CyberArk(client): extract cluster UID from data readings

- Added `extractClusterUIDFromReading` to derive the cluster UID from
  `ark/namespaces` data readings.
- Updated `ConvertDataReadingsToCyberarkSnapshot` to include the cluster UID
  in the snapshot.
- Modified tests to validate cluster UID extraction logic.
- Updated example test data to include `ark/namespaces` data gatherer.
- Removed `pkg/clusteruid` package as its functionality is now integrated
  into the client logic.

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

pkg/client/client_cyberark.go

@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 
@@ -55,9 +56,6 @@ func (o *CyberArkClient) PostDataReadingsWithOptions(ctx context.Context, readin
 	if err != nil {
 		return fmt.Errorf("while converting data readings: %s", err)
 	}
-	// Temporary hard coded cluster ID.
-	// TODO(wallrj): The clusterID will eventually be extracted from the supplied readings.
-	snapshot.ClusterID = "success-cluster-id"
 
 	err = datauploadClient.PutSnapshot(ctx, snapshot)
 	if err != nil {
@@ -85,6 +83,25 @@ var gathererNameToResourceDataKeyMap = map[string]string{
 	"ark/pods":                "pods",
 }
 
+// extractClusterUIDFromReading converts the opaque data from a DynamicData
+// reading to Unstructured Namespace resources, and finds the UID of the
+// `kube-system` namespace.
+// This UID can be used as a unique identifier for the Kubernetes cluster.
+// - https://venafi.slack.com/archives/C04SQR5DAD7/p1747825325264979
+// - https://github.com/kubernetes/kubernetes/issues/77487#issuecomment-489786023
+func extractClusterUIDFromReading(reading *api.DataReading) (string, error) {
+	resources, err := extractResourceListFromReading(reading)
+	if err != nil {
+		return "", err
+	}
+	for _, resource := range resources {
+		if resource.GetName() == "kube-system" {
+			return string(resource.GetUID()), nil
+		}
+	}
+	return "", fmt.Errorf("kube-system namespace UID not found in data reading: %v", reading)
+}
+
 // extractServerVersionFromReading converts the opaque data from a DiscoveryData
 // data reding to allow access to the Kubernetes version fields within.
 func extractServerVersionFromReading(reading *api.DataReading) (string, error) {
@@ -124,6 +141,7 @@ func ConvertDataReadingsToCyberarkSnapshot(
 	readings []*api.DataReading,
 ) (s dataupload.Snapshot, _ error) {
 	k8sVersion := ""
+	clusterID := ""
 	resourceData := resourceData{}
 	for _, reading := range readings {
 		if reading.DataGatherer == "ark/discovery" {
@@ -133,6 +151,13 @@ func ConvertDataReadingsToCyberarkSnapshot(
 				return s, fmt.Errorf("while extracting server version from data-reading: %s", err)
 			}
 		}
+		if reading.DataGatherer == "ark/namespaces" {
+			var err error
+			clusterID, err = extractClusterUIDFromReading(reading)
+			if err != nil {
+				return s, fmt.Errorf("while extracting cluster UID from data-reading: %s", err)
+			}
+		}
 		if key, found := gathererNameToResourceDataKeyMap[reading.DataGatherer]; found {
 			resources, err := extractResourceListFromReading(reading)
 			if err != nil {
@@ -141,10 +166,13 @@ func ConvertDataReadingsToCyberarkSnapshot(
 			resourceData[key] = append(resourceData[key], resources...)
 		}
 	}
-
+	if clusterID == "" {
+		return s, errors.New("failed to compute a clusterID from the data-readings")
+	}
 	return dataupload.Snapshot{
 		AgentVersion:        version.PreflightVersion,
 		K8SVersion:          k8sVersion,
+		ClusterID:           clusterID,
 		Secrets:             resourceData["secrets"],
 		ServiceAccounts:     resourceData["serviceaccounts"],
 		Roles:               resourceData["roles"],

pkg/client/client_cyberark_test.go

@@ -10,6 +10,8 @@ import (
 	"github.com/jetstack/venafi-connection-lib/http_client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/transport"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/ktesting"
@@ -24,6 +26,40 @@ import (
 	_ "k8s.io/klog/v2/ktesting/init"
 )
 
+func genNamespace(name string) *unstructured.Unstructured {
+	o := &unstructured.Unstructured{}
+	o.SetAPIVersion("")
+	o.SetKind("Namespace")
+	o.SetName(name)
+	return o
+}
+
+func genArkNamespacesDataReading(clusterID types.UID) *api.DataReading {
+	kubeSystemNamespace := genNamespace("kube-system")
+	kubeSystemNamespace.SetUID(clusterID)
+	return &api.DataReading{
+		ClusterID:    "ignored-tlspk-cluster-id",
+		DataGatherer: "ark/namespaces",
+		Data: &api.DynamicData{
+			Items: []*api.GatheredResource{
+				{
+					Resource: kubeSystemNamespace,
+				},
+				{
+					Resource: genNamespace("kube-public"),
+				},
+				{
+					Resource: genNamespace("venafi"),
+				},
+				{
+					Resource: genNamespace("cert-manager"),
+				},
+			},
+		},
+		SchemaVersion: "v1",
+	}
+}
+
 // TestCyberArkClient_PostDataReadingsWithOptions_MockAPI demonstrates that the
 // dataupload code works with the mock CyberArk APIs.
 // The environment variables are chosen to match those expected by the mock
@@ -41,7 +77,9 @@ func TestCyberArkClient_PostDataReadingsWithOptions_MockAPI(t *testing.T) {
 		c, err := client.NewCyberArk(httpClient)
 		require.NoError(t, err)
 
-		var readings []*api.DataReading
+		readings := []*api.DataReading{
+			genArkNamespacesDataReading("success-cluster-id"),
+		}
 		err = c.PostDataReadingsWithOptions(ctx, readings, client.Options{})
 		require.NoError(t, err)
 	})

pkg/client/testdata/example-1/README.md

@@ -14,7 +14,7 @@ go run . agent \
     --one-shot \
     --agent-config-file pkg/client/testdata/example-1/agent.yaml \
     --output-path pkg/client/testdata/example-1/datareadings.json
-gzip pkg/internal/cyberark/dataupload/testdata/example-1/datareadings.json
+gzip pkg/client/testdata/example-1/datareadings.json
 ```
 
 

pkg/client/testdata/example-1/agent.yaml

@@ -4,6 +4,12 @@ data-gatherers:
 # gather k8s apiserver version information
 - kind: k8s-discovery
   name: ark/discovery
+- kind: k8s-dynamic
+  name: ark/namespaces
+  config:
+    resource-type:
+      version: v1
+      resource: namespaces
 - kind: k8s-dynamic
   name: ark/secrets
   config:

pkg/client/testdata/example-1/datareadings.json.gz

@@ -123,7 +123,7 @@ func (mds *mockDataUploadServer) handleSnapshotLinks(w http.ResponseWriter, r *h
 	}
 
 	if req.ClusterID != successClusterID {
-		http.Error(w, "post body contains cluster ID", http.StatusInternalServerError)
+		http.Error(w, "post body does not contain cluster ID", http.StatusInternalServerError)
 		return
 	}