feat(imagescan): Add installation through cp node command

Signed-off-by: Paveen Kumar <paveenkumar@accuknox.com>

Author: PaveenV

cmd/imagescan.go

@@ -6,6 +6,9 @@ import (
 	"strings"
 
 	"github.com/accuknox/accuknox-cli-v2/pkg/imagescan"
+	"github.com/accuknox/kmux"
+	"github.com/accuknox/kmux/config"
+	"github.com/accuknox/kmux/security"
 	kubesheildScanner "github.com/accuknox/kubeshield/pkg/scanner/scan"
 	"github.com/spf13/cobra"
 )
@@ -20,6 +23,11 @@ var (
 	imagesOnly                  bool
 	cfg                         = kubesheildScanner.ScanConfig{}
 	defaultArtifactEndpointPath = "/api/v1/artifact/"
+
+	// systemd config
+	kmuxConfigPath        string
+	defaultKmuxconfigPath = "/opt/kubeshield-service/kmux-config.yaml"
+	spireSockPath         = "unix:///var/run/spire/agent.sock"
 )
 
 var imageScanCmd = &cobra.Command{
@@ -60,8 +68,27 @@ and sends back the result to saas
 		_ = os.Setenv("TRIVY_DB_REPOSITORY", vulnerabilityDB)
 		_ = os.Setenv("TRIVY_JAVA_DB_REPOSITORY", javaDB)
 
+		// Init kmux for both cp and worker node
+		if imagescan.NodeType != "" {
+			if err := kmux.Init(&config.Options{
+				LocalConfigFile: kmuxConfigPath,
+			}); err != nil {
+				return err
+			}
+		}
+
+		// Only for control plane, we are connecting to spire for pushing
+		// the messages to knoxgateway
+		if imagescan.NodeType == "cp" {
+			if err := initSpire(spireSockPath); err != nil {
+				return err
+			}
+
+		}
+
 		cfg.ArtifactConfig.ArtifactAPI += artifactEndpointPath
 		return imagescan.DiscoverAndScan(cfg, HOST_NAME, RUN_TIME, !allContainers, imagesOnly)
+
 	},
 }
 
@@ -85,8 +112,32 @@ func init() {
 	imageScanCmd.Flags().StringVarP(&vulnerabilityDB, "db-repository", "", "", "OCI repository to retrieve vulnerability db")
 	imageScanCmd.Flags().StringVarP(&javaDB, "java-db-repository", "", "", "OCI repository to retrieve java db")
 
+	// ImageScanning configurations for systemd mode
+	// TODO: Add validation for either knoxgateway or rmq
+	imageScanCmd.Flags().StringVar(&imagescan.FlushTo, "flush-to", "", "flushes the data to the specified service")
+	imageScanCmd.Flags().StringVar(&kmuxConfigPath, "kmux-config", defaultKmuxconfigPath, "kmux config path")
+	imageScanCmd.Flags().StringVar(&imagescan.NodeType, "node-type", "", "specify the type of node (CP/Worker)")
+	imageScanCmd.Flags().StringVar(&spireSockPath, "spire-sock", spireSockPath, "spire socket path")
+	imageScanCmd.Flags().StringVar(&imagescan.CreateRegistryURL, "create-registry-url", "", "create registry url")
+
 	// Required Flags Validation
 	imageScanCmd.MarkFlagsOneRequired("artifactEndpoint", "token", "label")
 	imageScanCmd.MarkFlagsRequiredTogether("artifactEndpoint", "token", "label")
+
+	// For intenral purpose hide the flags
+	imageScanCmd.Flags().MarkHidden("flush-to")
+	imageScanCmd.Flags().MarkHidden("kmux-config")
+	imageScanCmd.Flags().MarkHidden("node-type")
+	imageScanCmd.Flags().MarkHidden("create-registry-url")
+
 	rootCmd.AddCommand(imageScanCmd)
 }
+
+func initSpire(sockPath string) error {
+	spireSecurity, err := security.NewSecurity("")
+	if err != nil {
+		return err
+	}
+
+	return spireSecurity.Connect(sockPath)
+}

cmd/onboard-vm-cp-node.go

@@ -54,8 +54,7 @@ var (
 
 	enableHostPolicyDiscovery bool
 	enableHardeningAgent      bool
-
-	proxy onboard.Proxy
+	proxy                     onboard.Proxy
 )
 
