Refactor the TLSPKMode to be OutputMode and add a Local File mode

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

cmd/agent_test.go

@@ -27,8 +27,6 @@ func TestAgentRunOneShot(t *testing.T) {
 			"agent",
 			"--one-shot",
 			// TODO(wallrj): This should not be required when an `--input-file` has been supplied.
-			"--api-token=should-not-be-required",
-			// TODO(wallrj): This should not be required when an `--input-file` has been supplied.
 			"--install-namespace=default",
 			"--agent-config-file=testdata/agent/one-shot/success/config.yaml",
 			"--input-path=testdata/agent/one-shot/success/input.json",

pkg/agent/config.go

@@ -355,19 +355,17 @@ func InitAgentCmdFlags(c *cobra.Command, cfg *AgentCmdFlags) {
 
 }
 
-// TLSPKMode controls how to authenticate to TLSPK / Jetstack Secure. Only one
-// TLSPKMode may be provided if using those backends.
-type TLSPKMode string
+// OutputMode controls how the collected data is published.
+// Only one OutputMode may be provided.
+type OutputMode string
 
 const (
-	JetstackSecureOAuth         TLSPKMode = "Jetstack Secure OAuth"
-	JetstackSecureAPIToken      TLSPKMode = "Jetstack Secure API Token"
-	VenafiCloudKeypair          TLSPKMode = "Venafi Cloud Key Pair Service Account"
-	VenafiCloudVenafiConnection TLSPKMode = "Venafi Cloud VenafiConnection"
-
-	// It is possible to push to both MachineHub and TLSPK. With this mode, the
-	// agent will only push to MachineHub and not to TLSPK.
-	Off TLSPKMode = "MachineHub only"
+	JetstackSecureOAuth         OutputMode = "Jetstack Secure OAuth"
+	JetstackSecureAPIToken      OutputMode = "Jetstack Secure API Token"
+	VenafiCloudKeypair          OutputMode = "Venafi Cloud Key Pair Service Account"
+	VenafiCloudVenafiConnection OutputMode = "Venafi Cloud VenafiConnection"
+	MachineHub                  OutputMode = "MachineHub"
+	LocalFile                   OutputMode = "Local File"
 )
 
 // The command-line flags and the config file are combined into this struct by
@@ -380,7 +378,7 @@ type CombinedConfig struct {
 	StrictMode     bool
 	OneShot        bool
 
-	TLSPKMode TLSPKMode
+	OutputMode OutputMode
 
 	// Used by all TLSPK modes.
 	ClusterID string
@@ -410,7 +408,6 @@ type CombinedConfig struct {
 	InputPath  string
 
 	// MachineHub-related settings.
-	MachineHubMode                  bool
 	MachineHubSubdomain             string
 	MachineHubCredentialsSecretName string
 }
@@ -431,8 +428,6 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		if err := cfg.MachineHub.Validate(); err != nil {
 			return CombinedConfig{}, nil, fmt.Errorf("invalid MachineHub config provided: %w", err)
 		}
-
-		res.MachineHubMode = true
 		res.MachineHubSubdomain = cfg.MachineHub.Subdomain
 		res.MachineHubCredentialsSecretName = cfg.MachineHub.CredentialsSecretName
 
