Skip to content

VC-52159: add certOwnership Helm flag to discovery-agent chart#794

Merged
SgtCoDFish merged 1 commit intomasterfrom
VC-52159-ngts-cert-ownership-agent
Apr 23, 2026
Merged

VC-52159: add certOwnership Helm flag to discovery-agent chart#794
SgtCoDFish merged 1 commit intomasterfrom
VC-52159-ngts-cert-ownership-agent

Conversation

@George-Yanev
Copy link
Copy Markdown

Add a certOwnership configuration field that flows from Helm values to the upload URL query parameter (?certOwnership=unassigned). When set, the TLSPK backend stores cert_ownership_mode='unassigned' on the cluster and leaves discovered certificates with NULL sub_tsg_id (claimable by any sub-TSG) rather than stamping them with the cluster's sub-TSG ID.

Changes:

  • pkg/client/client.go: CertOwnership field on Options struct
  • pkg/client/client_ngts.go: include ?certOwnership= in upload URL when set
  • pkg/agent/config.go: CertOwnership in Config and CombinedConfig
  • pkg/agent/run.go: pass CertOwnership through to PostDataReadingsWithOptions
  • deploy/charts/discovery-agent/values.yaml: certOwnership optional field
  • deploy/charts/discovery-agent/templates/configmap.yaml: render cert_ownership
  • deploy/charts/discovery-agent/values.schema.json: schema entry for new field
  • Tests: client_ngts_test and config_test verify the field flows end-to-end

Local replace directive added for venafi-connection-lib (private GitHub repo requires SAML SSO — points to local clone at development time).

Comment thread pkg/client/client_ngts_test.go Outdated
ClusterName: "test-cluster",
CertOwnership: "unassigned",
}
err = client.PostDataReadingsWithOptions(context.Background(), readings, optsUnassigned)
Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: t.Context() over context.Background()

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Comment thread pkg/agent/config.go Outdated
Comment on lines +427 to +428
// "unassigned" = certs stored with NULL sub_tsg_id, claimable by any sub-TSG.
// Empty (default) = TSG_OWNED: certs inherit the cluster's sub-TSG ID.
Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: are we expecting this to gain more values in the future? seems like it could be simpler as a boolean?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved to boolean, change the name to reflect more cleanly what it does. fix the comments

@George-Yanev George-Yanev force-pushed the VC-52159-ngts-cert-ownership-agent branch 4 times, most recently from 12e3a20 to 9d58853 Compare April 23, 2026 11:50
Add a certOwnership configuration field that flows from Helm values to
the upload URL query parameter (?certOwnership=unassigned). When set,
the TLSPK backend stores cert_ownership_mode='unassigned' on the cluster
and leaves discovered certificates with NULL sub_tsg_id (claimable by
any sub-TSG) rather than stamping them with the cluster's sub-TSG ID.

Changes:
- pkg/client/client.go: CertOwnership field on Options struct
- pkg/client/client_ngts.go: include ?certOwnership= in upload URL when set
- pkg/agent/config.go: CertOwnership in Config and CombinedConfig
- pkg/agent/run.go: pass CertOwnership through to PostDataReadingsWithOptions
- deploy/charts/discovery-agent/values.yaml: certOwnership optional field
- deploy/charts/discovery-agent/templates/configmap.yaml: render cert_ownership
- deploy/charts/discovery-agent/values.schema.json: schema entry for new field
- Tests: client_ngts_test and config_test verify the field flows end-to-end

Local replace directive added for venafi-connection-lib (private GitHub repo
requires SAML SSO — points to local clone at development time).
@George-Yanev George-Yanev force-pushed the VC-52159-ngts-cert-ownership-agent branch from 9d58853 to 22cbdf7 Compare April 23, 2026 11:55
Copy link
Copy Markdown
Contributor

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

I'm not 100% sure about the name "claimableCerts" - I think there might be a more descriptive name for that, but I can't think of a better one. But I don't think it's worth blocking over, and if we ship that name it's not the end of the world.

Thanks for this!

@SgtCoDFish SgtCoDFish merged commit 380d4fd into master Apr 23, 2026
5 checks passed
@SgtCoDFish SgtCoDFish deleted the VC-52159-ngts-cert-ownership-agent branch April 23, 2026 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants