Chart compatible with TLSPK VCP auth (#466)

* feat: basic chart for TLS protect agent auth setup
* feat: Use new config options
* docs: Update readme and tests
* chore: cleanup unused files
* feat: Update CI to test both charts
* fix: Unittesting CI
* docs: fix a few minor issues and enhance helm readme
* docs: Include EU variant example plus run spell checker

---------

Signed-off-by: Peter Fiddes <[email protected]>

Author: hawksight

.github/workflows/chart-test.yaml

@@ -16,8 +16,8 @@ jobs:
       - uses: d3adb5/helm-unittest-action@v2
         with:
           flags: "--color --strict"
-          charts: deploy/charts/jetstack-agent
           helm-version: v3.12.3
       # This has to be second as helm may not be installed until after above action
       # source: https://github.com/marketplace/actions/helm-unit-tests#examples
       - run: helm lint deploy/charts/jetstack-agent
+      - run: helm lint deploy/charts/venafi-kubernetes-agent

.gitignore

@@ -9,5 +9,7 @@ terraform.tfstate
 terraform.tfstate.backup
 bom.xml
 predicate.json
-privatekey.pem
+*.pem
+*.pub
+*.tgz
 

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/norwoodj/helm-docs
-    rev: v1.11.0
+    rev: v1.11.3
     hooks:
       - id: helm-docs
         args:

deploy/charts/jetstack-agent/README.md

@@ -139,18 +139,19 @@ kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kube
 | authentication.secretValue | string | `""` | Base64 encoded value from Jetstack Secure Dashboard - only required when createSecret is true |
 | authentication.type | string | `"file"` | Type can be "file"/"token" determining how the agent should authenticate the to the backend |
 | command | list | `[]` |  |
-| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","override":{"config":"","configmap":{"key":"","name":""},"enabled":false},"period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself |
+| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","override":{"config":null,"configmap":{"key":null,"name":null},"enabled":false},"period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself |
 | config.cluster | string | `""` | REQUIRED - Your Jetstack Secure Cluster Name |
 | config.dataGatherers | object | `{"custom":[],"default":true}` | Configure data that is gathered from your cluster, for full details see https://platform.jetstack.io/documentation/configuration/jetstack-agent/configuration |
 | config.dataGatherers.custom | list | `[]` | A list of data gatherers to limit agent scope |
 | config.dataGatherers.default | bool | `true` | Use the standard full set of data gatherers |
 | config.organisation | string | `""` | REQUIRED - Your Jetstack Secure Organisation Name |
-| config.override | object | `{"config":"","configmap":{"key":"","name":""},"enabled":false}` | Provide an Override to allow completely custom agent configuration |
-| config.override.config | string | `""` | Embed the agent configuration here in the chart values |
-| config.override.configmap | object | `{"key":"","name":""}` | Sepcify ConfigMap details to load config from existing ConfigMap |
+| config.override | object | `{"config":null,"configmap":{"key":null,"name":null},"enabled":false}` | Provide an Override to allow completely custom agent configuration |
+| config.override.config | string | `nil` | Embed the agent configuration here in the chart values |
+| config.override.configmap | object | `{"key":null,"name":null}` | Sepcify ConfigMap details to load config from existing ConfigMap |
 | config.override.enabled | bool | `false` | Override disabled by default |
 | config.period | string | `"0h1m0s"` | Send data back to the platform every minute unless changed |
 | config.server | string | `"https://platform.jetstack.io"` | Overrides the server if using a proxy between agent and Jetstack Secure |
+| extraArgs | list | `[]` |  |
 | fullnameOverride | string | `""` | Helm default setting, use this to shorten install name |
 | image.pullPolicy | string | `"IfNotPresent"` | Defaults to only pull if not already present |
 | image.repository | string | `"quay.io/jetstack/preflight"` | Default to Open Source image repository |
@@ -175,4 +176,4 @@ kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kube
 | tolerations | list | `[]` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)

deploy/charts/venafi-kubernetes-agent/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/charts/venafi-kubernetes-agent/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: venafi-kubernetes-agent
+description: |-
+  The Venafi Kubernetes Agent connects your Kubernetes or Openshift cluster to the Venafi Control Plane.
+type: application
+version: 0.1.0
+appVersion: "v0.1.43"

