WIP: Proof of concept / demo

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj

deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml

@@ -49,6 +49,26 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: spec.nodeName
+          - name: ARK_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_USERNAME
+          - name: ARK_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SECRET
+          - name: ARK_PLATFORM_DOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_PLATFORM_DOMAIN
+          - name: ARK_SUBDOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SUBDOMAIN
           {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
             value: {{ . }}
@@ -71,18 +91,8 @@ spec:
             - "agent"
             - "-c"
             - "/etc/venafi/agent/config/{{ default "config.yaml" .Values.config.configmap.key }}"
-            {{- if .Values.authentication.venafiConnection.enabled }}
-            - --venafi-connection
-            - {{ .Values.authentication.venafiConnection.name | quote }}
-            - --venafi-connection-namespace
-            - {{ .Values.authentication.venafiConnection.namespace | quote }}
-            {{- else }}
-            - "--client-id"
-            - {{ .Values.config.clientId | quote }}
-            - "--private-key-path"
-            - "/etc/venafi/agent/key/{{ .Values.authentication.secretKey }}"
-            {{- end }}
-            - --venafi-cloud
+            - --log-level=6
+            - --machine-hub
             {{- if .Values.metrics.enabled }}
             - --enable-metrics
             {{- end }}
@@ -95,11 +105,6 @@ spec:
             - name: config
               mountPath: "/etc/venafi/agent/config"
               readOnly: true
-            {{- if not .Values.authentication.venafiConnection.enabled }}
-            - name: credentials
-              mountPath: "/etc/venafi/agent/key"
-              readOnly: true
-            {{- end }}
             {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -137,12 +142,6 @@ spec:
           configMap:
             name: {{ default "agent-config" .Values.config.configmap.name }}
             optional: false
-        {{- if not .Values.authentication.venafiConnection.enabled }}
-        - name: credentials
-          secret:
-            secretName: {{ .Values.authentication.secretName }}
-            optional: false
-        {{- end }}
         {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

hack/e2e/ca/config.yaml

@@ -0,0 +1,3 @@
+machineHub:
+  subdomain: tlskp-test
+  credentialsSecretName: todo-unused

hack/e2e/ca/test.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# CyberArk API configuration
+: ${ARK_USERNAME?}
+: ${ARK_SECRET?}
+: ${ARK_PLATFORM_DOMAIN?}
+: ${ARK_SUBDOMAIN?}
+
+# The base URL of the OCI registry used for Docker images and Helm charts
+# E.g. ttl.sh/6ee49a01-c8ba-493e-bae9-4d8567574b56
+: ${OCI_BASE?}
+
+k8s_namespace=cyberark
+
+script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+root_dir=$(cd "${script_dir}/../../.." && pwd)
+export TERM=dumb
+
+tmp_dir="$(mktemp -d /tmp/jetstack-secure.XXXXX)"
+
+pushd "${tmp_dir}"
+> release.env
+make -C "$root_dir" release \
+     OCI_SIGN_ON_PUSH=false \
+     oci_platforms=linux/amd64 \
+     oci_preflight_image_name=$OCI_BASE/images/venafi-agent \
+     helm_chart_image_name=$OCI_BASE/charts/venafi-kubernetes-agent \
+     GITHUB_OUTPUT="${tmp_dir}/release.env"
+source release.env
+
+kind create cluster || true
+kubectl create ns "$k8s_namespace" || true
+
+kubectl create secret generic agent-credentials \
+        --namespace "$k8s_namespace" \
+        --from-literal=ARK_USERNAME=$ARK_USERNAME \
+        --from-literal=ARK_SECRET=$ARK_SECRET \
+        --from-literal=ARK_PLATFORM_DOMAIN=$ARK_PLATFORM_DOMAIN \
+        --from-literal=ARK_SUBDOMAIN=$ARK_SUBDOMAIN
+
+helm upgrade agent "oci://${OCI_BASE}/charts/venafi-kubernetes-agent" \
+     --install \
+     --create-namespace \
+     --namespace "$k8s_namespace" \
+     --version "${RELEASE_HELM_CHART_VERSION}" \
+     --set fullnameOverride=agent \
+     --set "image.repository=${OCI_BASE}/images/venafi-agent" \
+     --values "${script_dir}/values.agent.yaml"
+
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=0
+kubectl get cm -n "$k8s_namespace" agent-config -o jsonpath={.data.config\\.yaml} > config.original.yaml
+yq eval-all '. as $item ireduce ({}; . * $item)' config.original.yaml "${script_dir}/config.yaml" > config.yaml
+kubectl delete cm -n "$k8s_namespace" agent-config
+kubectl create cm -n "$k8s_namespace" agent-config --from-file=config.yaml
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=1

hack/e2e/ca/values.agent.yaml

@@ -0,0 +1 @@
+# Empty

pkg/agent/config.go

@@ -606,12 +606,12 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		res.ClusterID = clusterID
 		res.ClusterDescription = cfg.ClusterDescription
 
