Add support for ESO resources in disco-agent

deploy/charts/disco-agent/templates/configmap.yaml

@@ -117,3 +117,31 @@ data:
           version: v1
         label-selectors:
         - conjur.org/name=conjur-connect-configmap
+    - kind: k8s-dynamic
+      name: ark/esoexternalsecrets
+      config:
+        resource-type:
+          group: external-secrets.io
+          version: v1
+          resource: externalsecrets
+    - kind: k8s-dynamic
+      name: ark/esosecretstores
+      config:
+        resource-type:
+          group: external-secrets.io
+          version: v1
+          resource: secretstores
+    - kind: k8s-dynamic
+      name: ark/esoclusterexternalsecrets
+      config:
+        resource-type:
+          group: external-secrets.io
+          version: v1
+          resource: clusterexternalsecrets
+    - kind: k8s-dynamic
+      name: ark/esoclustersecretstores
+      config:
+        resource-type:
+          group: external-secrets.io
+          version: v1
+          resource: clustersecretstores

deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap

@@ -105,6 +105,34 @@ custom-cluster-description:
               version: v1
             label-selectors:
             - conjur.org/name=conjur-connect-configmap
+        - kind: k8s-dynamic
+          name: ark/esoexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: externalsecrets
+        - kind: k8s-dynamic
+          name: ark/esosecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: secretstores
+        - kind: k8s-dynamic
+          name: ark/esoclusterexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clusterexternalsecrets
+        - kind: k8s-dynamic
+          name: ark/esoclustersecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clustersecretstores
     kind: ConfigMap
     metadata:
       labels:
@@ -222,6 +250,34 @@ custom-cluster-name:
               version: v1
             label-selectors:
             - conjur.org/name=conjur-connect-configmap
+        - kind: k8s-dynamic
+          name: ark/esoexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: externalsecrets
+        - kind: k8s-dynamic
+          name: ark/esosecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: secretstores
+        - kind: k8s-dynamic
+          name: ark/esoclusterexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clusterexternalsecrets
+        - kind: k8s-dynamic
+          name: ark/esoclustersecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clustersecretstores
     kind: ConfigMap
     metadata:
       labels:
@@ -339,6 +395,34 @@ custom-period:
               version: v1
             label-selectors:
             - conjur.org/name=conjur-connect-configmap
+        - kind: k8s-dynamic
+          name: ark/esoexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: externalsecrets
+        - kind: k8s-dynamic
+          name: ark/esosecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: secretstores
+        - kind: k8s-dynamic
+          name: ark/esoclusterexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clusterexternalsecrets
+        - kind: k8s-dynamic
+          name: ark/esoclustersecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clustersecretstores
     kind: ConfigMap
     metadata:
       labels:
@@ -456,6 +540,34 @@ defaults:
               version: v1
             label-selectors:
             - conjur.org/name=conjur-connect-configmap
+        - kind: k8s-dynamic
+          name: ark/esoexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: externalsecrets
+        - kind: k8s-dynamic
+          name: ark/esosecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: secretstores
+        - kind: k8s-dynamic
+          name: ark/esoclusterexternalsecrets
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clusterexternalsecrets
+        - kind: k8s-dynamic
+          name: ark/esoclustersecretstores
+          config:
+            resource-type:
+              group: external-secrets.io
+              version: v1
+              resource: clustersecretstores
     kind: ConfigMap
     metadata:
       labels:

examples/machinehub.yaml

@@ -139,3 +139,39 @@ data-gatherers:
       version: v1
     label-selectors:
     - conjur.org/name=conjur-connect-configmap
+
+# Gather External Secrets Operator ExternalSecret resources
+- name: ark/esoexternalsecrets
+  kind: k8s-dynamic
+  config:
+    resource-type:
+      group: external-secrets.io
+      version: v1
+      resource: externalsecrets
+
+# Gather External Secrets Operator SecretStore resources
+- name: ark/esosecretstores
+  kind: k8s-dynamic
+  config:
+    resource-type:
+      group: external-secrets.io
+      version: v1
+      resource: secretstores
+
+# Gather External Secrets Operator ClusterExternalSecret resources
+- name: ark/esoclusterexternalsecrets
+  kind: k8s-dynamic
+  config:
+    resource-type:
+      group: external-secrets.io
+      version: v1
+      resource: clusterexternalsecrets
+
+# Gather External Secrets Operator ClusterSecretStore resources
+- name: ark/esoclustersecretstores
+  kind: k8s-dynamic
+  config:
+    resource-type:
+      group: external-secrets.io
+      version: v1
+      resource: clustersecretstores

