WIP: Proof of concept / demo

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj

hack/e2e/ca/config.yaml

@@ -0,0 +1,3 @@
+machineHub:
+  subdomain: tlskp-test
+  credentialsSecretName: todo-unused

hack/e2e/ca/test.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# CyberArk API configuration
+: ${ARK_USERNAME?}
+: ${ARK_SECRET?}
+: ${ARK_PLATFORM_DOMAIN?}
+: ${ARK_SUBDOMAIN?}
+
+# The base URL of the OCI registry used for Docker images and Helm charts
+# E.g. ttl.sh/6ee49a01-c8ba-493e-bae9-4d8567574b56
+: ${OCI_BASE?}
+
+k8s_namespace=cyberark
+
+script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+root_dir=$(cd "${script_dir}/../../.." && pwd)
+export TERM=dumb
+
+tmp_dir="$(mktemp -d /tmp/jetstack-secure.XXXXX)"
+
+pushd "${tmp_dir}"
+> release.env
+make -C "$root_dir" release \
+     OCI_SIGN_ON_PUSH=false \
+     oci_platforms=linux/amd64 \
+     oci_preflight_image_name=$OCI_BASE/images/venafi-agent \
+     helm_chart_image_name=$OCI_BASE/charts/venafi-kubernetes-agent \
+     GITHUB_OUTPUT="${tmp_dir}/release.env"
+source release.env
+
+kind create cluster || true
+kubectl create ns "$k8s_namespace" || true
+
+kubectl create secret generic agent-credentials \
+        --namespace "$k8s_namespace" \
+        --from-literal=ARK_USERNAME=$ARK_USERNAME \
+        --from-literal=ARK_SECRET=$ARK_SECRET \
+        --from-literal=ARK_PLATFORM_DOMAIN=$ARK_PLATFORM_DOMAIN \
+        --from-literal=ARK_SUBDOMAIN=$ARK_SUBDOMAIN
+
+helm upgrade agent "oci://${OCI_BASE}/charts/venafi-kubernetes-agent" \
+     --install \
+     --create-namespace \
+     --namespace "$k8s_namespace" \
+     --version "${RELEASE_HELM_CHART_VERSION}" \
+     --set fullnameOverride=agent \
+     --set "image.repository=${OCI_BASE}/images/venafi-agent" \
+     --values "${script_dir}/values.agent.yaml"
+
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=0
+kubectl get cm -n "$k8s_namespace" agent-config -o jsonpath={.data.config\\.yaml} > config.original.yaml
+yq eval-all '. as $item ireduce ({}; . * $item)' config.original.yaml "${script_dir}/config.yaml" > config.yaml
+kubectl delete cm -n "$k8s_namespace" agent-config
+kubectl create cm -n "$k8s_namespace" agent-config --from-file=config.yaml
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=1

hack/e2e/ca/values.agent.yaml

@@ -0,0 +1 @@
+# Empty

pkg/agent/config.go

@@ -1,7 +1,6 @@
 package agent
 
 import (
-	"errors"
 	"fmt"
 	"io"
 	"net/url"
@@ -62,9 +61,6 @@ type Config struct {
 	ExcludeAnnotationKeysRegex []string `yaml:"exclude-annotation-keys-regex"`
 	// Skips label keys that match the given set of regular expressions.
 	ExcludeLabelKeysRegex []string `yaml:"exclude-label-keys-regex"`
-
-	// MachineHub holds config specific to MachineHub mode.
-	MachineHub MachineHubConfig `yaml:"machineHub"`
 }
 
 type Endpoint struct {
@@ -92,33 +88,6 @@ type VenafiCloudConfig struct {
 	UploadPath string `yaml:"upload_path,omitempty"`
 }
 
-// MachineHubConfig holds configuration values specific to the CyberArk Machine Hub integration
-type MachineHubConfig struct {
-	// Subdomain is the subdomain indicating where data should be pushed. Used
-	// for querying the Service Discovery Service to discover the Identity API
-	// URL.
-	Subdomain string `yaml:"subdomain"`
-
-	// CredentialsSecretName is the name of a Kubernetes Secret in the same
-	// namespace as the agent, which will be watched for a username and password
-	// to send to CyberArk Identity for authentication.
-	CredentialsSecretName string `yaml:"credentialsSecretName"`
-}
-
-func (mhc MachineHubConfig) Validate() error {
-	var errs []error
-
-	if mhc.Subdomain == "" {
-		errs = append(errs, fmt.Errorf("subdomain must not be empty in MachineHub mode"))
-	}
-
-	if mhc.CredentialsSecretName == "" {
-		errs = append(errs, fmt.Errorf("credentialsSecretName must not be empty in MachineHub mode"))
-	}
-
-	return errors.Join(errs...)
-}
-
 type AgentCmdFlags struct {
 	// ConfigFilePath (--config-file, -c) is the path to the agent configuration
 	// YAML file.
@@ -355,7 +324,7 @@ func InitAgentCmdFlags(c *cobra.Command, cfg *AgentCmdFlags) {
 
