jetstack · wallrj-cyberark · Aug 10, 2025 · Aug 11, 2025 · Aug 11, 2025
diff --git a/api/datareading.go b/api/datareading.go
@@ -1,8 +1,11 @@
 package api
 
 import (
+	"bytes"
 	"encoding/json"
 	"time"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 // DataReadingsPost is the payload in the upload request.
@@ -48,3 +51,20 @@ func (v GatheredResource) MarshalJSON() ([]byte, error) {
 
 	return json.Marshal(data)
 }
+
+func (v *GatheredResource) UnmarshalJSON(data []byte) error {
+	var tmpResource struct {
+		Resource  *unstructured.Unstructured `json:"resource"`
+		DeletedAt Time        `json:"deleted_at,omitempty"`
+	}
+
+	d := json.NewDecoder(bytes.NewReader(data))
+	d.DisallowUnknownFields()
+
+	if err := d.Decode(&tmpResource); err != nil {
+		return err
+	}
+	v.Resource = tmpResource.Resource
+	v.DeletedAt = tmpResource.DeletedAt
+	return nil
+}
diff --git a/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml b/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml
@@ -49,6 +49,26 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: spec.nodeName
+          - name: ARK_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_USERNAME
+          - name: ARK_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SECRET
+          - name: ARK_PLATFORM_DOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_PLATFORM_DOMAIN
+          - name: ARK_SUBDOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SUBDOMAIN
           {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
             value: {{ . }}
@@ -71,18 +91,8 @@ spec:
             - "agent"
             - "-c"
             - "/etc/venafi/agent/config/{{ default "config.yaml" .Values.config.configmap.key }}"
-            {{- if .Values.authentication.venafiConnection.enabled }}
-            - --venafi-connection
-            - {{ .Values.authentication.venafiConnection.name | quote }}
-            - --venafi-connection-namespace
-            - {{ .Values.authentication.venafiConnection.namespace | quote }}
-            {{- else }}
-            - "--client-id"
-            - {{ .Values.config.clientId | quote }}
-            - "--private-key-path"
-            - "/etc/venafi/agent/key/{{ .Values.authentication.secretKey }}"
-            {{- end }}
-            - --venafi-cloud
+            - --log-level=6
+            - --machine-hub
             {{- if .Values.metrics.enabled }}
             - --enable-metrics
             {{- end }}
@@ -95,11 +105,6 @@ spec:
             - name: config
               mountPath: "/etc/venafi/agent/config"
               readOnly: true
-            {{- if not .Values.authentication.venafiConnection.enabled }}
-            - name: credentials
-              mountPath: "/etc/venafi/agent/key"
-              readOnly: true
-            {{- end }}
             {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -137,12 +142,6 @@ spec:
           configMap:
             name: {{ default "agent-config" .Values.config.configmap.name }}
             optional: false
-        {{- if not .Values.authentication.venafiConnection.enabled }}
-        - name: credentials
-          secret:
-            secretName: {{ .Values.authentication.secretName }}
-            optional: false
-        {{- end }}
         {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
diff --git a/hack/e2e/ca/config.yaml b/hack/e2e/ca/config.yaml
@@ -0,0 +1,3 @@
+machineHub:
+  subdomain: tlskp-test
+  credentialsSecretName: todo-unused
diff --git a/hack/e2e/ca/test.sh b/hack/e2e/ca/test.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+set -o nounset
+set -o errexit
+set -o pipefail
+
+# CyberArk API configuration
+: ${ARK_USERNAME?}
+: ${ARK_SECRET?}
+: ${ARK_PLATFORM_DOMAIN?}
+: ${ARK_SUBDOMAIN?}
+
+# The base URL of the OCI registry used for Docker images and Helm charts
+# E.g. ttl.sh/6ee49a01-c8ba-493e-bae9-4d8567574b56
+: ${OCI_BASE?}
+
+k8s_namespace=cyberark
+
+script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+root_dir=$(cd "${script_dir}/../../.." && pwd)
+export TERM=dumb
+
+tmp_dir="$(mktemp -d /tmp/jetstack-secure.XXXXX)"
+
+pushd "${tmp_dir}"
+> release.env
+make -C "$root_dir" release \
+     OCI_SIGN_ON_PUSH=false \
+     oci_platforms=linux/amd64 \
+     oci_preflight_image_name=$OCI_BASE/images/venafi-agent \
+     helm_chart_image_name=$OCI_BASE/charts/venafi-kubernetes-agent \
+     GITHUB_OUTPUT="${tmp_dir}/release.env"
+source release.env
+
+kind create cluster || true
+kubectl create ns "$k8s_namespace" || true
+
+kubectl create secret generic agent-credentials \
+        --namespace "$k8s_namespace" \
+        --from-literal=ARK_USERNAME=$ARK_USERNAME \
+        --from-literal=ARK_SECRET=$ARK_SECRET \
+        --from-literal=ARK_PLATFORM_DOMAIN=$ARK_PLATFORM_DOMAIN \
+        --from-literal=ARK_SUBDOMAIN=$ARK_SUBDOMAIN
+
+helm upgrade agent "oci://${OCI_BASE}/charts/venafi-kubernetes-agent" \
+     --install \
+     --create-namespace \
+     --namespace "$k8s_namespace" \
+     --version "${RELEASE_HELM_CHART_VERSION}" \
+     --set fullnameOverride=agent \
+     --set "image.repository=${OCI_BASE}/images/venafi-agent" \
+     --values "${script_dir}/values.agent.yaml"
+
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=0
+kubectl get cm -n "$k8s_namespace" agent-config -o jsonpath={.data.config\\.yaml} > config.original.yaml
+yq eval-all '. as $item ireduce ({}; . * $item)' config.original.yaml "${script_dir}/config.yaml" > config.yaml
+kubectl delete cm -n "$k8s_namespace" agent-config
+kubectl create cm -n "$k8s_namespace" agent-config --from-file=config.yaml
+kubectl scale -n "$k8s_namespace" deployment agent  --replicas=1
diff --git a/hack/e2e/ca/values.agent.yaml b/hack/e2e/ca/values.agent.yaml
@@ -0,0 +1 @@
+# Empty
diff --git a/pkg/agent/config.go b/pkg/agent/config.go
@@ -606,12 +606,12 @@ func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags)
 		res.ClusterID = clusterID
 		res.ClusterDescription = cfg.ClusterDescription
 
