{"id":18834009,"url":"https://github.com/jetstack/jetstack-secure","last_synced_at":"2025-05-16T12:10:49.660Z","repository":{"id":36964643,"uuid":"219985875","full_name":"jetstack/jetstack-secure","owner":"jetstack","description":"Open-source components of Jetstack Secure.","archived":false,"fork":false,"pushed_at":"2025-05-14T08:56:36.000Z","size":2385,"stargazers_count":257,"open_issues_count":19,"forks_count":25,"subscribers_count":24,"default_branch":"master","last_synced_at":"2025-05-14T09:50:51.289Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://venafi.com/jetstack-consult/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-11-06T11:55:36.000Z","updated_at":"2025-05-07T18:16:31.000Z","dependencies_parsed_at":"2023-10-11T18:45:50.006Z","dependency_job_id":"e4235d49-685b-4299-96cc-25358284a108","html_url":"https://github.com/jetstack/jetstack-secure","commit_stats":{"total_commits":649,"total_committers":38,"mean_commits":17.07894736842105,"dds":0.8258859784283513,"last_synced_commit":"eb3c30aff4b197412ee9529d48dd053029f769eb"},"previous_names":["jetstack/preflight"],"tags_count":76,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fjetstack-secure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fjetstack-secure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetsta
ck%2Fjetstack-secure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fjetstack-secure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_url":"https://codeload.github.com/jetstack/jetstack-secure/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254527099,"owners_count":22085919,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T02:06:13.689Z","updated_at":"2025-05-16T12:10:49.642Z","avatar_url":"https://github.com/jetstack.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"[![tests](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml/badge.svg?branch=master\u0026event=push)](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml)\n[![Go Reference](https://pkg.go.dev/badge/github.com/jetstack/jetstack-secure.svg)](https://pkg.go.dev/github.com/jetstack/jetstack-secure)\n[![Go Report Card](https://goreportcard.com/badge/github.com/jetstack/jetstack-secure)](https://goreportcard.com/report/github.com/jetstack/jetstack-secure)\n\n![Jetstack Secure](./docs/images/js.png)\n\n[Jetstack Secure](https://www.jetstack.io/jetstack-secure/) manages your machine identities across Cloud Native Kubernetes and OpenShift environments and builds a detailed view of the enterprise security posture.\n\nThis repo contains the open source in-cluster agent of Jetstack Secure, that sends data to the [Jetstack 
Secure\nSaaS](https://platform.jetstack.io).\n\n\u003e **Wondering about Preflight?** Preflight was the name for the project that was the foundation for the Jetstack Secure platform. It was a tool to perform configuration checks on a Kubernetes cluster using OPA's Rego policy language. We decided to incorporate that functionality as part of the Jetstack Secure SaaS service, making this component a basic agent. You can find the old Preflight Check functionality in the git history (tagged as `preflight-local-check`), and you can also check [this documentation](https://github.com/jetstack/jetstack-secure/blob/preflight-local-check/docs/check.md).\n\n## Installation\n\nPlease [review the documentation](https://platform.jetstack.io/documentation/installation/agent)\nfor the agent before getting started.\n\nThe released container images are cryptographically signed by\n[`cosign`](https://github.com/sigstore/cosign), with\n[SLSA provenance](https://slsa.dev/provenance/v0.2) and a\n[CycloneDX SBOM](https://cyclonedx.org/) attached. 
For instructions on how to\nverify those signatures and attachments, refer to\n[this guide](docs/guides/cosign).\n\n## Local Execution\n\nTo build and run a version from master:\n\n```bash\ngo run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1m0s\n```\n\nYou can find the example agent file\n[here](https://github.com/jetstack/preflight/blob/master/agent.yaml).\n\nYou might also want to run a local echo server to monitor requests the agent\nsends:\n\n```bash\ngo run main.go echo\n```\n\n## Metrics\n\nThe Jetstack-Secure agent exposes its metrics through a Prometheus server, on port 8081.\nThe Prometheus server is disabled by default but can be enabled by passing the `--enable-metrics` flag to the agent binary.\n\nIf you deploy the agent with Helm, using the venafi-kubernetes-agent Helm chart, the metrics server will be enabled by default, on port 8081.\nIf you use the Prometheus Operator, you can use `--set metrics.podmonitor.enabled=true` to deploy a `PodMonitor` resource,\nwhich will add the venafi-kubernetes-agent metrics to your Prometheus server.\n\nThe following metrics are collected:\n\n- Go collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus client_golang.\n- Process collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus client_golang.\n- Agent metrics:\n- `data_readings_upload_size`: Data readings upload size (in bytes) sent by the jscp in-cluster agent.\n\n## Tiers, Images and Helm Charts\n\nThe Docker images are:\n\n| Image                                                     | Access  | Tier                                        | Docs                        |\n| --------------------------------------------------------- | ------- | ------------------------------------------- | 