examples/machinehub/input.json

@@ -159,5 +159,29 @@
         "data": {
             "items": []
         }
+    },
+    {
+        "data-gatherer": "ark/esoexternalsecrets",
+        "data": {
+            "items": []
+        }
+    },
+    {
+        "data-gatherer": "ark/esosecretstores",
+        "data": {
+            "items": []
+        }
+    },
+    {
+        "data-gatherer": "ark/esoclusterexternalsecrets",
+        "data": {
+            "items": []
+        }
+    },
+    {
+        "data-gatherer": "ark/esoclustersecretstores",
+        "data": {
+            "items": []
+        }
     }
 ]

hack/ark/cluster-external-secret.yaml

@@ -0,0 +1,27 @@
+# Sample ClusterExternalSecret for e2e testing
+# This is a minimal ClusterExternalSecret CR that will be discovered by the agent.
+# This is a cluster-scoped resource that can create ExternalSecrets in multiple namespaces.
+apiVersion: external-secrets.io/v1
+kind: ClusterExternalSecret
+metadata:
+  name: e2e-test-cluster-external-secret
+  labels:
+    app.kubernetes.io/name: e2e-test
+    app.kubernetes.io/component: cluster-external-secret
+spec:
+  externalSecretSpec:
+    refreshInterval: 1h
+    secretStoreRef:
+      name: e2e-test-cluster-secret-store
+      kind: ClusterSecretStore
+    target:
+      name: e2e-test-synced-secret
+      creationPolicy: Owner
+    data:
+    - secretKey: example-key
+      remoteRef:
+        key: dummy/path/to/secret
+        property: password
+  namespaceSelector:
+    matchLabels:
+      environment: test

hack/ark/cluster-secret-store.yaml

@@ -0,0 +1,18 @@
+# Sample ClusterSecretStore for e2e testing
+# This is a minimal ClusterSecretStore CR that will be discovered by the agent.
+# This is a cluster-scoped resource that can be referenced by ExternalSecrets in any namespace.
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: e2e-test-cluster-secret-store
+  labels:
+    app.kubernetes.io/name: e2e-test
+    app.kubernetes.io/component: cluster-secret-store
+spec:
+  provider:
+    # Fake provider configuration - this won't actually work but allows the CR to be created
+    fake:
+      data:
+      - key: dummy/path/to/secret
+        value: dummy-value
+        version: "1"

hack/ark/external-secret.yaml

@@ -0,0 +1,25 @@
+# Sample ExternalSecret for e2e testing
+# This is a minimal ExternalSecret CR that will be discovered by the agent.
+# Note: This requires the External Secrets Operator CRDs to be installed,
+# but does not require a working secrets backend.
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: e2e-test-external-secret
+  namespace: default
+  labels:
+    app.kubernetes.io/name: e2e-test
+    app.kubernetes.io/component: external-secret
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: e2e-test-secret-store
+    kind: SecretStore
+  target:
+    name: e2e-test-synced-secret
+    creationPolicy: Owner
+  data:
+  - secretKey: example-key
+    remoteRef:
+      key: dummy/path/to/secret
+      property: password

hack/ark/secret-store.yaml

@@ -0,0 +1,20 @@
+# Sample SecretStore for e2e testing
+# This is a minimal SecretStore CR that will be discovered by the agent.
+# Note: This requires the External Secrets Operator CRDs to be installed,
+# but does not require a working secrets backend.
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+  name: e2e-test-secret-store
+  namespace: default
+  labels:
+    app.kubernetes.io/name: e2e-test
+    app.kubernetes.io/component: secret-store
+spec:
+  provider:
+    # Fake provider configuration - this won't actually work but allows the CR to be created
+    fake:
+      data:
+      - key: dummy/path/to/secret
+        value: dummy-value
+        version: "1"

hack/ark/test-e2e.sh

@@ -80,6 +80,25 @@ kubectl create secret generic e2e-sample-secret-$(date '+%s') \
 # in the ark/configmaps data gatherer (conjur.org/name=conjur-connect-configmap).
 kubectl apply -f "${root_dir}/hack/ark/conjur-connect-configmap.yaml"
 
