Add MachineHub output mode and a cyberark client

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

pkg/agent/config.go

@@ -334,6 +334,7 @@ const (
 	VenafiCloudKeypair          OutputMode = "Venafi Cloud Key Pair Service Account"
 	VenafiCloudVenafiConnection OutputMode = "Venafi Cloud VenafiConnection"
 	LocalFile                   OutputMode = "Local File"
+	MachineHub                  OutputMode = "MachineHub"
 )
 
 // The command-line flags and the config file are combined into this struct by
@@ -420,6 +421,9 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		case !flags.VenafiCloudMode && flags.CredentialsPath != "":
 			mode = JetstackSecureOAuth
 			reason = "--credentials-file was specified without --venafi-cloud"
+		case flags.MachineHubMode:
+			mode = MachineHub
+			reason = "--machine-hub was specified"
 		case flags.OutputPath != "":
 			mode = LocalFile
 			reason = "--output-path was specified"
@@ -433,6 +437,7 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 				" - Use --venafi-connection for the " + string(VenafiCloudVenafiConnection) + " mode.\n" +
 				" - Use --credentials-file alone if you want to use the " + string(JetstackSecureOAuth) + " mode.\n" +
 				" - Use --api-token if you want to use the " + string(JetstackSecureAPIToken) + " mode.\n" +
+				" - Use --machine-hub if you want to use the " + string(MachineHub) + " mode.\n" +
 				" - Use --output-path or output-path in the config file for " + string(LocalFile) + " mode.")
 		}
 
@@ -762,6 +767,12 @@ func validateCredsAndCreateClient(log logr.Logger, flagCredentialsPath, flagClie
 		}
 	case LocalFile:
 		outputClient = client.NewFileClient(cfg.OutputPath)
+	case MachineHub:
+		var err error
+		outputClient, err = client.NewCyberArk()
+		if err != nil {
+			errs = multierror.Append(errs, err)
+		}
 	default:
 		panic(fmt.Errorf("programmer mistake: output mode not implemented: %s", cfg.OutputMode))
 	}

pkg/agent/config_test.go

@@ -199,6 +199,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			 - Use --venafi-connection for the Venafi Cloud VenafiConnection mode.
 			 - Use --credentials-file alone if you want to use the Jetstack Secure OAuth mode.
 			 - Use --api-token if you want to use the Jetstack Secure API Token mode.
+			 - Use --machine-hub if you want to use the MachineHub mode.
 			 - Use --output-path or output-path in the config file for Local File mode.`))
 		assert.Nil(t, cl)
 	})
@@ -617,6 +618,40 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 		assert.Equal(t, VenafiCloudVenafiConnection, got.OutputMode)
 	})
 
+	t.Run("--machine-hub selects MachineHub mode", func(t *testing.T) {
+		t.Setenv("POD_NAMESPACE", "venafi")
+		t.Setenv("KUBECONFIG", withFile(t, fakeKubeconfig))
+		t.Setenv("ARK_PLATFORM_DOMAIN", "cyberark.cloud")
+		t.Setenv("ARK_SUBDOMAIN", "tlspk")
+		t.Setenv("ARK_USERNAME", "[email protected]")
+		t.Setenv("ARK_SECRET", "test-secret")
+		got, cl, err := ValidateAndCombineConfig(discardLogs(),
+			withConfig(""),
+			withCmdLineFlags("--period", "1m", "--machine-hub"))
+		require.NoError(t, err)
+		assert.Equal(t, MachineHub, got.OutputMode)
+		assert.IsType(t, &client.CyberArkClient{}, cl)
+	})
+
+	t.Run("--machine-hub without required environment variables", func(t *testing.T) {
+		t.Setenv("POD_NAMESPACE", "venafi")
+		t.Setenv("KUBECONFIG", withFile(t, fakeKubeconfig))
+		t.Setenv("ARK_PLATFORM_DOMAIN", "")
+		t.Setenv("ARK_SUBDOMAIN", "")
+		t.Setenv("ARK_USERNAME", "")
+		t.Setenv("ARK_SECRET", "")
+		got, cl, err := ValidateAndCombineConfig(discardLogs(),
+			withConfig(""),
+			withCmdLineFlags("--period", "1m", "--machine-hub"))
+		assert.Equal(t, CombinedConfig{}, got)
+		assert.Nil(t, cl)
+		assert.EqualError(t, err, testutil.Undent(`
+			validating creds: failed loading config using the MachineHub mode: 1 error occurred:
+				* missing environment variables: ARK_PLATFORM_DOMAIN, ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET
+
+	   `))
+	})
+
 	t.Run("argument: --output-file selects local file mode", func(t *testing.T) {
 		log, gotLog := recordLogs(t)
 		got, outputClient, err := ValidateAndCombineConfig(log,

pkg/client/client_cyberark.go

@@ -1,9 +1,48 @@
 package client
 
 import (
+	"context"
+
+	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/pkg/internal/cyberark"
 	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
 )
 
