@wallrj-cyberark wallrj-cyberark commented Sep 19, 2025

This update refactors the release process for the CyberArk Discovery and Context Agent, improving GitHub Actions integration, Makefile variable clarity, and branding/documentation for published images and charts.

Summary of Changes

  • GitHub Actions:

    • Adds ARK image and chart outputs to the release workflow.
    • Outputs ARK image/chart details (name, tag, digest) for use in downstream jobs.
    • Updates release notes generation to include ARK artifacts.
  • Makefile Refactor:

    • Removes unused OCI_BASE variable from the root Makefile.
    • Introduces ARK_OCI_BASE, ARK_IMAGE, and ARK_CHART variables for clarity and flexibility.
    • Refactors image/chart names to use CyberArk branding (e.g., quay.io/jetstack/cyberark-disco-agent).
    • Updates image annotations for vendor, authors, documentation, and product URLs.
    • Ensures all release outputs are clearly named and accessible for CI/CD.
  • E2E Test Script:

    • Updates to use new ARK image/chart variables.
    • Ensures correct image/chart is deployed and tested in the e2e workflow.

Testing

Installed the released chart, as follows:

kind create cluster

export NAMESPACE=cyberark
export ARK_CHART=quay.io/jetstack/charts/cyberark-disco-agent

kubectl create ns "$NAMESPACE"

kubectl create secret generic agent-credentials \
        --namespace "$NAMESPACE" \
        --from-literal=ARK_USERNAME="$ARK_USERNAME" \
        --from-literal=ARK_SECRET="$ARK_SECRET" \
        --from-literal=ARK_SUBDOMAIN="$ARK_SUBDOMAIN" \
        --from-literal=ARK_DISCOVERY_API="$ARK_DISCOVERY_API"

helm upgrade agent "oci://${ARK_CHART}" \
     --debug \
     --devel \
     --install \
     --wait \
     --namespace "$NAMESPACE" \
     --set fullnameOverride=disco-agent
NOTES:
CHART NAME: cyberark-disco-agent
CHART VERSION: v1.7.0-alpha.1
APP VERSION: v1.7.0-alpha.1

- Check the application is running:
> kubectl get pods -n cyberark -l app.kubernetes.io/instance=agent

- Check the application logs for successful connection to the platform:
> kubectl logs -n cyberark -l app.kubernetes.io/instance=agent
$ kubectl logs -n cyberark -l app.kubernetes.io/instance=agent
{"ts":1758291401575.219,"caller":"agent/run.go:58","msg":"Starting","v":0,"logger":"Run","version":"development","commit":""}
{"ts":1758291401576.951,"caller":"agent/config.go:591","msg":"Using period from config","v":0,"logger":"Run","period":"12h0m0s"}
{"ts":1758291401577.008,"caller":"agent/run.go:107","msg":"Metrics endpoints enabled","v":0,"logger":"Run.APIServer","addr":":8081","path":"/metrics"}
{"ts":1758291401577.344,"caller":"agent/run.go:116","msg":"Healthz endpoints enabled","v":0,"logger":"Run.APIServer","addr":":8081","path":"/healthz"}
{"ts":1758291401577.3738,"caller":"agent/run.go:120","msg":"Readyz endpoints enabled","v":0,"logger":"Run.APIServer","addr":":8081","path":"/readyz"}
{"ts":1758291402828.249,"caller":"identity/identity.go:403","msg":"successfully completed AdvanceAuthentication request to CyberArk Identity; login complete","v":0,"logger":"Run.gatherAndOutputData.postData","username":"github-jetstack-secure-tests@cyberark.cloud.420375"}
{"ts":1758291426781.4143,"caller":"agent/run.go:334","msg":"Warning: PushingErr: retrying","v":0,"logger":"Run.gatherAndOutputData","in":"20.147492982s","reason":"post to server failed: while uploading snapshot: while retrieving snapshot upload URL: received response with status code 502: {\"message\": \"Internal server error\"}"}
{"ts":1758291447681.048,"caller":"identity/identity.go:403","msg":"successfully completed AdvanceAuthentication request to CyberArk Identity; login complete","v":0,"logger":"Run.gatherAndOutputData.postData","username":"github-jetstack-secure-tests@cyberark.cloud.420375"}
{"ts":1758291464540.994,"caller":"agent/run.go:334","msg":"Warning: PushingErr: retrying","v":0,"logger":"Run.gatherAndOutputData","in":"31.70021123s","reason":"post to server failed: while uploading snapshot: while retrieving snapshot upload URL: received response with status code 502: {\"message\": \"Internal server error\"}"}
{"ts":1758291496997.672,"caller":"identity/identity.go:403","msg":"successfully completed AdvanceAuthentication request to CyberArk Identity; login complete","v":0,"logger":"Run.gatherAndOutputData.postData","username":"github-jetstack-secure-tests@cyberark.cloud.420375"}

ℹ️ There's a problem with our test tenant which prevents the snapshot upload, but you can see that the agent deployed and attempts the upload.

I also ran the make ark-test-e2e target manually. It fails with timeout because of ☝️ that problem with the test tenant, but at least it deploys the agent and attempts to upload:

make ark-test-e2e
...
# ... output elided ...
# Readyz endpoints enabled
# Authentication succeeded
# Warning: PushingErr: retrying (502 Internal server error)
# Authentication succeeded
# Warning: PushingErr: retrying (502 Internal server error)
make: *** [ark-test-e2e] Error 124

@wallrj-cyberark wallrj-cyberark changed the title Automate the release process for cyberark-disco-agent [VC-45081] Automate the release process for cyberark-disco-agent Sep 19, 2025
@wallrj-cyberark wallrj-cyberark force-pushed the cyberark-disco-agent-release-process-2 branch 2 times, most recently from c4cb0dc to b47be01 Compare September 19, 2025 09:57
…text

- Add ARK image and chart outputs to GitHub Actions workflow
- Refactor Makefile variables for ARK image/chart repositories and digests
- Update image annotations for CyberArk branding and documentation links
- Adjust e2e test script to use new ARK image/chart variables
- Remove unused OCI_BASE variable from root Makefile

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
@wallrj-cyberark wallrj-cyberark force-pushed the cyberark-disco-agent-release-process-2 branch from b47be01 to 6e61b83 Compare September 19, 2025 10:10

@wallrj-cyberark wallrj-cyberark Sep 19, 2025

Test release:

$ export VERSION=v1.7.0-alpha.1
git tag --annotate --message="Release ${VERSION}" "${VERSION}"
git push origin "${VERSION}"
Enumerating objects: 1, done.
Counting objects: 100% (1/1), done.
Writing objects: 100% (1/1), 175 bytes | 175.00 KiB/s, done.
Total 1 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
To github.com:jetstack/jetstack-secure.git
 * [new tag]         v1.7.0-alpha.1 -> v1.7.0-alpha.1

> - Build and publish the container image: `quay.io/jetstack/cyberark-disco-agent`,
> - Build and publish the Helm chart: `oci://quay.io/jetstack/charts/cyberark-disco-agent`,
> - Create a draft GitHub release,
> - Upload the Helm chart tarball to the GitHub release.
Member Author

This was changed some time after the 1.4.0 release. Newer releases push the helm chart directly to quay.io

helm_chart_source_dir="$(helm_chart_source_dir)" \
helm_chart_image_name="$(helm_chart_image_name)"
helm_chart_source_dir=deploy/charts/cyberark-disco-agent \
helm_chart_image_name="$(ARK_CHART)"
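
Review bot: `helm_chart_source_dir=deploy/charts/cyberark-disco-agent` hard-codes the chart path inside the sub-make invocation, while the image name on the next line comes from `$(ARK_CHART)`. Defining the path once as a variable next to `ARK_CHART` and referencing it here would keep the two overrides in step if the chart directory moves, and a short comment saying why these overrides are passed explicitly would help the next reader.
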
Member Author

TBH I don't know whether these variables should be set as target specific variables or as sub-make variables in the rule or both....these ark- targets are a temporary hack because makefile-modules doesn't really support multiple charts.
This combination of variables and overrides seems to work...but I can't explain why.

helm_chart_image_name=$(ARK_CHART)

shared_verify_targets_dirty += ark-verify
shared_verify_targets += ark-verify
Member Author

Tim explained what _dirty means...something to do with the "dirty" state of the working tree when we use the verify.sh script...but I still don't understand. By experimentation I found that it wasn't actually necessary to use the _dirty variable here. I used it originally out of desperation to get the ark-verify added to the general verify dependencies.

# third-party modules.
generate-golangci-lint-config: repo_name := github.com/jetstack/preflight

OCI_BASE ?= # default to an empty value to avoid warnings
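
Review bot: the comment on the `OCI_BASE ?=` line records why the empty default existed (to avoid warnings), so wherever the replacement variable is now defined it should keep an equivalent `?=` default and the same explanatory comment. Otherwise the warnings this line suppressed can return when the variable is not set in the environment.
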
Member Author

This was only used by the ark- targets, so I moved it to the ark/*.mk files for context.


maelvls commented Sep 19, 2025

not sure why, but i'm getting a "403 Forbidden from request to service discovery API". I've used this:

export ARK_SUBDOMAIN=tlskp-test
export ARK_DISCOVERY_API=https://platform-discovery.integration-cyberark.cloud/api/v2
export ARK_USERNAME=mael.valais@cyberark.cloud.420375
export ARK_SECRET=...
export ARK_PLATFORM_DOMAIN=integration-cyberark.cloud

and agent deployed with:

helm upgrade agent "oci://${ARK_CHART}" \
     --debug \
     --devel \
     --install \
     --wait \
     --namespace "$NAMESPACE" \
     --set fullnameOverride=disco-agent \
     --set extraArgs='{--log-level=6}'
$ k logs -n cyberark -l app.kubernetes.io/instance=agent --follow
{"ts":1758292482713.6648,"caller":"agent/run.go:334","msg":"Warning: PushingErr: retrying","v":0,"logger":"Run.gatherAndOutputData","in":"1m6.686541673s","reason":"post to server failed: while initializing data upload client: got unexpected status code 403 Forbidden from request to service discovery API"}

Is that the error you were mentioning when you said "There's a problem with our test tenant which prevents the snapshot upload"?

| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes |
| `oci://quay.io/jetstack/charts/cyberark-disco-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes |
Member

why do we push to quay.io? Eventually, customers will be pulling from

registry.venafi.cloud/public/venafi-images/cyberark-disco-agent

so why not push to Harbor directly?

Member Author

I don't have permission, do I?

Member Author

And also for consistency with the existing agent release process. I can change the release process in future to push all artifacts direct to harbor, if that is possible.

@wallrj-cyberark
Member Author

Your .envrc is out of date.

See

# The following variables are required for CyberArk / MachineHub integration tests.
export ARK_SUBDOMAIN= # your CyberArk tenant subdomain e.g. tlskp-test
export ARK_USERNAME= # your CyberArk username
export ARK_SECRET= # your CyberArk password
# OPTIONAL: the URL for the CyberArk Discovery API if not using the production environment
export ARK_DISCOVERY_API=https://platform-discovery.integration-cyberark.cloud/


maelvls commented Sep 19, 2025

Ah, it works now (I mean, I also get a 502 like you).
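
A log triage sketch for the two upload failures seen in this thread (the 502 in the PR description and the 403 reported in the comments), added here as an example and not part of the PR or the agent's own code. The sample lines are constructed in the agent's JSON log format, and `classify` and `triage` are hypothetical helper names.

```python
import json
import re
from collections import Counter

# Constructed sample in the agent's JSON log format (placeholder username and timestamps).
SAMPLE_LOGS = r'''
{"ts":1.0,"caller":"agent/run.go:58","msg":"Starting","v":0,"logger":"Run"}
{"ts":2.0,"caller":"identity/identity.go:403","msg":"successfully completed AdvanceAuthentication request to CyberArk Identity; login complete","v":0,"logger":"Run.gatherAndOutputData.postData","username":"user@example.invalid"}
{"ts":3.0,"caller":"agent/run.go:334","msg":"Warning: PushingErr: retrying","v":0,"logger":"Run.gatherAndOutputData","in":"20s","reason":"post to server failed: while uploading snapshot: while retrieving snapshot upload URL: received response with status code 502: {\"message\": \"Internal server error\"}"}
{"ts":4.0,"caller":"agent/run.go:334","msg":"Warning: PushingErr: retrying","v":0,"logger":"Run.gatherAndOutputData","in":"1m6s","reason":"post to server failed: while initializing data upload client: got unexpected status code 403 Forbidden from request to service discovery API"}
not json: helm debug output mixed into the stream
'''

# Read the HTTP status from "reason" only: the "caller" field of a successful
# login is "identity/identity.go:403", which a plain grep for 403 would match.
STATUS_RE = re.compile(r"status code (\d{3})")

def classify(reason):
    """Map a PushingErr reason string to a coarse cause."""
    m = STATUS_RE.search(reason)
    if m is None:
        return "unknown"
    code = int(m.group(1))
    if code in (401, 403):
        return "auth-or-config"   # check credentials and the discovery API URL
    if 500 <= code <= 599:
        return "server-side"      # agent is retrying against a failing backend
    return "other-http"

def triage(text):
    """Count logins and upload failures by cause across a log stream."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            counts["unparsed"] += 1   # e.g. helm or kubectl output mixed in
            continue
        msg = rec.get("msg", "") if isinstance(rec, dict) else ""
        if "login complete" in msg:
            counts["login-ok"] += 1
        elif "PushingErr" in msg:
            counts[classify(rec.get("reason", ""))] += 1
    return dict(counts)

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```
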

@maelvls maelvls left a comment

All good! I haven't tested the release process, but I've looked at the GitHub Action job and have tested that the image produced worked.

@wallrj-cyberark wallrj-cyberark merged commit ee43b0b into master Sep 19, 2025
7 of 9 checks passed
@wallrj-cyberark wallrj-cyberark deleted the cyberark-disco-agent-release-process-2 branch September 19, 2025 14:58