Skip to content

Add support for ESO resources in disco-agent#780

Merged
SgtCoDFish merged 1 commit intomasterfrom
EldarShalev-feature/ESO_Patch
Feb 24, 2026
Merged

Add support for ESO resources in disco-agent#780
SgtCoDFish merged 1 commit intomasterfrom
EldarShalev-feature/ESO_Patch

Conversation

@SgtCoDFish
Copy link
Contributor

This is re-raised from #775 to enable e2e tests to run (because of how the repo is set up - in part for security reasons - the e2e tests don't run on PRs from forks)

All of the original work is by @EldarShalev - I've squashed the commits and pushed this branch.

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds collection and upload support for External Secrets Operator (ESO) resources in the disco-agent, primarily to enable end-to-end test coverage for these CRDs.

Changes:

  • Add new default k8s-dynamic data gatherers for ESO resources (ExternalSecret/SecretStore and cluster-scoped variants) in the Helm chart and examples.
  • Extend the CyberArk snapshot/extractor pipeline to include ESO resources, with new unit tests for conversion behavior.
  • Update e2e script and add sample ESO manifests to exercise discovery in a test cluster.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
pkg/client/client_cyberark.go Adds extractor mappings for ESO gatherers into snapshot fields.
internal/cyberark/dataupload/dataupload.go Extends Snapshot schema with ESO resource lists.
pkg/client/client_cyberark_test.go Updates default dynamic gatherer name list used by tests/fakes.
pkg/client/client_cyberark_convertdatareadings_test.go Adds conversion tests for ESO resources and deleted-item filtering.
deploy/charts/disco-agent/templates/configmap.yaml Enables ESO gatherers by default in the chart config.
deploy/charts/disco-agent/tests/snapshot/configmap_test.yaml.snap Updates Helm snapshot expectations for new gatherers.
examples/machinehub.yaml Adds ESO gatherers to the MachineHub example config.
examples/machinehub/input.json Adds empty ESO readings to the MachineHub example input.
hack/ark/test-e2e.sh Installs ESO via Helm and applies sample ESO CRs for e2e.
hack/ark/secret-store.yaml Adds sample SecretStore manifest for e2e.
hack/ark/external-secret.yaml Adds sample ExternalSecret manifest for e2e.
hack/ark/cluster-secret-store.yaml Adds sample ClusterSecretStore manifest for e2e.
hack/ark/cluster-external-secret.yaml Adds sample ClusterExternalSecret manifest for e2e.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

#
# This is required for the agent to discover ExternalSecret and SecretStore resources.
echo "Installing External Secrets Operator..."
helm repo add external-secrets https://charts.external-secrets.io
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

helm repo add external-secrets ... is not idempotent and will exit non-zero if the repo already exists, which breaks reruns because the script is running with set -o errexit. Use --force-update (or otherwise handle the "already exists" case) so the e2e script can be re-run reliably.

Suggested change
helm repo add external-secrets https://charts.external-secrets.io
helm repo add external-secrets https://charts.external-secrets.io --force-update

Copilot uses AI. Check for mistakes.
Comment on lines +120 to +147
- kind: k8s-dynamic
name: ark/esoexternalsecrets
config:
resource-type:
group: external-secrets.io
version: v1
resource: externalsecrets
- kind: k8s-dynamic
name: ark/esosecretstores
config:
resource-type:
group: external-secrets.io
version: v1
resource: secretstores
- kind: k8s-dynamic
name: ark/esoclusterexternalsecrets
config:
resource-type:
group: external-secrets.io
version: v1
resource: clusterexternalsecrets
- kind: k8s-dynamic
name: ark/esoclustersecretstores
config:
resource-type:
group: external-secrets.io
version: v1
resource: clustersecretstores
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These ESO CRD gatherers are enabled by default in the chart, but the chart RBAC currently only grants explicit access to core Secrets/RBAC plus the built-in view role. Custom resources like external-secrets.io/* typically require explicit RBAC (unless the CRDs aggregate into view), otherwise the informer will fail to list/watch and the gatherer will stay empty. Please add explicit ClusterRole rules for externalsecrets, secretstores, clusterexternalsecrets, and clustersecretstores in external-secrets.io (or make these gatherers opt-in).

Copilot uses AI. Check for mistakes.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CRD does aggregate into view

Comment on lines +87 to +94
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm upgrade --install external-secrets \
external-secrets/external-secrets \
--namespace external-secrets-system \
--create-namespace \
--wait \
--set installCRDs=true
Copy link

Copilot AI Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This script installs the external-secrets/external-secrets Helm chart from the public https://charts.external-secrets.io repository without pinning to a specific immutable version or verifying integrity, so each test run may execute arbitrary code if the chart repository or DNS is compromised. Because the chart deploys a controller with cluster-level RBAC, a malicious or hijacked chart could access Kubernetes secrets (including the agent-credentials secret created earlier) and other cluster resources. Pin the chart to a specific version or digest and, where possible, add integrity verification to reduce this supply-chain risk.

Copilot uses AI. Check for mistakes.
Copy link
Member

@wallrj-cyberark wallrj-cyberark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I think this all looks ok. And I can see that the original PR had multiple rounds of review and improvement.

/approve

@SgtCoDFish SgtCoDFish merged commit fd80105 into master Feb 24, 2026
10 of 12 checks passed
@SgtCoDFish SgtCoDFish deleted the EldarShalev-feature/ESO_Patch branch February 24, 2026 10:37
@EldarShalev
Copy link

Thanks a lot everyone!

@SgtCoDFish
Copy link
Contributor Author

NB: followup PR to fix permissions has now merged too: #781

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants