Merge remote-tracking branch 'origin/master' into feature/ark-configmaps-discovery

Author: Atanas Chuchev

CONTRIBUTING.md

@@ -0,0 +1,243 @@
+# Contributing to Discovery Agent
+
+Thank you for your interest in contributing! This document provides guidelines and instructions for contributing.
+
+Note that this repository holds two separate components:
+
+- disco-agent: For CyberArk DisCo
+- venafi-kubernetes-agent: For TLSPK / Certificate Manager SaaS
+
+## Table of Contents
+
+- [Getting Started](#getting-started)
+- [Development Environment](#development-environment)
+- [Making Changes](#making-changes)
+- [Testing](#testing)
+- [Submitting a Pull Request](#submitting-a-pull-request)
+- [Code Review Process](#code-review-process)
+- [Additional Resources](#additional-resources)
+
+### Prerequisites
+
+Before you begin, ensure you have the following installed:
+
+- [Go](https://golang.org/doc/install) (version specified in `go.mod`)
+- [Make](https://www.gnu.org/software/make/)
+- [Git](https://git-scm.com/)
+- [Docker](https://docs.docker.com/get-docker/) (for building container images)
+
+To check which Go version will be used:
+
+```bash
+make which-go
+```
+
+It's also possible to use a vendored version of Go, via `make vendor-go`.
+
+### Repository Tooling
+
+Most of the setup logic for provisioning tooling and for handling builds and testing
+is defined in Makefile logic.
+
+Specifically, `the make/_shared` directory contains shared Makefile logic derived from
+the cert-manager [makefile-modules](https://github.com/cert-manager/makefile-modules/) project.
+
+### Setting Up Your Development Environment
+
+1. **Fork the repository** on GitHub
+
+2. **Clone your fork:**
+
+   ```bash
+   git clone git@github.com:YOUR-USERNAME/jetstack-secure.git
+   cd jetstack-secure
+   ```
+
+3. **Add the upstream remote:**
+
+   ```bash
+   git remote add upstream git@github.com:jetstack/jetstack-secure.git
+   ```
+
+4. **Run initial verification:**
+
+   ```bash
+   make verify
+   ```
+
+   This ensures your environment is set up correctly.
+
+## Development Environment
+
+### Local Execution
+
+To build and run the agent locally:
+
+```bash
+go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1m0s
+```
+
+Example configuration files are available:
+- [agent.yaml](./agent.yaml)
+- [examples/one-shot-secret.yaml](./examples/one-shot-secret.yaml)
+- [examples/cert-manager-agent.yaml](./examples/cert-manager-agent.yaml)
+
+You can also run a local echo server to monitor agent requests:
+
+```bash
+go run main.go echo
+```
+
+### Useful Make Targets
+
+- `make help` - Show all available make targets
+- `make verify` - Run all verification checks (linting, formatting, etc.)
+- `make test-unit` - Run unit tests
+- `make test-helm` - Run Helm chart tests
+- `make generate` - Generate code, documentation, and other artifacts
+- `make oci-build-preflight` - Build container image
+- `make clean` - Clean all temporary files
+
+## Making Changes
+
+### Creating a Branch
+
+Always create a new branch for your changes:
+
+```bash
+git checkout -b feature/your-feature-name
+```
+
+Use descriptive branch names:
+- `feature/` for new features
+- `fix/` for bug fixes
+- `docs/` for documentation changes
+- `refactor/` for refactoring
+
+### Code Style
+
+This project follows standard Go conventions:
+
+- Run `make verify-golangci-lint` to check your code
+- Run `make fix-golangci-lint` to automatically fix some issues
+- Ensure all code is formatted with `gofmt`
+- Follow the [Effective Go](https://golang.org/doc/effective_go) guidelines
+- Most of the conventions are enforced by linters, and violations will prevent code being merged
+
+### Committing Changes
+
+1. **Stage your changes:**
+
+   ```bash
+   git add .
+   ```
+
+2. **Run verification before committing:**
+
+   ```bash
+   make verify
+   ```
+
+3. **Commit with a descriptive message:**
+
+   ```bash
+   git commit -m "Brief description of your changes"
+   ```
+
+   Write clear commit messages:
+   - Use the imperative mood ("Add feature" not "Added feature")
+   - Keep the first line under 72 characters
+   - Add additional context in the body if needed
+
+## Testing
+
+### Running Tests Locally
+
+Before submitting a PR, ensure all tests pass:
+
+```bash
+# Run unit tests
+make test-unit
+
+# Run Helm tests
+make test-helm
+
+# Run all verification checks
+make verify
+```
+
+### End-to-End Tests
+
+E2E tests run automatically in CI when you add specific labels to your PR:
+
+- Add the `test-e2e` label to trigger GKE-based E2E tests
+- Add the `keep-e2e-cluster` label if you need to keep the cluster for debugging (remember to delete it manually afterward to avoid costs)
+
+The E2E test script is located at [hack/e2e/test.sh](./hack/e2e/test.sh).
+
+### Writing Tests
+
+- Add unit tests for all new functionality
+- Place tests in `*_test.go` files alongside the code they test
+- Use the [testify](https://github.com/stretchr/testify) library for assertions
+- Aim for meaningful test coverage, not just high percentages
+
+## Submitting a Pull Request
+
+1. **Push your branch to your fork:**
+
+   ```bash
+   git push origin feature/your-feature-name
+   ```
+
+2. **Create a Pull Request** on GitHub from your fork to the `master` branch of `jetstack/jetstack-secure`
+
+3. **Fill out the PR description** with:
+   - Clear description of the changes
+   - Related issue numbers (if applicable)
+   - Testing instructions
+   - Any breaking changes or special considerations
+
+4. **Ensure CI passes:**
+   - All tests must pass
+   - Code must pass verification / linting checks
+   - No merge conflicts
+
+## Code Review Process
+
+### For All Contributors
+
+- PRs require approval before merging
+- Keep PRs focused and reasonably sized
+- Update your branch if `master` has moved forward:
+
+  ```bash
+  git fetch upstream
+  git rebase upstream/master
+  git push --force-with-lease origin feature/your-feature-name
+  ```
+
+### For CyberArk Contributors
+
+**Contributors from inside CyberArk should reach out to the cert-manager team for reviews for PRs which are passing CI.**
+
+The cert-manager team maintains this project and will provide code reviews and guidance for merging changes.
+
+## Additional Resources
+
+- [Project Documentation](https://docs.cyberark.com/mis-saas/vaas/k8s-components/c-tlspk-agent-overview/)
+- [Issue Tracker](https://github.com/jetstack/jetstack-secure/issues)
+- [Release Process](./RELEASE.md)
+- [cert-manager Community](https://cert-manager.io/docs/contributing/)
+
+## Getting Help
+
+If you need help or have questions:
+
+1. Check existing [issues](https://github.com/jetstack/jetstack-secure/issues) and [documentation](https://docs.cyberark.com/mis-saas/vaas/k8s-components/c-tlspk-agent-overview/)
+2. Open a new issue with the `question` label
+3. For CyberArk contributors, reach out to the cert-manager team
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the license in the LICENSE file in the root directory of this repository.

