package agent
v1.6.0 (not the latest version of its module)
Published: Jun 25, 2025 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Constants

const (
	CredOldJetstackSecureOAuth credType = "CredOldJetstackSecureOAuth"
	CredVenafiCloudKeypair     credType = "CredVenafiCloudKeypair"
)

Variables

This section is empty.

Functions

func InitAgentCmdFlags added in v1.0.0

func InitAgentCmdFlags(c *cobra.Command, cfg *AgentCmdFlags)

func Run

func Run(cmd *cobra.Command, args []string) (returnErr error)

Run starts the agent process.

func ValidateDataGatherers added in v1.1.0

func ValidateDataGatherers(dataGatherers []DataGatherer) error

Same as ValidateAndCombineConfig but just for validating the data gatherers. This is separate because the `rbac` command only needs to validate the data gatherers, nothing else.

The error returned may be a multierror.Error. Use multierror.Prefix(err, "context:") rather than fmt.Errorf("context: %w", err) when wrapping the error.

Types

type AgentCmdFlags added in v1.0.0

type AgentCmdFlags struct {
	// ConfigFilePath (--config-file, -c) is the path to the agent configuration
	// YAML file.
	ConfigFilePath string

	// Period (--period, -p) is the time waited between scans. It takes
	// precedence over the config field `period`.
	Period time.Duration

	// VenafiCloudMode (--venafi-cloud) turns on the Venafi Cloud Key Pair
	// Service Account mode. Must be used in conjunction with
	// --credentials-file.
	VenafiCloudMode bool

	// MachineHubMode configures the agent to send data to CyberArk Machine Hub.
	MachineHubMode bool

	// ClientID (--client-id) is the clientID in case of Venafi Cloud Key Pair
	// Service Account mode.
	ClientID string

	// PrivateKeyPath (--private-key-path) is the path for the service account
	// private key in case of Venafi Cloud Key Pair Service Account mode.
	PrivateKeyPath string

	// CredentialsPath (--credentials-file, -k) lets you specify the location of
	// the credentials file. This is used for the Jetstack Secure OAuth and
	// Venafi Cloud Key Pair Service Account modes. In Venafi Cloud Key Pair
	// Service Account mode, you also need to pass --venafi-cloud.
	CredentialsPath string

	// OneShot (--one-shot) is used for testing purposes. The agent will run
	// once and exit. It is often used in conjunction with --output-path and/or
	// --input-path.
	OneShot bool

	// OutputPath (--output-path) is used for testing purposes. In conjunction
	// with --one-shot, it allows you to write the data readings to a file
	// instead of uploading them to the Venafi Cloud API.
	OutputPath string

	// InputPath (--input-path) is used for testing purposes. In conjunction
	// with --one-shot, it allows you to push manually crafted data readings (in
	// JSON format) to the Venafi Cloud API without the need to connect to a
	// Kubernetes cluster. See the jscp-testing-cli's README for more info:
	// https://gitlab.com/venafi/vaas/applications/tls-protect-for-k8s/cloud-services/-/tree/master/jscp-testing-cli
	InputPath string

	// BackoffMaxTime (--backoff-max-time) is the maximum time for which data
	// gatherers will retry after a failure.
	BackoffMaxTime time.Duration

	// StrictMode (--strict) causes the agent to fail at the first attempt.
	StrictMode bool

	// APIToken (--api-token) allows you to use the Jetstack Secure API Token
	// mode. Defaults to the value of the env var API_TOKEN.
	APIToken string

	// VenConnName (--venafi-connection) is the name of the VenafiConnection
	// resource to use. Using this flag will enable Venafi Connection mode.
	VenConnName string

	// VenConnNS (--venafi-connection-namespace) is the namespace of the
	// VenafiConnection resource to use. It is only useful when the
	// VenafiConnection isn't in the same namespace as the agent.
	//
	// May be left empty to use the same namespace as the agent.
	VenConnNS string

	// InstallNS (--install-namespace) is the namespace in which the agent is
	// running. Only needed when running the agent outside of Kubernetes.
	//
	// May be left empty when running in Kubernetes. In Kubernetes, the
	// namespace is read from the environment variable `POD_NAMESPACE`.
	InstallNS string

	// Profiling (--enable-pprof) enables the pprof server.
	Profiling bool

	// Prometheus (--enable-metrics) enables the Prometheus metrics server.
	Prometheus bool
}
var Flags AgentCmdFlags

type CombinedConfig added in v1.1.0

type CombinedConfig struct {
	DataGatherers  []DataGatherer
	Period         time.Duration
	BackoffMaxTime time.Duration
	InstallNS      string
	StrictMode     bool
	OneShot        bool

	TLSPKMode TLSPKMode

	// Used by all TLSPK modes.
	ClusterID string

	// Used by JetstackSecureOAuth, JetstackSecureAPIToken, and
	// VenafiCloudKeypair. Ignored in VenafiCloudVenafiConnection mode.
	Server string

	// JetstackSecureOAuth and JetstackSecureAPIToken modes only.
	OrganizationID string
	EndpointPath   string // Deprecated.

	// VenafiCloudKeypair mode only.
	UploadPath         string
	ClusterDescription string

	// VenafiCloudVenafiConnection mode only.
	VenConnName string
	VenConnNS   string

	// VenafiCloudKeypair and VenafiCloudVenafiConnection modes only.
	ExcludeAnnotationKeysRegex []*regexp.Regexp
	ExcludeLabelKeysRegex      []*regexp.Regexp

	// Only used for testing purposes.
	OutputPath string
	InputPath  string

	// MachineHub-related settings.
	MachineHubMode                  bool
	MachineHubSubdomain             string
	MachineHubCredentialsSecretName string
}

The command-line flags and the config file are combined into this struct by ValidateAndCombineConfig.

func ValidateAndCombineConfig added in v1.1.0

func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags) (CombinedConfig, client.Client, error)

ValidateAndCombineConfig combines and validates the input configuration with the flags passed to the agent and returns the final configuration as well as the Venafi client to be used to upload data. Does not do any network call. The logger can be changed for testing purposes. You do not need to call ValidateDataGatherers as ValidateAndCombineConfig already does that.

The error returned may be a multierror.Error. Use multierror.Prefix(err, "context:") rather than fmt.Errorf("context: %w", err) when wrapping the error.

type Config

type Config struct {
	// Deprecated: Schedule doesn't do anything. Use `period` instead.
	Schedule string        `yaml:"schedule"`
	Period   time.Duration `yaml:"period"`

	// Deprecated: Use `server` instead.
	Endpoint Endpoint `yaml:"endpoint"`

	// Server is the base URL for the Preflight server. It defaults to
	// https://preflight.jetstack.io in Jetstack Secure OAuth and Jetstack
	// Secure API Token modes, and https://api.venafi.cloud in Venafi Cloud Key
	// Pair Service Account mode. It is ignored in Venafi Cloud VenafiConnection
	// mode and in MachineHub mode.
	Server string `yaml:"server"`

	// OrganizationID is only used in Jetstack Secure OAuth and Jetstack Secure
	// API Token modes.
	OrganizationID string `yaml:"organization_id"`

	// ClusterID is the cluster that the agent is scanning. Used in all modes.
	ClusterID          string             `yaml:"cluster_id"`
	ClusterDescription string             `yaml:"cluster_description"`
	DataGatherers      []DataGatherer     `yaml:"data-gatherers"`
	VenafiCloud        *VenafiCloudConfig `yaml:"venafi-cloud,omitempty"`

	// For testing purposes.
	InputPath string `yaml:"input-path"`
	// For testing purposes.
	OutputPath string `yaml:"output-path"`

	// Skips annotation keys that match the given set of regular expressions.
	// Example: ".*someprivateannotation.*".
	ExcludeAnnotationKeysRegex []string `yaml:"exclude-annotation-keys-regex"`
	// Skips label keys that match the given set of regular expressions.
	ExcludeLabelKeysRegex []string `yaml:"exclude-label-keys-regex"`

	// MachineHub holds config specific to MachineHub mode.
	MachineHub MachineHubConfig `yaml:"machineHub"`
}

Config defines the YAML configuration file that you can pass using `--config-file` or `-c`.
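The exclude-annotation-keys-regex and exclude-label-keys-regex fields of Config are plain strings, while the corresponding fields of CombinedConfig are compiled *regexp.Regexp values. The following is an added example, not code from the agent package, of how that compilation step and the resulting filtering behave: every invalid pattern is reported rather than only the first, and any key matched by any pattern is dropped before the object's metadata would be uploaded. The function names (compileExcludeRegexes, filterKeys) and the sample annotations are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
)

// compileExcludeRegexes turns the string patterns from the YAML config into
// compiled regexes, the shape CombinedConfig carries. All invalid patterns are
// collected so an operator can fix the whole list in one pass.
// (Hypothetical helper; the package's own validation code is not shown here.)
func compileExcludeRegexes(patterns []string) ([]*regexp.Regexp, error) {
	var compiled []*regexp.Regexp
	var errs []error
	for i, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			errs = append(errs, fmt.Errorf("exclude pattern %d (%q): %w", i, p, err))
			continue
		}
		compiled = append(compiled, re)
	}
	// errors.Join returns nil when errs is empty.
	return compiled, errors.Join(errs...)
}

// matchesAny reports whether key is matched by at least one exclude regex.
// MatchString is unanchored, so ".*someprivateannotation.*" (the page's own
// example) matches anywhere in the key; use ^ and $ for a full-key match.
func matchesAny(key string, exclude []*regexp.Regexp) bool {
	for _, re := range exclude {
		if re.MatchString(key) {
			return true
		}
	}
	return false
}

// filterKeys returns a copy of kv (annotations or labels of one object)
// without the keys an operator has chosen to keep inside the cluster.
func filterKeys(kv map[string]string, exclude []*regexp.Regexp) map[string]string {
	out := make(map[string]string, len(kv))
	for k, v := range kv {
		if matchesAny(k, exclude) {
			continue
		}
		out[k] = v
	}
	return out
}

// sortedKeys gives deterministic output for printing.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	// Constructed sample: annotations of one Kubernetes object, two of which
	// an operator would not want to leave the cluster.
	annotations := map[string]string{
		"kubectl.kubernetes.io/last-applied-configuration": "{...}",
		"example.com/someprivateannotation":                 "do-not-export",
		"internal.example.com/ticket":                       "SEC-1234",
		"cert-manager.io/issuer-name":                       "letsencrypt",
	}
	exclude, err := compileExcludeRegexes([]string{
		".*someprivateannotation.*",
		`^internal\.example\.com/`,
	})
	if err != nil {
		fmt.Println("invalid exclude pattern:", err)
		return
	}
	kept := filterKeys(annotations, exclude)
	for _, k := range sortedKeys(kept) {
		fmt.Printf("%s=%s\n", k, kept[k])
	}
}
```

Because matching is unanchored, a loose pattern such as "config" would also drop unrelated keys like kubectl.kubernetes.io/last-applied-configuration; anchoring patterns keeps the exclusion list predictable.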

func ParseConfig

func ParseConfig(data []byte) (Config, error)

ParseConfig only parses. It does not validate anything except for the data gatherer types. To validate the config, use ValidateDataGatherers or getConfiguration.

func (*Config) Dump

func (c *Config) Dump() (string, error)

Dump generates a YAML string of the Config object.

type DataGatherer added in v0.1.32

type DataGatherer struct {
	Kind     string `yaml:"kind"`
	Name     string `yaml:"name"`
	DataPath string `yaml:"data_path"`
	Config   datagatherer.Config
}

func (*DataGatherer) UnmarshalYAML added in v0.1.32

func (dg *DataGatherer) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML unmarshals a DataGatherer, resolving the type of its Config according to Kind.

type Endpoint

type Endpoint struct {
	Protocol string `yaml:"protocol"`
	Host     string `yaml:"host"`
	Path     string `yaml:"path"`
}

type Eventf added in v1.2.0

type Eventf func(eventType, reason, msg string, args ...interface{})

Like Printf but for sending events to the agent's Pod object.

type MachineHubConfig added in v1.6.0

type MachineHubConfig struct {
	// Subdomain is the subdomain indicating where data should be pushed. Used
	// for querying the Service Discovery Service to discover the Identity API
	// URL.
	Subdomain string `yaml:"subdomain"`

	// CredentialsSecretName is the name of a Kubernetes Secret in the same
	// namespace as the agent, which will be watched for a username and password
	// to send to CyberArk Identity for authentication.
	CredentialsSecretName string `yaml:"credentialsSecretName"`
}

MachineHubConfig holds configuration values specific to the CyberArk Machine Hub integration.

func (MachineHubConfig) Validate added in v1.6.0

func (mhc MachineHubConfig) Validate() error

type TLSPKMode added in v1.6.0

type TLSPKMode string

TLSPKMode controls how to authenticate to TLSPK / Jetstack Secure. Only one TLSPKMode may be provided if using those backends.

const (
	JetstackSecureOAuth         TLSPKMode = "Jetstack Secure OAuth"
	JetstackSecureAPIToken      TLSPKMode = "Jetstack Secure API Token"
	VenafiCloudKeypair          TLSPKMode = "Venafi Cloud Key Pair Service Account"
	VenafiCloudVenafiConnection TLSPKMode = "Venafi Cloud VenafiConnection"

	// It is possible to push to both MachineHub and TLSPK. With this mode, the
	// agent will only push to MachineHub and not to TLSPK.
	Off TLSPKMode = "MachineHub only"
)
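The rule that only one TLSPKMode may be in use, with Off meaning MachineHub only, is worth seeing as a decision function. The following is an added illustration and not the package's ValidateAndCombineConfig: it uses a reduced, hypothetical modeInputs struct (standing in for the relevant AgentCmdFlags fields) and considers only the --credentials-file route into Venafi Cloud Key Pair mode, not the --client-id/--private-key-path route. The TLSPKMode constants are copied from the page; selectTLSPKMode and errNoMode are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type TLSPKMode string

// Constants as defined by the agent package.
const (
	JetstackSecureOAuth         TLSPKMode = "Jetstack Secure OAuth"
	JetstackSecureAPIToken      TLSPKMode = "Jetstack Secure API Token"
	VenafiCloudKeypair          TLSPKMode = "Venafi Cloud Key Pair Service Account"
	VenafiCloudVenafiConnection TLSPKMode = "Venafi Cloud VenafiConnection"
	Off                         TLSPKMode = "MachineHub only"
)

// modeInputs is a hypothetical, reduced view of the flags that pick a mode.
// It is not the package's AgentCmdFlags.
type modeInputs struct {
	APIToken        string // --api-token (Jetstack Secure API Token mode)
	VenafiCloudMode bool   // --venafi-cloud
	CredentialsPath string // --credentials-file
	VenConnName     string // --venafi-connection
	MachineHubMode  bool   // push to CyberArk Machine Hub
}

var errNoMode = errors.New("no TLSPK credentials given and MachineHub mode is off: nothing to push to")

// selectTLSPKMode applies the "only one TLSPKMode" rule. It collects every
// mode the inputs imply, then accepts exactly one, falls back to Off when
// MachineHub is the only backend, and reports all conflicting modes otherwise.
func selectTLSPKMode(in modeInputs) (TLSPKMode, error) {
	var candidates []TLSPKMode
	if in.APIToken != "" {
		candidates = append(candidates, JetstackSecureAPIToken)
	}
	if in.VenConnName != "" {
		candidates = append(candidates, VenafiCloudVenafiConnection)
	}
	switch {
	case in.CredentialsPath != "" && in.VenafiCloudMode:
		candidates = append(candidates, VenafiCloudKeypair)
	case in.CredentialsPath != "":
		candidates = append(candidates, JetstackSecureOAuth)
	case in.VenafiCloudMode:
		// The page states --venafi-cloud must be used with --credentials-file.
		return "", errors.New("--venafi-cloud must be used in conjunction with --credentials-file")
	}

	switch len(candidates) {
	case 0:
		if in.MachineHubMode {
			return Off, nil
		}
		return "", errNoMode
	case 1:
		return candidates[0], nil
	default:
		names := make([]string, len(candidates))
		for i, c := range candidates {
			names[i] = string(c)
		}
		return "", fmt.Errorf("only one TLSPK mode may be used, but %d were configured: %s",
			len(candidates), strings.Join(names, "; "))
	}
}

func main() {
	// Constructed inputs: a valid single mode, a conflicting pair, and MachineHub only.
	for _, in := range []modeInputs{
		{CredentialsPath: "/etc/agent/creds.json", VenafiCloudMode: true},
		{APIToken: "<redacted>", VenConnName: "venafi-connection"},
		{MachineHubMode: true},
	} {
		mode, err := selectTLSPKMode(in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("mode:", mode)
	}
}
```

Collecting all candidate modes before deciding, rather than returning on the first match, is what makes the conflict error useful: the operator sees every credential source that was picked up, including one left behind in the environment such as API_TOKEN.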

type VenafiCloudConfig added in v0.1.40

type VenafiCloudConfig struct {
	// Deprecated: UploaderID is ignored by the backend and is not needed.
	// UploaderID is the upload ID that will be used when creating a cluster
	// connection. This field is ignored by the backend and is often arbitrarily
	// set to "no".
	UploaderID string `yaml:"uploader_id,omitempty"`

	// UploadPath is the endpoint path for the upload API. Only used in Venafi
	// Cloud Key Pair Service Account mode.
	UploadPath string `yaml:"upload_path,omitempty"`
}