-		// Validation of `data-gatherers`.
-		if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
-			errs = multierror.Append(errs, dgErr)
-		}
-		res.DataGatherers = cfg.DataGatherers
 	}
+	// Validation of `data-gatherers`.
+	if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
+		errs = multierror.Append(errs, dgErr)
+	}
+	res.DataGatherers = cfg.DataGatherers
 
 	// Validation of --period, -p, and the `period` field, as well as
 	// --backoff-max-time, --one-shot, and --strict. The flag --period/-p takes

pkg/agent/run.go

@@ -35,6 +35,9 @@ import (
 	"github.com/jetstack/preflight/pkg/clusteruid"
 	"github.com/jetstack/preflight/pkg/datagatherer"
 	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/identity"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
 	"github.com/jetstack/preflight/pkg/kubeconfig"
 	"github.com/jetstack/preflight/pkg/logs"
 	"github.com/jetstack/preflight/pkg/version"
@@ -79,8 +82,46 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 		return fmt.Errorf("While evaluating configuration: %v", err)
 	}
 
-	// We need the cluster UID before we progress further so it can be sent along with other data readings
+	var caClient *dataupload.CyberArkClient
+	{
+		platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
+		subdomain := os.Getenv("ARK_SUBDOMAIN")
+		username := os.Getenv("ARK_USERNAME")
+		password := []byte(os.Getenv("ARK_SECRET"))
+
+		const (
+			discoveryContextServiceName = "inventory"
+			separator                   = "."
+		)
+
+		// TODO(wallrj): Maybe get this URL via the service discovery API.
+		// https://platform-discovery.integration-cyberark.cloud/api/public/tenant-discovery?allEndpoints=true&bySubdomain=tlskp-test
+		serviceURL := fmt.Sprintf("https://%s%s%s.%s", subdomain, separator, discoveryContextServiceName, platformDomain)
+
+		var (
+			identityClient *identity.Client
+			err            error
+		)
+		if platformDomain == "cyberark.cloud" {
+			identityClient, err = identity.New(ctx, subdomain)
+		} else {
+			discoveryClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
+			identityClient, err = identity.NewWithDiscoveryClient(ctx, discoveryClient, subdomain)
+		}
+		if err != nil {
+			return fmt.Errorf("while creating the CyberArk identity client: %v", err)
+		}
+		if err := identityClient.LoginUsernamePassword(ctx, username, password); err != nil {
+			return fmt.Errorf("while logging in: %v", err)
+		}
+		caClient, err = dataupload.NewCyberArkClient(nil, serviceURL, identityClient.AuthenticateRequest)
+		if err != nil {
+			return fmt.Errorf("while creating the CyberArk dataupload client: %v", err)
+		}
+	}
 
+	// We need the cluster UID before we progress further so it can be sent along with other data readings
+	// TODO(wallrj): Use the k8s-discovery gatherer to get clusterID
 	{
 		restCfg, err := kubeconfig.LoadRESTConfig("")
 		if err != nil {
@@ -262,7 +303,7 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 	// be cancelled, which will cause this blocking loop to exit
 	// instead of waiting for the time period.
 	for {
-		if err := gatherAndOutputData(klog.NewContext(ctx, log), eventf, config, preflightClient, dataGatherers); err != nil {
+		if err := gatherAndOutputData(klog.NewContext(ctx, log), eventf, config, preflightClient, caClient, dataGatherers); err != nil {
 			return err
 		}
 
@@ -316,7 +357,7 @@ func newEventf(log logr.Logger, installNS string) (Eventf, error) {
 // Like Printf but for sending events to the agent's Pod object.
 type Eventf func(eventType, reason, msg string, args ...interface{})
 
-func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConfig, preflightClient client.Client, dataGatherers map[string]datagatherer.DataGatherer) error {
+func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConfig, preflightClient client.Client, caClient *dataupload.CyberArkClient, dataGatherers map[string]datagatherer.DataGatherer) error {
 	log := klog.FromContext(ctx).WithName("gatherAndOutputData")
 	var readings []*api.DataReading
 
@@ -362,8 +403,7 @@ func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConf
 
 		if config.MachineHubMode {
 			post := func() (any, error) {
-				log.Info("machine hub mode not yet implemented")
-				return struct{}{}, nil
+				return struct{}{}, caClient.PostDataReadingsWithOptions(ctx, readings, dataupload.Options{})
 			}
 
 			group.Go(func() error {

pkg/internal/cyberark/dataupload/dataupload.go

@@ -80,11 +80,13 @@ func extractServerVersionFromReading(reading *api.DataReading) (string, error) {
 