@@ -442,7 +437,7 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 
 	{
 		var (
-			mode          TLSPKMode
+			mode          OutputMode
 			reason        string
 			keysAndValues []any
 		)
@@ -472,32 +467,32 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		case !flags.VenafiCloudMode && flags.CredentialsPath != "":
 			mode = JetstackSecureOAuth
 			reason = "--credentials-file was specified without --venafi-cloud"
+		case flags.MachineHubMode:
+			mode = MachineHub
+			reason = "--machine-hub was specified"
+		case flags.OutputPath != "":
+			mode = LocalFile
+			reason = "--output-path was specified"
 		default:
-			if !flags.MachineHubMode {
-				return CombinedConfig{}, nil, fmt.Errorf("no TLSPK mode specified and MachineHub mode is disabled. You must either enable the MachineHub mode (using --machine-hub), or enable one of the TLSPK modes.\n" +
-					"To enable one of the TLSPK modes, you can:\n" +
-					" - Use (--venafi-cloud with --credentials-file) or (--client-id with --private-key-path) to use the " + string(VenafiCloudKeypair) + " mode.\n" +
-					" - Use --venafi-connection for the " + string(VenafiCloudVenafiConnection) + " mode.\n" +
-					" - Use --credentials-file alone if you want to use the " + string(JetstackSecureOAuth) + " mode.\n" +
-					" - Use --api-token if you want to use the " + string(JetstackSecureAPIToken) + " mode.\n" +
-					"Note that it is possible to use one of the TLSPK modes along with the MachineHub mode (--machine-hub).")
-			}
-
-			mode = Off
+			return CombinedConfig{}, nil, fmt.Errorf("no output mode specified.\n" +
+				"To enable one of the output modes, you can:\n" +
+				" - Use (--venafi-cloud with --credentials-file) or (--client-id with --private-key-path) to use the " + string(VenafiCloudKeypair) + " mode.\n" +
+				" - Use --venafi-connection for the " + string(VenafiCloudVenafiConnection) + " mode.\n" +
+				" - Use --credentials-file alone if you want to use the " + string(JetstackSecureOAuth) + " mode.\n" +
+				" - Use --api-token if you want to use the " + string(JetstackSecureAPIToken) + " mode.\n" +
+				" - Use --machine-hub for " + string(MachineHub) + " mode.\n" +
+				" - Use --output-path for " + string(LocalFile) + " mode.")
 		}
 
 		keysAndValues = append(keysAndValues, "mode", mode, "reason", reason)
-		if mode != Off {
-			log.V(logs.Debug).Info("Configured to push to Venafi", keysAndValues...)
-		}
-
-		res.TLSPKMode = mode
+		log.V(logs.Debug).Info("Output mode selected", keysAndValues...)
+		res.OutputMode = mode
 	}
 
 	var errs error
 
 	// Validation and defaulting of `server` and the deprecated `endpoint.path`.
-	if res.TLSPKMode != Off {
+	if res.OutputMode != MachineHub {
 		// Only relevant if using TLSPK backends
 		hasEndpointField := cfg.Endpoint.Host != "" && cfg.Endpoint.Path != ""
 		hasServerField := cfg.Server != ""
@@ -520,7 +515,7 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 			endpointPath = cfg.Endpoint.Path
 		case !hasServerField && !hasEndpointField:
 			server = "https://preflight.jetstack.io"
-			if res.TLSPKMode == VenafiCloudKeypair {
+			if res.OutputMode == VenafiCloudKeypair {
 				// The VenafiCloudVenafiConnection mode doesn't need a server.
 				server = client.VenafiCloudProdURL
 			}
@@ -529,7 +524,7 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		if urlErr != nil || url.Hostname() == "" {
 			errs = multierror.Append(errs, fmt.Errorf("server %q is not a valid URL", server))
 		}
-		if res.TLSPKMode == VenafiCloudVenafiConnection && server != "" {
+		if res.OutputMode == VenafiCloudVenafiConnection && server != "" {
 			log.Info(fmt.Sprintf("ignoring the server field specified in the config file. In %s mode, this field is not needed.", VenafiCloudVenafiConnection))
 			server = ""
 		}
@@ -540,10 +535,10 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 	// Validation of `venafi-cloud.upload_path`.
 	{
 		var uploadPath string
-		switch res.TLSPKMode { // nolint:exhaustive
+		switch res.OutputMode { // nolint:exhaustive
 		case VenafiCloudKeypair:
 			if cfg.VenafiCloud == nil || cfg.VenafiCloud.UploadPath == "" {
-				errs = multierror.Append(errs, fmt.Errorf("the venafi-cloud.upload_path field is required when using the %s mode", res.TLSPKMode))
+				errs = multierror.Append(errs, fmt.Errorf("the venafi-cloud.upload_path field is required when using the %s mode", res.OutputMode))
 				break // Skip to the end of the switch statement.
 			}
 			_, urlErr := url.Parse(cfg.VenafiCloud.UploadPath)
@@ -560,7 +555,7 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 			// change this value with the new --venafi-connection flag, and this
 			// field is simply ignored.
 			if cfg.VenafiCloud != nil && cfg.VenafiCloud.UploadPath != "" {
-				log.Info(fmt.Sprintf(`ignoring the venafi-cloud.upload_path field in the config file. In %s mode, this field is not needed.`, res.TLSPKMode))
+				log.Info(fmt.Sprintf(`ignoring the venafi-cloud.upload_path field in the config file. In %s mode, this field is not needed.`, res.OutputMode))
 			}
 			uploadPath = ""
 		}
@@ -578,18 +573,18 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 	// https://venafi.atlassian.net/browse/VC-35385 is done.
 	{
 		if cfg.VenafiCloud != nil && cfg.VenafiCloud.UploaderID != "" {
-			log.Info(fmt.Sprintf(`ignoring the venafi-cloud.uploader_id field in the config file. This field is not needed in %s mode.`, res.TLSPKMode))
+			log.Info(fmt.Sprintf(`ignoring the venafi-cloud.uploader_id field in the config file. This field is not needed in %s mode.`, res.OutputMode))
 		}
 	}
 