+# Install External Secrets Operator CRDs and controller
+#
+# This is required for the agent to discover ExternalSecret and SecretStore resources.
+echo "Installing External Secrets Operator..."
+helm repo add external-secrets https://charts.external-secrets.io
+helm repo update
+helm upgrade --install external-secrets \
+     external-secrets/external-secrets \
+     --namespace external-secrets-system \
+     --create-namespace \
+     --wait \
+     --set installCRDs=true
+
+# Create sample External Secrets Operator resources that will be discovered by the agent
+kubectl apply -f "${root_dir}/hack/ark/secret-store.yaml"
+kubectl apply -f "${root_dir}/hack/ark/external-secret.yaml"
+kubectl apply -f "${root_dir}/hack/ark/cluster-secret-store.yaml"
+kubectl apply -f "${root_dir}/hack/ark/cluster-external-secret.yaml"
+
 # We use a non-existent tag and omit the `--version` flag, to work around a Helm
 # v4 bug. See: https://github.com/helm/helm/issues/31600
 helm upgrade agent "oci://${ARK_CHART}:NON_EXISTENT_TAG@${ARK_CHART_DIGEST}" \

internal/cyberark/dataupload/dataupload.go

@@ -80,6 +80,14 @@ type Snapshot struct {
 	ServiceAccounts []runtime.Object `json:"serviceaccounts"`
 	// ConfigMaps is a list of ConfigMap resources in the cluster.
 	ConfigMaps []runtime.Object `json:"configmaps"`
+	// ExternalSecrets is a list of ExternalSecret resources in the cluster.
+	ExternalSecrets []runtime.Object `json:"externalsecrets"`
+	// SecretStores is a list of SecretStore resources in the cluster.
+	SecretStores []runtime.Object `json:"secretstores"`
+	// ClusterExternalSecrets is a list of ClusterExternalSecret resources in the cluster.
+	ClusterExternalSecrets []runtime.Object `json:"clusterexternalsecrets"`
+	// ClusterSecretStores is a list of ClusterSecretStore resources in the cluster.
+	ClusterSecretStores []runtime.Object `json:"clustersecretstores"`
 	// Roles is a list of Role resources in the cluster.
 	Roles []runtime.Object `json:"roles"`
 	// ClusterRoles is a list of ClusterRole resources in the cluster.

pkg/client/client_cyberark.go

@@ -223,6 +223,18 @@ var defaultExtractorFunctions = map[string]func(*api.DataReading, *dataupload.Sn
 	"ark/configmaps": func(r *api.DataReading, s *dataupload.Snapshot) error {
 		return extractResourceListFromReading(r, &s.ConfigMaps)
 	},
+	"ark/esoexternalsecrets": func(r *api.DataReading, s *dataupload.Snapshot) error {
+		return extractResourceListFromReading(r, &s.ExternalSecrets)
+	},
+	"ark/esosecretstores": func(r *api.DataReading, s *dataupload.Snapshot) error {
+		return extractResourceListFromReading(r, &s.SecretStores)
+	},
+	"ark/esoclusterexternalsecrets": func(r *api.DataReading, s *dataupload.Snapshot) error {
+		return extractResourceListFromReading(r, &s.ClusterExternalSecrets)
+	},
+	"ark/esoclustersecretstores": func(r *api.DataReading, s *dataupload.Snapshot) error {
+		return extractResourceListFromReading(r, &s.ClusterSecretStores)
+	},
 }
 
 // convertDataReadings processes a list of DataReadings using the provided