-		// Validation of `data-gatherers`.
-		if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
-			errs = multierror.Append(errs, dgErr)
-		}
-		res.DataGatherers = cfg.DataGatherers
 	}
+	// Validation of `data-gatherers`.
+	if dgErr := ValidateDataGatherers(cfg.DataGatherers); dgErr != nil {
+		errs = multierror.Append(errs, dgErr)
+	}
+	res.DataGatherers = cfg.DataGatherers
 
 	// Validation of --period, -p, and the `period` field, as well as
 	// --backoff-max-time, --one-shot, and --strict. The flag --period/-p takes

diff --git a/pkg/agent/run.go b/pkg/agent/run.go
@@ -32,9 +32,11 @@ import (
 
 	"github.com/jetstack/preflight/api"
 	"github.com/jetstack/preflight/pkg/client"
-	"github.com/jetstack/preflight/pkg/clusteruid"
 	"github.com/jetstack/preflight/pkg/datagatherer"
 	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/dataupload"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/identity"
+	"github.com/jetstack/preflight/pkg/internal/cyberark/servicediscovery"
 	"github.com/jetstack/preflight/pkg/kubeconfig"
 	"github.com/jetstack/preflight/pkg/logs"
 	"github.com/jetstack/preflight/pkg/version"
@@ -79,26 +81,42 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 		return fmt.Errorf("While evaluating configuration: %v", err)
 	}
 
