WIP: Proof of concept / demo

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj

.gitignore

@@ -14,3 +14,5 @@ predicate.json
 *.tgz
 
 _bin
+.envrc
+.env

agent.yaml

@@ -1,17 +1,55 @@
-server: "https://platform.jetstack.io"
-organization_id: "my-organization"
-cluster_id: "my_cluster"
-period: "0h1m0s"
+machineHub:
+  subdomain: tlskp-test
+  credentialsSecretName: machinehub-credentials
 data-gatherers:
-  - kind: "dummy"
-    name: "dummy"
-    config:
-      failed-attempts: 5
-  - kind: "dummy"
-    name: "dummy-fail"
-    config:
-      always-fail: true
-venafi-cloud:
-  uploader_id: "example-id"
-  upload_path: "/example/endpoint/path"
-  
+# gather k8s apiserver version information
+- kind: "k8s-discovery"
+  name: "k8s-discovery"
+- kind: "k8s-dynamic"
+  name: "k8s/serviceaccounts"
+  config:
+    resource-type:
+      resource: serviceaccounts
+      version: v1
+- kind: "k8s-dynamic"
+  name: "k8s/secrets"
+  config:
+    resource-type:
+      version: v1
+      resource: secrets
+    field-selectors:
+    - type!=kubernetes.io/service-account-token
+    - type!=kubernetes.io/dockercfg
+    - type!=kubernetes.io/dockerconfigjson
+    - type!=kubernetes.io/basic-auth
+    - type!=kubernetes.io/ssh-auth
+    - type!=bootstrap.kubernetes.io/token
+    - type!=helm.sh/release.v1
+- kind: "k8s-dynamic"
+  name: "k8s/roles"
+  config:
+    resource-type:
+      version: v1
+      group: rbac.authorization.k8s.io
+      resource: roles
+- kind: "k8s-dynamic"
+  name: "k8s/clusterroles"
+  config:
+    resource-type:
+      version: v1
+      group: rbac.authorization.k8s.io
+      resource: clusterroles
+- kind: "k8s-dynamic"
+  name: "k8s/rolebindings"
+  config:
+    resource-type:
+      version: v1
+      group: rbac.authorization.k8s.io
+      resource: rolebindings
+- kind: "k8s-dynamic"
+  name: "k8s/clusterrolebindings"
+  config:
+    resource-type:
+      version: v1
+      group: rbac.authorization.k8s.io
+      resource: clusterrolebindings

api/datareading.go

@@ -28,8 +28,8 @@ type DataReading struct {
 type GatheredResource struct {
 	// Resource is a reference to a k8s object that was found by the informer
 	// should be of type unstructured.Unstructured, raw Object
-	Resource  interface{}
-	DeletedAt Time
+	Resource  interface{} `json: "resource"`
+	DeletedAt Time        `json:"deleted_at,omitempty"`
 }
 
 func (v GatheredResource) MarshalJSON() ([]byte, error) {

deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml

@@ -49,6 +49,26 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: spec.nodeName
+          - name: ARK_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_USERNAME
+          - name: ARK_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SECRET
+          - name: ARK_PLATFORM_DOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_PLATFORM_DOMAIN
+          - name: ARK_SUBDOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SUBDOMAIN
           {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
             value: {{ . }}
@@ -71,18 +91,8 @@ spec:
             - "agent"
             - "-c"
             - "/etc/venafi/agent/config/{{ default "config.yaml" .Values.config.configmap.key }}"
-            {{- if .Values.authentication.venafiConnection.enabled }}
-            - --venafi-connection
-            - {{ .Values.authentication.venafiConnection.name | quote }}
-            - --venafi-connection-namespace
-            - {{ .Values.authentication.venafiConnection.namespace | quote }}
-            {{- else }}
-            - "--client-id"
-            - {{ .Values.config.clientId | quote }}
-            - "--private-key-path"
-            - "/etc/venafi/agent/key/{{ .Values.authentication.secretKey }}"
-            {{- end }}
-            - --venafi-cloud
+            - --log-level=6
+            - --machine-hub
             {{- if .Values.metrics.enabled }}
             - --enable-metrics
             {{- end }}
@@ -95,11 +105,6 @@ spec:
             - name: config
               mountPath: "/etc/venafi/agent/config"
               readOnly: true
-            {{- if not .Values.authentication.venafiConnection.enabled }}
-            - name: credentials
-              mountPath: "/etc/venafi/agent/key"
-              readOnly: true
-            {{- end }}
             {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -137,12 +142,6 @@ spec:
           configMap:
             name: {{ default "agent-config" .Values.config.configmap.name }}
             optional: false
-        {{- if not .Values.authentication.venafiConnection.enabled }}
-        - name: credentials
-          secret:
-            secretName: {{ .Values.authentication.secretName }}
-            optional: false
-        {{- end }}
         {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

