jetstack
diff --git a/‎deploy/charts/discovery-agent/README.md‎
Lines changed: 25 additions & 3 deletions b/‎deploy/charts/discovery-agent/README.md‎
Lines changed: 25 additions & 3 deletions
diff --git a/‎deploy/charts/discovery-agent/templates/deployment.yaml‎
Lines changed: 26 additions & 0 deletions b/‎deploy/charts/discovery-agent/templates/deployment.yaml‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎deploy/charts/discovery-agent/tests/deployment_test.yaml‎
Lines changed: 128 additions & 0 deletions b/‎deploy/charts/discovery-agent/tests/deployment_test.yaml‎
Lines changed: 128 additions & 0 deletions
diff --git a/‎deploy/charts/discovery-agent/values.schema.json‎
Lines changed: 38 additions & 5 deletions b/‎deploy/charts/discovery-agent/values.schema.json‎
Lines changed: 38 additions & 5 deletions
diff --git a/‎deploy/charts/discovery-agent/values.yaml‎
Lines changed: 23 additions & 0 deletions b/‎deploy/charts/discovery-agent/values.yaml‎
Lines changed: 23 additions & 0 deletions
@@ -12,7 +12,7 @@ The Discovery Agent connects your Kubernetes or OpenShift cluster to Palo Alto N
 > ""
 > ```
 
-The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL.
+The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL. Must not be set when config.venafiConnection.enabled is true (the TSG ID is taken from the VenafiConnection's `spec.ngts` instead).
 
 
 #### **config.clusterName** ~ `string`
@@ -72,7 +72,7 @@ Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
 > ""
 > ```
 
-Deprecated: Client ID for the configured service account. The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart.
+Deprecated: Client ID for the configured service account. The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart. Must not be set when config.venafiConnection.enabled is true.
 
 #### **config.secretName** ~ `string`
 > Default value:
@@ -84,8 +84,30 @@ The name of the Secret containing the NGTS built-in service account credentials.
 The Secret must contain the following key:  
 - privatekey.pem: PEM-encoded private key for the service account  
 The Secret should also contain the following key:  
-- clientID:       Service account client ID (config.clientID must be set if not present)
+- clientID:       Service account client ID (config.clientID must be set if not present)  
+Must not be set when config.venafiConnection.enabled is true (the credentials Secret is not mounted in that mode).
 
+#### **config.venafiConnection.enabled** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+When set to true, config.tsgID, config.serverURL, config.clientID and config.clientId must not be set (the chart will fail to render otherwise), and the Secret named by config.secretName will _not_ be mounted into the Discovery Agent Pod.
+#### **config.venafiConnection.name** ~ `string`
+> Default value:
+> ```yaml
+> venafi-components
+> ```
+
+The name of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.
+#### **config.venafiConnection.namespace** ~ `string`
+> Default value:
+> ```yaml
+> venafi
+> ```
+
+The namespace of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.
 #### **replicaCount** ~ `number`
 > Default value:
 > ```yaml
 
@@ -71,6 +71,27 @@ spec:
             - "agent"
             - "-c"
             - "/etc/discovery-agent/config.yaml"
+            {{- if .Values.config.venafiConnection.enabled }}
+            {{- if .Values.config.tsgID }}
+              {{- fail "config.tsgID must not be set when config.venafiConnection.enabled is true; the TSG ID is read from the VenafiConnection's spec.ngts" }}
+            {{- end }}
+            {{- if .Values.config.serverURL }}
+              {{- fail "config.serverURL must not be set when config.venafiConnection.enabled is true; the server URL is read from the VenafiConnection's spec" }}
+            {{- end }}
+            {{- if .Values.config.clientID }}
+              {{- fail "config.clientID must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource" }}
+            {{- end }}
+            {{- if .Values.config.clientId }}
+              {{- fail "config.clientId must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource" }}
+            {{- end }}
+            {{- if ne .Values.config.secretName "discovery-agent-credentials" }}
+              {{- fail "config.secretName must not be set when config.venafiConnection.enabled is true; the credentials Secret is not mounted in this mode (authentication is performed via the VenafiConnection resource)" }}
+            {{- end }}
+            - --venafi-connection
+            - {{ .Values.config.venafiConnection.name | quote }}
+            - --venafi-connection-namespace
+            - {{ .Values.config.venafiConnection.namespace | quote }}
+            {{- else }}
             - --ngts
             {{- if and .Values.config.tsgID .Values.config.serverURL }}
               {{- fail "config.tsgID and config.serverURL are mutually exclusive; set exactly one" }}
@@ -87,6 +108,7 @@ spec:
             {{- end }}
             - --private-key-path
             - /etc/discovery-agent/credentials/privatekey.pem
+            {{- end }}
             - --logging-format=json
             {{- if .Values.metrics.enabled }}
             - --enable-metrics
@@ -105,9 +127,11 @@ spec:
             - name: config
               mountPath: "/etc/discovery-agent"
               readOnly: true
+            {{- if not .Values.config.venafiConnection.enabled }}
             - name: credentials
               mountPath: "/etc/discovery-agent/credentials"
               readOnly: true
+            {{- end }}
             {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -119,10 +143,12 @@ spec:
           configMap:
             name: {{ include "discovery-agent.fullname" . }}-config
             optional: false
+        {{- if not .Values.config.venafiConnection.enabled }}
         - name: credentials
           secret:
             secretName: {{ .Values.config.secretName }}
             optional: false
+        {{- end }}
         {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
 