 }
 
-// TLSPKMode controls how to authenticate to TLSPK / Jetstack Secure. Only one
+// TLSPKMode controls how to authenticate to TLSPK / Jetstack Secure / MachineHub. Only one
 // TLSPKMode may be provided if using those backends.
 type TLSPKMode string
 
@@ -364,10 +333,8 @@ const (
 	JetstackSecureAPIToken      TLSPKMode = "Jetstack Secure API Token"
 	VenafiCloudKeypair          TLSPKMode = "Venafi Cloud Key Pair Service Account"
 	VenafiCloudVenafiConnection TLSPKMode = "Venafi Cloud VenafiConnection"
-
-	// It is possible to push to both MachineHub and TLSPK. With this mode, the
-	// agent will only push to MachineHub and not to TLSPK.
-	Off TLSPKMode = "MachineHub only"
+	MachineHub                  TLSPKMode = "Machine Hub"
+	Off                         TLSPKMode = "Off"
 )
 
 // The command-line flags and the config file are combined into this struct by
@@ -408,11 +375,6 @@ type CombinedConfig struct {
 	// Only used for testing purposes.
 	OutputPath string
 	InputPath  string
-
-	// MachineHub-related settings.
-	MachineHubMode                  bool
-	MachineHubSubdomain             string
-	MachineHubCredentialsSecretName string
 }
 
 // ValidateAndCombineConfig combines and validates the input configuration with
@@ -426,20 +388,6 @@ type CombinedConfig struct {
 // error.
 func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags) (CombinedConfig, client.Client, error) {
 	res := CombinedConfig{}
-
-	if flags.MachineHubMode {
-		if err := cfg.MachineHub.Validate(); err != nil {
-			return CombinedConfig{}, nil, fmt.Errorf("invalid MachineHub config provided: %w", err)
-		}
-
-		res.MachineHubMode = true
-		res.MachineHubSubdomain = cfg.MachineHub.Subdomain
-		res.MachineHubCredentialsSecretName = cfg.MachineHub.CredentialsSecretName
-
-		keysAndValues := []any{"credentialsSecretName", res.MachineHubCredentialsSecretName}
-		log.V(logs.Info).Info("Will push to CyberArk MachineHub using a username and password loaded from a Kubernetes Secret", keysAndValues...)
-	}
-
 	{
 		var (
 			mode          TLSPKMode
@@ -472,23 +420,25 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		case !flags.VenafiCloudMode && flags.CredentialsPath != "":
 			mode = JetstackSecureOAuth
 			reason = "--credentials-file was specified without --venafi-cloud"
-		default:
-			if !flags.MachineHubMode {
-				return CombinedConfig{}, nil, fmt.Errorf("no TLSPK mode specified and MachineHub mode is disabled. You must either enable the MachineHub mode (using --machine-hub), or enable one of the TLSPK modes.\n" +
-					"To enable one of the TLSPK modes, you can:\n" +
-					" - Use (--venafi-cloud with --credentials-file) or (--client-id with --private-key-path) to use the " + string(VenafiCloudKeypair) + " mode.\n" +
-					" - Use --venafi-connection for the " + string(VenafiCloudVenafiConnection) + " mode.\n" +
-					" - Use --credentials-file alone if you want to use the " + string(JetstackSecureOAuth) + " mode.\n" +
-					" - Use --api-token if you want to use the " + string(JetstackSecureAPIToken) + " mode.\n" +
-					"Note that it is possible to use one of the TLSPK modes along with the MachineHub mode (--machine-hub).")
-			}
-
+		case flags.MachineHubMode:
+			mode = MachineHub
+			reason = "--machine-hub was specified."
+		case flags.OutputPath != "":
 			mode = Off
+			reason = "--output-path was specified. Data will be saved to a file. It will not be uploaded."
+		default:
+			return CombinedConfig{}, nil, fmt.Errorf("no upload mode specified. You must either enable one of the upload modes, or use --output-path to save data to a file.\n" +
+				"To enable one of the upload modes, you can:\n" +
+				" - Use (--venafi-cloud with --credentials-file) or (--client-id with --private-key-path) to use the " + string(VenafiCloudKeypair) + " mode.\n" +
+				" - Use --venafi-connection for the " + string(VenafiCloudVenafiConnection) + " mode.\n" +
+				" - Use --credentials-file alone if you want to use the " + string(JetstackSecureOAuth) + " mode.\n" +
+				" - Use --api-token if you want to use the " + string(JetstackSecureAPIToken) + " mode.\n" +
+				" - Use --machine-hub if you want to use the " + string(MachineHub) + " mode.")
 		}
 