--------------------------- |\n| `quay.io/jetstack/preflight`                              | Public  | Tier 1 and 2 of Jetstack Secure             |                             |\n| `quay.io/jetstack/venafi-agent`                           | Public  | Not meant for users, used for mirroring     |                             |\n| `registry.venafi.cloud/venafi-agent/venafi-agent`         | Public  | Tier 1 of Venafi TLS Protect for Kubernetes |                             |\n| `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] |\n| `private-registry.venafi.eu/venafi-agent/venafi-agent`    | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] |\n\n[Jetstack Enterprise Registry]: https://platform.jetstack.io/documentation/installation/agent#1-obtain-oci-registry-credentials/\n[Venafi Private Registry]: https://docs.venafi.cloud/vaas/k8s-components/th-guide-confg-access-to-tlspk-enterprise-components/\n\nThe Helm charts are:\n\n| Helm Chart                                                                  | Access  | Tier                                        | Access Documentation             |\n| --------------------------------------------------------------------------- | ------- | ------------------------------------------- | -------------------------------- |\n| `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent`          | Private | Tier 2 of Jetstack Secure                   | [Jetstack Enterprise Registry][] |\n| `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent`          | Private | Tier 2 of Jetstack Secure                   | [Jetstack Enterprise Registry][] |\n| `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`                     | Public  | Not meant for users, used for mirroring     |                                  |\n| `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` 
| Private | Not meant for users, used for mirroring     |                                  |\n| `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Private | Not meant for users, used for mirroring     |                                  |\n| `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent`                | Public  | Tier 1 of Venafi TLS Protect for Kubernetes |                                  |\n| `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent`        | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][]      |\n| `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent`           | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][]      |\n\n## Release Process\n\n\u003e [!NOTE]\n\u003e Before starting, let Michael McLoughlin know that a release is about to be created.\n\nThe release process is semi-automated.\n\n### Step 1: Git Tag and GitHub Release\n\n\u003e [!NOTE]\n\u003e\n\u003e Upon pushing the tag, a GitHub Action will do the following:\n\u003e - Build and publish the container image at `quay.io/jetstack/venafi-agent`,\n\u003e - Build and publish the Helm chart at `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`,\n\u003e - Create a draft GitHub release,\n\u003e - Upload the Helm chart tarball to the GitHub release.\n\n1. Open the [tests GitHub Actions workflow][tests-workflow]\n   and verify that it succeeds on the master branch.\n2. Run govulncheck:\n   ```bash\n   go install golang.org/x/vuln/cmd/govulncheck@latest\n   govulncheck -v ./...\n   ```\n3. Create a tag for the new release:\n   ```sh\n   export VERSION=v1.1.0\n   git tag --annotate --message=\"Release ${VERSION}\" \"${VERSION}\"\n   git push origin \"${VERSION}\"\n   ```\n4. Wait until the GitHub Actions finishes.\n5. Navigate to the GitHub Releases page and select the draft release to edit.\n   1. 
Click on “Generate release notes” to automatically compile the changelog.\n   2. Review and refine the generated notes to ensure they’re clear and useful\n      for end users.\n   3. Remove any irrelevant entries, such as “update deps,” “update CI,” “update\n      docs,” or similar internal changes that do not impact user functionality.\n6. Publish the release.\n7. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been\n   released. Make sure to share any breaking change that may affect `venctl connect`\n   or `venctl generate`.\n8. Inform Michael McLoughlin of the new release so he can update the\n   documentation at \u003chttps://docs.venafi.cloud/\u003e.\n\n[tests-workflow]: https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml?query=branch%3Amaster\n\n\u003e [!NOTE]\n\u003e\n\u003e For context, the new tag will create the following images:\n\u003e\n\u003e | Image                                                     | Automation                                                                                                                                                                                              |\n\u003e | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n\u003e | `quay.io/jetstack/preflight`                              | No longer built. Use `quay.io/jetstack/venafi-agent` instead.                                                                                                                                           
|\n\u003e | `quay.io/jetstack/venafi-agent`                           | Automatically built by GitHub Actions [release-master](.github/workflows/release-master.yml) on Git tags                                                                                                |\n\u003e | `registry.venafi.cloud/venafi-agent/venafi-agent`         | Automatically mirrored by Harbor Replication rule [public-img-and-chart-replication.tf][] that runs every 30 minutes, all image tags containing `X.X.X` are replicated, including e.g. `1.0.0-alpha.0`  |\n\u003e | `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. `1.0.0-alpha.0` |\n\u003e | `private-registry.venafi.eu/venafi-agent/venafi-agent`    | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. 
