[VC-43403] Disable events when not in cluster and only require installNamespace when using venafi-connection mode#695
Merged
Conversation
wallrj-cyberark
force-pushed
the
disable-events-when-not-in-cluster
branch
from
71429a6 to
a2e0a64
Compare
wallrj-cyberark
commented
Aug 21, 2025
Contributor
Author
There was a problem hiding this comment.
$ go test ./cmd/... -v -count 1
=== RUN TestAgentRunOneShot
agent_test.go:32: Running child process
agent_test.go:50: STDOUT
I0821 16:50:33.617894 135769 run.go:58] "Starting" logger="Run" version="development" commit=""
I0821 16:50:33.618071 135769 config.go:491] "Configured to push to Venafi" logger="Run" mode="Jetstack Secure API Token" reason="--api-token was specified"
I0821 16:50:33.618111 135769 run.go:116] "Healthz endpoints enabled" logger="Run.APIServer" addr=":8081" path="/healthz"
I0821 16:50:33.618123 135769 run.go:120] "Readyz endpoints enabled" logger="Run.APIServer" addr=":8081" path="/readyz"
I0821 16:50:33.618140 135769 run.go:269] "Pod event recorder disabled" logger="Run" reason="The agent does not appear to be running in a Kubernetes cluster." detail="When running in a Kubernetes cluster the following environment variables must be set: POD_NAME, POD_NODE, POD_UID, POD_NAMESPACE"
I0821 16:50:33.618149 135769 run.go:308] "Reading data from local file" logger="Run.gatherAndOutputData" inputPath="testdata/agent/one-shot/success/input.json"
I0821 16:50:33.618224 135769 run.go:334] "Data saved to local file" logger="Run.gatherAndOutputData" outputPath="/dev/null"
I0821 16:50:33.618246 135769 run.go:476] "Starting" logger="Run.APIServer.ListenAndServe" addr=":8081"
I0821 16:50:33.618250 135769 run.go:490] "Shutting down" logger="Run.APIServer.ListenAndServe" addr=":8081"
I0821 16:50:33.618295 135769 run.go:505] "Shutdown complete" logger="Run.APIServer.ListenAndServe" addr=":8081"
agent_test.go:51: STDERR
--- PASS: TestAgentRunOneShot (0.03s)
PASS
ok github.com/jetstack/preflight/cmd 0.064s| t.Setenv("POD_NAME", "venafi-kubernetes-e2e") | ||
| // Silence the error about missing kubeconfig. | ||
| // TODO(wallrj): This should not be required when an `--input-file` has been supplied. | ||
| t.Setenv("KUBECONFIG", "testdata/agent/one-shot/success/kubeconfig.yaml") |
Contributor
Author
There was a problem hiding this comment.
These deleted TODO comments were slightly inaccurate. What I meant was...if the agent is not running in a cluster, there's no Pod to attach events to, so the POD_NAME is not necessary.
And if the data is being read from a file, there are no K8S datagatherers, so KUBECONFIG should not be necessary. Nor is there a venafi-connection-lib to initialize, which is another reason KUBECONFIG is unnecessary.
| // TODO(wallrj): This should not be required when an `--input-file` has been supplied. | ||
| "--api-token=should-not-be-required", | ||
| // TODO(wallrj): This should not be required when an `--input-file` has been supplied. | ||
| "--install-namespace=default", |
Contributor
Author
There was a problem hiding this comment.
And this deleted TODO comment should have said...--install-namespace is only necessary for initializing the venafi-connection-lib client, so it should not be necessary in this test.
Contributor
Author
|
I ran And the test passed: |
wallrj-cyberark
commented
Aug 21, 2025
wallrj-cyberark
force-pushed
the
disable-events-when-not-in-cluster
branch
from
a2e0a64 to
98d3812
Compare
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
wallrj-cyberark
force-pushed
the
disable-events-when-not-in-cluster
branch
from
98d3812 to
7c60629
Compare
maelvls
approved these changes
Aug 22, 2025
Member
There was a problem hiding this comment.
You are correct, --install-namespace was originally only meant to let venafi-connection-lib where to find the service account used to impersonate. I should have never triggered an error outside of the Venafi Connection mode, which it does now due to my "events" PR (#589).
Seems like I hijacked --install-namespace in #589, but that was somewhat stupid; I should have used POD_NAMESPACE instead of using --install-namespace. My mistake!!!
Thanks for the example log output, it looks good.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
It should be possible to run the agent outside a cluster, reading data from an input file and publishing to Jetstack or TLSPK, without having to supply any Kubernetes related configuration.
--install-namespaceorPOD_NAMESPACEis only required when using venafi-connection mode, because that client needs to know where to find the agent service account which it uses to impersonate the venafi-connection service account (I think).So if the necessary POD_ environment variables are missing, the event recorder is now disabled.
And specifying an install namespace (by
--install-namespaceor byPOD_NAMESPACE) are now optional, unless venafi-connection mode is used.