diff --git a/charts/client/Chart.yaml b/charts/client/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.4
+version: 0.2.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/client/templates/configmap-kubviz.yaml b/charts/client/templates/configmap-kubviz.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "vault-role-kubviz"
+data:
+  roleName: vault-role-kubviz
+  policyNames: {{ .Values.vault.policyNames | quote }}
+  servieAccounts: {{ include "client.serviceAccountName" . }}
+  servieAccountNameSpaces: {{ .Release.Namespace }}
+
diff --git a/charts/client/templates/deployment.yaml b/charts/client/templates/deployment.yaml
@@ -46,8 +46,16 @@ spec:
 #              path: /
 #              port: http
           env:
-          - name: NATS_TOKEN
-            value: {{ .Values.nats.auth.token }}
+          - name: VAULT_ADDR
+            value: {{ .Values.vault.address }}
+          - name: VAULT_ROLE
+            value: {{ .Values.vault.role }}
+          - name: NATS_CRED_IDENTIFIER
+            value: {{ .Values.nats.credidentifier | quote }}
+          - name: NATS_ENTITY_NAME
+            value: {{ .Values.nats.entityname | quote }}  
+   #       - name: NATS_TOKEN
+   #         value: {{ .Values.nats.auth.token }}
           - name: NATS_ADDRESS
             value: {{ include "client.fullname" . }}-nats
           - name: DB_ADDRESS

diff --git a/charts/client/values.yaml b/charts/client/values.yaml
@@ -65,6 +65,13 @@ resources: {}
   #   cpu: 100m
   #   memory: 128Mi
 
+
+
+vault:
+  address: http://vault:8200
+  role: "vault-role-kubviz"
+  policyNames: "vault-policy-cluster-admin,vault-policy-cluster-read"
+
 autoscaling:
   enabled: false
   minReplicas: 1
@@ -79,11 +86,13 @@ tolerations: []
 affinity: {}
 
 nats:
+  credidentifier: auth-token
+  entityname: nats
   enabled: true
   #Authentication setup
   auth:
     enabled: true
-    token: "UfmrJOYwYCCsgQvxvcfJ3BdI6c8WBbnD"
+    #token: "UfmrJOYwYCCsgQvxvcfJ3BdI6c8WBbnD"
   nats:
     jetstream:
       enabled: true

diff --git a/client/pkg/clients/clients.go b/client/pkg/clients/clients.go
@@ -1,12 +1,15 @@
 package clients
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"time"
 
 	"github.com/intelops/kubviz/client/pkg/clickhouse"
+
 	"github.com/intelops/kubviz/client/pkg/config"
+	"github.com/intelops/kubviz/credential"
 	"github.com/nats-io/nats.go"
 )
 
@@ -21,7 +24,13 @@ func NewNATSContext(conf *config.Config, dbClient clickhouse.DBInterface) (*NATS
 	log.Println("Waiting before connecting to NATS at:", conf.NatsAddress)
 	time.Sleep(1 * time.Second)
 
-	conn, err := nats.Connect(conf.NatsAddress, nats.Name("Github metrics"), nats.Token(conf.NatsToken))
+	cred, err := credential.GetGenericCredential(context.Background(), conf.EntityName, conf.CredIdentifier)
+	if err != nil {
+		return nil, err
+	}
+	token:=cred["nats"]
+
+	conn, err := nats.Connect(conf.NatsAddress, nats.Name("Github metrics"), nats.Token(token))
 	if err != nil {
 		return nil, err
 	}

diff --git a/client/pkg/config/config.go b/client/pkg/config/config.go
@@ -2,7 +2,10 @@ package config
 
 type Config struct {
 	NatsAddress string `envconfig:"NATS_ADDRESS"`
-	NatsToken   string `envconfig:"NATS_TOKEN"`
+	CredIdentifier string `envconfig:"NATS_CRED_IDENTIFIER" default:"authToken"`
+	EntityName     string `envconfig:"NATS_ENTITY_NAME" default:"astra"`
+
+	//NatsToken   string `envconfig:"NATS_TOKEN"`
 	DbPort      int    `envconfig:"DB_PORT"`
 	DBAddress   string `envconfig:"DB_ADDRESS"`
 }
diff --git a/credential/credential.go b/credential/credential.go
@@ -0,0 +1,27 @@
+package credential
+
+import (
+	"context"
+
+	"github.com/intelops/go-common/credentials"
+	"github.com/pkg/errors"
+)
+
+const (
+	credentialType = "cluster-cred"
+)
+
+func GetGenericCredential(ctx context.Context, Entity, CredIdentifier string) (map[string]string, error) {
+	credReader, err := credentials.NewCredentialReader(ctx)
+	if err != nil {
+		err = errors.WithMessage(err, "error in initializing credential reader")
+		return nil, err
+	}
+	cred, err := credReader.GetCredential(context.Background(), credentialType, Entity, CredIdentifier)
+	if err != nil {
+		err = errors.WithMessage(err, "error in reading credential")
+		return nil, err
+	}
+
+	return cred, nil
+}
diff --git a/go.mod b/go.mod
@@ -31,6 +31,25 @@ require (
 	k8s.io/klog/v2 v2.100.1
 )
 
+require (
+	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/vault/api v1.9.2 // indirect
+	github.com/hashicorp/vault/api/auth/kubernetes v0.4.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+)
+
 require (
 	github.com/ClickHouse/ch-go v0.52.1 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 // indirect
@@ -74,6 +93,7 @@ require (
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/intelops/go-common v1.0.15
 	github.com/invopop/yaml v0.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect