Add cluster name and description to CyberArk Discovery and Context snapshot

- Add ClusterName and ClusterDescription fields to Snapshot struct - Populate these fields from Options in PostDataReadingsWithOptions - Add clusterName and clusterDescription Helm values and docs - Populate cluster_id and cluster_description in the rendered configmap - Update values.schema.json to include descriptions for the new values - Add ClusterDescription field to pkg/agent Config and CombinedConfig - Default MachineHub cluster ID from ARK_USERNAME env when not set - Clarify comments and add TODO about ClusterID vs ClusterName naming Signed-off-by: Richard Wall <richard.wall@cyberark.com>

Author: wallrj-cyberark

deploy/charts/disco-agent/README.md

@@ -277,6 +277,24 @@ Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
 > ```yaml
 > []
 > ```
+#### **config.clusterName** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+A human readable name for the cluster where the agent is deployed (optional). 
+ 
+This cluster name will be associated with the data that the agent uploads to the Discovery and Context service. If empty (the default), the service account name will be used instead.
+#### **config.clusterDescription** ~ `string`
+> Default value:
+> ```yaml
+> ""
+> ```
+
+A short description of the cluster where the agent is deployed (optional). 
+ 
+This description will be associated with the data that the agent uploads to the Discovery and Context service. The description should include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml

deploy/charts/disco-agent/templates/configmap.yaml

@@ -7,6 +7,8 @@ metadata:
  {{- include "disco-agent.labels" . | nindent 4 }}
 data:
  config.yaml: |-
+ cluster_id: {{ .Values.config.clusterName | quote }}
+ cluster_description: {{ .Values.config.clusterDescription | quote }}
  period: {{ .Values.config.period | quote }}
  {{- with .Values.config.excludeAnnotationKeysRegex }}
  exclude-annotation-keys-regex:

deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap

@@ -1,8 +1,224 @@
+custom-cluster-description:
+ 1: |
+ apiVersion: v1
+ data:
+ config.yaml: |-
+ cluster_id: ""
+ cluster_description: "A cloud hosted Kubernetes cluster hosting production workloads.\n\nteam: team-1\nemail: team-1@example.com\npurpose: Production workloads\n"
+ period: "12h0m0s"
+ data-gatherers:
+ - kind: k8s-discovery
+ name: ark/discovery
+ - kind: k8s-dynamic
+ name: ark/secrets
+ config:
+ resource-type:
+ version: v1
+ resource: secrets
+ field-selectors:
+ - type!=kubernetes.io/dockercfg
+ - type!=kubernetes.io/dockerconfigjson
+ - type!=bootstrap.kubernetes.io/token
+ - type!=helm.sh/release.v1
+ - kind: k8s-dynamic
+ name: ark/serviceaccounts
+ config:
+ resource-type:
+ resource: serviceaccounts
+ version: v1
+ - kind: k8s-dynamic
+ name: ark/roles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: roles
+ - kind: k8s-dynamic
+ name: ark/clusterroles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterroles
+ - kind: k8s-dynamic
+ name: ark/rolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: rolebindings
+ - kind: k8s-dynamic
+ name: ark/clusterrolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterrolebindings
+ - kind: k8s-dynamic
+ name: ark/jobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: jobs
+ - kind: k8s-dynamic
+ name: ark/cronjobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: cronjobs
+ - kind: k8s-dynamic
+ name: ark/deployments
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: deployments
+ - kind: k8s-dynamic
+ name: ark/statefulsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: statefulsets
+ - kind: k8s-dynamic
+ name: ark/daemonsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: daemonsets
+ - kind: k8s-dynamic
+ name: ark/pods
+ config:
+ resource-type:
+ version: v1
+ resource: pods
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: disco-agent
+ app.kubernetes.io/version: v0.0.0
+ helm.sh/chart: disco-agent-0.0.0
+ name: test-disco-agent-config
+ namespace: test-ns
+custom-cluster-name:
+ 1: |
+ apiVersion: v1
+ data:
+ config.yaml: |-
+ cluster_id: "cluster-1 region-1 cloud-1 "
+ cluster_description: ""
+ period: "12h0m0s"
+ data-gatherers:
+ - kind: k8s-discovery
+ name: ark/discovery
+ - kind: k8s-dynamic
+ name: ark/secrets
+ config:
+ resource-type:
+ version: v1
+ resource: secrets
+ field-selectors:
+ - type!=kubernetes.io/dockercfg
+ - type!=kubernetes.io/dockerconfigjson
+ - type!=bootstrap.kubernetes.io/token
+ - type!=helm.sh/release.v1
+ - kind: k8s-dynamic
+ name: ark/serviceaccounts
+ config:
+ resource-type:
+ resource: serviceaccounts
+ version: v1
+ - kind: k8s-dynamic
+ name: ark/roles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: roles
+ - kind: k8s-dynamic
+ name: ark/clusterroles
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterroles
+ - kind: k8s-dynamic
+ name: ark/rolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: rolebindings
+ - kind: k8s-dynamic
+ name: ark/clusterrolebindings
+ config:
+ resource-type:
+ version: v1
+ group: rbac.authorization.k8s.io
+ resource: clusterrolebindings
+ - kind: k8s-dynamic
+ name: ark/jobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: jobs
+ - kind: k8s-dynamic
+ name: ark/cronjobs
+ config:
+ resource-type:
+ version: v1
+ group: batch
+ resource: cronjobs
+ - kind: k8s-dynamic
+ name: ark/deployments
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: deployments
+ - kind: k8s-dynamic
+ name: ark/statefulsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: statefulsets
+ - kind: k8s-dynamic
+ name: ark/daemonsets
+ config:
+ resource-type:
+ version: v1
+ group: apps
+ resource: daemonsets
+ - kind: k8s-dynamic
+ name: ark/pods
+ config:
+ resource-type:
+ version: v1
+ resource: pods
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: disco-agent
+ app.kubernetes.io/version: v0.0.0
+ helm.sh/chart: disco-agent-0.0.0
+ name: test-disco-agent-config
+ namespace: test-ns
 custom-period:
  1: |
  apiVersion: v1
  data:
  config.yaml: |-
+ cluster_id: ""
+ cluster_description: ""
  period: "1m"
  data-gatherers:
  - kind: k8s-discovery
@@ -108,6 +324,8 @@ defaults:
  apiVersion: v1
  data:
  config.yaml: |-
+ cluster_id: ""
+ cluster_description: ""
  period: "12h0m0s"
  data-gatherers:
  - kind: k8s-discovery