deploy/charts/venafi-kubernetes-agent/README.md

@@ -0,0 +1,134 @@
+# venafi-kubernetes-agent
+
+The Venafi Kubernetes Agent connects your Kubernetes or Openshift cluster to the Venafi Control Plane.
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.43](https://img.shields.io/badge/AppVersion-v0.1.43-informational?style=flat-square)
+
+## Additional Information
+
+The Venafi Kubernetes Agent connects your Kubernetes or OpenShift cluster to the Venafi Control Plane.
+You will require a Venafi Control Plane account to connect your cluster.
+If you do not have you, you can sign up for a free trial now at:
+- https://venafi.com/try-venafi/tls-protect/
+
+Note that there are EU and US Venafi Control Plane options.
+Upon signing up you will be redirected to one of either of the following login URLs:
+- https://ui.venafi.cloud/ (US)
+- https://ui.venafi.eu/ (EU)
+
+## Installation:
+
+Using chart installation, there are two credentials required.
+
+1) A registry credential to allow helm to pull the chart from our private OCI registry.
+2) A service account key pair used by the agent to authenticate to the Venafi Control Plane.
+
+### 1) Setup registry credentials
+
+The helm chart is an OCI chart artifact hosted on both EU and US registries:
+
+- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent`
+- `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent`
+
+More detailed instructions on how to access our registry are available in [this guide](https://platform.jetstack.io/documentation/installation/enterprise-registry).
+
+For chart installation, run the following to set a registry configuration
+file, so `helm` can authenticate to our private OCI registry:
+
+```shell
+export VENAFI_DOCKER_CONFIG_PATH="$(pwd)"
+export VENAFI_DOCKER_CONFIG_FILE="${TLSPK_DOCKER_CONFIG_PATH}/config.json"
+jsctl registry auth output --format=dockerconfig > "${VENAFI_DOCKER_CONFIG_FILE}"
+```
+
+To validate you registry credentials are working with `helm`, we can use it to
+show us the full list of values available to configure the chart:
+
+```shell
+export VENAFI_REGISTRY="eu.gcr.io/jetstack-secure-enterprise"
+helm show values oci://${VENAFI_REGISTRY}/charts/venafi-kubernetes-agent \
+  --registry-config "${VENAFI_DOCKER_CONFIG_FILE}"
+```
+
+**Note**: Feel free to alter the registry to the US equivalent if that is closer to you.
+For example: `export VENAFI_REGISTRY="us.gcr.io/jetstack-secure-enterprise"`
+
+### 2) Creating Venafi Service Account:
+
+First we need to create an OpenSSL key pair and save the private key securely.
+The private key is used by the agent and you should have a unique key for each agent you connect to the Venafi Control Plane.
+The public key will be added to the Venafi Control Plane as the service account credential and assigned to the appropriate team for ownership.
+
+```shell
+export VENAFI_NAMESPACE="venafi" VENAFI_SERVICE_ACCOUNT="example-cluster"
+openssl genrsa -out ${VENAFI_SERVICE_ACCOUNT}.pem
+openssl rsa -in ${VENAFI_SERVICE_ACCOUNT}.pem -pubout --out ${VENAFI_SERVICE_ACCOUNT}.pub
+```
+
+Now that you have both the private and public key we now need to use the Venafi Control Plane to create a service account.
+
+- Navigate to the [service accounts page](https://ui.venafi.cloud/service-accounts/) and select "New"
+- Add a unique name matching the variable we used, eg: "example-cluster"
+- Assign a team that owns this credential
+- The scope should be "Kubernetes Discovery" only.
+- Set the validity period of your pubic key up to a maximum of 365 days.
+- Now paste in the **public key** from the pair you generated.
+
+Once created, you will be returned to the service accounts list.
+Find your newest entry matching the name you entered, and copy the "Client ID" column.
+
+### 3) Deploying the chart:
+
+Now we have the service account, let us prepare a namespace with the relevant private key needed at runtime.
+
+```shell
+export VENAFI_CLIENT_ID="<PASTE YOURS HERE>"
+kubectl create namespace ${VENAFI_NAMESPACE}
+kubectl create secret generic agent-credentials -n ${VENAFI_NAMESPACE} \
+  --from-file=privatekey.pem=${VENAFI_SERVICE_ACCOUNT}.pem
+```
+
+Install the chart by setting the `config.clientId` field:
+
+```shell
+helm upgrade --install venafi-kubernetes-agent deploy/charts/venafi-kubernetes-agent \
+  --namespace ${VENAFI_NAMESPACE} \
+  --set config.clientId="${VENAFI_CLIENT_ID}"
+```
+
+Optionally if you need to change the backend to the EU Venafi Control Plane you can use:
+
+```shell
+export VENAFI_SERVER_URL="https://api.venafi.eu/"
+helm upgrade --install venafi-kubernetes-agent deploy/charts/venafi-kubernetes-agent \
+  --namespace ${VENAFI_NAMESPACE} \
+  --set config.clientId="${VENAFI_CLIENT_ID}" \
+  --set config.server="${VENAFI_SERVER_URL}"
+```
+
+### 4) Add Cluster in Venafi Control Plane
+
+- Go to "Installations" -> "Kubernetes Clusters" [here](https://ui.venafi.cloud/clusters-inventory) and click "Connect". **Note** you may need to click [here](https://ui.venafi.eu/clusters-inventory) for the EU backend.
+- On step 1 select "Continue".
+- On step 2 select "Advanced Connection".
+- On step 3 select "Continue" to skip.
+- On step 4, fill in the details as needed:
+  - "Name" should match your service account name from before, e.g. "example-cluster".
+  - Under "Service Account" click that drop down and select the previously created service account.
+  - Then check the "The connection command has completed." box and select "continue".
+- On step 5, either wait for validation or select "Finish" to go back to the cluster list.
+
+### 5) Deployment Verification
+
+Check the agent logs to ensure you see a similar entry to the following:
+
+```console
+2023/10/24 12:10:03 Running Agent...
+2023/10/24 12:10:03 Posting data to: https://api.venafi.cloud/
+2023/10/24 12:10:04 Data sent successfully.
+```
+
+You can do this with the following command:
+
+```shell
+kubectl logs -n ${VENAFI_NAMESPACE} $(kubectl get pod -n ${VENAFI_NAMESPACE} -l app.kubernetes.io/instance=