hack/e2e/ca/config.yaml

@@ -0,0 +1,3 @@
+machineHub:
+  subdomain: tlskp-test
+  credentialsSecretName: todo-unused

hack/e2e/ca/test.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# CyberArk API configuration
+: ${ARK_USERNAME?}
+: ${ARK_SECRET?}
+: ${ARK_PLATFORM_DOMAIN?}
+: ${ARK_SUBDOMAIN?}
+
+# The base URL of the OCI registry used for Docker images and Helm charts
+# E.g. ttl.sh/6ee49a01-c8ba-493e-bae9-4d8567574b56
+: ${OCI_BASE?}
+
+k8s_namespace=cyberark
+
+script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+root_dir=$(cd "${script_dir}/../../.." && pwd)
+export TERM=dumb
+
+tmp_dir="$(mktemp -d /tmp/jetstack-secure.XXXXX)"
+
+pushd "${tmp_dir}"
+> release.env
+make -C "$root_dir" release \
+     OCI_SIGN_ON_PUSH=false \
+     oci_platforms=linux/amd64 \
+     oci_preflight_image_name=$OCI_BASE/images/venafi-agent \
+     helm_chart_image_name=$OCI_BASE/charts/venafi-kubernetes-agent \
+     GITHUB_OUTPUT="${tmp_dir}/release.env"
+source release.env
+
+kind create cluster || true
+kubectl create ns "$k8s_namespace" || true
+
+kubectl create secret generic agent-credentials \
+        --namespace "$k8s_namespace" \
+        --from-literal=ARK_USERNAME=$ARK_USERNAME \
+        --from-literal=ARK_SECRET=$ARK_SECRET \
+        --from-literal=ARK_PLATFORM_DOMAIN=$ARK_PLATFORM_DOMAIN \
+        --from-literal=ARK_SUBDOMAIN=$ARK_SUBDOMAIN
+
+helm upgrade agent "oci://${OCI_BASE}/charts/venafi-kubernetes-agent" \
+     --install \
+     --create-namespace \
+     --namespace "$k8s_namespace" \
+     --version "${RELEASE_HELM_CHART_VERSION}" \
+     --set fullnameOverride=agent \
+     --set "image.repository=${OCI_BASE}/images/venafi-agent" \
+     --values "${script_dir}/values.agent.yaml"
+
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=0
+kubectl get cm -n "$k8s_namespace" agent-config -o jsonpath={.data.config\\.yaml} > config.original.yaml
+yq eval-all '. as $item ireduce ({}; . * $item)' config.original.yaml "${script_dir}/config.yaml" > config.yaml
+kubectl delete cm -n "$k8s_namespace" agent-config
+kubectl create cm -n "$k8s_namespace" agent-config --from-file=config.yaml
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=1

hack/e2e/ca/values.agent.yaml

@@ -0,0 +1 @@
+# Empty

pkg/agent/config.go

@@ -606,12 +606,12 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		res.ClusterID = clusterID
 		res.ClusterDescription = cfg.ClusterDescription
 
-		// Validation of `data-gatherers`.
-		if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
-			errs = multierror.Append(errs, dgErr)
-		}
-		res.DataGatherers = cfg.DataGatherers
 	}
+	// Validation of `data-gatherers`.
+	if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
+		errs = multierror.Append(errs, dgErr)
+	}
+	res.DataGatherers = cfg.DataGatherers
 
 	// Validation of --period, -p, and the `period` field, as well as
 	// --backoff-max-time, --one-shot, and --strict. The flag --period/-p takes
@@ -702,7 +702,6 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 	if err != nil {
 		return CombinedConfig{}, nil, multierror.Prefix(err, "validating creds:")
 	}
-
 	return res, preflightClient, nil
 }
 

pkg/agent/run.go

@@ -35,6 +35,8 @@ import (
 	"github.com/jetstack/preflight/pkg/clusteruid"
 	"github.com/jetstack/preflight/pkg/datagatherer"
 	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/identity"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
 	"github.com/jetstack/preflight/pkg/kubeconfig"
 	"github.com/jetstack/preflight/pkg/logs"
 	"github.com/jetstack/preflight/pkg/version"
@@ -79,6 +81,44 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 		return fmt.Errorf("While evaluating configuration: %v", err)
 	}
 
