From ec9e6c498a94e33657df6bf462c2cc16f7a4318e Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Fri, 3 Apr 2026 12:16:14 +0200
Subject: [PATCH 1/2] get services from API, removing sidecar requirement
Signed-off-by: Matthias Bertschy
---
 cmd/main.go | 6 +++++-
 pkg/config/config.go | 13 ++++++-------
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index a1d60bf22..4b549ebef 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -395,7 +395,11 @@ func main() {
 // Create scan failure reporter (sends SBOM failures to careportreceiver for user notifications)
 var failureReporter sbommanager.SbomFailureReporter
- if services, svcErr := config.LoadServiceURLs("/etc/config/services.json"); svcErr == nil && services.GetReportReceiverHttpUrl() != "" {
+ apiURL := os.Getenv("API_URL")
+ if apiURL == "" {
+ apiURL = "api.armosec.io"
+ }
+ if services, svcErr := config.LoadServiceURLs(apiURL); svcErr == nil && services.GetReportReceiverHttpUrl() != "" {
 failureReporter = sbommanagerv1.NewHTTPSbomFailureReporter(services.GetReportReceiverHttpUrl(), accessKey, clusterData.AccountID, clusterData.ClusterName)
 logger.L().Info("scan failure reporting enabled", helpers.String("eventReceiverURL", services.GetReportReceiverHttpUrl()))
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
index f31ff3d18..ca44b7922 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -10,7 +10,7 @@ import (
 "github.com/kubescape/backend/pkg/servicediscovery"
 "github.com/kubescape/backend/pkg/servicediscovery/schema"
- servicediscoveryv2 "github.com/kubescape/backend/pkg/servicediscovery/v2"
+ servicediscoveryv3 "github.com/kubescape/backend/pkg/servicediscovery/v3"
 "github.com/kubescape/node-agent/pkg/exporters"
 "github.com/kubescape/node-agent/pkg/hostfimsensor/v1"
 processtreecreator "github.com/kubescape/node-agent/pkg/processtree/config"
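Review bot: In the cmd/main.go hunk a failed discovery is indistinguishable from reporting being deliberately off, because when `svcErr != nil` the `if` simply falls through and nothing is logged. Now that `LoadServiceURLs` performs a network lookup this path is far more likely than with a mounted file, so add a branch such as `} else if svcErr != nil { logger.L().Warning("service discovery failed, scan failure reporting disabled", helpers.Error(svcErr)) }`. Separately, `accessKey` is handed to a reporter whose URL is now whatever the host named by `API_URL` returns, so a comment stating that `API_URL` must name a trusted endpoint would help operators; whether the v3 client enforces HTTPS for a bare host like `api.armosec.io` is not visible in this patch. `main` continues outside the hunk.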
@@ -289,13 +289,12 @@ func (c *Config) SkipNamespace(ns string) bool {
 return false
 }
-func LoadServiceURLs(filePath string) (schema.IBackendServices, error) {
- if pathFromEnv, present := os.LookupEnv("SERVICES"); present {
- filePath = pathFromEnv
+func LoadServiceURLs(apiURL string) (schema.IBackendServices, error) {
+ client, err := servicediscoveryv3.NewServiceDiscoveryClientV3(apiURL)
+ if err != nil {
+ return nil, err
 }
- return servicediscovery.GetServices(
- servicediscoveryv2.NewServiceDiscoveryFileV2(filePath),
- )
+ return servicediscovery.GetServices(client)
 }
 type OrderedEventQueueConfig struct {
From 774f119af74ee9018c4af13f6e72e265310f5eab Mon Sep 17 00:00:00 2001
From: Matthias Bertschy
Date: Wed, 6 May 2026 16:14:25 +0200
Subject: [PATCH 2/2] fix: add timeout and file-based fallback to LoadServiceURLs
- Bound HTTP service discovery to 10 s so a slow/unreachable API cannot stall node-agent startup; failure is handled gracefully by the existing nil-check at the call site.
- Restore SERVICES env var / /etc/config/services.json fallback (using ServiceDiscoveryFileV3) so sidecar deployments retain scan-failure reporting without requiring migration to API_URL.
Co-Authored-By: Claude Sonnet 4.6
---
 pkg/config/config.go | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/pkg/config/config.go b/pkg/config/config.go
index ca44b7922..2f815851c 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
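Review bot: `LoadServiceURLs` in the PATCH 1/2 hunk is exported and its only argument changes meaning from a file path to an API host, yet it has no doc comment telling callers so. I would add `// LoadServiceURLs queries the service discovery API at apiURL and returns the backend service URLs.` above the function, and note there that the caller in cmd/main.go passes a bare host such as `api.armosec.io`. The comment should also say that this version no longer reads the `SERVICES` environment variable, since that is an operator-visible change.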
@@ -289,12 +289,39 @@ func (c *Config) SkipNamespace(ns string) bool {
 return false
 }
+const serviceDiscoveryTimeout = 10 * time.Second
+
 func LoadServiceURLs(apiURL string) (schema.IBackendServices, error) {
+ // Preserve backward compatibility with sidecar/file-based deployments.
+ // SERVICES env var or the default mount path takes priority over API discovery.
+ filePath := "/etc/config/services.json"
+ if pathFromEnv, present := os.LookupEnv("SERVICES"); present {
+ filePath = pathFromEnv
+ }
+ if _, statErr := os.Stat(filePath); statErr == nil {
+ return servicediscovery.GetServices(servicediscoveryv3.NewServiceDiscoveryFileV3(filePath))
+ }
+
 client, err := servicediscoveryv3.NewServiceDiscoveryClientV3(apiURL)
 if err != nil {
 return nil, err
 }
- return servicediscovery.GetServices(client)
+
+ type result struct {
+ svc schema.IBackendServices
+ err error
+ }
+ ch := make(chan result, 1)
+ go func() {
+ svc, svcErr := servicediscovery.GetServices(client)
+ ch <- result{svc, svcErr}
+ }()
+ select {
+ case r := <-ch:
+ return r.svc, r.err
+ case <-time.After(serviceDiscoveryTimeout):
+ return nil, fmt.Errorf("service discovery timed out after %s", serviceDiscoveryTimeout)
+ }
 }
 type OrderedEventQueueConfig struct {
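Review bot: An operator-set `SERVICES` path that is missing or unreadable is silently ignored in `LoadServiceURLs`: the `os.Stat` check only handles `statErr == nil`, so every stat failure falls through to network discovery against `apiURL`. The cmd/main.go hunk in PATCH 1/2 defaults that to `api.armosec.io` and passes `accessKey` to the reporter built from the discovered URL, so a typo in `SERVICES` changes where the agent connects and sends its key without any log line. I would return the stat error when the path came from the environment and keep the fallback only for the default mount path, as sketched below. Also, on timeout the goroutine keeps running until `GetServices` returns; the buffered channel prevents a blocked send, but the request itself is not cancelled, and whether the v3 client sets its own HTTP timeout is not visible here.

```go
func LoadServiceURLs(apiURL string) (schema.IBackendServices, error) {
	filePath, fromEnv := os.LookupEnv("SERVICES")
	if !fromEnv {
		filePath = "/etc/config/services.json"
	}
	if _, statErr := os.Stat(filePath); statErr == nil {
		return servicediscovery.GetServices(servicediscoveryv3.NewServiceDiscoveryFileV3(filePath))
	} else if fromEnv {
		// An explicitly configured SERVICES path that cannot be read is a
		// configuration error, not a reason to contact the API endpoint instead.
		return nil, fmt.Errorf("SERVICES file %q: %w", filePath, statErr)
	}
	// … unchanged: API client construction and timeout-bounded GetServices call …
```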