Jetstack Secure manages your machine identities across Cloud Native Kubernetes and OpenShift environments and builds a detailed view of the enterprise security posture.
This repo contains the open source in-cluster agent of Jetstack Secure, that sends data to the Jetstack Secure SaaS.
Wondering about Preflight? Preflight was the name of the project that formed the foundation of the Jetstack Secure platform. It was a tool that performed configuration checks on a Kubernetes cluster using OPA's Rego policy language. That functionality was incorporated into the Jetstack Secure SaaS service, making this component a basic agent. You can find the old Preflight check functionality in the git history (tagged as `preflight-local-check`), and you can also check this documentation.
Please review the documentation for the agent before getting started.
The released container images are cryptographically signed by cosign, with SLSA provenance and a CycloneDX SBOM attached. For instructions on how to verify those signatures and attachments, refer to this guide.
To build and run a version from master:

```shell
go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1m0s
```
You can find the example agent file here.
You might also want to run a local echo server to monitor the requests the agent sends:

```shell
go run main.go echo
```
The Jetstack Secure agent exposes its metrics through a Prometheus server on port 8081. The Prometheus server is disabled by default but can be enabled by passing the `--enable-metrics` flag to the agent binary.
If you deploy the agent with Helm, using the venafi-kubernetes-agent Helm chart, the metrics server is enabled by default, on port 8081. If you use the Prometheus Operator, you can use `--set metrics.podmonitor.enabled=true` to deploy a PodMonitor resource, which adds the venafi-kubernetes-agent metrics to your Prometheus server.
The following metrics are collected:
- Go collector: via the default registry in Prometheus client_golang.
- Process collector: via the default registry in Prometheus client_golang.
- Agent metrics:
  - `data_readings_upload_size`: Data readings upload size (in bytes) sent by the jscp in-cluster agent.
The Docker images are:

Image | Access | Tier | Docs |
---|---|---|---|
quay.io/jetstack/preflight | Public | Tier 1 and 2 of Jetstack Secure | |
quay.io/jetstack/venafi-agent | Public | Not meant for users, used for mirroring | |
registry.venafi.cloud/venafi-agent/venafi-agent | Public | Tier 1 of Venafi TLS Protect for Kubernetes | |
private-registry.venafi.cloud/venafi-agent/venafi-agent | Private | Tier 2 of Venafi TLS Protect for Kubernetes | Venafi Private Registry |
private-registry.venafi.eu/venafi-agent/venafi-agent | Private | Tier 2 of Venafi TLS Protect for Kubernetes | Venafi Private Registry |
The Helm charts are:

Helm Chart | Access | Tier | Access Documentation |
---|---|---|---|
oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent | Private | Tier 2 of Jetstack Secure | Jetstack Enterprise Registry |
oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent | Private | Tier 2 of Jetstack Secure | Jetstack Enterprise Registry |
oci://quay.io/jetstack/charts/venafi-kubernetes-agent | Public | Not meant for users, used for mirroring | |
oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent | Private | Not meant for users, used for mirroring | |
oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent | Private | Not meant for users, used for mirroring | |
oci://registry.venafi.cloud/charts/venafi-kubernetes-agent | Public | Tier 1 of Venafi TLS Protect for Kubernetes | |
oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent | Private | Tier 2 of Venafi TLS Protect for Kubernetes | Venafi Private Registry |
oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent | Private | Tier 2 of Venafi TLS Protect for Kubernetes | Venafi Private Registry |
Note: Before starting, let Michael McLoughlin know that a release is about to be created.

The release process is semi-automated.

- Go to the GitHub Releases page and click "Draft a New Release".
- Click "Create a new tag" with the version number prefixed with `v` (e.g., `v1.1.0`).
- Use the title "v1.1.0".
- Click "Generate Release Notes".
- Edit the release notes to make them readable to the end user.
- Click "Publish" (don't select "Draft").
- Inform Michael McLoughlin of the new release so he can update the documentation at https://docs.venafi.cloud/.
Note: For context, the new tag will create the following images:

Image | Automation |
---|---|
quay.io/jetstack/preflight | No longer built. Use quay.io/jetstack/venafi-agent instead. |
quay.io/jetstack/venafi-agent | Automatically built by the GitHub Actions workflow release-master on Git tags |
registry.venafi.cloud/venafi-agent/venafi-agent | Automatically mirrored by the Harbor Replication rule public-img-and-chart-replication.tf, which runs every 30 minutes; all image tags containing X.X.X are replicated, including e.g. 1.0.0-alpha.0 |
private-registry.venafi.cloud/venafi-agent/venafi-agent | Automatically mirrored by the Harbor Replication rule private-img-and-chart-replication.tf, which runs every 10 minutes; all image tags containing X.X.X are replicated, including e.g. 1.0.0-alpha.0 |
private-registry.venafi.eu/venafi-agent/venafi-agent | Automatically mirrored by the Harbor Replication rule private-img-and-chart-replication.tf, which runs every 10 minutes; all image tags containing X.X.X are replicated, including e.g. 1.0.0-alpha.0 |
and the following OCI Helm charts:

Helm Chart | Automation |
---|---|
oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent | Manually triggered, GitHub Actions workflow release_venafi-agent_chart.yaml |
oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent | Manually triggered, GitHub Actions workflow release_venafi-agent_chart.yaml |
oci://quay.io/jetstack/charts/venafi-kubernetes-agent | Automatically built by the GitHub Actions workflow release-master on Git tags |
oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent | Manually triggered, GitHub Actions workflow release_js-agent_chart.yaml |
oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent | Manually triggered, GitHub Actions workflow release_js-agent_chart.yaml |
oci://registry.venafi.cloud/charts/venafi-kubernetes-agent | Automatically mirrored by the Harbor Replication rule public-img-and-chart-replication.tf, which runs every 30 minutes; all image tags containing X.X.X are replicated, including e.g. v1.0.0-alpha.0 |
oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent | Automatically mirrored by the Harbor Replication rule private-img-and-chart-replication.tf, which runs every 10 minutes; all image tags containing X.X.X are replicated, including e.g. v1.0.0-alpha.0 |
oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent | Automatically mirrored by the Harbor Replication rule private-img-and-chart-replication.tf, which runs every 10 minutes; all image tags containing X.X.X are replicated, including e.g. v1.0.0-alpha.0 |
Here is the replication flow for OCI Helm charts:

```text
v1.1.0 (Git tag in the jetstack-secure repo)
└── oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.1.0 (GitHub Actions in the jetstack-secure repo)
    ├── oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions)
    └── oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions)
        ├── oci://registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication)
        └── oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication)
            └── oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication)
```
And the replication flow for Docker images:

```text
v1.1.0 (Git tag in the jetstack-secure repo)
└── quay.io/jetstack/venafi-agent:v1.1.0 (GitHub Actions in the jetstack-secure repo)
    ├── us.gcr.io/jetstack-secure-enterprise/venafi-agent (Enterprise Builds's GitHub Actions)
    └── eu.gcr.io/jetstack-secure-enterprise/venafi-agent (Enterprise Builds's GitHub Actions)
        ├── registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication)
        ├── private-registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication)
        └── private-registry.venafi.eu/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication)
```
NOTE(mael): TBD
This step is performed by Peter Fiddes and Adrian Lai separately from the main release process. Run the Helm chart workflow `release_js-agent_chart.yaml`.

The jetstack-agent chart has a different version number from the agent. This is because the first version of this chart was given version `0.1.0`, while the app version at the time was `0.1.38`. It also allows the chart to be updated and released more frequently than the Docker image if necessary.

This chart is for Jetstack Secure.
- Create a branch.
- Increment version numbers:
  - Increment the `version` value in Chart.yaml. DO NOT use a `v` prefix: the `v` prefix breaks Helm OCI operations.
  - Increment the `appVersion` value in Chart.yaml. Use a `v` prefix, to match the Docker image tag.
  - Increment the `image.tag` value in values.yaml. Use a `v` prefix, to match the Docker image tag.
  - Update the Helm unit test snapshots:

    ```shell
    helm unittest ./deploy/charts/jetstack-agent --update-snapshot
    ```

- Create a pull request and wait for it to be approved.
- Merge the branch.
- Push a tag using the format `chart-vX.Y.Z`. This unique tag format is recognized by the private CI pipeline that builds and publishes the chart.

The chart will be published to the Jetstack Enterprise Registry by a private CI pipeline managed by Venafi.
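A pre-release check for the version rules in the chart procedure above (plain `version`, `v`-prefixed `appVersion` matching `image.tag`, the `chart-vX.Y.Z` tag), plus the "tags containing X.X.X" filter the Harbor replication tables describe. This is an added example, not code from the jetstack-secure repo; the Chart.yaml and values.yaml contents are constructed samples and the tiny YAML parser is a stand-in for a real one, kept dependency-free.

```python
import re

# Constructed sample files (not the repo's real Chart.yaml / values.yaml).
CHART_YAML = "name: jetstack-agent\nversion: 0.2.0\nappVersion: v0.1.40\n"
VALUES_YAML = "image:\n  repository: quay.io/jetstack/venafi-agent\n  tag: v0.1.40\n"

SEMVER = r"\d+\.\d+\.\d+"  # the X.X.X shape the Harbor replication rules match on


def load_flat_yaml(text):
    """Minimal parser for the two-level 'key: value' YAML used here (no PyYAML).
    Nested keys come back flattened to dotted names, e.g. image.tag."""
    out, prefix = {}, ""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        if line.startswith(" "):                     # child of the last bare key
            out[prefix + key.strip()] = value.strip()
        elif value.strip() == "":                    # bare key opens a nested block
            prefix = key.strip() + "."
        else:
            prefix, out[key.strip()] = "", value.strip()
    return out


def check_chart_release(chart, values):
    """Return the rule violations for a jetstack-agent chart release ([] means OK)."""
    version, app = chart.get("version", ""), chart.get("appVersion", "")
    tag = values.get("image.tag", "")
    problems = []
    if not re.fullmatch(SEMVER, version):
        problems.append(f"version {version!r} must be plain X.Y.Z: a v prefix breaks Helm OCI")
    if not re.fullmatch("v" + SEMVER, app):
        problems.append(f"appVersion {app!r} needs a v prefix to match the image tag")
    if app != tag:
        problems.append(f"appVersion {app!r} does not match image.tag {tag!r}")
    return problems


def chart_git_tag(chart):
    """The tag the private CI pipeline recognises for a chart release: chart-vX.Y.Z."""
    return "chart-v" + chart["version"]


def harbor_replicates(tag):
    """Harbor rules replicate any tag containing X.X.X, prereleases such as v1.0.0-alpha.0 included."""
    return re.search(SEMVER, tag) is not None
```

Run it as `check_chart_release(load_flat_yaml(CHART_YAML), load_flat_yaml(VALUES_YAML))` before pushing the `chart-vX.Y.Z` tag; an empty list means the three files agree.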