 // cpNodeCmd represents the init command
@@ -130,7 +129,9 @@ var cpNodeCmd = &cobra.Command{
 			peaImage, feederImage, rmqImage, sumEngineImage, hardeningAgentImage, spireAgentImage, waitForItImage, discoverImage, nodeAddr, dryRun,
 			false, deployRMQ, imagePullPolicy, visibility, hostVisibility, sumEngineVisibility, audit, block, hostAudit, hostBlock,
 			alertThrottling, maxAlertPerSec, throttleSec,
-			cidr, secureContainers, skipBTF, systemMonitorPath, rmqAddress, deploySumEngine, registry, registryConfigPath, insecure, plainHTTP, preserveUpstream, topicPrefix, rmqConnectionName, sumEngineCronTime, tls, enableHostPolicyDiscovery, splunk, nodeStateRefreshTime, spireEnabled, spireCert, logRotate, parallel, enableHardeningAgent, releaseFile, proxy, deployDiscovery)
+			cidr, secureContainers, skipBTF, systemMonitorPath, rmqAddress, deploySumEngine, registry, registryConfigPath, insecure, plainHTTP,
+			preserveUpstream, topicPrefix, rmqConnectionName, sumEngineCronTime, tls, enableHostPolicyDiscovery, splunk, nodeStateRefreshTime,
+			spireEnabled, spireCert, logRotate, parallel, enableHardeningAgent, releaseFile, proxy, deployDiscovery, deploykubeshield, label, authToken, schedule)
 		if err != nil {
 			errConfig := onboard.DumpConfig(vmConfig, configDumpPath)
 			if errConfig != nil {
@@ -183,6 +184,7 @@ var cpNodeCmd = &cobra.Command{
 			logger.Error("vm mode: %s invalid, accepted values (docker/systemd)", vmMode)
 			return err
 		}
+
 		if enableVMScan {
 			err := vmConfig.InitRRAConfig(authToken, url, tenantID, clusterID, clusterName, label, schedule, profile, benchmark, registry, registryConfigPath, insecure, plainHTTP, rraImage, rraTag, releaseVersion, preserveUpstream, true, spireAgentImage, spireHost, spireDir, knoxGateway)
 			if err != nil {

cmd/onboard-vm-node.go

@@ -108,7 +108,9 @@ var joinNodeCmd = &cobra.Command{
 			peaImage, feederImage, rmqImage, sumEngineImage, hardeningAgentImage, spireAgentImage, waitForItImage, discoverImage, nodeAddr, dryRun,
 			true, deployRMQ, imagePullPolicy, visibility, hostVisibility, sumEngineVisibility, audit, block, hostAudit, hostBlock,
 			alertThrottling, maxAlertPerSec, throttleSec,
-			cidr, secureContainers, skipBTF, systemMonitorPath, rmqAddress, deploySumEngine, registry, registryConfigPath, insecure, plainHTTP, preserveUpstream, topicPrefix, rmqConnectionName, sumEngineCronTime, tls, enableHostPolicyDiscovery, splunk, nodeStateRefreshTime, spireEnabled, spireCert, logRotate, parallel, enableHardeningAgent, releaseFile, proxy, deployDiscovery)
+			cidr, secureContainers, skipBTF, systemMonitorPath, rmqAddress, deploySumEngine, registry, registryConfigPath, insecure, plainHTTP,
+			preserveUpstream, topicPrefix, rmqConnectionName, sumEngineCronTime, tls, enableHostPolicyDiscovery, splunk, nodeStateRefreshTime,
+			spireEnabled, spireCert, logRotate, parallel, enableHardeningAgent, releaseFile, proxy, deployDiscovery, deploykubeshield, label, authToken, schedule)
 		if err != nil {
 			errConfig := onboard.DumpConfig(vmConfigs, configDumpPath)
 			if errConfig != nil {

cmd/onboard-vm.go

@@ -82,6 +82,9 @@ var (
 	agentsResource     onboard.ResourceConfig
 
 	deployDiscovery bool
+
+	// flag for kubeshield
+	deploykubeshield bool
 )
 
