CyberArk(helm): add cyberark-disco-agent Helm chart, build scripts, and E2E test

- introduce cyberark-disco-agent Helm chart with templates, docs, schema, and values
- add build and release Makefile modules for ark agent and chart publishing
- implement E2E test script for agent deployment and verification
- update main.go for ark agent entrypoint
- integrate chart build and test targets into main Makefiles
- Add image.digest field to values.yaml, schema, and documentation
- Update deployment.yaml to use image digest if provided
- Pass digest in e2e test and chart upgrade scripts
- Output digest variables in release Makefile targets
- Add values.linter.exceptions file for chart validation
- Add ark-verify target to Makefile for chart verification
- Introduce e2e job that runs only for PRs from trusted contributors
- Configure job to require secrets and set appropriate permissions
- Add steps for repo access, Go setup, caching, and running e2e tests

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

.github/workflows/tests.yaml

@@ -63,3 +63,48 @@ jobs:
           key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-test-unit
 
       - run: make -j test-unit test-helm
+        env:
+          ARK_DISCOVERY_API: ${{ vars.ARK_DISCOVERY_API }}
+          ARK_SUBDOMAIN: ${{ vars.ARK_SUBDOMAIN }}
+          ARK_USERNAME: ${{ secrets.ARK_USERNAME }}
+          ARK_SECRET: ${{ secrets.ARK_SECRET }}
+
+  # These tests require access to secrets so are only run on PRs from trusted contributors
+  # (i.e. not from forks)
+  e2e:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    permissions:
+      contents: read # needed for checkout
+      id-token: write # needed for google auth
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/repo_access
+        with:
+          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - uses: actions/cache@v4
+        with:
+          path: _bin/downloaded
+          key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-test-unit
+
+      - run: make -j ark-test-e2e
+        env:
+          OCI_BASE: ${{ secrets.OCI_BASE }}
+          ARK_DISCOVERY_API: ${{ vars.ARK_DISCOVERY_API }}
+          ARK_SUBDOMAIN: ${{ vars.ARK_SUBDOMAIN }}
+          ARK_USERNAME: ${{ secrets.ARK_USERNAME }}
+          ARK_SECRET: ${{ secrets.ARK_SECRET }}

cmd/ark/main.go

@@ -0,0 +1,7 @@
+package main
+
+import "github.com/jetstack/preflight/cmd"
+
+func main() {
+	cmd.Execute()
+}

deploy/charts/cyberark-disco-agent/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/charts/cyberark-disco-agent/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: cyberark-disco-agent
+description: |-
+  The cyberark-disco-agent connects your Kubernetes or Openshift cluster to CyberArk Discovery and Context.
+
+maintainers:
+  - name: CyberArk
+    email: [email protected]
+    url: https://cyberark.com
+
+sources:
+  - https://github.com/jetstack/jetstack-secure
+
+# These versions are meant to be overridden by `make helm-chart`. No `v` prefix
+# for the `version` because Helm doesn't support auto-determining the latest
+# version for OCI Helm charts that use a `v` prefix.
+version: 0.0.0
+appVersion: "v0.0.0"