jetstack · wallrj-cyberark · Aug 10, 2025 · Aug 15, 2025
diff --git a/.envrc.template b/.envrc.template
@@ -0,0 +1,6 @@
+# Variables required for hack/e2e/ca/test.sh
+export OCI_BASE=ttl.sh/f702739d-6123-4070-8b2d-b90707d44f8b/cyberark-disco-agent
+export ARK_USERNAME=
+export ARK_SECRET=
+export ARK_PLATFORM_DOMAIN=
+export ARK_SUBDOMAIN=
diff --git a/deploy/charts/cyberark-disco-agent/.helmignore b/deploy/charts/cyberark-disco-agent/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deploy/charts/cyberark-disco-agent/Chart.yaml b/deploy/charts/cyberark-disco-agent/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: cyberark-disco-agent
+description: |-
+  The cyberark-disco-agent connects your Kubernetes or Openshift cluster to CyberArk Discovery and Context.
+
+maintainers:
+  - name: CyberArk
+    email: [email protected]
+    url: https://cyberark.com
+
+sources:
+  - https://github.com/jetstack/jetstack-secure
+
+# These versions are meant to be overridden by `make helm-chart`. No `v` prefix
+# for the `version` because Helm doesn't support auto-determining the latest
+# version for OCI Helm charts that use a `v` prefix.
+version: 0.0.0
+appVersion: "v0.0.0"
diff --git a/deploy/charts/cyberark-disco-agent/templates/NOTES.txt b/deploy/charts/cyberark-disco-agent/templates/NOTES.txt
@@ -0,0 +1,5 @@
+- Check the application is running:
+> kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+- Check the application logs for successful connection to the platform:
+> kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
diff --git a/deploy/charts/cyberark-disco-agent/templates/_helpers.tpl b/deploy/charts/cyberark-disco-agent/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cyberark-disco-agent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cyberark-disco-agent.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cyberark-disco-agent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cyberark-disco-agent.labels" -}}
+helm.sh/chart: {{ include "cyberark-disco-agent.chart" . }}
+{{ include "cyberark-disco-agent.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cyberark-disco-agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cyberark-disco-agent.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cyberark-disco-agent.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cyberark-disco-agent.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/deploy/charts/cyberark-disco-agent/templates/configmap.yaml b/deploy/charts/cyberark-disco-agent/templates/configmap.yaml
@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cyberark-disco-agent.fullname" . }}-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cyberark-disco-agent.labels" . | nindent 4 }}
+data:
+  config.yaml: |-
+    period: {{ .Values.config.period | quote }}
+    {{- with .Values.config.excludeAnnotationKeysRegex }}
+    exclude-annotation-keys-regex:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    {{- with .Values.config.excludeLabelKeysRegex }}
+    exclude-label-keys-regex:
+      {{- . | toYaml | nindent 6 }}
+    {{- end }}
+    data-gatherers:
+    - kind: k8s-discovery
+      name: ark/discovery
+    - kind: k8s-dynamic
+      name: ark/namespaces
+      config:
+        resource-type:
+          version: v1
+          resource: namespaces
+    - kind: k8s-dynamic
+      name: ark/serviceaccounts
+      config:
+        resource-type:
+          resource: serviceaccounts
+          version: v1
+    - kind: k8s-dynamic
+      name: ark/secrets
+      config:
+        resource-type:
+          version: v1
+          resource: secrets
+        field-selectors:
+        - type!=kubernetes.io/service-account-token
+        - type!=kubernetes.io/dockercfg
+        - type!=kubernetes.io/dockerconfigjson
+        - type!=kubernetes.io/basic-auth
+        - type!=kubernetes.io/ssh-auth
+        - type!=bootstrap.kubernetes.io/token
+        - type!=helm.sh/release.v1
+    - kind: k8s-dynamic
+      name: ark/roles
+      config:
+        resource-type:
+          version: v1
+          group: rbac.authorization.k8s.io
+          resource: roles
+    - kind: k8s-dynamic
+      name: ark/clusterroles
+      config:
+        resource-type:
+          version: v1
+          group: rbac.authorization.k8s.io
+          resource: clusterroles
+    - kind: k8s-dynamic
+      name: ark/rolebindings
+      config:
+        resource-type:
+          version: v1
+          group: rbac.authorization.k8s.io
+          resource: rolebindings
