Feature/eso patch #775
Feature/eso patch #775
Conversation
achuchev
left a comment
achuchev
left a comment
There was a problem hiding this comment.
The PR looks promising. I think the main area for improvement is implementing logic to exclude sensitive data. Unfortunately, the spec.provider.fake.data may include passwords in the manifest. Although the Fake provider is intended for testing purposes only, it still contains customer-sensitive data.
The potentially sensitive branch could be removed by applying the same approach used for managedFields.
| version: v1 | ||
| label-selectors: | ||
| - conjur.org/name=conjur-connect-configmap | ||
| - kind: k8s-dynamic |
There was a problem hiding this comment.
Please include the cluster-scoped resources: clusterexternalsecrets and clustersecretstores.
There was a problem hiding this comment.
or not, I need to add everything i did (for all files) the same for clusterexternalsecrets and clustersecretstores?
hack/ark/test-e2e.sh
Outdated
| # | ||
| # These require the ESO CRDs to be installed in the cluster. If the CRDs are not | ||
| # installed, these commands will fail but the e2e test can still proceed. | ||
| kubectl apply -f "${root_dir}/hack/ark/secret-store.yaml" || echo "Warning: SecretStore CRD not installed, skipping" |
There was a problem hiding this comment.
I am unable to find where the ESO CRDs have been deployed. If the CRDs are not in place, the CR will also not be deployed, which does not bring much value for the e2e.
| "ark/configmaps": func(r *api.DataReading, s *dataupload.Snapshot) error { | ||
| return extractResourceListFromReading(r, &s.ConfigMaps) | ||
| }, | ||
| "ark/externalsecrets": func(r *api.DataReading, s *dataupload.Snapshot) error { |
There was a problem hiding this comment.
| "ark/externalsecrets": func(r *api.DataReading, s *dataupload.Snapshot) error { | |
| "ark/esoexternalsecrets": func(r *api.DataReading, s *dataupload.Snapshot) error { |
It may be helpful to add a prefix to the names to clarify which project they originate from.
There was a problem hiding this comment.
sure, but I guess you dont mean only here right?
just to understand the scope of the prefix
|
@EldarShalev could you run |
will try to fix it, getting |
3 participants
I've implemented the ESO (External Secrets Operator) CRDs collection following the same minimal pattern as the ConfigMaps feature #769 .
Here's what was done:
Files Modified:
deploy/charts/disco-agent/templates/configmap.yaml
Added two new k8s-dynamic data gatherers:
ark/externalsecrets (group: external-secrets.io, version: v1, resource: externalsecrets)
ark/secretstores (group: external-secrets.io, version: v1, resource: secretstores)
No label selectors used (Option A: collect all in watched namespaces)
deploy/charts/disco-agent/tests/snapshot/configmap_test.yaml.snap
Updated all 4 test snapshot sections to include both ESO gatherers
examples/machinehub.yaml
Added both ESO gatherers with comments explaining their purpose
examples/machinehub/input.json
Added empty items entries for both ark/externalsecrets and ark/secretstores
internal/cyberark/dataupload/dataupload.go
Added ExternalSecrets []runtime.Object and SecretStores []runtime.Object fields to the Snapshot struct
pkg/client/client_cyberark.go
Added extractor functions for ark/externalsecrets and ark/secretstores
pkg/client/client_cyberark_test.go
Added both gatherers to defaultDynamicDatagathererNames list
pkg/client/client_cyberark_convertdatareadings_test.go
Added TestConvertDataReadings_ExternalSecrets test
Added TestConvertDataReadings_SecretStores test
Both tests verify: 2 resources are extracted, deleted resources are excluded
Files Created:
hack/ark/external-secret.yaml
Sample ExternalSecret CR for e2e testing (uses fake backend)
hack/ark/secret-store.yaml
Sample SecretStore CR for e2e testing (uses fake provider)
hack/ark/test-e2e.sh
Updated to apply both ESO sample manifests (with fallback if CRDs not installed)