 // ConvertDataReadingsToCyberarkSnapshot converts jetstack-secure DataReadings into Cyberark Snapshot format.
 func ConvertDataReadingsToCyberarkSnapshot(
-	input api.DataReadingsPost,
+	readings []*api.DataReading,
 ) (_ *Snapshot, err error) {
 	k8sVersion := ""
+	// TODO(wallrj): Use the k8s-discovery gatherer to get clusterID
+	clusterID := ""
 	resourceData := ResourceData{}
-	for _, reading := range input.DataReadings {
+	for _, reading := range readings {
 		if reading.DataGatherer == "k8s-discovery" {
 			k8sVersion, err = extractServerVersionFromReading(reading)
 			if err != nil {
@@ -102,9 +104,9 @@ func ConvertDataReadingsToCyberarkSnapshot(
 	}
 
 	return &Snapshot{
-		AgentVersion:    input.AgentMetadata.Version,
-		ClusterID:       input.AgentMetadata.ClusterID,
+		AgentVersion:    version.PreflightVersion,
 		K8SVersion:      k8sVersion,
+		ClusterID:       clusterID,
 		Secrets:         resourceData["secrets"],
 		ServiceAccounts: resourceData["serviceaccounts"],
 		Roles:           resourceData["roles"],
@@ -141,15 +143,17 @@ func NewCyberArkClient(trustedCAs *x509.CertPool, baseURL string, authenticateRe
 // PostDataReadingsWithOptions PUTs the supplied payload to an [AWS presigned URL] which it obtains via the CyberArk inventory API.
 //
 // [AWS presigned URL]: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
-func (c *CyberArkClient) PostDataReadingsWithOptions(ctx context.Context, payload api.DataReadingsPost, opts Options) error {
+func (c *CyberArkClient) PostDataReadingsWithOptions(ctx context.Context, readings []*api.DataReading, opts Options) error {
 	if opts.ClusterName == "" {
 		return fmt.Errorf("programmer mistake: the cluster name (aka `cluster_id` in the config file) cannot be left empty")
 	}
 
-	snapshot, err := ConvertDataReadingsToCyberarkSnapshot(payload)
+	snapshot, err := ConvertDataReadingsToCyberarkSnapshot(readings)
 	if err != nil {
 		return fmt.Errorf("while converting datareadings to Cyberark snapshot format: %s", err)
 	}
+	// TODO(wallrj): Use the k8s-discovery gatherer to get clusterID
+	snapshot.ClusterID = opts.ClusterName
 
 	encodedBody := &bytes.Buffer{}
 	checksum := sha256.New()

pkg/internal/cyberark/dataupload/dataupload_test.go

@@ -31,20 +31,13 @@ import (
 
 func TestCyberArkClient_PostDataReadingsWithOptions_MockAPI(t *testing.T) {
 	fakeTime := time.Unix(123, 0)
-	defaultPayload := api.DataReadingsPost{
-		AgentMetadata: &api.AgentMetadata{
-			Version:   "test-version",
-			ClusterID: "test",
-		},
-		DataGatherTime: fakeTime,
-		DataReadings: []*api.DataReading{
-			{
-				ClusterID:     "success-cluster-id",
-				DataGatherer:  "test-gatherer",
-				Timestamp:     api.Time{Time: fakeTime},
-				Data:          map[string]interface{}{"test": "data"},
-				SchemaVersion: "v1",
-			},
+	defaultPayload := []*api.DataReading{
+		{
+			ClusterID:     "success-cluster-id",
+			DataGatherer:  "test-gatherer",
+			Timestamp:     api.Time{Time: fakeTime},
+			Data:          map[string]interface{}{"test": "data"},
+			SchemaVersion: "v1",
 		},
 	}
 	defaultOpts := dataupload.Options{
@@ -60,7 +53,7 @@ func TestCyberArkClient_PostDataReadingsWithOptions_MockAPI(t *testing.T) {
 
 	tests := []struct {
 		name         string
-		payload      api.DataReadingsPost
+		payload      []*api.DataReading
 		authenticate func(req *http.Request) error
 		opts         dataupload.Options
 		requireFn    func(t *testing.T, err error)
@@ -197,12 +190,7 @@ func TestCyberArkClient_PostDataReadingsWithOptions_RealAPI(t *testing.T) {
 	dataReadings := parseDataReadings(t, readGZIP(t, "testdata/example-1/datareadings.json.gz"))
 	err = cyberArkClient.PostDataReadingsWithOptions(
 		ctx,
-		api.DataReadingsPost{
-			AgentMetadata: &api.AgentMetadata{
-				ClusterID: "bb068932-c80d-460d-88df-34bc7f3f3297",
-			},
-			DataReadings: dataReadings,
-		},
+		dataReadings,
 		dataupload.Options{
 			ClusterName: "bb068932-c80d-460d-88df-34bc7f3f3297",
 		},
@@ -272,13 +260,7 @@ func writeGZIP(t *testing.T, path string, data []byte) {
 
 func TestConvertDataReadingsToCyberarkSnapshot(t *testing.T) {
 	dataReadings := parseDataReadings(t, readGZIP(t, "testdata/example-1/datareadings.json.gz"))
-	snapshot, err := dataupload.ConvertDataReadingsToCyberarkSnapshot(api.DataReadingsPost{
-		AgentMetadata: &api.AgentMetadata{
-			Version:   "test-version",
-			ClusterID: "test-cluster-id",
-		},
-		DataReadings: dataReadings,
-	})
+	snapshot, err := dataupload.ConvertDataReadingsToCyberarkSnapshot(dataReadings)
 	require.NoError(t, err)
 
 	actualSnapshotBytes, err := json.MarshalIndent(snapshot, "", "  ")