`1.0.0-alpha.0` |\n\u003e\n\u003e and the following OCI Helm charts:\n\u003e\n\u003e | Helm Chart                                                                  | Automation                                                                                                                                                                                               |\n\u003e | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n\u003e | `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent`          | Manually triggered, GitHub Actions workflow [release_venafi-agent_chart.yaml][]                                                                                                                          |\n\u003e | `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent`          | Manually triggered, GitHub Actions workflow [release_venafi-agent_chart.yaml][]                                                                                                                          |\n\u003e | `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`                     | Automatically built by GitHub Actions [release-master](.github/workflows/release-master.yml) on Git tags[]                                                                                               |\n\u003e | `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release_enterprise_builds.yaml][]                                                                                                                              |\n\u003e | `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release_enterprise_builds.yaml][]                    
                                                                                                          |\n\u003e | `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent`                | Automatically mirrored by Harbor Replication rule [public-img-and-chart-replication.tf][] that runs every 30 minutes, all image tags containing `X.X.X` are replicated, including e.g. `v1.0.0-alpha.0`  |\n\u003e | `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent`        | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. `v1.0.0-alpha.0` |\n\u003e | `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent`           | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. `v1.0.0-alpha.0` |\n\u003e\n\u003e Here is replication flow for OCI Helm charts:\n\u003e\n\u003e ```text\n\u003e v1.1.0 (Git tag in the jetstack-secure repo)\n\u003e  └── oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.1.0 (GitHub Actions in the jetstack-secure repo)\n\u003e     ├── oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions)\n\u003e     └── oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions)\n\u003e         ├── oci://registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication)\n\u003e         └── oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication)\n\u003e         └── oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication)\n\u003e ```\n\u003e\n\u003e And the replication flow for Docker images:\n\u003e\n\u003e ```text\n\u003e v1.1.0 (Git tag in the 
jetstack-secure repo)\n\u003e  └── quay.io/jetstack/venafi-agent:v1.1.0 (GitHub Actions in the jetstack-secure repo)\n\u003e      ├── us.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions)\n\u003e      └── eu.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions)\n\u003e          ├── registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication)\n\u003e          ├── private-registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication)\n\u003e          └── private-registry.venafi.eu/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication)\n\u003e ```\n\n[public-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/public-registry/module/subsystems/tlspk/replication.tf\n[private-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/private-registry/module/subsystems/tlspk/replication.tf\n[release_venafi-agent_chart.yaml]: https://github.com/jetstack/enterprise-builds/blob/main/.github/workflows/release_venafi-agent_chart.yaml\n[release_enterprise_builds.yaml]: https://github.com/jetstack/enterprise-builds/actions/workflows/release_enterprise_builds.yaml\n\n### Step 2: Test the Helm chart \"venafi-kubernetes-agent\" with venctl connect\n\nNOTE(mael): TBD\n\n### (Optional) Step 3: Release the Helm Chart \"jetstack-secure\"\n\nThis step is performed by Peter Fiddes and Adrian Lai separately from the main\nrelease process.\n\nThe `jetstack-secure` chart is for [Jetstack\nSecure](https://platform.jetstack.io/documentation/installation/agent#jetstack-agent-helm-chart-installation).\nIt is composed of two OCI Helm charts:\n\n- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent`\n- `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent`\n\n\u003e [!NOTE]\n\u003e\n\u003e The 
[jetstack-agent](deploy/charts/jetstack-agent/README.md) chart has a\n\u003e different version number to the agent. This is because the first version of\n\u003e _this_ chart was given version `0.1.0`, while the app version at the time was\n\u003e `0.1.38`. This also allows the chart to be updated and released more frequently\n\u003e than the Docker image if necessary.\n\nThe process is as follows:\n\n1. Create a branch.\n2. Increment version numbers.\n   1. Increment the `version` value in [Chart.yaml](deploy/charts/jetstack-agent/Chart.yaml).\n      DO NOT use a `v` prefix.\n      The `v` prefix [breaks Helm OCI operations](https://github.com/helm/helm/issues/11107).\n   2. Increment the `appVersion` value in [Chart.yaml](deploy/charts/jetstack-agent/Chart.yaml).\n      Use a `v` prefix, to match the Docker image tag.\n   3. Increment the `image.tag` value in [values.yaml](deploy/charts/jetstack-agent/values.yaml).\n      Use a `v` prefix, to match the Docker image tag.\n   4. Update the Helm unit test snapshots:\n      ```sh\n      helm unittest ./deploy/charts/jetstack-agent --update-snapshot\n      ```\n3. Create a pull request and wait for it to be approved.\n4. Merge the branch.\n5. Manually trigger the Helm Chart workflow:\n   [release_js-agent_chart.yaml](https://github.com/jetstack/enterprise-builds/actions/workflows/release_js-agent_chart.yaml).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fjetstack-secure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fjetstack-secure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fjetstack-secure/lists"}