-	// We need the cluster UID before we progress further so it can be sent along with other data readings
-
-	{
-		restCfg, err := kubeconfig.LoadRESTConfig("")
-		if err != nil {
-			return err
+	var caClient *dataupload.CyberArkClient
+	if config.MachineHubMode {
+		platformDomain := os.Getenv("ARK_PLATFORM_DOMAIN")
+		subdomain := os.Getenv("ARK_SUBDOMAIN")
+		username := os.Getenv("ARK_USERNAME")
+		password := []byte(os.Getenv("ARK_SECRET"))
+
+		const (
+			discoveryContextServiceName = "inventory"
+			separator                   = "."
+		)
+
+		// TODO(wallrj): Maybe get this URL via the service discovery API.
+		// https://platform-discovery.integration-cyberark.cloud/api/public/tenant-discovery?allEndpoints=true&bySubdomain=tlskp-test
+		serviceURL := fmt.Sprintf("https://%s%s%s.%s", subdomain, separator, discoveryContextServiceName, platformDomain)
+
+		var (
+			identityClient *identity.Client
+			err            error
+		)
+		if platformDomain == "cyberark.cloud" {
+			identityClient, err = identity.New(ctx, subdomain)
+		} else {
+			discoveryClient := servicediscovery.New(servicediscovery.WithIntegrationEndpoint())
+			identityClient, err = identity.NewWithDiscoveryClient(ctx, discoveryClient, subdomain)
 		}
-
-		clientset, err := kubernetes.NewForConfig(restCfg)
 		if err != nil {
-			return err
+			return fmt.Errorf("while creating the CyberArk identity client: %v", err)
 		}
-
-		ctx, err = clusteruid.GetClusterUID(ctx, clientset)
+		if err := identityClient.LoginUsernamePassword(ctx, username, password); err != nil {
+			return fmt.Errorf("while logging in: %v", err)
+		}
+		caClient, err = dataupload.NewCyberArkClient(nil, serviceURL, identityClient.AuthenticateRequest)
 		if err != nil {
-			return fmt.Errorf("failed to get cluster UID: %v", err)
+			return fmt.Errorf("while creating the CyberArk dataupload client: %v", err)
 		}
-
-		clusterUID := clusteruid.ClusterUIDFromContext(ctx)
-		log.V(logs.Debug).Info("Retrieved cluster UID", "clusterUID", clusterUID)
 	}
 
 	group, gctx := errgroup.WithContext(ctx)
@@ -262,7 +280,7 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 	// be cancelled, which will cause this blocking loop to exit
 	// instead of waiting for the time period.
 	for {
-		if err := gatherAndOutputData(klog.NewContext(ctx, log), eventf, config, preflightClient, dataGatherers); err != nil {
+		if err := gatherAndOutputData(klog.NewContext(ctx, log), eventf, config, preflightClient, caClient, dataGatherers); err != nil {
 			return err
 		}
 
@@ -316,7 +334,7 @@ func newEventf(log logr.Logger, installNS string) (Eventf, error) {
 // Like Printf but for sending events to the agent's Pod object.
 type Eventf func(eventType, reason, msg string, args ...interface{})
 
-func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConfig, preflightClient client.Client, dataGatherers map[string]datagatherer.DataGatherer) error {
+func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConfig, preflightClient client.Client, caClient *dataupload.CyberArkClient, dataGatherers map[string]datagatherer.DataGatherer) error {
 	log := klog.FromContext(ctx).WithName("gatherAndOutputData")
 	var readings []*api.DataReading
 
@@ -362,8 +380,7 @@ func gatherAndOutputData(ctx context.Context, eventf Eventf, config CombinedConf
 
 		if config.MachineHubMode {
 			post := func() (any, error) {
-				log.Info("machine hub mode not yet implemented")
-				return struct{}{}, nil
+				return struct{}{}, caClient.PostDataReadingsWithOptions(ctx, readings, dataupload.Options{})
 			}
 
 			group.Go(func() error {

diff --git a/pkg/clusteruid/clusteruid.go b/pkg/clusteruid/clusteruid.go
diff --git a/pkg/clusteruid/clusteruid_test.go b/pkg/clusteruid/clusteruid_test.go