@@ -373,3 +373,131 @@ tests:
           path: spec.template.spec.imagePullSecrets
           content:
             name: my-secret
+
+  # VenafiConnection mode wires the connection name/namespace through as flags
+  # and skips both the --ngts/--tsg-id flags and the keypair Secret mount. The
+  # agent picks the actual upload backend (NGTS or VCP) from the
+  # VenafiConnection resource at runtime.
+  - it: VenafiConnection mode passes the connection flags and omits NGTS/keypair flags
+    set:
+      config.clusterName: test-cluster
+      config.venafiConnection.enabled: true
+      config.venafiConnection.name: my-venconn
+      config.venafiConnection.namespace: my-ns
+    template: deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --venafi-connection
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: my-venconn
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: --venafi-connection-namespace
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: my-ns
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --ngts
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --tsg-id
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --ngts-server-url
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --client-id
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: --private-key-path
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: credentials
+            mountPath: "/etc/discovery-agent/credentials"
+            readOnly: true
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: credentials
+            secret:
+              secretName: discovery-agent-credentials
+              optional: false
+
+  # VenafiConnection mode does not require config.tsgID, since the agent reads
+  # the TSG ID from the VenafiConnection resource at runtime.
+  - it: VenafiConnection mode does not require config.tsgID
+    set:
+      config.clusterName: test-cluster
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+
+  # Keypair-mode fields must not be set in VenafiConnection mode; the chart
+  # should fail to render rather than silently dropping the values, so users
+  # don't end up with a config that looks wired but isn't.
+  - it: VenafiConnection mode rejects config.tsgID
+    set:
+      config.clusterName: test-cluster
+      config.tsgID: "999"
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - failedTemplate:
+          errorMessage: "config.tsgID must not be set when config.venafiConnection.enabled is true; the TSG ID is read from the VenafiConnection's spec.ngts"
+
+  - it: VenafiConnection mode rejects config.serverURL
+    set:
+      config.clusterName: test-cluster
+      config.serverURL: "https://should-be-rejected.example.com"
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - failedTemplate:
+          errorMessage: "config.serverURL must not be set when config.venafiConnection.enabled is true; the server URL is read from the VenafiConnection's spec"
+
+  - it: VenafiConnection mode rejects config.clientID
+    set:
+      config.clusterName: test-cluster
+      config.clientID: "should-be-rejected"
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - failedTemplate:
+          errorMessage: "config.clientID must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource"
+
+  - it: VenafiConnection mode rejects config.clientId
+    set:
+      config.clusterName: test-cluster
+      config.clientId: "should-be-rejected"
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - failedTemplate:
+          errorMessage: "config.clientId must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource"
+
+  - it: VenafiConnection mode rejects a non-default config.secretName
+    set:
+      config.clusterName: test-cluster
+      config.secretName: custom-credentials-secret
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - failedTemplate:
+          errorMessage: "config.secretName must not be set when config.venafiConnection.enabled is true; the credentials Secret is not mounted in this mode (authentication is performed via the VenafiConnection resource)"
+
+  - it: VenafiConnection mode accepts the default config.secretName
+    set:
+      config.clusterName: test-cluster
+      config.venafiConnection.enabled: true
+    template: deployment.yaml
+    asserts:
+      - isKind:
+          of: Deployment
@@ -126,6 +126,9 @@
         },
         "tsgID": {
           "$ref": "#/$defs/helm-values.config.tsgID"
+        },
+        "venafiConnection": {
+          "$ref": "#/$defs/helm-values.config.venafiConnection"
         }
       },
       "type": "object"
@@ -137,12 +140,12 @@
     },
     "helm-values.config.clientID": {
       "default": "",
-      "description": "Deprecated: Client ID for the configured service account. The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart.",
+      "description": "Deprecated: Client ID for the configured service account. The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart. Must not be set when config.venafiConnection.enabled is true.",
       "type": "string"
     },
     "helm-values.config.clientId": {
       "default": "",
-      "description": "Deprecated: Client ID for the configured service account (alternative to clientID). The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart. If both clientID and clientId are set, clientID takes precedence.",
+      "description": "Deprecated: Client ID for the configured service account (alternative to clientID). The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart. If both clientID and clientId are set, clientID takes precedence. Must not be set when config.venafiConnection.enabled is true.",
       "type": "string"
     },
     "helm-values.config.clusterDescription": {
@@ -173,17 +176,47 @@
     },
     "helm-values.config.secretName": {
       "default": "discovery-agent-credentials",
-      "description": "The name of the Secret containing the NGTS built-in service account credentials.\nThe Secret must contain the following key:\n- privatekey.pem: PEM-encoded private key for the service account\nThe Secret should also contain the following key:\n- clientID:       Service account client ID (config.clientID must be set if not present)",
+      "description": "The name of the Secret containing the NGTS built-in service account credentials.\nThe Secret must contain the following key:\n- privatekey.pem: PEM-encoded private key for the service account\nThe Secret should also contain the following key:\n- clientID:       Service account client ID (config.clientID must be set if not present)\nMust not be set when config.venafiConnection.enabled is true (the credentials Secret is not mounted in that mode).",
       "type": "string"
     },
     "helm-values.config.serverURL": {
       "default": "",
-      "description": "Explicit SCM server URL (optional).\nIf not set, the production SCM server URL is derived from config.tsgID. This value is intended for development purposes only and should not be set in production.\nMutually exclusive with config.tsgID.",
+      "description": "Explicit SCM server URL (optional).\nIf not set, the production SCM server URL is derived from config.tsgID. This value is intended for development purposes only and should not be set in production.\nMutually exclusive with config.tsgID.\nMust not be set when config.venafiConnection.enabled is true.",
       "type": "string"
     },
     "helm-values.config.tsgID": {
       "default": "",
-      "description": "The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL."
+      "description": "The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL. Must not be set when config.venafiConnection.enabled is true (the TSG ID is taken from the VenafiConnection's `spec.ngts` instead)."
+    },
+    "helm-values.config.venafiConnection": {
+      "additionalProperties": false,
+      "properties": {
+        "enabled": {
+          "$ref": "#/$defs/helm-values.config.venafiConnection.enabled"
+        },
+        "name": {
+          "$ref": "#/$defs/helm-values.config.venafiConnection.name"
+        },
+        "namespace": {
+          "$ref": "#/$defs/helm-values.config.venafiConnection.namespace"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.config.venafiConnection.enabled": {
+      "default": false,
+      "description": "When set to true, config.tsgID, config.serverURL, config.clientID and config.clientId must not be set (the chart will fail to render otherwise), and the Secret named by config.secretName will _not_ be mounted into the Discovery Agent Pod.",
+      "type": "boolean"
+    },
+    "helm-values.config.venafiConnection.name": {
+      "default": "venafi-components",
+      "description": "The name of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.",
+      "type": "string"
+    },
+    "helm-values.config.venafiConnection.namespace": {
+      "default": "venafi",
+      "description": "The namespace of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.",
+      "type": "string"
     },
     "helm-values.extraArgs": {
       "default": [],
 