deploy/charts/venafi-kubernetes-agent/README.md.gotmpl

@@ -0,0 +1,142 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+## Additional Information
+
+The Venafi Kubernetes Agent connects your Kubernetes or OpenShift cluster to the Venafi Control Plane.
+You will require a Venafi Control Plane account to connect your cluster. 
+If you do not have you, you can sign up for a free trial now at:
+- https://venafi.com/try-venafi/tls-protect/
+
+Note that there are EU and US Venafi Control Plane options. 
+Upon signing up you will be redirected to one of either of the following login URLs:
+- https://ui.venafi.cloud/ (US) 
+- https://ui.venafi.eu/ (EU)
+
+## Installation:
+
+Using chart installation, there are two credentials required.
+
+1) A registry credential to allow helm to pull the chart from our private OCI registry.
+2) A service account key pair used by the agent to authenticate to the Venafi Control Plane.
+
+### 1) Setup registry credentials
+
+The helm chart is an OCI chart artifact hosted on both EU and US registries:
+
+- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent`
+- `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent`
+
+More detailed instructions on how to access our registry are available in [this guide](https://platform.jetstack.io/documentation/installation/enterprise-registry).
+
+For chart installation, run the following to set a registry configuration
+file, so `helm` can authenticate to our private OCI registry:
+
+```shell
+export VENAFI_DOCKER_CONFIG_PATH="$(pwd)"
+export VENAFI_DOCKER_CONFIG_FILE="${TLSPK_DOCKER_CONFIG_PATH}/config.json"
+jsctl registry auth output --format=dockerconfig > "${VENAFI_DOCKER_CONFIG_FILE}"
+```
+
+To validate you registry credentials are working with `helm`, we can use it to
+show us the full list of values available to configure the chart:
+
+```shell
+export VENAFI_REGISTRY="eu.gcr.io/jetstack-secure-enterprise"
+helm show values oci://${VENAFI_REGISTRY}/charts/venafi-kubernetes-agent \
+  --registry-config "${VENAFI_DOCKER_CONFIG_FILE}"
+```
+
+**Note**: Feel free to alter the registry to the US equivalent if that is closer to you. 
+For example: `export VENAFI_REGISTRY="us.gcr.io/jetstack-secure-enterprise"`
+
+### 2) Creating Venafi Service Account:
+
+First we need to create an OpenSSL key pair and save the private key securely.
+The private key is used by the agent and you should have a unique key for each agent you connect to the Venafi Control Plane.
+The public key will be added to the Venafi Control Plane as the service account credential and assigned to the appropriate team for ownership.
+
+```shell
+export VENAFI_NAMESPACE="venafi" VENAFI_SERVICE_ACCOUNT="example-cluster"
+openssl genrsa -out ${VENAFI_SERVICE_ACCOUNT}.pem
+openssl rsa -in ${VENAFI_SERVICE_ACCOUNT}.pem -pubout --out ${VENAFI_SERVICE_ACCOUNT}.pub
+```
+
+Now that you have both the private and public key we now need to use the Venafi Control Plane to create a service account.
+
+- Navigate to the [service accounts page](https://ui.venafi.cloud/service-accounts/) and select "New"
+- Add a unique name matching the variable we used, eg: "example-cluster"
+- Assign a team that owns this credential
+- The scope should be "Kubernetes Discovery" only.
+- Set the validity period of your pubic key up to a maximum of 365 days.