 	// Validation of `cluster_id` and `organization_id`.
-	if res.TLSPKMode != Off {
+	if res.OutputMode != MachineHub {
 		var clusterID string
 		var organizationID string // Only used by the old jetstack-secure mode.
-		switch res.TLSPKMode {    // nolint:exhaustive
+		switch res.OutputMode {   // nolint:exhaustive
 		case VenafiCloudKeypair, VenafiCloudVenafiConnection:
 			if cfg.ClusterID == "" {
-				errs = multierror.Append(errs, fmt.Errorf("cluster_id is required in %s mode", res.TLSPKMode))
+				errs = multierror.Append(errs, fmt.Errorf("cluster_id is required in %s mode", res.OutputMode))
 			}
 			clusterID = cfg.ClusterID
 		case JetstackSecureOAuth, JetstackSecureAPIToken:
@@ -651,7 +646,7 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 	res.InstallNS = installNS
 
 	// Validation of --venafi-connection and --venafi-connection-namespace.
-	if res.TLSPKMode == VenafiCloudVenafiConnection {
+	if res.OutputMode == VenafiCloudVenafiConnection {
 		res.VenConnName = flags.VenConnName
 		venConnNS := flags.VenConnNS
 		if flags.VenConnNS == "" {
@@ -717,7 +712,7 @@ func validateCredsAndCreateClient(log logr.Logger, flagCredentialsPath, flagClie
 
 	var preflightClient client.Client
 	metadata := &api.AgentMetadata{Version: version.PreflightVersion, ClusterID: cfg.ClusterID}
-	switch cfg.TLSPKMode {
+	switch cfg.OutputMode {
 	case JetstackSecureOAuth:
 		// Note that there are no command line flags to configure the
 		// JetstackSecureOAuth mode.
@@ -807,14 +802,16 @@ func validateCredsAndCreateClient(log logr.Logger, flagCredentialsPath, flagClie
 		if err != nil {
 			errs = multierror.Append(errs, err)
 		}
-	case Off:
+	case MachineHub:
+		// No client needed in this mode.
+	case LocalFile:
 		// No client needed in this mode.
 	default:
-		panic(fmt.Errorf("programmer mistake: auth mode not implemented: %s", cfg.TLSPKMode))
+		panic(fmt.Errorf("programmer mistake: output mode not implemented: %s", cfg.OutputMode))
 	}
 
 	if errs != nil {
-		return nil, fmt.Errorf("failed loading config using the %s mode: %w", cfg.TLSPKMode, errs)
+		return nil, fmt.Errorf("failed loading config using the %s mode: %w", cfg.OutputMode, errs)
 	}
 
