Pull Request Overview
This PR introduces a new CyberArk Discovery and Context Agent Helm chart with complete deployment automation and testing infrastructure. The agent connects Kubernetes clusters to CyberArk's Identity Security Platform for machine identity discovery.
Key changes:
- Added comprehensive Helm chart with templates, documentation, and schema validation
- Implemented build and release automation through Makefile modules
- Created E2E testing framework with automated deployment verification
Reviewed Changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 3 comments.
Show a summary per file
File | Description
---|---
make/ark/00_mod.mk | Defines build configuration and OCI image settings for ark agent
make/ark/02_mod.mk | Implements release, documentation, and E2E testing targets
make/00_mod.mk | Integrates ark module and generalizes helm configuration
make/02_mod.mk | Includes ark module in main build system
hack/ark/test-e2e.sh | E2E test script for automated agent deployment and verification
cmd/ark/main.go | Entry point for ark agent binary
deploy/charts/cyberark-disco-agent/ | Complete Helm chart with templates, values, schema, and documentation
@echo "RELEASE_OCI_CHART=$(helm_chart_image_name)" >> "$(GITHUB_OUTPUT)" | ||
@echo "RELEASE_OCI_CHART_TAG=$(helm_chart_version)" >> "$(GITHUB_OUTPUT)" | ||
|
||
@echo "Release complete!" |
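Review bot: the lines shown export RELEASE_OCI_CHART and RELEASE_OCI_CHART_TAG to $(GITHUB_OUTPUT) but no digest for the pushed chart, even though the commit message says the release targets output digest variables and the helm inspect run in this thread prints the chart's Digest. Consider emitting that digest alongside the tag so downstream workflows can reference the chart by an immutable digest rather than a mutable tag.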
richard@localhost:~/projects/jetstack/jetstack-secure$ make ark-release VERSION=v1.7.0-alpha.7
...
RELEASE_OCI_IMAGE=ghcr.io/wallrj-cyberark/images/cyberark-disco-agent
RELEASE_OCI_IMAGE_TAG=v1.7.0-alpha.7
RELEASE_OCI_CHART=ghcr.io/wallrj-cyberark/charts/cyberark-disco-agent
RELEASE_OCI_CHART_TAG=v1.7.0-alpha.7
Release complete!
$ helm inspect chart oci://$RELEASE_OCI_CHART --version $RELEASE_OCI_CHART_TAG
Pulled: ghcr.io/wallrj-cyberark/charts/cyberark-disco-agent:v1.7.0-alpha.7
Digest: sha256:33074111f39841d6a882eb27c2521b1fa985e560cafc99eddab237f95b513f87
annotations:
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: v1.7.0-alpha.7
description: The cyberark-disco-agent connects your Kubernetes or Openshift cluster
to CyberArk Discovery and Context.
maintainers:
- email: [email protected]
name: CyberArk
url: https://cyberark.com
name: cyberark-disco-agent
sources:
- https://github.com/jetstack/jetstack-secure
version: v1.7.0-alpha.7
$ _bin/tools/trivy image $RELEASE_OCI_IMAGE:$RELEASE_OCI_IMAGE_TAG --scanners vuln
2025-09-06T14:37:47+01:00 INFO [vuln] Vulnerability scanning is enabled
2025-09-06T14:37:53+01:00 INFO Detected OS family="alpine" version="3.21"
2025-09-06T14:37:53+01:00 INFO [alpine] Detecting vulnerabilities... os_version="3.21" repository="3.21" pkg_num=2
2025-09-06T14:37:53+01:00 INFO Number of language-specific files num=1
2025-09-06T14:37:53+01:00 INFO [gobinary] Detecting vulnerabilities...
Report Summary
┌──────────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ ghcr.io/wallrj-cyberark/images/cyberark-disco-agent:v1.7.0-alpha.7 (alpine 3.21) │ alpine │ 0 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ ko-app/ark │ gobinary │ 0 │
└──────────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
I'm not yet sure where we're going to publish this chart to, so I haven't automated this release process.
…nd E2E test
- introduce cyberark-disco-agent Helm chart with templates, docs, schema, and values
- add build and release Makefile modules for ark agent and chart publishing
- implement E2E test script for agent deployment and verification
- update main.go for ark agent entrypoint
- integrate chart build and test targets into main Makefiles
- Add image.digest field to values.yaml, schema, and documentation
- Update deployment.yaml to use image digest if provided
- Pass digest in e2e test and chart upgrade scripts
- Output digest variables in release Makefile targets
- Add values.linter.exceptions file for chart validation
- Add ark-verify target to Makefile for chart verification

Signed-off-by: Richard Wall <[email protected]>
For Venafi TLSPK, these Secret types are omitted because they are not processed by the backend.
The CyberArk Discovery and Context does process the metadata of service-account-token, basic-auth, and ssh-auth Secrets.
We do not send the data of these Secret types.
I tried running this script with CI, but it currently fails because the CyberArk Discovery and Context APIs are only accessible from whitelisted source networks.
This did highlight that the script doesn't give any useful feedback when the agent fails to upload the data....it just times out.
I propose to improve that in another PR.
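An added illustration, not part of this PR or of hack/ark/test-e2e.sh: a POSIX shell check that works out how far the agent got (started, authenticated, uploaded) from its JSON log lines, so an E2E run can fail with a reason instead of a bare timeout. The log line shapes follow the verification output quoted in this thread; the sample lines, the function names and the deadline handling are constructed for this example.

```shell
# Constructed sample log lines in the shape the agent emits (see the
# verification output in this PR); timestamps and callers are made up.
SAMPLE_OK='{"ts":1,"caller":"agent/run.go:58","msg":"Starting","v":0,"logger":"Run"}
{"ts":2,"caller":"identity/identity.go:402","msg":"successfully completed AdvanceAuthentication request to CyberArk Identity; login complete","v":0}
{"ts":3,"caller":"agent/run.go:417","msg":"Data sent successfully","v":0,"logger":"Run.gatherAndOutputData.postData"}'
SAMPLE_STUCK='{"ts":1,"caller":"agent/run.go:58","msg":"Starting","v":0,"logger":"Run"}
{"ts":2,"caller":"identity/identity.go:402","msg":"successfully completed AdvanceAuthentication request to CyberArk Identity; login complete","v":0}'

# classify_agent_logs: read agent log lines on stdin and print one word
# saying how far the agent got. Matches both the compact JSON and the
# pretty-printed ("msg": "...") form shown in the thread.
classify_agent_logs() {
  logs=$(cat)
  if printf '%s\n' "$logs" | grep -Eq '"msg": ?"Data sent successfully"'; then
    echo uploaded
  elif printf '%s\n' "$logs" | grep -Eq '"msg": ?"[^"]*login complete"'; then
    echo authenticated-no-upload
  elif printf '%s\n' "$logs" | grep -Eq '"msg": ?"Starting"'; then
    echo started-no-auth
  else
    echo no-agent-logs
  fi
}

# wait_for_upload: poll a log-producing command until the upload is seen
# or the deadline passes; on failure print the diagnosis plus the last
# few log lines to stderr instead of timing out silently.
# Usage: wait_for_upload <timeout-seconds> <command printing logs...>
# e.g.   wait_for_upload 300 kubectl logs -n cyberark -l app.kubernetes.io/instance=agent
wait_for_upload() {
  deadline=$(( $(date +%s) + $1 )); shift
  while :; do
    out=$("$@" 2>/dev/null)
    state=$(printf '%s\n' "$out" | classify_agent_logs)
    [ "$state" = uploaded ] && { echo "agent upload confirmed"; return 0; }
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "agent did not report an upload: $state" >&2
      printf '%s\n' "$out" | tail -n 5 >&2
      return 1
    fi
    sleep 5
  done
}
```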
These make targets are a hack to work around the fact that makefile-modules helm and oci modules expect there to be a single helm chart in each repo which references one or more images.
I'm re-invoking the existing make targets in a subprocess and overriding the default variables.
In future we might fix this by one or more of the following:
- Adapt makefile-modules to allow projects to have multiple helm charts.
- Creating a separate repo for the cyberark-disco-agent chart.
- Forking this repo to make an entirely new cyberark-agent project.
- Deprecating and removing the venafi-kubernetes-agent chart and adding TLSPK features to the cyberark-disco-agent chart.
- ....something else.
I've personally found myself 'fighting' against the makefiles-modules. This seems another such instance. Completely unrelated to this PR, could we maybe discuss if 'makefiles-modules' is doing more to hinder us than help us?
When makefile-modules works, which it usually does, I find it very convenient. It saves having to rewrite all the build and test code and keeps our repos consistent.
I agree with you that it can make life difficult when you want to do something different.
And I really struggle to understand the Makefile code, when I occasionally need to change it.
I think we should discuss the future direction of makefile-modules, yes.
'( .image.repository = "$(oci_preflight_image_name)" ) | \ | ||
( .image.tag = "$(oci_preflight_image_tag)" )' \ | ||
'( .image.repository = "$(helm_image_name)" ) | \ | ||
( .image.tag = "$(helm_image_tag)" )' \ | ||
$1 --inplace | ||
endef |
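Review bot: the generalised mutation still sets only .image.repository and .image.tag. Since this PR also adds an image.digest value and, per the commit message, deployment.yaml uses the digest when one is provided, a digest left in values.yaml would take precedence over the tag written here. Consider having the function also set or clear .image.digest, or note that the chart's values must not carry a stale digest when this mutation is applied.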
These changes allow me to use this mutation function for both charts.
'( .image.repository = "$(oci_ark_image_name)" ) | \ | ||
( .image.tag = "$(oci_ark_image_tag)" )' \ | ||
$1 --inplace | ||
endef |
I think this is unused. I should remove it.
I'll do that in another PR.
oci_ark_base_image_flavor := static | ||
oci_ark_image_name := quay.io/jetstack/ark-agent | ||
oci_ark_image_tag := $(VERSION) | ||
oci_ark_image_name_development := jetstack.local/ark-agent |
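Review bot: oci_ark_image_name := quay.io/jetstack/ark-agent does not match the image actually released in this thread (ghcr.io/wallrj-cyberark/images/cyberark-disco-agent). If the oci module consumes these variables, the two names should agree; if, as the author suspects, they are unused, dropping them avoids a misleading default pointing at an image that is never built.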
I copy pasted these variables but I'm not really sure what they are used for. Investigate whether they're necessary.
In another PR
I added this new CLI entry point so that the platform-admin will see a process called `ark agent`. Otherwise they'd see a process called `preflight agent`, which I predict would cause confusion and concern.
$ ps faux
...
root 1694 0.0 0.1 2046892 12404 ? Sl 09:42 0:02 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 4d4fe02905a090aa92a0ed239d4871be0bc17f2344976baac8a15473573e2834 -addr
root 1718 0.0 0.1 21856 13348 ? Ss 09:42 0:01 \_ /sbin/init
...
root 2836 0.0 0.1 1238320 15532 ? Sl 09:42 0:07 \_ /usr/local/bin/containerd-shim-runc-v2 -namespace k8s.io -id 87aee87b7aca372983184ef29d38c80101cd6b7a2291a58ac406eb
65535 2916 0.0 0.0 1028 704 ? Ss 09:42 0:00 | \_ /pause
65532 3609 0.0 0.6 1290388 55160 ? Ssl 09:43 0:13 | \_ /ko-app/ark agent -c /etc/cyberark-disco-agent/config.yaml --machine-hub --logging-format=json --enable-metrics
Verified the `make ark-test-e2e` target with my account on the integration environment:
CHART NAME: cyberark-disco-agent
CHART VERSION: v1.6.0-68-g7a82248426df04
APP VERSION: v1.6.0-68-g7a82248426df04
- Check the application is running:
> kubectl get pods -n cyberark -l app.kubernetes.io/instance=agent
- Check the application logs for successful connection to the platform:
> kubectl logs -n cyberark -l app.kubernetes.io/instance=agent
deployment "disco-agent" successfully rolled out
{
"ts": 1757513998590.8518,
"caller": "agent/run.go:58",
"msg": "Starting",
"v": 0,
"logger": "Run",
"version": "v1.6.0-68-g7a82248426df04",
"commit": "7a82248426df04144ccf34eddc82abb691e76ca7"
}
{
"ts": 1757513998591.5063,
"caller": "agent/config.go:591",
"msg": "Using period from config",
"v": 0,
"logger": "Run",
"period": "1h0m0s"
}
{
"ts": 1757513998591.5486,
"caller": "agent/run.go:98",
"msg": "Profiling endpoints enabled",
"v": 0,
"logger": "Run.APIServer",
"addr": ":8081",
"path": "/debug/pprof"
}
{
"ts": 1757513998591.5793,
"caller": "agent/run.go:107",
"msg": "Metrics endpoints enabled",
"v": 0,
"logger": "Run.APIServer",
"addr": ":8081",
"path": "/metrics"
}
{
"ts": 1757513998591.6257,
"caller": "agent/run.go:116",
"msg": "Healthz endpoints enabled",
"v": 0,
"logger": "Run.APIServer",
"addr": ":8081",
"path": "/healthz"
}
{
"ts": 1757513998591.6426,
"caller": "agent/run.go:120",
"msg": "Readyz endpoints enabled",
"v": 0,
"logger": "Run.APIServer",
"addr": ":8081",
"path": "/readyz"
}
{
"ts": 1757514001787.7139,
"caller": "identity/identity.go:402",
"msg": "successfully completed AdvanceAuthentication request to CyberArk Identity; login complete",
"v": 0,
"logger": "Run.gatherAndOutputData.postData",
"username": "[email protected]"
}
{"ts":1757514010619.172,"caller":"agent/run.go:417","msg":"Data sent successfully","v":0,"logger":"Run.gatherAndOutputData.postData"}
process_cpu_seconds_total 0.23
process_max_fds 1.048576e+06
process_network_receive_bytes_total 488976
process_network_transmit_bytes_total 322167
process_open_fds 13
process_resident_memory_bytes 6.1079552e+07
process_start_time_seconds 1.75751399757e+09
process_virtual_memory_bytes 1.320906752e+09
process_virtual_memory_max_bytes 1.8446744073709552e+19
/ko-app/ark agent -c /etc/cyberark-disco-agent/config.yaml --machine-hub --logging-format=json --enable-metrics --enable-pprof
Thanks @mladen-rusev-cyberark. I'll merge this and improve it in follow-up PRs.
Fixes: https://venafi.atlassian.net/browse/VC-44485
Installing the chart
I've temporarily published the chart to my GitHub repo, so you can try installing the chart yourself:
export OCI_BASE=ghcr.io/wallrj-cyberark
export NAMESPACE=cyberark
`--devel` to the `helm upgrade` command, because it's a pre-release version.
Manual Testing
The new make help looks like this:
The E2E test is not run automatically yet, so I ran it manually from my laptop.