-type CyberArkClient = dataupload.CyberArkClient
+type CyberArkClient struct {
+	configLoader cyberark.ClientConfigLoader
+}
+
+var _ Client = &CyberArkClient{}
+
+func NewCyberArk() (*CyberArkClient, error) {
+	configLoader := cyberark.LoadClientConfigFromEnvironment
+	_, err := configLoader()
+	if err != nil {
+		return nil, err
+	}
+	return &CyberArkClient{
+		configLoader: configLoader,
+	}, nil
+}
+
+// An API token is obtained by authenticating with the ARK_USERNAME and ARK_SECRET from the environment.
+// ARK_SUBDOMAIN should be your tenant subdomain.
+// ARK_PLATFORM_DOMAIN should be either integration-cyberark.cloud or cyberark.cloud
+func (o *CyberArkClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, options Options) error {
+	cfg, err := o.configLoader()
+	if err != nil {
+		return err
+	}
+	datauploadClient, err := cyberark.NewDatauploadClient(ctx, cfg)
+	if err != nil {
+		return err
+	}
 
-var NewCyberArkClient = dataupload.NewCyberArkClient
+	err = datauploadClient.PostDataReadingsWithOptions(ctx, api.DataReadingsPost{}, dataupload.Options{
+		ClusterName: "bb068932-c80d-460d-88df-34bc7f3f3297",
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}

pkg/client/client_cyberark_test.go

@@ -0,0 +1,42 @@
+package client
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/ktesting"
+
+	"github.com/jetstack/preflight/api"
+
+	_ "k8s.io/klog/v2/ktesting/init"
+)
+
+// TestCyberArkClient_PostDataReadingsWithOptions_RealAPI demonstrates that the
+// dataupload code works with the real inventory API.
+//
+// To enable verbose request logging:
+//
+//	go test ./pkg/internal/cyberark/dataupload/... \
+//	  -v -count 1 -run TestPostDataReadingsWithOptionsWithRealAPI -args -testing.v 6
+func TestCyberArkClient_PostDataReadingsWithOptions_RealAPI(t *testing.T) {
+	platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
+	subdomain := os.Getenv("ARK_SUBDOMAIN")
+	username := os.Getenv("ARK_USERNAME")
+	secret := os.Getenv("ARK_SECRET")
+
+	if platformDomain == "" || subdomain == "" || username == "" || secret == "" {
+		t.Skip("Skipping because one of the following environment variables is unset or empty: ARK_PLATFORM_DOMAIN, ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET")
+		return
+	}
+
+	logger := ktesting.NewLogger(t, ktesting.DefaultConfig)
+	ctx := klog.NewContext(t.Context(), logger)
+
+	c, err := NewCyberArk()
+	require.NoError(t, err)
+	var readings []*api.DataReading
+	err = c.PostDataReadingsWithOptions(ctx, readings, Options{})
+	require.NoError(t, err)
+}

