CyberArk(agent): add support for MachineHub output mode

- Introduced a new `MachineHub` output mode in the agent configuration.
- Added validation logic for `--machine-hub` flag and required environment variables.
- Implemented `CyberArkClient` to handle data uploads for MachineHub mode.
- Updated tests to cover `MachineHub` mode, including success and failure scenarios.
- Refactored and exposed constants for service discovery to improve reusability.

Author: wallrj-cyberark

pkg/agent/config.go

@@ -1,6 +1,7 @@
 package agent
 
 import (
+	"crypto/x509"
 	"fmt"
 	"io"
 	"net/url"
@@ -10,9 +11,11 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/hashicorp/go-multierror"
+	"github.com/jetstack/venafi-connection-lib/http_client"
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v3"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/transport"
 
 	"github.com/jetstack/preflight/api"
 	"github.com/jetstack/preflight/pkg/client"
@@ -334,6 +337,7 @@ const (
 	VenafiCloudKeypair          OutputMode = "Venafi Cloud Key Pair Service Account"
 	VenafiCloudVenafiConnection OutputMode = "Venafi Cloud VenafiConnection"
 	LocalFile                   OutputMode = "Local File"
+	MachineHub                  OutputMode = "MachineHub"
 )
 
 // The command-line flags and the config file are combined into this struct by
@@ -420,6 +424,9 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		case !flags.VenafiCloudMode && flags.CredentialsPath != "":
 			mode = JetstackSecureOAuth
 			reason = "--credentials-file was specified without --venafi-cloud"
+		case flags.MachineHubMode:
+			mode = MachineHub
+			reason = "--machine-hub was specified"
 		case flags.OutputPath != "":
 			mode = LocalFile
 			reason = "--output-path was specified"
@@ -433,6 +440,7 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 				" - Use --venafi-connection for the " + string(VenafiCloudVenafiConnection) + " mode.\n" +
 				" - Use --credentials-file alone if you want to use the " + string(JetstackSecureOAuth) + " mode.\n" +
 				" - Use --api-token if you want to use the " + string(JetstackSecureAPIToken) + " mode.\n" +
+				" - Use --machine-hub if you want to use the " + string(MachineHub) + " mode.\n" +
 				" - Use --output-path or output-path in the config file for " + string(LocalFile) + " mode.")
 		}
 
@@ -762,6 +770,17 @@ func validateCredsAndCreateClient(log logr.Logger, flagCredentialsPath, flagClie
 		}
 	case LocalFile:
 		outputClient = client.NewFileClient(cfg.OutputPath)
+	case MachineHub:
+		var (
+			err     error
+			rootCAs *x509.CertPool
+		)
+		httpClient := http_client.NewDefaultClient(version.UserAgent(), rootCAs)
+		httpClient.Transport = transport.NewDebuggingRoundTripper(httpClient.Transport, transport.DebugByContext)
+		outputClient, err = client.NewCyberArk(httpClient)
+		if err != nil {
+			errs = multierror.Append(errs, err)
+		}
 	default:
 		panic(fmt.Errorf("programmer mistake: output mode not implemented: %s", cfg.OutputMode))
 	}

pkg/agent/config_test.go

@@ -199,6 +199,7 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 			 - Use --venafi-connection for the Venafi Cloud VenafiConnection mode.
 			 - Use --credentials-file alone if you want to use the Jetstack Secure OAuth mode.
 			 - Use --api-token if you want to use the Jetstack Secure API Token mode.
+			 - Use --machine-hub if you want to use the MachineHub mode.
 			 - Use --output-path or output-path in the config file for Local File mode.`))
 		assert.Nil(t, cl)
 	})
@@ -617,6 +618,38 @@ func Test_ValidateAndCombineConfig(t *testing.T) {
 		assert.Equal(t, VenafiCloudVenafiConnection, got.OutputMode)
 	})
 