 // onboardVMCmd represents the sub-command to onboard VM clusters
@@ -179,7 +182,8 @@ func init() {
 	onboardVMCmd.PersistentFlags().StringVar((*string)(&clusterID), "cluster-id", "", "cluster id")
 	onboardVMCmd.PersistentFlags().StringVar((*string)(&url), "url", "", "url")
 	onboardVMCmd.PersistentFlags().StringVar((*string)(&label), "label", "", "label")
-	onboardVMCmd.MarkFlagsRequiredTogether("benchmark", "profile", "auth-token", "url", "tenant-id", "cluster-name", "label", "schedule")
+	onboardVMCmd.MarkFlagsRequiredTogether("benchmark", "profile", "url", "tenant-id", "cluster-name")
+	onboardVMCmd.MarkFlagsRequiredTogether("auth-token", "label", "schedule")
 
 	// splunk flags
 	onboardVMCmd.PersistentFlags().BoolVar(&splunk.Enabled, "splunk", false, "enable Splunk")
@@ -227,6 +231,7 @@ func init() {
 	onboardVMCmd.PersistentFlags().StringArrayVar(&proxy.ExtraArgs, "proxy-args", []string{}, "extra env variables for proxy")
 
 	onboardVMCmd.PersistentFlags().BoolVar(&deployDiscovery, "deploy-discover", false, "deploy auto-discover policy agent")
+	onboardVMCmd.PersistentFlags().BoolVar(&deploykubeshield, "deploy-kubeshield", false, "deploy kubeshield")
 
 	onboardCmd.AddCommand(onboardVMCmd)
 }

go.mod

@@ -26,6 +26,7 @@ require (
 	github.com/accuknox/dev2/discover v0.0.0-20231026051927-56fe5412ae0d
 	github.com/accuknox/dev2/hardening v0.0.0-20250720150630-0e643f247e04
 	github.com/accuknox/dev2/sumengine v0.0.0-20250109055732-04767b7ac965
+	github.com/accuknox/kmux v0.0.0-20251211070044-f08f2bee3446
 	github.com/accuknox/kubeshield v0.1.2-0.20251111150757-1b3db72011d9
 	github.com/clarketm/json v1.17.1
 	github.com/coreos/go-systemd/v22 v22.5.0
@@ -57,10 +58,10 @@ require (
 	github.com/spf13/viper v1.20.1
 	go.uber.org/zap v1.27.0
 	golang.org/x/mod v0.27.0
-	golang.org/x/net v0.42.0
+	golang.org/x/net v0.43.0
 	golang.org/x/sync v0.17.0
-	golang.org/x/term v0.33.0
-	google.golang.org/grpc v1.73.0
+	golang.org/x/term v0.34.0
+	google.golang.org/grpc v1.74.2
 	gopkg.in/yaml.v2 v2.4.0
 	hermannm.dev/ipfinder v0.2.0
 	k8s.io/api v0.33.2
@@ -94,7 +95,6 @@ require (
 	github.com/Microsoft/hcsshim v0.13.0 // indirect
 	github.com/ZachtimusPrime/Go-Splunk-HTTP/splunk/v2 v2.0.2 // indirect
 	github.com/accuknox/go-spiffe/v2 v2.2.0 // indirect
-	github.com/accuknox/kmux v0.0.0-20250508061720-e1de0cfcf3c0 // indirect
 	github.com/accuknox/knox-gateway v0.9.2 // indirect
 	github.com/accuknox/registry-scanning/common v0.0.0-20250513065108-b8f4ebc6e184 // indirect
 	github.com/andybalholm/brotli v1.1.1 // indirect
@@ -188,7 +188,7 @@ require (
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
-	github.com/golang/glog v1.2.4 // indirect
+	github.com/golang/glog v1.2.5 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v1.0.0 // indirect
@@ -224,9 +224,9 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/itchyny/timefmt-go v0.1.6 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/pgx/v5 v5.6.0 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -334,21 +334,21 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.3 // indirect
-	golang.org/x/crypto v0.40.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.29.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250811230008-5f3141c8851a // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gorm.io/datatypes v1.2.0 // indirect
-	gorm.io/driver/mysql v1.5.6 // indirect
-	gorm.io/driver/postgres v1.5.7 // indirect
-	gorm.io/gorm v1.25.9 // indirect
+	gorm.io/driver/mysql v1.6.0 // indirect
+	gorm.io/driver/postgres v1.6.0 // indirect
+	gorm.io/gorm v1.31.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
 	helm.sh/helm/v3 v3.17.3 // indirect
 	hermannm.dev/wrap v0.2.0 // indirect