 	return preflightClient, nil

pkg/agent/config_test.go

@@ -96,7 +96,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			withCmdLineFlags("--period", "99m", "--credentials-file", fakeCredsPath))
 		require.NoError(t, err)
 		assert.Equal(t, testutil.Undent(`
-			INFO Configured to push to Venafi mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
+			INFO Output mode selected mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
 			INFO Both the 'period' field and --period are set. Using the value provided with --period.
 		`), gotLogs.String())
 		assert.Equal(t, 99*time.Minute, got.Period)
@@ -178,7 +178,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 
 		// The log line printed by pflag is not captured by the log recorder.
 		assert.Equal(t, testutil.Undent(`
-			INFO Configured to push to Venafi mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
+			INFO Output mode selected mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
 			INFO Using period from config period="1h0m0s"
 		`), b.String())
 	})
@@ -194,13 +194,14 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			withoutCmdLineFlags(),
 		)
 		assert.EqualError(t, err, testutil.Undent(`
-			no TLSPK mode specified and MachineHub mode is disabled. You must either enable the MachineHub mode (using --machine-hub), or enable one of the TLSPK modes.
-			To enable one of the TLSPK modes, you can:
+			no output mode specified.
+			To enable one of the output modes, you can:
 			 - Use (--venafi-cloud with --credentials-file) or (--client-id with --private-key-path) to use the Venafi Cloud Key Pair Service Account mode.
 			 - Use --venafi-connection for the Venafi Cloud VenafiConnection mode.
 			 - Use --credentials-file alone if you want to use the Jetstack Secure OAuth mode.
 			 - Use --api-token if you want to use the Jetstack Secure API Token mode.
-			Note that it is possible to use one of the TLSPK modes along with the MachineHub mode (--machine-hub).`))
+			 - Use --machine-hub for MachineHub mode.
+			 - Use --output-path for Local File mode.`))
 		assert.Nil(t, cl)
 	})
 
@@ -228,8 +229,8 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			withCmdLineFlags("--credentials-file", credsPath),
 		)
 		expect := CombinedConfig{
-			TLSPKMode: "Jetstack Secure OAuth",
-			ClusterID: "example-cluster",
+			OutputMode: "Jetstack Secure OAuth",
+			ClusterID:  "example-cluster",
 			DataGatherers: []DataGatherer{{Kind: "dummy",
 				Name:   "d1",
 				Config: &dummyConfig{},
@@ -277,7 +278,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			InputPath:      "/home",
 			OutputPath:     "/nothome",
 			UploadPath:     "/testing/path",
-			TLSPKMode:      VenafiCloudKeypair,
+			OutputMode:     VenafiCloudKeypair,
 			ClusterID:      "the cluster name",
 			BackoffMaxTime: 99 * time.Minute,
 			InstallNS:      "venafi",
@@ -301,7 +302,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			withCmdLineFlags("--client-id", "5bc7d07c-45da-11ef-a878-523f1e1d7de1", "--private-key-path", privKeyPath),
 		)
 		require.NoError(t, err)
-		assert.Equal(t, VenafiCloudKeypair, got.TLSPKMode)
+		assert.Equal(t, VenafiCloudKeypair, got.OutputMode)
 		assert.IsType(t, &client.VenafiCloudClient{}, cl)
 	})
 
@@ -390,7 +391,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 				`)),
 			withCmdLineFlags("--credentials-file", path))
 		require.NoError(t, err)
-		assert.Equal(t, CombinedConfig{Server: "https://api.venafi.eu", Period: time.Hour, OrganizationID: "foo", ClusterID: "bar", TLSPKMode: JetstackSecureOAuth, BackoffMaxTime: 10 * time.Minute, InstallNS: "venafi"}, got)
+		assert.Equal(t, CombinedConfig{Server: "https://api.venafi.eu", Period: time.Hour, OrganizationID: "foo", ClusterID: "bar", OutputMode: JetstackSecureOAuth, BackoffMaxTime: 10 * time.Minute, InstallNS: "venafi"}, got)
 		assert.IsType(t, &client.OAuthClient{}, cl)
 	})
 
@@ -469,7 +470,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			`)),
 			withCmdLineFlags("--client-id", "5bc7d07c-45da-11ef-a878-523f1e1d7de1", "--private-key-path", path))
 		require.NoError(t, err)
-		assert.Equal(t, CombinedConfig{Server: "https://api.venafi.eu", Period: time.Hour, TLSPKMode: VenafiCloudKeypair, ClusterID: "the cluster name", UploadPath: "/foo/bar", BackoffMaxTime: 10 * time.Minute, InstallNS: "venafi"}, got)
+		assert.Equal(t, CombinedConfig{Server: "https://api.venafi.eu", Period: time.Hour, OutputMode: VenafiCloudKeypair, ClusterID: "the cluster name", UploadPath: "/foo/bar", BackoffMaxTime: 10 * time.Minute, InstallNS: "venafi"}, got)
 		assert.IsType(t, &client.VenafiCloudClient{}, cl)
 	})
 