@@ -3,6 +3,7 @@ config:
   # The TSG (Tenant Service Group) ID to use when connecting to SCM.
   # The production SCM server URL is derived from this value.
   # Required unless config.serverURL is set. Mutually exclusive with config.serverURL.
+  # Must not be set when config.venafiConnection.enabled is true (the TSG ID is taken from the VenafiConnection's `spec.ngts` instead).
   # +docs:property
   # +docs:type=number,string
   tsgID: ""
@@ -44,13 +45,15 @@ config:
   # Deprecated: Client ID for the configured service account.
   # The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName).
   # This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart.
+  # Must not be set when config.venafiConnection.enabled is true.
   # +docs:property
   clientID: ""
 
   # Deprecated: Client ID for the configured service account (alternative to clientID).
   # The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName).
   # This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart.
   # If both clientID and clientId are set, clientID takes precedence.
+  # Must not be set when config.venafiConnection.enabled is true.
   # +docs:hidden
   clientId: ""
 
@@ -59,16 +62,36 @@ config:
   # - privatekey.pem: PEM-encoded private key for the service account
   # The Secret should also contain the following key:
   # - clientID:       Service account client ID (config.clientID must be set if not present)
+  # Must not be set when config.venafiConnection.enabled is true (the credentials Secret is not mounted in that mode).
   # +docs:property
   secretName: discovery-agent-credentials
 
   # Explicit SCM server URL (optional).
   # If not set, the production SCM server URL is derived from config.tsgID.
   # This value is intended for development purposes only and should not be set in production.
   # Mutually exclusive with config.tsgID.
+  # Must not be set when config.venafiConnection.enabled is true.
   # +docs:hidden
   serverURL: ""
 
+  # When venafiConnection.enabled is true, the Discovery Agent authenticates to
+  # its upload backend using the referenced VenafiConnection resource instead
+  # of the NGTS built-in service account key pair. For the NGTS backend, the
+  # VenafiConnection's `spec.ngts` (with `tsgID` or `url`, and a `jwt` source)
+  # is used.
+  venafiConnection:
+    # When set to true, config.tsgID, config.serverURL, config.clientID and
+    # config.clientId must not be set (the chart will fail to render
+    # otherwise), and the Secret named by config.secretName will _not_ be
+    # mounted into the Discovery Agent Pod.
+    enabled: false
+    # The name of a VenafiConnection resource which contains the configuration
+    # for authenticating to the upload backend.
+    name: venafi-components
+    # The namespace of a VenafiConnection resource which contains the
+    # configuration for authenticating to the upload backend.
+    namespace: venafi
+
 # This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
 replicaCount: 1