+    - kind: k8s-dynamic
+      name: ark/clusterrolebindings
+      config:
+        resource-type:
+          version: v1
+          group: rbac.authorization.k8s.io
+          resource: clusterrolebindings
diff --git a/deploy/charts/cyberark-disco-agent/templates/deployment.yaml b/deploy/charts/cyberark-disco-agent/templates/deployment.yaml
@@ -0,0 +1,131 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cyberark-disco-agent.fullname" . }}
+  labels:
+    {{- include "cyberark-disco-agent.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "cyberark-disco-agent.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "cyberark-disco-agent.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "cyberark-disco-agent.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_UID
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.uid
+          - name: POD_NODE
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: ARK_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_USERNAME
+          - name: ARK_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SECRET
+          - name: ARK_PLATFORM_DOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_PLATFORM_DOMAIN
+          - name: ARK_SUBDOMAIN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.authentication.secretName }}
+                key: ARK_SUBDOMAIN
+          {{- with .Values.http_proxy }}
+          - name: HTTP_PROXY
+            value: {{ . }}
+          {{- end }}
+          {{- with .Values.https_proxy }}
+          - name: HTTPS_PROXY
+            value: {{ . }}
+          {{- end }}
+          {{- with .Values.no_proxy }}
+          - name: NO_PROXY
+            value: {{ . }}
+          {{- end }}
+          args:
+            - "agent"
+            - "-c"
+            - "/etc/cyberark-disco-agent/config.yaml"
+            - --machine-hub
+            {{- if .Values.metrics.enabled }}
+            - --enable-metrics
+            {{- end }}
+            {{- range .Values.extraArgs }}
+            - {{ . | quote }}
+            {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: "/etc/cyberark-disco-agent"
+              readOnly: true
+            {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "cyberark-disco-agent.fullname" . }}-config
+            optional: false
+        {{- with .Values.volumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/deploy/charts/cyberark-disco-agent/templates/poddisruptionbudget.yaml b/deploy/charts/cyberark-disco-agent/templates/poddisruptionbudget.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "cyberark-disco-agent.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cyberark-disco-agent.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "cyberark-disco-agent.selectorLabels" . | nindent 6 }}
+
+  {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }}
+  minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
+  {{- end }}
+  {{- if hasKey .Values.podDisruptionBudget "minAvailable" }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end }}
diff --git a/deploy/charts/cyberark-disco-agent/templates/podmonitor.yaml b/deploy/charts/cyberark-disco-agent/templates/podmonitor.yaml
@@ -0,0 +1,40 @@
+{{- if and .Values.metrics.enabled .Values.metrics.podmonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "venafi-kubernetes-agent.fullname" . }}
+{{- if .Values.metrics.podmonitor.namespace }}
+  namespace: {{ .Values.metrics.podmonitor.namespace }}
+{{- else }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
+  labels:
+    {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+    prometheus: {{ .Values.metrics.podmonitor.prometheusInstance }}
+    {{- with .Values.metrics.podmonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- with .Values.metrics.podmonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+  jobLabel: {{ include "venafi-kubernetes-agent.fullname" . }}
+  selector:
+    matchLabels:
+      {{- include "venafi-kubernetes-agent.selectorLabels" . | nindent 6 }}
+{{- if .Values.metrics.podmonitor.namespace }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace | quote }}
+{{- end }}
+  podMetricsEndpoints:
+    - port: http-metrics
+      path: /metrics
+      interval: {{ .Values.metrics.podmonitor.interval }}
+      scrapeTimeout: {{ .Values.metrics.podmonitor.scrapeTimeout }}
+      honorLabels: {{ .Values.metrics.podmonitor.honorLabels }}
+      {{- with .Values.metrics.podmonitor.endpointAdditionalProperties }}
+      {{- toYaml . | nindent 4 }}
+      {{- end }}
+{{- end }}