package agent v1.4.1
Published: Mar 14, 2025 License: Apache-2.0 Imports: 41 Imported by: 0

Documentation

Constants

const (
	CredOldJetstackSecureOAuth credType = "CredOldJetstackSecureOAuth"
	CredVenafiCloudKeypair     credType = "CredVenafiCloudKeypair"
)

Variables

This section is empty.

Functions

func InitAgentCmdFlags added in v1.0.0

func InitAgentCmdFlags(c *cobra.Command, cfg *AgentCmdFlags)

func Run

func Run(cmd *cobra.Command, args []string) (returnErr error)

Run starts the agent process.

func ValidateDataGatherers added in v1.1.0

func ValidateDataGatherers(dataGatherers []DataGatherer) error

Same as ValidateAndCombineConfig but just for validating the data gatherers. This is separate because the `rbac` command only needs to validate the data gatherers, nothing else.

The error returned may be a multierror.Error. Use multierror.Prefix(err, "context:") rather than fmt.Errorf("context: %w", err) when wrapping the error.

Types

type AgentCmdFlags added in v1.0.0

type AgentCmdFlags struct {
	// ConfigFilePath (--config-file, -c) is the path to the agent configuration
	// YAML file.
	ConfigFilePath string

	// Period (--period, -p) is the time waited between scans. It takes
	// precedence over the config field `period`.
	Period time.Duration

	// VenafiCloudMode (--venafi-cloud) turns on the Venafi Cloud Key Pair
	// Service Account mode. Must be used in conjunction with
	// --credentials-file.
	VenafiCloudMode bool

	// ClientID (--client-id) is the clientID in case of Venafi Cloud Key Pair
	// Service Account mode.
	ClientID string

	// PrivateKeyPath (--private-key-path) is the path for the service account
	// private key in case of Venafi Cloud Key Pair Service Account mode.
	PrivateKeyPath string

	// CredentialsPath (--credentials-file, -k) lets you specify the location of
	// the credentials file. This is used for the Jetstack Secure OAuth and
	// Venafi Cloud Key Pair Service Account modes. In Venafi Cloud Key Pair
	// Service Account mode, you also need to pass --venafi-cloud.
	CredentialsPath string

	// OneShot (--one-shot) is used for testing purposes. The agent will run
	// once and exit. It is often used in conjunction with --output-path and/or
	// --input-path.
	OneShot bool

	// OutputPath (--output-path) is used for testing purposes. In conjunction
	// with --one-shot, it allows you to write the data readings to a file
	// instead of uploading them to the Venafi Cloud API.
	OutputPath string

	// InputPath (--input-path) is used for testing purposes. In conjunction
	// with --one-shot, it allows you to push manually crafted data readings (in
	// JSON format) to the Venafi Cloud API without the need to connect to a
	// Kubernetes cluster. See the jscp-testing-cli's README for more info:
	// https://gitlab.com/venafi/vaas/applications/tls-protect-for-k8s/cloud-services/-/tree/master/jscp-testing-cli
	InputPath string

	// BackoffMaxTime (--backoff-max-time) is the maximum time for which data
	// gatherers will retry after a failure.
	BackoffMaxTime time.Duration

	// StrictMode (--strict) causes the agent to fail at the first attempt.
	StrictMode bool

	// APIToken (--api-token) allows you to use the Jetstack Secure API Token
	// mode. Defaults to the value of the env var API_TOKEN.
	APIToken string

	// VenConnName (--venafi-connection) is the name of the VenafiConnection
	// resource to use. Using this flag will enable Venafi Connection mode.
	VenConnName string

	// VenConnNS (--venafi-connection-namespace) is the namespace of the
	// VenafiConnection resource to use. It is only useful when the
	// VenafiConnection isn't in the same namespace as the agent.
	//
	// May be left empty to use the same namespace as the agent.
	VenConnNS string

	// InstallNS (--install-namespace) is the namespace in which the agent is
	// running. Only needed when running the agent outside of Kubernetes.
	//
	// May be left empty when running in Kubernetes. In Kubernetes, the
	// namespace is read from the environment variable `POD_NAMESPACE`.
	InstallNS string

	// Profiling (--enable-pprof) enables the pprof server.
	Profiling bool

	// Prometheus (--enable-metrics) enables the Prometheus metrics server.
	Prometheus bool
}
var Flags AgentCmdFlags

type AuthMode added in v1.1.0

type AuthMode string
const (
	JetstackSecureOAuth         AuthMode = "Jetstack Secure OAuth"
	JetstackSecureAPIToken      AuthMode = "Jetstack Secure API Token"
	VenafiCloudKeypair          AuthMode = "Venafi Cloud Key Pair Service Account"
	VenafiCloudVenafiConnection AuthMode = "Venafi Cloud VenafiConnection"
)

type CombinedConfig added in v1.1.0

type CombinedConfig struct {
	AuthMode AuthMode

	// Used by all modes.
	ClusterID      string
	DataGatherers  []DataGatherer
	Period         time.Duration
	BackoffMaxTime time.Duration
	StrictMode     bool
	OneShot        bool
	InstallNS      string

	// Used by JetstackSecureOAuth, JetstackSecureAPIToken, and
	// VenafiCloudKeypair. Ignored in VenafiCloudVenafiConnection mode.
	Server string

	// JetstackSecureOAuth and JetstackSecureAPIToken modes only.
	OrganizationID string
	EndpointPath   string // Deprecated.

	// VenafiCloudKeypair mode only.
	UploadPath         string
	ClusterDescription string

	// VenafiCloudVenafiConnection mode only.
	VenConnName string
	VenConnNS   string

	// VenafiCloudKeypair and VenafiCloudVenafiConnection modes only.
	ExcludeAnnotationKeysRegex []*regexp.Regexp
	ExcludeLabelKeysRegex      []*regexp.Regexp

	// Only used for testing purposes.
	OutputPath string
	InputPath  string
}

The command-line flags and the config file are combined into this struct by ValidateAndCombineConfig.

func ValidateAndCombineConfig added in v1.1.0

func ValidateAndCombineConfig(log logr.Logger, cfg Config, flags AgentCmdFlags) (CombinedConfig, client.Client, error)

ValidateAndCombineConfig combines and validates the input configuration with the flags passed to the agent and returns the final configuration as well as the Venafi client to be used to upload data. Does not do any network call. The logger can be changed for testing purposes. You do not need to call ValidateDataGatherers as ValidateAndCombineConfig already does that.

The error returned may be a multierror.Error. Use multierror.Prefix(err, "context:") rather than fmt.Errorf("context: %w", err) when wrapping the error.

type Config

type Config struct {
	// Deprecated: Schedule doesn't do anything. Use `period` instead.
	Schedule string        `yaml:"schedule"`
	Period   time.Duration `yaml:"period"`

	// Deprecated: Use `server` instead.
	Endpoint Endpoint `yaml:"endpoint"`

	// Server is the base URL for the Preflight server. It defaults to
	// https://preflight.jetstack.io in Jetstack Secure OAuth and Jetstack
	// Secure API Token modes, and https://api.venafi.cloud in Venafi Cloud Key
	// Pair Service Account mode. It is ignored in Venafi Cloud VenafiConnection
	// mode.
	Server string `yaml:"server"`

	// OrganizationID is only used in Jetstack Secure OAuth and Jetstack Secure
	// API Token modes.
	OrganizationID string `yaml:"organization_id"`

	// ClusterID is the cluster that the agent is scanning. Used in all modes.
	ClusterID          string             `yaml:"cluster_id"`
	ClusterDescription string             `yaml:"cluster_description"`
	DataGatherers      []DataGatherer     `yaml:"data-gatherers"`
	VenafiCloud        *VenafiCloudConfig `yaml:"venafi-cloud,omitempty"`

	// For testing purposes.
	InputPath string `yaml:"input-path"`
	// For testing purposes.
	OutputPath string `yaml:"output-path"`

	// Skips annotation keys that match the given set of regular expressions.
	// Example: ".*someprivateannotation.*".
	ExcludeAnnotationKeysRegex []string `yaml:"exclude-annotation-keys-regex"`
	// Skips label keys that match the given set of regular expressions.
	ExcludeLabelKeysRegex []string `yaml:"exclude-label-keys-regex"`
}

Config defines the YAML configuration file that you can pass using `--config-file` or `-c`.
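The exclude-regex handling that the `exclude-annotation-keys-regex` / `exclude-label-keys-regex` fields describe, as an added example that is not the agent's own code: the `[]string` patterns of Config are compiled once into the `[]*regexp.Regexp` form held by CombinedConfig, so a malformed pattern is rejected as a configuration error before any scan, and keys matching any pattern are dropped from the data before it is assembled into readings. The function names `compileExcludeRegex` and `filterKeys` and the sample annotations are assumptions of this example; only the standard library is used.

```go
package main

import (
	"fmt"
	"regexp"
)

// compileExcludeRegex turns Config.ExcludeAnnotationKeysRegex ([]string) into
// the []*regexp.Regexp of CombinedConfig; a bad pattern is a config error
// and is reported rather than silently dropped. (Name assumed, not the agent's.)
func compileExcludeRegex(patterns []string) ([]*regexp.Regexp, error) {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("exclude regex %q: %w", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// filterKeys returns a copy of m without every key matched by an exclude
// regex, so the values of those keys never leave the agent. (Name assumed.)
func filterKeys(m map[string]string, excludes []*regexp.Regexp) map[string]string {
	kept := make(map[string]string, len(m))
keys:
	for k, v := range m {
		for _, re := range excludes {
			if re.MatchString(k) {
				continue keys
			}
		}
		kept[k] = v
	}
	return kept
}

func main() {
	// Constructed sample: the page's own example pattern plus an anchored one.
	excludes, err := compileExcludeRegex([]string{".*someprivateannotation.*", `^internal\.example\.com/`})
	if err != nil {
		panic(err)
	}
	fmt.Println(filterKeys(map[string]string{ // constructed sample annotations
		"kubectl.kubernetes.io/last-applied-configuration": "{}",
		"acme.example.com/someprivateannotation":           "do-not-upload",
		"internal.example.com/owner":                       "team-a",
	}, excludes)) // map[kubectl.kubernetes.io/last-applied-configuration:{}]
}
```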

func ParseConfig

func ParseConfig(data []byte) (Config, error)

ParseConfig only parses. It does not validate anything except for the data gatherer types. To validate the config, use ValidateDataGatherers or getConfiguration.

func (*Config) Dump

func (c *Config) Dump() (string, error)

Dump generates a YAML string of the Config object.

type DataGatherer added in v0.1.32

type DataGatherer struct {
	Kind     string `yaml:"kind"`
	Name     string `yaml:"name"`
	DataPath string `yaml:"data_path"`
	Config   datagatherer.Config
}

func (*DataGatherer) UnmarshalYAML added in v0.1.32

func (dg *DataGatherer) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML unmarshals a DataGatherer, resolving its config type according to Kind.

type Endpoint

type Endpoint struct {
	Protocol string `yaml:"protocol"`
	Host     string `yaml:"host"`
	Path     string `yaml:"path"`
}

type Eventf added in v1.2.0

type Eventf func(eventType, reason, msg string, args ...interface{})

Like Printf but for sending events to the agent's Pod object.

type VenafiCloudConfig added in v0.1.40

type VenafiCloudConfig struct {
	// Deprecated: UploaderID is ignored by the backend and is not needed.
	// UploaderID is the upload ID that will be used when creating a cluster
	// connection. This field is ignored by the backend and is often arbitrarily
	// set to "no".
	UploaderID string `yaml:"uploader_id,omitempty"`

	// UploadPath is the endpoint path for the upload API. Only used in Venafi
	// Cloud Key Pair Service Account mode.
	UploadPath string `yaml:"upload_path,omitempty"`
}
