Skip to content

jetstack/jetstack-secure

BranchesTags

Repository files navigation

release-master Go Reference Go Report Card

Jetstack Secure

Jetstack Secure manages your machine identities across Cloud Native Kubernetes and OpenShift environments and builds a detailed view of the enterprise security posture.

This repo contains the open source in-cluster agent of Jetstack Secure, that sends data to the Jetstack Secure SaaS.

Wondering about Preflight? Preflight was the name for the project that was the foundation for the Jetstack Secure platform. It was a tool to perform configuration checks on a Kubernetes cluster using OPA's REGO policy. We decided to incorporate that functionality as part of the Jetstack Secure SaaS service, making this component a basic agent. You can find the old Preflight Check functionality in the git history ( tagged as preflight-local-check and you also check this documentation.

Installation

Please review the documentation for the agent before getting started.

The released container images are cryptographically signed by cosign, with SLSA provenance and a CycloneDX SBOM attached. For instructions on how to verify those signatures and attachments, refer to this guide.

Local Execution

To build and run a version from master:

go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1m0s

You can find the example agent file here.

You might also want to run a local echo server to monitor requests the agent sends:

go run main.go echo

Metrics

The Jetstack-Secure agent exposes its metrics through a Prometheus server, on port 8081. The Prometheus server is disabled by default but can be enabled by passing the --enable-metrics flag to the agent binary.

If you deploy the agent with Helm, using the venafi-kubernetes-agent Helm chart, the metrics server will be enabled by default, on port 8081. If you use the Prometheus Operator, you can use --set metrics.podmonitor.enabled=true to deploy a PodMonitor resource, which will add the venafi-kubernetes-agent metrics to your Prometheus server.

The following metrics are collected:

  • Go collector: via the default registry in Prometheus client_golang.
  • Process collector: via the default registry in Prometheus client_golang.
  • Agent metrics:
  • data_readings_upload_size: Data readings upload size (in bytes) sent by the jscp in-cluster agent.

Tiers, Images and Helm Charts

The Docker images are:

Image Access Tier Docs
quay.io/jetstack/preflight Public Tier 1 and 2 of Jetstack Secure
quay.io/jetstack/venafi-agent Public Not meant for users, used for mirroring
registry.venafi.cloud/venafi-agent/venafi-agent Public Tier 1 of Venafi TLS Protect for Kubernetes
private-registry.venafi.cloud/venafi-agent/venafi-agent Private Tier 2 of Venafi TLS Protect for Kubernetes Venafi Private Registry
private-registry.venafi.eu/venafi-agent/venafi-agent Private Tier 2 of Venafi TLS Protect for Kubernetes Venafi Private Registry

The Helm charts are:

Helm Chart Access Tier Documentation
oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent Private Tier 2 of Jetstack Secure Jetstack Enterprise Registry
oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent Private Tier 2 of Jetstack Secure Jetstack Enterprise Registry
oci://registry.venafi.cloud/charts/venafi-kubernetes-agent Public Tier 1 of Venafi TLS Protect for Kubernetes
oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent Private Tier 2 of Venafi TLS Protect for Kubernetes
oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent Private Tier 2 of Venafi TLS Protect for Kubernetes

Release Process

Note

Before starting, let Michael McLoughlin know that a release is about to be created.

The release process is semi-automated.

Step 1: Incrementing Versions And Git Tag

  1. Choose the next semver version number. This project has only ever incremented the "patch" number (never the "minor" number) regardless of the scope of the changes.
  2. Create a branch.
  3. Increment version numbers in the venafi-kubernetes-agent Helm chart. (the jetstack-secure Helm chart uses a different version scheme and is updated and released separately):
    1. Increment the version value in Chart.yaml. DO NOT use a v prefix. The v prefix breaks Helm OCI operations.
    2. Increment appVersion value in Chart.yaml. Use a v prefix, to match the Docker image tag.
    3. Increment the image.tag value in values.yaml. Use a v prefix.
    4. Commit the changes.
  4. Create a pull request and wait for it to be approved.
  5. Merge the branch.
  6. Go to the GitHub Releases page and click "Draft a New Release".
    • Click "Create a new tag" with the version number prefixed with v (e.g., v0.1.49).
    • Use the title "v0.1.49",
    • Click "Generate Release Notes"
    • Edit the release notes to make them readable to the end-user.
    • Click "Publish" (don't select "Draft")

Warning

Don't worry about the "signing" pipeline job failing. It hasn't be working for a while. It should be removed as we don't need the provenance steps anymore. We are now signing our image during the replication of the OCI images to Harbor using the Venafi keys.

Note

For context, the new tag will trigger the following:

Image Automation
quay.io/jetstack/preflight Built by GitHub Actions release-master
quay.io/jetstack/venafi-agent Built by GitHub Actions release-master
registry.venafi.cloud/venafi-agent/venafi-agent Mirrored by a GitLab cron job
private-registry.venafi.cloud/venafi-agent/venafi-agent Mirrored by a GitLab cron job
private-registry.venafi.eu/venafi-agent/venafi-agent Mirrored by a GitLab cron job

The above GitLab cron job is managed by David Barranco. It mirrors the image quay.io/jetstack/venafi-agent.

Step 2: Release the Helm Chart "venafi-kubernetes-agent"

The venafi-kubernetes-agent chart is released manually, as follows:

export VERSION=0.1.43
helm package deploy/charts/venafi-kubernetes-agent --version "${VERSION}"
helm push venafi-kubernetes-agent-${VERSION}.tgz oci://eu.gcr.io/jetstack-secure-enterprise/charts

ℹ️ To test the Helm chart before releasing it, use a pre-release suffix. E.g. export VERSION=0.1.43-alpha.0.

The chart will be mirrored to:

  • registry.venafi.cloud/charts/venafi-kubernetes-agent (Public)
  • private-registry.venafi.cloud/charts/venafi-kubernetes-agent (Private, US)
  • private-registry.venafi.eu/charts/venafi-kubernetes-agent (Private, EU)

Step 3: Release the Helm Chart "jetstack-secure"

The jetstack-agent chart has a different version number to the agent. This is because the first version of this chart was given version 0.1.0, while the app version at the time was 0.1.38. And this allows the chart to be updated and released more frequently than the Docker image if necessary. This chart is for Jetstack Secure.

  1. Create a branch
  2. Increment version numbers.
    1. Increment the version value in Chart.yaml. DO NOT use a v prefix. The v prefix breaks Helm OCI operations.
    2. Increment the appVersion value in Chart.yaml. Use a v prefix, to match the Docker image tag.
    3. Increment the image.tag value in values.yaml. Use a v prefix, to match the Docker image tag.
  3. Create a pull request and wait for it to be approved.
  4. Merge the branch
  5. Push a tag, using the format: chart-vX.Y.Z. This unique tag format is recognized by the private CI pipeline that builds and publishes the chart.

The chart will be published to the Jetstack Enterprise Registry by a private CI pipeline managed by Venafi.

Step 4: Document the release

Finally, inform Michael McLoughlin of the new release so he can update the documentation at https://docs.venafi.cloud/.

About

Open-source components of Jetstack Secure.

venafi.com/jetstack-consult/

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

252 stars

Watchers

24 watching

Forks

25 forks
Report repository

Releases 46

v0.1.49 Latest
Jul 11, 2024
+ 45 releases

Contributors 25

+ 11 contributors

Languages