 		keysAndValues = append(keysAndValues, "mode", mode, "reason", reason)
 		if mode != Off {
-			log.V(logs.Debug).Info("Configured to push to Venafi", keysAndValues...)
+			log.V(logs.Debug).Info("Configured to push", keysAndValues...)
 		}
 
 		res.TLSPKMode = mode
@@ -606,12 +556,12 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		res.ClusterID = clusterID
 		res.ClusterDescription = cfg.ClusterDescription
 
-		// Validation of `data-gatherers`.
-		if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
-			errs = multierror.Append(errs, dgErr)
-		}
-		res.DataGatherers = cfg.DataGatherers
 	}
+	// Validation of `data-gatherers`.
+	if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
+		errs = multierror.Append(errs, dgErr)
+	}
+	res.DataGatherers = cfg.DataGatherers
 
 	// Validation of --period, -p, and the `period` field, as well as
 	// --backoff-max-time, --one-shot, and --strict. The flag --period/-p takes
@@ -807,6 +757,8 @@ func validateCredsAndCreateClient(log logr.Logger, flagCredentialsPath, flagClie
 		if err != nil {
 			errs = multierror.Append(errs, err)
 		}
+	case MachineHub:
+		preflightClient = client.NewMachineHub()
 	case Off:
 		// No client needed in this mode.
 	default:

pkg/agent/config_test.go

@@ -96,7 +96,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			withCmdLineFlags("--period", "99m", "--credentials-file", fakeCredsPath))
 		require.NoError(t, err)
 		assert.Equal(t, testutil.Undent(`
-			INFO Configured to push to Venafi mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
+			INFO Configured to push mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
 			INFO Both the 'period' field and --period are set. Using the value provided with --period.
 		`), gotLogs.String())
 		assert.Equal(t, 99*time.Minute, got.Period)
@@ -178,7 +178,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 
 		// The log line printed by pflag is not captured by the log recorder.
 		assert.Equal(t, testutil.Undent(`
-			INFO Configured to push to Venafi mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
+			INFO Configured to push mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
 			INFO Using period from config period="1h0m0s"
 		`), b.String())
 	})
@@ -194,13 +194,13 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			withoutCmdLineFlags(),
 		)
 		assert.EqualError(t, err, testutil.Undent(`
-			no TLSPK mode specified and MachineHub mode is disabled. You must either enable the MachineHub mode (using --machine-hub), or enable one of the TLSPK modes.
-			To enable one of the TLSPK modes, you can:
+			no upload mode specified. You must either enable one of the upload modes, or use --output-path to save data to a file.
+			To enable one of the upload modes, you can:
 			 - Use (--venafi-cloud with --credentials-file) or (--client-id with --private-key-path) to use the Venafi Cloud Key Pair Service Account mode.
 			 - Use --venafi-connection for the Venafi Cloud VenafiConnection mode.
 			 - Use --credentials-file alone if you want to use the Jetstack Secure OAuth mode.
 			 - Use --api-token if you want to use the Jetstack Secure API Token mode.
-			Note that it is possible to use one of the TLSPK modes along with the MachineHub mode (--machine-hub).`))
+			 - Use --machine-hub if you want to use the Machine Hub mode.`))
 		assert.Nil(t, cl)
 	})
 
