WIP

wallrj-cyberark · wallrj-cyberark · commit 949f2382fa06 · 2025-08-22T09:08:31.000+01:00
Signed-off-by: Richard Wall &lt;richard.wall@cyberark.com&gt;
diff --git a/pkg/agent/config_test.go b/pkg/agent/config_test.go
@@ -702,6 +702,46 @@ func Test_ValidateAndCombineConfig_VenafiCloudKeyPair(t *testing.T) {
 	})
 }
 
+func Test_ValidateAndCombineConfig_MachineHub(t *testing.T) {
+	t.Setenv("POD_NAMESPACE", "venafi")
+	t.Setenv("ARK_PLATFORM_DOMAIN", "integration-cyberark.cloud")
+	t.Setenv("ARK_SUBDOMAIN", "tlskp-test")
+	t.Setenv("ARK_USERNAME", "first_last@cyberark.cloud.123456")
+	t.Setenv("ARK_SECRET", "test-secret")
+
+	ctx, cancel := context.WithTimeout(t.Context(), time.Second*3)
+	defer cancel()
+	log := ktesting.NewLogger(t, ktesting.NewConfig(ktesting.Verbosity(7)))
+	ctx = klog.NewContext(ctx, log)
+
+	srv, _, setVenafiCloudAssert := testutil.FakeVenafiCloud(t)
+	t.Setenv("ARK_DISCOVERY_ENDPOINT", srv.URL)
+	setVenafiCloudAssert(func(t testing.TB, gotReq *http.Request) {
+		// Only care about /v1/tlspk/upload/clusterdata/:uploader_id?name=
+		if gotReq.URL.Path == "/v1/oauth/token/serviceaccount" {
+			return
+		}
+
+		assert.Equal(t, srv.URL, "https://"+gotReq.Host)
+		assert.Equal(t, "test cluster name", gotReq.URL.Query().Get("name"))
+		assert.Equal(t, "/v1/tlspk/upload/clusterdata/no", gotReq.URL.Path)
+	})
+
+	got, cl, err := ValidateAndCombineConfig(discardLogs(),
+		withConfig(testutil.Undent(`
+				period: 1h
+			`)),
+		withCmdLineFlags("--machine-hub"),
+	)
+	require.NoError(t, err)
+	//	testutil.TrustCA(t, cl, cert)
+	assert.Equal(t, MachineHub, got.OutputMode)
+
+	err = cl.PostDataReadingsWithOptions(ctx, nil, client.Options{})
+	require.NoError(t, err)
+
+}
+
 // Slower test cases due to envtest. That's why they are separated from the
 // other tests.
 func Test_ValidateAndCombineConfig_VenafiConnection(t *testing.T) {
diff --git a/pkg/internal/cyberark/client.go b/pkg/internal/cyberark/client.go
@@ -48,15 +48,29 @@ func NewDatauploadClient(ctx context.Context, cfg ClientConfig) (*dataupload.Cyb
 
 	serviceURL := fmt.Sprintf("https://%s%s%s.%s", cfg.subdomain, separator, discoveryContextServiceName, cfg.platformDomain)
 
+	var serviceDiscoveryOptions []servicediscovery.ClientOpt
+
+	if cfg.platformDomain != "cyberark.cloud" {
+
+	}
+
+	if serviceDiscoveryEndpoint := os.Getenv("ARK_SERVICE_DISCOVERY_ENDPOINT"); serviceDiscoveryEndpoint != "" {
+		serviceDiscoveryOptions = append(
+			serviceDiscoveryOptions,
+			servicediscovery.WithCustomEndpoint(serviceDiscoveryEndpoint),
+		)
+	}
+
+	serviceDiscoveryClient := servicediscovery.New(serviceDiscoveryOptions...)
+
 	var (
 		identityClient *identity.Client
 		err            error
 	)
 	if cfg.platformDomain == "cyberark.cloud" {
 		identityClient, err = identity.New(ctx, cfg.subdomain)
 	} else {
-		discoveryClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
-		identityClient, err = identity.NewWithDiscoveryClient(ctx, discoveryClient, cfg.subdomain)
+		identityClient, err = identity.NewWithDiscoveryClient(ctx, serviceDiscoveryClient, cfg.subdomain)
 	}
 	if err != nil {
 		return nil, err
diff --git a/pkg/internal/cyberark/servicediscovery/discovery.go b/pkg/internal/cyberark/servicediscovery/discovery.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"time"
 
 	"k8s.io/client-go/transport"
@@ -62,12 +63,17 @@ func WithCustomEndpoint(endpoint string) ClientOpt {
 
 // New creates a new CyberArk Service Discovery client, configurable with ClientOpt
 func New(clientOpts ...ClientOpt) *Client {
+	endpoint := os.Getenv("ARK_DISCOVERY_ENDPOINT")
+	if endpoint == "" {
+		endpoint = prodDiscoveryEndpoint
+	}
+
 	client := &Client{
 		client: &http.Client{
 			Timeout:   10 * time.Second,
 			Transport: transport.NewDebuggingRoundTripper(http.DefaultTransport, transport.DebugByContext),
 		},
-		endpoint: prodDiscoveryEndpoint,
+		endpoint: endpoint,
 	}
 
 	for _, opt := range clientOpts {