pkg/internal/cyberark/client.go

@@ -0,0 +1,75 @@
+package cyberark
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/identity"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
+)
+
+type ClientConfig struct {
+	platformDomain string
+	subdomain      string
+	username       string
+	secret         string
+}
+
+type ClientConfigLoader func() (ClientConfig, error)
+
+func LoadClientConfigFromEnvironment() (ClientConfig, error) {
+	platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
+	subdomain := os.Getenv("ARK_SUBDOMAIN")
+	username := os.Getenv("ARK_USERNAME")
+	secret := os.Getenv("ARK_SECRET")
+
+	if platformDomain == "" || subdomain == "" || username == "" || secret == "" {
+		return ClientConfig{}, errors.New(
+			"missing environment variables: ARK_PLATFORM_DOMAIN, ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET")
+	}
+
+	return ClientConfig{
+		platformDomain: platformDomain,
+		subdomain:      subdomain,
+		username:       username,
+		secret:         secret,
+	}, nil
+
+}
+
+func NewDatauploadClient(ctx context.Context, cfg ClientConfig) (*dataupload.CyberArkClient, error) {
+	const (
+		discoveryContextServiceName = "inventory"
+		separator                   = "."
+	)
+
+	serviceURL := fmt.Sprintf("https://%s%s%s.%s", cfg.subdomain, separator, discoveryContextServiceName, cfg.platformDomain)
+
+	var (
+		identityClient *identity.Client
+		err            error
+	)
+	if cfg.platformDomain == "cyberark.cloud" {
+		identityClient, err = identity.New(ctx, cfg.subdomain)
+	} else {
+		discoveryClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
+		identityClient, err = identity.NewWithDiscoveryClient(ctx, discoveryClient, cfg.subdomain)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	err = identityClient.LoginUsernamePassword(ctx, cfg.username, []byte(cfg.secret))
+	if err != nil {
+		return nil, err
+	}
+
+	cyberArkClient, err := dataupload.NewCyberArkClient(nil, serviceURL, identityClient.AuthenticateRequest)
+	if err != nil {
+		return nil, err
+	}
+	return cyberArkClient, nil
+}

pkg/internal/cyberark/dataupload/dataupload_test.go

@@ -5,20 +5,13 @@ import (
 	"encoding/pem"
 	"fmt"
 	"net/http"
-	"os"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
-	"k8s.io/klog/v2"
-	"k8s.io/klog/v2/ktesting"
 
 	"github.com/jetstack/preflight/api"
 	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
-	"github.com/jetstack/preflight/pkg/internal/cyberark/identity"
-	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
-
-	_ "k8s.io/klog/v2/ktesting/init"
 )
 
 func TestCyberArkClient_PostDataReadingsWithOptions(t *testing.T) {
@@ -123,57 +116,3 @@ func TestCyberArkClient_PostDataReadingsWithOptions(t *testing.T) {
 		})
 	}
 }
-
-// TestPostDataReadingsWithOptionsWithRealAPI demonstrates that the dataupload code works with the real inventory API.
-// An API token is obtained by authenticating with the ARK_USERNAME and ARK_SECRET from the environment.
-// ARK_SUBDOMAIN should be your tenant subdomain.
-// ARK_PLATFORM_DOMAIN should be either integration-cyberark.cloud or cyberark.cloud
-//
-// To enable verbose request logging:
-//
-//	go test ./pkg/internal/cyberark/dataupload/... \
-//	  -v -count 1 -run TestPostDataReadingsWithOptionsWithRealAPI -args -testing.v 6
-func TestPostDataReadingsWithOptionsWithRealAPI(t *testing.T) {
-	platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
-	subdomain := os.Getenv("ARK_SUBDOMAIN")
-	username := os.Getenv("ARK_USERNAME")
-	secret := os.Getenv("ARK_SECRET")
-
-	if platformDomain == "" || subdomain == "" || username == "" || secret == "" {
-		t.Skip("Skipping because one of the following environment variables is unset or empty: ARK_PLATFORM_DOMAIN, ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET")
-		return
-	}
-
-	logger := ktesting.NewLogger(t, ktesting.DefaultConfig)
-	ctx := klog.NewContext(t.Context(), logger)
-
-	const (
-		discoveryContextServiceName = "inventory"
-		separator                   = "."
-	)
-
-	serviceURL := fmt.Sprintf("https://%s%s%s.%s", subdomain, separator, discoveryContextServiceName, platformDomain)
-
-	var (
-		identityClient *identity.Client
-		err            error
-	)
-	if platformDomain == "cyberark.cloud" {
-		identityClient, err = identity.New(ctx, subdomain)
-	} else {
-		discoveryClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
-		identityClient, err = identity.NewWithDiscoveryClient(ctx, discoveryClient, subdomain)
-	}
-	require.NoError(t, err)
-
-	err = identityClient.LoginUsernamePassword(ctx, username, []byte(secret))
-	require.NoError(t, err)
-
-	cyberArkClient, err := dataupload.NewCyberArkClient(nil, serviceURL, identityClient.AuthenticateRequest)
-	require.NoError(t, err)
-
-	err = cyberArkClient.PostDataReadingsWithOptions(ctx, api.DataReadingsPost{}, dataupload.Options{
-		ClusterName: "bb068932-c80d-460d-88df-34bc7f3f3297",
-	})
-	require.NoError(t, err)
-}