+- Now paste in the **public key** from the pair you generated.
+
+Once created, you will be returned to the service accounts list.
+Find your newest entry matching the name you entered, and copy the "Client ID" column.
+
+### 3) Deploying the chart:
+
+Now we have the service account, let us prepare a namespace with the relevant private key needed at runtime.
+
+```shell
+export VENAFI_CLIENT_ID="<PASTE YOURS HERE>"
+kubectl create namespace ${VENAFI_NAMESPACE}
+kubectl create secret generic agent-credentials -n ${VENAFI_NAMESPACE} \
+  --from-file=privatekey.pem=${VENAFI_SERVICE_ACCOUNT}.pem
+```
+
+Install the chart by setting the `config.clientId` field:
+
+```shell
+helm upgrade --install venafi-kubernetes-agent deploy/charts/venafi-kubernetes-agent \
+  --namespace ${VENAFI_NAMESPACE} \
+  --set config.clientId="${VENAFI_CLIENT_ID}"
+```
+
+Optionally if you need to change the backend to the EU Venafi Control Plane you can use:
+
+```shell
+export VENAFI_SERVER_URL="https://api.venafi.eu/"
+helm upgrade --install venafi-kubernetes-agent deploy/charts/venafi-kubernetes-agent \
+  --namespace ${VENAFI_NAMESPACE} \
+  --set config.clientId="${VENAFI_CLIENT_ID}" \
+  --set config.server="${VENAFI_SERVER_URL}"
+```
+
+### 4) Add Cluster in Venafi Control Plane
+
+- Go to "Installations" -> "Kubernetes Clusters" [here](https://ui.venafi.cloud/clusters-inventory) and click "Connect". **Note** you may need to click [here](https://ui.venafi.eu/clusters-inventory) for the EU backend.
+- On step 1 select "Continue".
+- On step 2 select "Advanced Connection".
+- On step 3 select "Continue" to skip.
+- On step 4, fill in the details as needed:
+  - "Name" should match your service account name from before, e.g. "example-cluster".
+  - Under "Service Account" click that drop down and select the previously created service account.
+  - Then check the "The connection command has completed." box and select "continue".
+- On step 5, either wait for validation or select "Finish" to go back to the cluster list.
+
+### 5) Deployment Verification
+
+Check the agent logs to ensure you see a similar entry to the following:
+
+```console
+2023/10/24 12:10:03 Running Agent...
+2023/10/24 12:10:03 Posting data to: https://api.venafi.cloud/
+2023/10/24 12:10:04 Data sent successfully.
+```
+
+You can do this with the following command:
+
+```shell
+kubectl logs -n ${VENAFI_NAMESPACE} $(kubectl get pod -n ${VENAFI_NAMESPACE} -l app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[0].metadata.name}')
+```
+
+You can also check in the Venafi Control Plane to see when the "Last Check In" was for your cluster.
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

deploy/charts/venafi-kubernetes-agent/templates/NOTES.txt

@@ -0,0 +1,8 @@
+1. Please make sure you have the credentials secret: "{{ .Values.authentication.secretName }}" available
+> kubectl get secret -n {{ .Release.Namespace }} {{ .Values.authentication.secretName }}
+
+2. Check the application is running with the following:
+> kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+3. Check the application logs for successful connection to the platform:
+> kubectl logs -n {{ .Release.Namespace }} $(kubectl get pod -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[0].metadata.name}')