CyberArk(helm): add CyberArk Disco Agent Helm chart

- Introduced a new Helm chart for deploying the CyberArk Disco Agent.
- Added templates for deployment, RBAC, ConfigMap, PodDisruptionBudget, and PodMonitor.
- Included default values and configuration options in `values.yaml`.
- Added an end-to-end test script and supporting files for validating the chart.
- Enabled metrics support with optional Prometheus PodMonitor integration.

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

cmd/ark/main.go

@@ -0,0 +1,7 @@
+package main
+
+import "github.com/jetstack/preflight/cmd"
+
+func main() {
+	cmd.Execute()
+}

deploy/charts/cyberark-disco-agent/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/charts/cyberark-disco-agent/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: cyberark-disco-agent
+description: |-
+  The cyberark-disco-agent connects your Kubernetes or Openshift cluster to CyberArk Discovery and Context.
+
+maintainers:
+  - name: CyberArk
+    email: [email protected]
+    url: https://cyberark.com
+
+sources:
+  - https://github.com/jetstack/jetstack-secure
+
+# These versions are meant to be overridden by `make helm-chart`. No `v` prefix
+# for the `version` because Helm doesn't support auto-determining the latest
+# version for OCI Helm charts that use a `v` prefix.
+version: 0.0.0
+appVersion: "v0.0.0"

deploy/charts/cyberark-disco-agent/README.md

@@ -0,0 +1,292 @@
+# cyberark-disco-agent
+
+The Cyberark Discovery and Context Agent connects your Kubernetes or OpenShift
+cluster to the CyberArk Discovery and Context service.
+You will require a CyberArk account to connect your cluster.
+
+## Values
+
+<!-- AUTO-GENERATED -->
+
+#### **replicaCount** ~ `number`
+> Default value:
+> ```yaml
+> 1
+> ```
+
+This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+#### **image.repository** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+#### **image.pullPolicy** ~ `string`
+> Default value:
+> ```yaml
+> IfNotPresent
+> ```
+
+This sets the pull policy for images.
+#### **image.tag** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+Overrides the image tag whose default is the chart appVersion.
+#### **imagePullSecrets** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+
+This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+#### **nameOverride** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+This is to override the chart name.
+#### **fullnameOverride** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+#### **serviceAccount.create** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+
+Specifies whether a service account should be created
+#### **serviceAccount.automount** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+
+Automatically mount a ServiceAccount's API credentials?
+#### **serviceAccount.annotations** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+Annotations to add to the service account
+#### **serviceAccount.name** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+The name of the service account to use.  
+If not set and create is true, a name is generated using the fullname template
+#### **podAnnotations** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+#### **podLabels** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+This is for setting Kubernetes Labels to a Pod.  
+For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+#### **podSecurityContext** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+#### **securityContext** ~ `object`
+> Default value:
+> ```yaml
+> allowPrivilegeEscalation: false
+> capabilities:
+>   drop:
+>     - ALL
+> readOnlyRootFilesystem: true
+> runAsNonRoot: true
+> seccompProfile:
+>   type: RuntimeDefault
+> ```
+
+Add Container specific SecurityContext settings to the container. Takes precedence over `podSecurityContext` when set. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
+
+#### **resources** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+#### **volumes** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+
+Additional volumes on the output Deployment definition.
+#### **volumeMounts** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+
+Additional volumeMounts on the output Deployment definition.
+#### **nodeSelector** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+#### **tolerations** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+#### **affinity** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+#### **http_proxy** ~ `string`
+
+Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
+
+#### **https_proxy** ~ `string`
+
+Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
+
+#### **no_proxy** ~ `string`
+
+Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.
+
+#### **podDisruptionBudget** ~ `object`
+> Default value:
+> ```yaml
+> enabled: false
+> ```
+
+Configure a PodDisruptionBudget for the agent's Deployment. If running with multiple replicas, consider setting podDisruptionBudget.enabled to true.
+
+#### **config.period** ~ `string`
+> Default value:
+> ```yaml
+> 1h0m0s
+> ```
+
+Push data every hour unless changed.
+#### **config.excludeAnnotationKeysRegex** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+
+You can configure the agent to exclude some annotations or labels from being pushed . All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being pushed.  
+  
+Dots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\.`.  
+  
+Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
+#### **config.excludeLabelKeysRegex** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+#### **authentication.secretName** ~ `string`
+> Default value:
+> ```yaml
+> agent-credentials
+> ```
+#### **extraArgs** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+
+```yaml
+extraArgs:
+- --logging-format=json
+- --log-level=6 # To enable HTTP request logging
+```
+#### **metrics.enabled** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+
+Enable the metrics server.  
+If false, the metrics server will be disabled and the other metrics fields below will be ignored.
+#### **metrics.podmonitor.enabled** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator. See https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor
+#### **metrics.podmonitor.namespace** ~ `string`
+
+The namespace that the pod monitor should live in. Defaults to the venafi-kubernetes-agent namespace.
+
+#### **metrics.podmonitor.prometheusInstance** ~ `string`
+> Default value:
+> ```yaml
+> default
+> ```
+
+Specifies the `prometheus` label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.
+#### **metrics.podmonitor.interval** ~ `string`
+> Default value:
+> ```yaml
+> 60s
+> ```
+
+The interval to scrape metrics.
+#### **metrics.podmonitor.scrapeTimeout** ~ `string`
+> Default value:
+> ```yaml
+> 30s
+> ```
+
+The timeout before a metrics scrape fails.
+#### **metrics.podmonitor.labels** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+Additional labels to add to the PodMonitor.
+#### **metrics.podmonitor.annotations** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+Additional annotations to add to the PodMonitor.
+#### **metrics.podmonitor.honorLabels** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+Keep labels from scraped data, overriding server-side labels.
+#### **metrics.podmonitor.endpointAdditionalProperties** ~ `object`
+> Default value:
+> ```yaml
+> {}
+> ```
+
+EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.  
+  
+For example:
+
+```yaml
+endpointAdditionalProperties:
+ relabelings:
+ - action: replace
+   sourceLabels:
+   - __meta_kubernetes_pod_node_name
+   targetLabel: instance
+```
+

deploy/charts/cyberark-disco-agent/templates/NOTES.txt

@@ -0,0 +1,5 @@
+- Check the application is running:
+> kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+- Check the application logs for successful connection to the platform:
+> kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}