Merged
28 changes: 25 additions & 3 deletions deploy/charts/discovery-agent/README.md
@@ -12,7 +12,7 @@ The Discovery Agent connects your Kubernetes or OpenShift cluster to Palo Alto N
> ""
> ```

The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL.
The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL. Must not be set when config.venafiConnection.enabled is true (the TSG ID is taken from the VenafiConnection's `spec.ngts` instead).


#### **config.clusterName** ~ `string`
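Review bot: the sentence "Required unless config.serverURL is set" on the added line is no longer complete, since the new test `VenafiConnection mode does not require config.tsgID` in this PR shows tsgID is also optional when config.venafiConnection.enabled is true. Suggest "Required unless config.serverURL is set or config.venafiConnection.enabled is true." The same sentence is repeated verbatim in values.yaml and values.schema.json in this PR; if the README and schema are generated from values.yaml, fix it there once.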
@@ -72,7 +72,7 @@ Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
> ""
> ```

Deprecated: Client ID for the configured service account. The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart.
Deprecated: Client ID for the configured service account. The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart. Must not be set when config.venafiConnection.enabled is true.

#### **config.secretName** ~ `string`
> Default value:
@@ -84,8 +84,30 @@ The name of the Secret containing the NGTS built-in service account credentials.
The Secret must contain the following key:
- privatekey.pem: PEM-encoded private key for the service account
The Secret should also contain the following key:
- clientID: Service account client ID (config.clientID must be set if not present)
- clientID: Service account client ID (config.clientID must be set if not present)
Must not be set when config.venafiConnection.enabled is true (the credentials Secret is not mounted in that mode).

#### **config.venafiConnection.enabled** ~ `bool`
> Default value:
> ```yaml
> false
> ```

When set to true, config.tsgID, config.serverURL, config.clientID and config.clientId must not be set (the chart will fail to render otherwise), and the Secret named by config.secretName will _not_ be mounted into the Discovery Agent Pod.
#### **config.venafiConnection.name** ~ `string`
> Default value:
> ```yaml
> venafi-components
> ```

The name of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.
#### **config.venafiConnection.namespace** ~ `string`
> Default value:
> ```yaml
> venafi
> ```

The namespace of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.
#### **replicaCount** ~ `number`
> Default value:
> ```yaml
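Review bot: the three new entries are missing the blank line between the description paragraph and the following `####` heading (after the config.venafiConnection.enabled, .name and .namespace descriptions), unlike the existing entries such as config.secretName above. If this README is generated from values.yaml, the likely cause is that the new keys in values.yaml lack the `# +docs:property` marker the other documented keys carry; otherwise add the blank lines by hand so the rendered page keeps one paragraph per property.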
26 changes: 26 additions & 0 deletions deploy/charts/discovery-agent/templates/deployment.yaml
@@ -71,6 +71,27 @@ spec:
- "agent"
- "-c"
- "/etc/discovery-agent/config.yaml"
{{- if .Values.config.venafiConnection.enabled }}
{{- if .Values.config.tsgID }}
{{- fail "config.tsgID must not be set when config.venafiConnection.enabled is true; the TSG ID is read from the VenafiConnection's spec.ngts" }}
{{- end }}
{{- if .Values.config.serverURL }}
{{- fail "config.serverURL must not be set when config.venafiConnection.enabled is true; the server URL is read from the VenafiConnection's spec" }}
{{- end }}
{{- if .Values.config.clientID }}
{{- fail "config.clientID must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource" }}
{{- end }}
{{- if .Values.config.clientId }}
{{- fail "config.clientId must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource" }}
{{- end }}
{{- if ne .Values.config.secretName "discovery-agent-credentials" }}
{{- fail "config.secretName must not be set when config.venafiConnection.enabled is true; the credentials Secret is not mounted in this mode (authentication is performed via the VenafiConnection resource)" }}
{{- end }}
- --venafi-connection
- {{ .Values.config.venafiConnection.name | quote }}
- --venafi-connection-namespace
- {{ .Values.config.venafiConnection.namespace | quote }}
{{- else }}
- --ngts
{{- if and .Values.config.tsgID .Values.config.serverURL }}
{{- fail "config.tsgID and config.serverURL are mutually exclusive; set exactly one" }}
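Review bot: the config.secretName guard compares against the hard-coded literal "discovery-agent-credentials", which duplicates the default from values.yaml; if that default is ever renamed, this check silently starts rejecting every VenafiConnection-mode install, and the message "config.secretName must not be set" is misleading for a user who explicitly set the default value, which the check accepts. Consider referencing the default through a single named template, or at minimum add a comment next to the literal pointing at values.yaml. Minor: the five `fail` blocks sit in the middle of the container args list; moving them into a validation helper invoked once at the top of the template would keep the args list readable.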
@@ -87,6 +108,7 @@ spec:
{{- end }}
- --private-key-path
- /etc/discovery-agent/credentials/privatekey.pem
{{- end }}
- --logging-format=json
{{- if .Values.metrics.enabled }}
- --enable-metrics
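Review bot: this `{{- end }}` closes the `{{- if .Values.config.venafiConnection.enabled }}` opened at the top of the args block, far from its `{{- else }}`, and lands between two unrelated args; a trailing comment such as `{{- end }}{{/* venafiConnection.enabled */}}` would make it clear which block it terminates.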
@@ -105,9 +127,11 @@ spec:
- name: config
mountPath: "/etc/discovery-agent"
readOnly: true
{{- if not .Values.config.venafiConnection.enabled }}
- name: credentials
mountPath: "/etc/discovery-agent/credentials"
readOnly: true
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
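Review bot: gating the credentials volumeMount on `not .Values.config.venafiConnection.enabled` must stay in step with the identical condition on the credentials volume below and on `--private-key-path` in the args above; if any one of the three drifts, the pod either references a volume that is not defined or mounts a private key it never uses. A single named template returning the keypair-mode boolean, used in all three places, would prevent that.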
@@ -119,10 +143,12 @@ spec:
configMap:
name: {{ include "discovery-agent.fullname" . }}-config
optional: false
{{- if not .Values.config.venafiConnection.enabled }}
- name: credentials
secret:
secretName: {{ .Values.config.secretName }}
optional: false
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
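Review bot: none of the files changed in this PR (README.md, deployment.yaml, deployment_test.yaml, values.schema.json, values.yaml) touch RBAC, yet once the credentials Secret is no longer mounted the agent has to read the VenafiConnection resource in config.venafiConnection.namespace (and, per the values.yaml comment, whatever its `jwt` source points at) at runtime. Please confirm the chart's ServiceAccount already has those permissions or document them, otherwise the Deployment renders fine but the pod cannot authenticate.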
128 changes: 128 additions & 0 deletions deploy/charts/discovery-agent/tests/deployment_test.yaml
@@ -373,3 +373,131 @@ tests:
path: spec.template.spec.imagePullSecrets
content:
name: my-secret

# VenafiConnection mode wires the connection name/namespace through as flags
# and skips both the --ngts/--tsg-id flags and the keypair Secret mount. The
# agent picks the actual upload backend (NGTS or VCP) from the
# VenafiConnection resource at runtime.
- it: VenafiConnection mode passes the connection flags and omits NGTS/keypair flags
set:
config.clusterName: test-cluster
config.venafiConnection.enabled: true
config.venafiConnection.name: my-venconn
config.venafiConnection.namespace: my-ns
template: deployment.yaml
asserts:
- isKind:
of: Deployment
- contains:
path: spec.template.spec.containers[0].args
content: --venafi-connection
- contains:
path: spec.template.spec.containers[0].args
content: my-venconn
- contains:
path: spec.template.spec.containers[0].args
content: --venafi-connection-namespace
- contains:
path: spec.template.spec.containers[0].args
content: my-ns
- notContains:
path: spec.template.spec.containers[0].args
content: --ngts
- notContains:
path: spec.template.spec.containers[0].args
content: --tsg-id
- notContains:
path: spec.template.spec.containers[0].args
content: --ngts-server-url
- notContains:
path: spec.template.spec.containers[0].args
content: --client-id
- notContains:
path: spec.template.spec.containers[0].args
content: --private-key-path
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: credentials
mountPath: "/etc/discovery-agent/credentials"
readOnly: true
- notContains:
path: spec.template.spec.volumes
content:
name: credentials
secret:
secretName: discovery-agent-credentials
optional: false

# VenafiConnection mode does not require config.tsgID, since the agent reads
# the TSG ID from the VenafiConnection resource at runtime.
- it: VenafiConnection mode does not require config.tsgID
set:
config.clusterName: test-cluster
config.venafiConnection.enabled: true
template: deployment.yaml
asserts:
- isKind:
of: Deployment

# Keypair-mode fields must not be set in VenafiConnection mode; the chart
# should fail to render rather than silently dropping the values, so users
# don't end up with a config that looks wired but isn't.
- it: VenafiConnection mode rejects config.tsgID
set:
config.clusterName: test-cluster
config.tsgID: "999"
config.venafiConnection.enabled: true
template: deployment.yaml
asserts:
- failedTemplate:
errorMessage: "config.tsgID must not be set when config.venafiConnection.enabled is true; the TSG ID is read from the VenafiConnection's spec.ngts"

- it: VenafiConnection mode rejects config.serverURL
set:
config.clusterName: test-cluster
config.serverURL: "https://should-be-rejected.example.com"
config.venafiConnection.enabled: true
template: deployment.yaml
asserts:
- failedTemplate:
errorMessage: "config.serverURL must not be set when config.venafiConnection.enabled is true; the server URL is read from the VenafiConnection's spec"

- it: VenafiConnection mode rejects config.clientID
set:
config.clusterName: test-cluster
config.clientID: "should-be-rejected"
config.venafiConnection.enabled: true
template: deployment.yaml
asserts:
- failedTemplate:
errorMessage: "config.clientID must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource"

- it: VenafiConnection mode rejects config.clientId
set:
config.clusterName: test-cluster
config.clientId: "should-be-rejected"
config.venafiConnection.enabled: true
template: deployment.yaml
asserts:
- failedTemplate:
errorMessage: "config.clientId must not be set when config.venafiConnection.enabled is true; authentication is performed via the VenafiConnection resource"

- it: VenafiConnection mode rejects a non-default config.secretName
set:
config.clusterName: test-cluster
config.secretName: custom-credentials-secret
config.venafiConnection.enabled: true
template: deployment.yaml
asserts:
- failedTemplate:
errorMessage: "config.secretName must not be set when config.venafiConnection.enabled is true; the credentials Secret is not mounted in this mode (authentication is performed via the VenafiConnection resource)"

- it: VenafiConnection mode accepts the default config.secretName
set:
config.clusterName: test-cluster
config.venafiConnection.enabled: true
template: deployment.yaml
asserts:
- isKind:
of: Deployment
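Review bot: the test `VenafiConnection mode accepts the default config.secretName` does not set config.secretName at all, so its `set:` block is identical to `VenafiConnection mode does not require config.tsgID` and it never exercises the `ne .Values.config.secretName "discovery-agent-credentials"` branch; add `config.secretName: discovery-agent-credentials` to it. Also, the six `failedTemplate` assertions match the full error text verbatim, so any rewording of a `fail` message breaks them; helm-unittest's `errorPattern` on a stable fragment such as `config.tsgID must not be set` would be less brittle.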
43 changes: 38 additions & 5 deletions deploy/charts/discovery-agent/values.schema.json
@@ -126,6 +126,9 @@
},
"tsgID": {
"$ref": "#/$defs/helm-values.config.tsgID"
},
"venafiConnection": {
"$ref": "#/$defs/helm-values.config.venafiConnection"
}
},
"type": "object"
@@ -137,12 +140,12 @@
},
"helm-values.config.clientID": {
"default": "",
"description": "Deprecated: Client ID for the configured service account. The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart.",
"description": "Deprecated: Client ID for the configured service account. The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart. Must not be set when config.venafiConnection.enabled is true.",
"type": "string"
},
"helm-values.config.clientId": {
"default": "",
"description": "Deprecated: Client ID for the configured service account (alternative to clientID). The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart. If both clientID and clientId are set, clientID takes precedence.",
"description": "Deprecated: Client ID for the configured service account (alternative to clientID). The client ID should be provided in the \"clientID\" field of the authentication secret (see config.secretName). This field is provided for compatibility for users migrating from the \"venafi-kubernetes-agent\" chart. If both clientID and clientId are set, clientID takes precedence. Must not be set when config.venafiConnection.enabled is true.",
"type": "string"
},
"helm-values.config.clusterDescription": {
@@ -173,17 +176,47 @@
},
"helm-values.config.secretName": {
"default": "discovery-agent-credentials",
"description": "The name of the Secret containing the NGTS built-in service account credentials.\nThe Secret must contain the following key:\n- privatekey.pem: PEM-encoded private key for the service account\nThe Secret should also contain the following key:\n- clientID: Service account client ID (config.clientID must be set if not present)",
"description": "The name of the Secret containing the NGTS built-in service account credentials.\nThe Secret must contain the following key:\n- privatekey.pem: PEM-encoded private key for the service account\nThe Secret should also contain the following key:\n- clientID: Service account client ID (config.clientID must be set if not present)\nMust not be set when config.venafiConnection.enabled is true (the credentials Secret is not mounted in that mode).",
"type": "string"
},
"helm-values.config.serverURL": {
"default": "",
"description": "Explicit SCM server URL (optional).\nIf not set, the production SCM server URL is derived from config.tsgID. This value is intended for development purposes only and should not be set in production.\nMutually exclusive with config.tsgID.",
"description": "Explicit SCM server URL (optional).\nIf not set, the production SCM server URL is derived from config.tsgID. This value is intended for development purposes only and should not be set in production.\nMutually exclusive with config.tsgID.\nMust not be set when config.venafiConnection.enabled is true.",
"type": "string"
},
"helm-values.config.tsgID": {
"default": "",
"description": "The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL."
"description": "The TSG (Tenant Service Group) ID to use when connecting to SCM. The production SCM server URL is derived from this value. Required unless config.serverURL is set. Mutually exclusive with config.serverURL. Must not be set when config.venafiConnection.enabled is true (the TSG ID is taken from the VenafiConnection's `spec.ngts` instead)."
},
"helm-values.config.venafiConnection": {
"additionalProperties": false,
"properties": {
"enabled": {
"$ref": "#/$defs/helm-values.config.venafiConnection.enabled"
},
"name": {
"$ref": "#/$defs/helm-values.config.venafiConnection.name"
},
"namespace": {
"$ref": "#/$defs/helm-values.config.venafiConnection.namespace"
}
},
"type": "object"
},
"helm-values.config.venafiConnection.enabled": {
"default": false,
"description": "When set to true, config.tsgID, config.serverURL, config.clientID and config.clientId must not be set (the chart will fail to render otherwise), and the Secret named by config.secretName will _not_ be mounted into the Discovery Agent Pod.",
"type": "boolean"
},
"helm-values.config.venafiConnection.name": {
"default": "venafi-components",
"description": "The name of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.",
"type": "string"
},
"helm-values.config.venafiConnection.namespace": {
"default": "venafi",
"description": "The namespace of a VenafiConnection resource which contains the configuration for authenticating to the upload backend.",
"type": "string"
},
"helm-values.extraArgs": {
"default": [],
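Review bot: `helm-values.config.venafiConnection.name` and `.namespace` accept the empty string (no `minLength`), so `config.venafiConnection.name: ""` passes schema validation and renders `--venafi-connection ""` via the `| quote` in deployment.yaml; add `"minLength": 1` to both, or a matching `fail` in the template. The cross-field rules (tsgID, serverURL, clientID, clientId and secretName forbidden when enabled is true) exist only as template `fail` calls, which is acceptable, but schema-only validation will not catch them, so the descriptions here are the only hint a schema-driven editor gets; if the schema is generated from values.yaml, adjust the generator annotations rather than this file.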
23 changes: 23 additions & 0 deletions deploy/charts/discovery-agent/values.yaml
@@ -3,6 +3,7 @@ config:
# The TSG (Tenant Service Group) ID to use when connecting to SCM.
# The production SCM server URL is derived from this value.
# Required unless config.serverURL is set. Mutually exclusive with config.serverURL.
# Must not be set when config.venafiConnection.enabled is true (the TSG ID is taken from the VenafiConnection's `spec.ngts` instead).
# +docs:property
# +docs:type=number,string
tsgID: ""
@@ -44,13 +45,15 @@ config:
# Deprecated: Client ID for the configured service account.
# The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName).
# This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart.
# Must not be set when config.venafiConnection.enabled is true.
# +docs:property
clientID: ""

# Deprecated: Client ID for the configured service account (alternative to clientID).
# The client ID should be provided in the "clientID" field of the authentication secret (see config.secretName).
# This field is provided for compatibility for users migrating from the "venafi-kubernetes-agent" chart.
# If both clientID and clientId are set, clientID takes precedence.
# Must not be set when config.venafiConnection.enabled is true.
# +docs:hidden
clientId: ""

@@ -59,16 +62,36 @@ config:
# - privatekey.pem: PEM-encoded private key for the service account
# The Secret should also contain the following key:
# - clientID: Service account client ID (config.clientID must be set if not present)
# Must not be set when config.venafiConnection.enabled is true (the credentials Secret is not mounted in that mode).
# +docs:property
secretName: discovery-agent-credentials

# Explicit SCM server URL (optional).
# If not set, the production SCM server URL is derived from config.tsgID.
# This value is intended for development purposes only and should not be set in production.
# Mutually exclusive with config.tsgID.
# Must not be set when config.venafiConnection.enabled is true.
# +docs:hidden
serverURL: ""

# When venafiConnection.enabled is true, the Discovery Agent authenticates to
# its upload backend using the referenced VenafiConnection resource instead
# of the NGTS built-in service account key pair. For the NGTS backend, the
# VenafiConnection's `spec.ngts` (with `tsgID` or `url`, and a `jwt` source)
# is used.
venafiConnection:
# When set to true, config.tsgID, config.serverURL, config.clientID and
# config.clientId must not be set (the chart will fail to render
# otherwise), and the Secret named by config.secretName will _not_ be
# mounted into the Discovery Agent Pod.
enabled: false
# The name of a VenafiConnection resource which contains the configuration
# for authenticating to the upload backend.
name: venafi-components
# The namespace of a VenafiConnection resource which contains the
# configuration for authenticating to the upload backend.
namespace: venafi

# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1

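Review bot: the three new keys under `venafiConnection` (enabled, name, namespace) lack the `# +docs:property` marker that every other documented key in this file carries (tsgID, clientID, secretName), and the deprecated clientId uses `# +docs:hidden`; if README.md and values.schema.json are generated from these comments, the missing markers are the probable reason the new README entries render without the blank line before the next heading. Also, the block comment above `venafiConnection:` is attached to the parent key and describes behaviour of `enabled`; consider folding it into the `enabled` comment so the generated description for `venafiConnection` itself does not repeat it.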