@@ -491,7 +492,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			`)),
 			withCmdLineFlags("--venafi-cloud", "--credentials-file", credsPath))
 		require.NoError(t, err)
-		assert.Equal(t, CombinedConfig{Server: "https://api.venafi.eu", Period: time.Hour, TLSPKMode: VenafiCloudKeypair, ClusterID: "the cluster name", UploadPath: "/foo/bar", BackoffMaxTime: 10 * time.Minute, InstallNS: "venafi"}, got)
+		assert.Equal(t, CombinedConfig{Server: "https://api.venafi.eu", Period: time.Hour, OutputMode: VenafiCloudKeypair, ClusterID: "the cluster name", UploadPath: "/foo/bar", BackoffMaxTime: 10 * time.Minute, InstallNS: "venafi"}, got)
 	})
 
 	t.Run("venafi-cloud-keypair-auth: venafi-cloud.upload_path field is required", func(t *testing.T) {
@@ -568,7 +569,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 		assert.Equal(t, CombinedConfig{
 			Period:         1 * time.Hour,
 			ClusterID:      "the cluster name",
-			TLSPKMode:      VenafiCloudVenafiConnection,
+			OutputMode:     VenafiCloudVenafiConnection,
 			VenConnName:    "venafi-components",
 			VenConnNS:      "venafi",
 			InstallNS:      "venafi",
@@ -594,13 +595,13 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 		)
 		require.NoError(t, err)
 		assert.Equal(t, testutil.Undent(`
-			INFO Configured to push to Venafi venConnName="venafi-components" mode="Venafi Cloud VenafiConnection" reason="--venafi-connection was specified"
+			INFO Output mode selected venConnName="venafi-components" mode="Venafi Cloud VenafiConnection" reason="--venafi-connection was specified"
 			INFO ignoring the server field specified in the config file. In Venafi Cloud VenafiConnection mode, this field is not needed.
 			INFO ignoring the venafi-cloud.upload_path field in the config file. In Venafi Cloud VenafiConnection mode, this field is not needed.
 			INFO ignoring the venafi-cloud.uploader_id field in the config file. This field is not needed in Venafi Cloud VenafiConnection mode.
 			INFO Using period from config period="1h0m0s"
 		`), gotLogs.String())
-		assert.Equal(t, VenafiCloudVenafiConnection, got.TLSPKMode)
+		assert.Equal(t, VenafiCloudVenafiConnection, got.OutputMode)
 		assert.IsType(t, &client.VenConnClient{}, gotCl)
 	})
 
@@ -615,7 +616,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			`)),
 			withCmdLineFlags("--venafi-connection", "venafi-components"))
 		require.NoError(t, err)
-		assert.Equal(t, VenafiCloudVenafiConnection, got.TLSPKMode)
+		assert.Equal(t, VenafiCloudVenafiConnection, got.OutputMode)
 	})
 
 	t.Run("machinehub only: username and password", func(t *testing.T) {
@@ -630,8 +631,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			`)),
 			withCmdLineFlags("--machine-hub"))
 		require.NoError(t, err)
-		assert.Equal(t, Off, got.TLSPKMode)
-		assert.Equal(t, true, got.MachineHubMode)
+		assert.Equal(t, MachineHub, got.OutputMode)
 	})
 
 	t.Run("machinehub + venafi-cloud-keypair-auth should work simultaneously", func(t *testing.T) {
@@ -650,8 +650,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			`)),
 			withCmdLineFlags("--machine-hub", "--venafi-cloud", "--client-id", "5bc7d07c-45da-11ef-a878-523f1e1d7de1", "--private-key-path", privKeyPath))
 		require.NoError(t, err)
-		assert.Equal(t, VenafiCloudKeypair, got.TLSPKMode)
-		assert.Equal(t, true, got.MachineHubMode)
+		assert.Equal(t, VenafiCloudKeypair, got.OutputMode)
 	})
 }
 
@@ -690,7 +689,7 @@ func Test_ValidateAndCombineConfig_VenafiCloudKeyPair(t *testing.T) {
 		)
 		require.NoError(t, err)
 		testutil.TrustCA(t, cl, cert)
-		assert.Equal(t, VenafiCloudKeypair, got.TLSPKMode)
+		assert.Equal(t, VenafiCloudKeypair, got.OutputMode)
 
 		err = cl.PostDataReadingsWithOptions(ctx, nil, client.Options{ClusterName: "test cluster name"})
 		require.NoError(t, err)