[VC-36032] Log the client-id when VenafiCloudKeypair authentication is used

[wallrj]

In #549 @hawksight wrote:

...we are missing one important piece [of logged information] when connecting to TLSPK on VCP, the client-id

I've added client-id to the log messages when the configuration resolver selects Venafi Cloud Authentication.

But in the interests of reducing the overwhelming quantity of log messages, I've also changed that log message to only be shown at debug log level --log-level=1.

I've also associated this PR with [VC-36032] AGENT: Enhanced troubleshooting through improved logging.

Testing

$ go run ./ agent --install-namespace default --private-key-path /dev/null --client-id foo --agent-config-file examples/cert-manager-agent.yaml  --output-path /dev/null -v1
I1120 15:50:50.273235  185320 run.go:59] "Starting" logger="Run" version="development" commit=""
I1120 15:50:50.280681  185320 config.go:410] "Authentication mode" logger="Run" clientID="foo" privateKeyPath="/dev/null" mode="Venafi Cloud Key Pair Service Account" reason="--client-id and --private-key-path were specified"
I1120 15:50:50.280752  185320 config.go:428] "Using deprecated Endpoint configuration. User Server instead." logger="Run"
E1120 15:50:50.280799  185320 root.go:53] "Exiting due to error" err=<
        While evaluating configuration: 2 errors occurred:
                * the venafi-cloud.upload_path field is required when using the Venafi Cloud Key Pair Service Account mode
                * period must be set using --period or -p, or using the 'period' field in the config file

 > exit-code=1
exit status 1

$ go test -v ./pkg/agent/... -run  Test_ValidateAndCombineConfig | grep "Authentication mode"
    config.go:410: I1120 15:54:40.370580] Authentication mode mode="Jetstack Secure OAuth" reason="--credentials-file was specified without --venafi-cloud"
    config.go:410: I1120 15:54:40.415486] Authentication mode venConnName="venafi-components" mode="Venafi Cloud VenafiConnection" reason="--venafi-connection was specified"

[wallrj]

I changed this to a Debug log, so it will not be shown by default. Why? Because I thought it might be desirable to keep the logs as quiet as possible by default, while allowing these details to be logged in the case of problems.

I'm also not sure if the client-id is sensitive information...is there any risk in logging it?

[maelvls]

The client ID is just like a username I think. The difference being that it isn't a personal information (this GRPD course I had the other day made me start worrying about these things 😁). So I'd say that there is no problem displaying the client ID.

[hawksight]

The changes look good, and thank you for taking into account the log volume.
That said, it is only 1 log line and would only write once at startup, so perhaps it could just be an info level log? I'm not too fusses, just a suggestion :)

What is that default --log-level set to? Or is it not set on deployment?

I am just trying to think how a user would enable this, either directly through helm or venctl.

[wallrj]

What is that default --log-level set to? Or is it not set on deployment?
I am just trying to think how a user would enable this, either directly through helm or venctl.

I added some notes to the Helm chart values and README in #627

jetstack-secure/deploy/charts/venafi-kubernetes-agent/values.yaml

Lines 148 to 159 in 98afe3b

	# Specify additional arguments to pass to the agent binary.
	# For example, to enable JSON logging use `--logging-format`, or
	# to increase the logging verbosity use `--log-level`.
	# The log levels are: 0=Info, 1=Debug, 2=Trace.
	# Use 6-9 for increasingly verbose HTTP request logging.
	# The default log level is 0.
	#
	# Example:
	# extraArgs:
	# - --logging-format=json
	# - --log-level=6 # To enable HTTP request logging
	extraArgs: []

Those updated values will eventually find there way into the the docs at:

• https://docs.venafi.cloud/vaas/k8s-components/c-vka-helmvalues/#extraargs