LICENSES

@@ -73,6 +73,11 @@ github.com/hashicorp/errwrap,MPL-2.0
 github.com/hashicorp/go-multierror,MPL-2.0
 github.com/josharian/intern,MIT
 github.com/json-iterator/go,MIT
+github.com/lestrrat-go/blackmagic,MIT
+github.com/lestrrat-go/httpcc,MIT
+github.com/lestrrat-go/httprc/v3,MIT
+github.com/lestrrat-go/jwx/v3,MIT
+github.com/lestrrat-go/option/v2,MIT
 github.com/mailru/easyjson,MIT
 github.com/mattn/go-colorable,MIT
 github.com/mattn/go-isatty,MIT

api/datareading.go

@@ -64,6 +64,7 @@ func (o *DataReading) UnmarshalJSON(data []byte) error {
 		target any
 		assign func(any)
 	}{
+		{&OIDCDiscoveryData{}, func(v any) { o.Data = v.(*OIDCDiscoveryData) }},
 		{&DiscoveryData{}, func(v any) { o.Data = v.(*DiscoveryData) }},
 		{&DynamicData{}, func(v any) { o.Data = v.(*DynamicData) }},
 	}
@@ -130,14 +131,14 @@ func (v *GatheredResource) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// DynamicData is the DataReading.Data returned by the k8s.DataGathererDynamic
+// DynamicData is the DataReading.Data returned by the k8sdynamic.DataGathererDynamic
 // gatherer
 type DynamicData struct {
 	// Items is a list of GatheredResource
 	Items []*GatheredResource `json:"items"`
 }
 
-// DiscoveryData is the DataReading.Data returned by the k8s.ConfigDiscovery
+// DiscoveryData is the DataReading.Data returned by the k8sdiscovery.DataGathererDiscovery
 // gatherer
 type DiscoveryData struct {
 	// ClusterID is the unique ID of the Kubernetes cluster which this snapshot was taken from.
@@ -149,3 +150,18 @@ type DiscoveryData struct {
 	// See https://godoc.org/k8s.io/apimachinery/pkg/version#Info
 	ServerVersion *version.Info `json:"server_version"`
 }
+
+// OIDCDiscoveryData is the DataReading.Data returned by the oidc.OIDCDiscovery
+// gatherer
+type OIDCDiscoveryData struct {
+	// OIDCConfig contains OIDC configuration data from the API server's
+	// `/.well-known/openid-configuration` endpoint
+	OIDCConfig map[string]any `json:"openid_configuration,omitempty"`
+	// OIDCConfigError contains any error encountered while fetching the OIDC configuration
+	OIDCConfigError string `json:"openid_configuration_error,omitempty"`
+
+	// JWKS contains JWKS data from the API server's `/openid/v1/jwks` endpoint
+	JWKS map[string]any `json:"jwks,omitempty"`
+	// JWKSError contains any error encountered while fetching the JWKS
+	JWKSError string `json:"jwks_error,omitempty"`
+}

api/datareading_test.go

@@ -75,6 +75,20 @@ func TestDataReading_UnmarshalJSON(t *testing.T) {
 			}`,
 			wantDataType: &DynamicData{},
 		},
+		{
+			name: "OIDCDiscoveryData type",
+			input: `{
+				"cluster_id": "11111111-2222-3333-4444-555555555555",
+				"data-gatherer": "oidc",
+				"timestamp": "2024-06-01T12:00:00Z",
+				"data": {
+					"openid_configuration": {"issuer": "https://example.com"},
+					"jwks": {"keys": []}
+				},
+				"schema_version": "v1"
+			}`,
+			wantDataType: &OIDCDiscoveryData{},
+		},
 		{
 			name:        "Invalid JSON",
 			input:       `not a json`,

cmd/agent_test.go

@@ -33,6 +33,9 @@ func TestOutputModes(t *testing.T) {
 
 	t.Run("machinehub", func(t *testing.T) {
 		arktesting.SkipIfNoEnv(t)
+
+		t.Log("This test runs against a live service and has been known to flake. If you see timeout issues it's possible that the test is flaking and it could be unrelated to your changes.")
+
 		runSubprocess(t, repoRoot, []string{
 			"--agent-config-file", filepath.Join(repoRoot, "examples/machinehub/config.yaml"),
 			"--input-path", filepath.Join(repoRoot, "examples/machinehub/input.json"),

deploy/charts/disco-agent/templates/configmap.yaml

@@ -19,6 +19,8 @@ data:
       {{- . | toYaml | nindent 6 }}
     {{- end }}
     data-gatherers:
+    - kind: oidc
+      name: ark/oidc
     - kind: k8s-discovery
       name: ark/discovery
     - kind: k8s-dynamic

deploy/charts/disco-agent/templates/rbac.yaml

@@ -95,4 +95,18 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "disco-agent.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "disco-agent.fullname" . }}-oidc-discovery
+  labels:
+    {{- include "disco-agent.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  name: system:service-account-issuer-discovery
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "disco-agent.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}

deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap

@@ -7,6 +7,8 @@ custom-cluster-description:
         cluster_description: "A cloud hosted Kubernetes cluster hosting production workloads.\n\nteam: team-1\nemail: team-1@example.com\npurpose: Production workloads\n"
         period: "12h0m0s"
         data-gatherers:
+        - kind: oidc
+          name: ark/oidc
         - kind: k8s-discovery
           name: ark/discovery
         - kind: k8s-dynamic
@@ -122,6 +124,8 @@ custom-cluster-name:
         cluster_description: ""
         period: "12h0m0s"
         data-gatherers:
+        - kind: oidc
+          name: ark/oidc
         - kind: k8s-discovery
           name: ark/discovery
         - kind: k8s-dynamic
@@ -237,6 +241,8 @@ custom-period:
         cluster_description: ""
         period: "1m"
         data-gatherers:
+        - kind: oidc
+          name: ark/oidc
         - kind: k8s-discovery
           name: ark/discovery
         - kind: k8s-dynamic
@@ -352,6 +358,8 @@ defaults:
         cluster_description: ""
         period: "12h0m0s"
         data-gatherers:
+        - kind: oidc
+          name: ark/oidc
         - kind: k8s-discovery
           name: ark/discovery
         - kind: k8s-dynamic