@@ -594,7 +594,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 		)
 		require.NoError(t, err)
 		assert.Equal(t, testutil.Undent(`
-			INFO Configured to push to Venafi venConnName="venafi-components" mode="Venafi Cloud VenafiConnection" reason="--venafi-connection was specified"
+			INFO Configured to push venConnName="venafi-components" mode="Venafi Cloud VenafiConnection" reason="--venafi-connection was specified"
 			INFO ignoring the server field specified in the config file. In Venafi Cloud VenafiConnection mode, this field is not needed.
 			INFO ignoring the venafi-cloud.upload_path field in the config file. In Venafi Cloud VenafiConnection mode, this field is not needed.
 			INFO ignoring the venafi-cloud.uploader_id field in the config file. This field is not needed in Venafi Cloud VenafiConnection mode.
@@ -630,28 +630,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			`)),
 			withCmdLineFlags("--machine-hub"))
 		require.NoError(t, err)
-		assert.Equal(t, Off, got.TLSPKMode)
-		assert.Equal(t, true, got.MachineHubMode)
-	})
-
-	t.Run("machinehub + venafi-cloud-keypair-auth should work simultaneously", func(t *testing.T) {
-		t.Setenv("POD_NAMESPACE", "venafi")
-		t.Setenv("KUBECONFIG", withFile(t, fakeKubeconfig))
-		privKeyPath := withFile(t, fakePrivKeyPEM)
-		got, _, err := ValidateAndCombineConfig(discardLogs(),
-			withConfig(testutil.Undent(`
-				machineHub:
-				  subdomain: foo
-				  credentialsSecretName: secret-1
-				period: 1h
-				venafi-cloud:
-				  upload_path: /v1/tlspk/upload/clusterdata
-				cluster_id: foo
-			`)),
-			withCmdLineFlags("--machine-hub", "--venafi-cloud", "--client-id", "5bc7d07c-45da-11ef-a878-523f1e1d7de1", "--private-key-path", privKeyPath))
-		require.NoError(t, err)
-		assert.Equal(t, VenafiCloudKeypair, got.TLSPKMode)
-		assert.Equal(t, true, got.MachineHubMode)
+		assert.Equal(t, MachineHub, got.TLSPKMode)
 	})
 }
 

pkg/agent/run.go

@@ -345,18 +345,6 @@ func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConf
 			log.Info("Warning: PushingErr: retrying", "in", t, "reason", err)
 		})
 
-		if config.MachineHubMode {
-			post := func() (any, error) {
-				log.Info("machine hub mode not yet implemented")
-				return struct{}{}, nil
-			}
-
-			group.Go(func() error {
-				_, err := backoff.Retry(ctx, post, backoff.WithBackOff(backOff), backoff.WithNotify(notificationFunc), backoff.WithMaxElapsedTime(config.BackoffMaxTime))
-				return err
-			})
-		}
-
 		if config.TLSPKMode != Off {
 			post := func() (any, error) {
 				return struct{}{}, postData(klog.NewContext(ctx, log), config, preflightClient, readings)
@@ -428,39 +416,31 @@ func gatherData(ctx context.Context, config CombinedConfig, dataGatherers map[st
 
 func postData(ctx context.Context, config CombinedConfig, preflightClient client.Client, readings []*api.DataReading) error {
 	log := klog.FromContext(ctx).WithName("postData")
-	baseURL := config.Server
-
-	log.V(logs.Debug).Info("Posting data", "baseURL", baseURL)
 
+	var opts client.Options
 	switch config.TLSPKMode { // nolint:exhaustive
 	case VenafiCloudKeypair, VenafiCloudVenafiConnection:
 		// orgID and clusterID are not required for Venafi Cloud auth
-		err := preflightClient.PostDataReadingsWithOptions(ctx, readings, client.Options{
+		opts = client.Options{
 			ClusterName:        config.ClusterID,
 			ClusterDescription: config.ClusterDescription,
-		})
-		if err != nil {
-			return fmt.Errorf("post to server failed: %+v", err)
 		}
-		log.Info("Data sent successfully")
-
-		return nil
-
 	case JetstackSecureOAuth, JetstackSecureAPIToken:
-		err := preflightClient.PostDataReadingsWithOptions(ctx, readings, client.Options{
+		opts = client.Options{
 			OrgID:     config.OrganizationID,
 			ClusterID: config.ClusterID,
-		})
-		if err != nil {
-			return fmt.Errorf("post to server failed: %+v", err)
 		}
-		log.Info("Data sent successfully")
-
-		return err
-
+	case MachineHub:
+		// Machine hub client gets all its metadata from the data-readings.
 	default:
 		return fmt.Errorf("not implemented for mode %s", config.TLSPKMode)
 	}
+
+	if err := preflightClient.PostDataReadingsWithOptions(ctx, readings, opts); err != nil {
+		return fmt.Errorf("post to server failed: %+v", err)
+	}
+	log.Info("Data sent successfully")
+	return nil
 }
 
 // listenAndServe starts the supplied HTTP server and stops it gracefully when