+	var caClient *client.CyberArkClient
+	{
+		platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
+		subdomain := os.Getenv("ARK_SUBDOMAIN")
+		username := os.Getenv("ARK_USERNAME")
+		password := []byte(os.Getenv("ARK_SECRET"))
+
+		const (
+			discoveryContextServiceName = "inventory"
+			separator                   = "."
+		)
+
+		// TODO(wallrj): Maybe get this URL via the service discovery API.
+		// https://platform-discovery.integration-cyberark.cloud/api/public/tenant-discovery?allEndpoints=true&bySubdomain=tlskp-test
+		serviceURL := fmt.Sprintf("https://%s%s%s.%s", subdomain, separator, discoveryContextServiceName, platformDomain)
+
+		var (
+			identityClient *identity.Client
+			err            error
+		)
+		if platformDomain == "cyberark.cloud" {
+			identityClient, err = identity.New(ctx, subdomain)
+		} else {
+			discoveryClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
+			identityClient, err = identity.NewWithDiscoveryClient(ctx, discoveryClient, subdomain)
+		}
+		if err != nil {
+			return fmt.Errorf("while creating the CyberArk identity client: %v", err)
+		}
+		if err := identityClient.LoginUsernamePassword(ctx, username, password); err != nil {
+			return fmt.Errorf("while logging in: %v", err)
+		}
+		caClient, err = client.NewCyberArkClient(nil, serviceURL, identityClient.AuthenticateRequest)
+		if err != nil {
+			return fmt.Errorf("while creating the CyberArk dataupload client: %v", err)
+		}
+	}
+
 	// We need the cluster UID before we progress further so it can be sent along with other data readings
 
 	{
@@ -185,7 +225,6 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 	}
 
 	dataGatherers := map[string]datagatherer.DataGatherer{}
-
 	// load datagatherer config and boot each one
 	for _, dgConfig := range config.DataGatherers {
 		kind := dgConfig.Kind
@@ -262,7 +301,7 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 	// be cancelled, which will cause this blocking loop to exit
 	// instead of waiting for the time period.
 	for {
-		if err := gatherAndOutputData(klog.NewContext(ctx, log), eventf, config, preflightClient, dataGatherers); err != nil {
+		if err := gatherAndOutputData(klog.NewContext(ctx, log), eventf, config, preflightClient, caClient, dataGatherers); err != nil {
 			return err
 		}
 
@@ -316,7 +355,7 @@ func newEventf(log logr.Logger, installNS string) (Eventf, error) {
 // Like Printf but for sending events to the agent's Pod object.
 type Eventf func(eventType, reason, msg string, args ...interface{})
 
-func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConfig, preflightClient client.Client, dataGatherers map[string]datagatherer.DataGatherer) error {
+func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConfig, preflightClient client.Client, caClient *client.CyberArkClient, dataGatherers map[string]datagatherer.DataGatherer) error {
 	log := klog.FromContext(ctx).WithName("gatherAndOutputData")
 	var readings []*api.DataReading
 
@@ -338,8 +377,18 @@ func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConf
 		}
 	}
 
+	clusterID := clusteruid.ClusterUIDFromContext(ctx)
+	payload := api.DataReadingsPost{
+		AgentMetadata: &api.AgentMetadata{
+			Version:   version.PreflightVersion,
+			ClusterID: clusterID,
+		},
+		DataGatherTime: time.Now(),
+		DataReadings:   readings,
+	}
 	if config.OutputPath != "" {
-		data, err := json.MarshalIndent(readings, "", "  ")
+
+		data, err := json.MarshalIndent(payload, "", "  ")
 		if err != nil {
 			return fmt.Errorf("failed to marshal JSON: %s", err)
 		}
@@ -359,11 +408,11 @@ func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConf
 			eventf("Warning", "PushingErr", "retrying in %v after error: %s", t, err)
 			log.Info("Warning: PushingErr: retrying", "in", t, "reason", err)
 		})
-
 		if config.MachineHubMode {
 			post := func() (any, error) {
-				log.Info("machine hub mode not yet implemented")
-				return struct{}{}, nil
+				return struct{}{}, caClient.PostDataReadingsWithOptions(ctx, payload, client.CyberArkClientOptions{
+					ClusterName: clusterID,
+				})
 			}
 
 			group.Go(func() error {

pkg/client/client_cyberark.go

@@ -5,5 +5,6 @@ import (
 )
 
 type CyberArkClient = dataupload.CyberArkClient
+type CyberArkClientOptions = dataupload.Options
 
 var NewCyberArkClient = dataupload.NewCyberArkClient