+	t.Run("--machine-hub selects MachineHub mode", func(t *testing.T) {
+		t.Setenv("POD_NAMESPACE", "venafi")
+		t.Setenv("KUBECONFIG", withFile(t, fakeKubeconfig))
+		t.Setenv("ARK_SUBDOMAIN", "tlspk")
+		t.Setenv("ARK_USERNAME", "[email protected]")
+		t.Setenv("ARK_SECRET", "test-secret")
+		got, cl, err := ValidateAndCombineConfig(discardLogs(),
+			withConfig(""),
+			withCmdLineFlags("--period", "1m", "--machine-hub"))
+		require.NoError(t, err)
+		assert.Equal(t, MachineHub, got.OutputMode)
+		assert.IsType(t, &client.CyberArkClient{}, cl)
+	})
+
+	t.Run("--machine-hub without required environment variables", func(t *testing.T) {
+		t.Setenv("POD_NAMESPACE", "venafi")
+		t.Setenv("KUBECONFIG", withFile(t, fakeKubeconfig))
+		t.Setenv("ARK_SUBDOMAIN", "")
+		t.Setenv("ARK_USERNAME", "")
+		t.Setenv("ARK_SECRET", "")
+		got, cl, err := ValidateAndCombineConfig(discardLogs(),
+			withConfig(""),
+			withCmdLineFlags("--period", "1m", "--machine-hub"))
+		assert.Equal(t, CombinedConfig{}, got)
+		assert.Nil(t, cl)
+		assert.EqualError(t, err, testutil.Undent(`
+			validating creds: failed loading config using the MachineHub mode: 1 error occurred:
+				* missing environment variables: ARK_SUBDOMAIN, ARK_USERNAME, ARK_SECRET
+
+	   `))
+	})
+
 	t.Run("argument: --output-file selects local file mode", func(t *testing.T) {
 		log, gotLog := recordLogs(t)
 		got, outputClient, err := ValidateAndCombineConfig(log,

pkg/client/client_cyberark.go

@@ -1,9 +1,51 @@
 package client
 
 import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/pkg/internal/cyberark"
 	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
 )
 
-type CyberArkClient = dataupload.CyberArkClient
+type CyberArkClient struct {
+	configLoader cyberark.ClientConfigLoader
+	httpClient   *http.Client
+}
+
+var _ Client = &CyberArkClient{}
+
+func NewCyberArk(httpClient *http.Client) (*CyberArkClient, error) {
+	configLoader := cyberark.LoadClientConfigFromEnvironment
+	_, err := configLoader()
+	if err != nil {
+		return nil, err
+	}
+	return &CyberArkClient{
+		configLoader: configLoader,
+		httpClient:   httpClient,
+	}, nil
+}
+
+// An API token is obtained by authenticating with the ARK_USERNAME and ARK_SECRET from the environment.
+// ARK_SUBDOMAIN should be your tenant subdomain.
+func (o *CyberArkClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, options Options) error {
+	cfg, err := o.configLoader()
+	if err != nil {
+		return err
+	}
+	datauploadClient, err := cyberark.NewDatauploadClient(ctx, o.httpClient, cfg)
+	if err != nil {
+		return fmt.Errorf("while initializing data upload client: %s", err)
+	}
 
-var NewCyberArkClient = dataupload.New
+	err = datauploadClient.PutSnapshot(ctx, dataupload.Snapshot{
+		ClusterID: options.ClusterID,
+	})
+	if err != nil {
+		return fmt.Errorf("while uploading snapshot: %s", err)
+	}
+	return nil
+}

pkg/internal/cyberark/dataupload/dataupload.go

@@ -35,10 +35,6 @@ type CyberArkClient struct {
 	authenticateRequest func(req *http.Request) error
 }
 
-type Options struct {
-	ClusterName string
-}
-
 func New(httpClient *http.Client, baseURL string, authenticateRequest func(req *http.Request) error) *CyberArkClient {
 	return &CyberArkClient{
 		baseURL:             baseURL,

pkg/internal/cyberark/identity/mock.go

@@ -28,7 +28,7 @@ const (
 	// mockSuccessfulStartAuthenticationToken is the token returned by the
 	// mock server in response to a successful AdvanceAuthentication request
 	// Must match what's in testdata/advance_authentication_success.json
-	mockSuccessfulStartAuthenticationToken = "long-token"
+	mockSuccessfulStartAuthenticationToken = "success-token"
 )
 
 var (

pkg/internal/cyberark/identity/testdata/advance_authentication_success.json

@@ -3,7 +3,7 @@
   "Result": {
     "AuthLevel": "Normal",
     "DisplayName": "Namey McNamerson",
-    "Token": "long-token",
+    "Token": "success-token",
     "Auth": "auth-auth",
     "UserId": "11111111-2222-3333-4444-555555555555",
     "EmailAddress": "[email protected]",

pkg/internal/cyberark/servicediscovery/discovery.go

@@ -16,9 +16,13 @@ const (
 	// ProdDiscoveryAPIBaseURL is the base URL for the production CyberArk Service Discovery API
 	ProdDiscoveryAPIBaseURL = "https://platform-discovery.cyberark.cloud/api/v2/"
 
-	// identityServiceName is the name of the identity service we're looking for in responses from the Service Discovery API
+	// IdentityServiceName is the name of the identity service we're looking for in responses from the Service Discovery API
 	// We were told to use the identity_administration field, not the identity_user_portal field.
-	identityServiceName = "identity_administration"
+	IdentityServiceName = "identity_administration"
+
+	// DiscoveryContextServiceName is the name of the discovery and context API
+	// in responses from the Service Discovery API.
+	DiscoveryContextServiceName = "discoverycontext"
 
 	// maxDiscoverBodySize is the maximum allowed size for a response body from the CyberArk Service Discovery subdomain endpoint
 	// As of 2025-04-16, a response from the integration environment is ~4kB
@@ -101,7 +105,6 @@ func (c *Client) DiscoverServices(ctx context.Context, subdomain string) (*Servi
 	}
 
 	var services Services
-
 	err = json.NewDecoder(io.LimitReader(resp.Body, maxDiscoverBodySize)).Decode(&services)
 	if err != nil {
 		if err == io.ErrUnexpectedEOF {
@@ -112,7 +115,7 @@ func (c *Client) DiscoverServices(ctx context.Context, subdomain string) (*Servi
 	}
 
 	if services.Identity.API == "" {
-		return nil, fmt.Errorf("didn't find %s in service discovery response, which may indicate a suspended tenant; unable to detect CyberArk Identity API URL", identityServiceName)
+		return nil, fmt.Errorf("didn't find %s in service discovery response, which may indicate a suspended tenant; unable to detect CyberArk Identity API URL", IdentityServiceName)
 	}
 
 	return &services, nil

pkg/internal/cyberark/servicediscovery/discovery_test.go

@@ -31,7 +31,7 @@ func Test_DiscoverIdentityAPIURL(t *testing.T) {
 		"no identity service in response": {
 			subdomain:     "no-identity",
 			expectedURL:   "",
-			expectedError: fmt.Errorf("didn't find %s in service discovery response, which may indicate a suspended tenant; unable to detect CyberArk Identity API URL", identityServiceName),
+			expectedError: fmt.Errorf("didn't find %s in service discovery response, which may indicate a suspended tenant; unable to detect CyberArk Identity API URL", IdentityServiceName),
 		},
 		"unexpected HTTP response": {
 			subdomain:     "bad-request",

pkg/testutil/envtest.go

@@ -26,6 +26,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
 
 	"github.com/jetstack/preflight/pkg/client"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/identity"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
 )
 
 // To see the API server logs, set:
@@ -259,6 +262,22 @@ func FakeTPP(t testing.TB) (*httptest.Server, *x509.Certificate) {
 	return server, cert
 }
 
+func FakeCyberArk(t *testing.T) *http.Client {
+	t.Helper()
+
+	identityAPI, _ := identity.MockIdentityServer(t)
+	discoveryContextAPI, _ := dataupload.MockDataUploadServer(t)
+	httpClient := servicediscovery.MockDiscoveryServer(t, servicediscovery.Services{
+		Identity: servicediscovery.ServiceEndpoint{
+			API: identityAPI,
+		},
+		DiscoveryContext: servicediscovery.ServiceEndpoint{
+			API: discoveryContextAPI,
+		},
+	})
+	return httpClient
+}
+
 // Generated using:
 //
 //	helm template ./deploy/charts/venafi-kubernetes-agent -n venafi --set crds.venafiConnection.include=true --show-only templates/venafi-connection-rbac.yaml | grep -ivE '(helm|\/version)'