deploy/charts/disco-agent/tests/configmap_test.yaml

@@ -14,3 +14,20 @@ tests:
  config.period: 1m
  asserts:
  - matchSnapshot: {}
+
+ - it: custom-cluster-name
+ set:
+ config.clusterName: "cluster-1 region-1 cloud-1 "
+ asserts:
+ - matchSnapshot: {}
+
+ - it: custom-cluster-description
+ set:
+ config.clusterDescription: |
+ A cloud hosted Kubernetes cluster hosting production workloads.
+
+ team: team-1
+ email: team-1@example.com
+ purpose: Production workloads
+ asserts:
+ - matchSnapshot: {}

deploy/charts/disco-agent/values.schema.json

@@ -104,6 +104,12 @@
  "helm-values.config": {
  "additionalProperties": false,
  "properties": {
+ "clusterDescription": {
+ "$ref": "#/$defs/helm-values.config.clusterDescription"
+ },
+ "clusterName": {
+ "$ref": "#/$defs/helm-values.config.clusterName"
+ },
  "excludeAnnotationKeysRegex": {
  "$ref": "#/$defs/helm-values.config.excludeAnnotationKeysRegex"
  },
@@ -116,6 +122,16 @@
  },
  "type": "object"
  },
+ "helm-values.config.clusterDescription": {
+ "default": "",
+ "description": "A short description of the cluster where the agent is deployed (optional).\n\nThis description will be associated with the data that the agent uploads to the Discovery and Context service. The description should include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.",
+ "type": "string"
+ },
+ "helm-values.config.clusterName": {
+ "default": "",
+ "description": "A human readable name for the cluster where the agent is deployed (optional).\n\nThis cluster name will be associated with the data that the agent uploads to the Discovery and Context service. If empty (the default), the service account name will be used instead.",
+ "type": "string"
+ },
  "helm-values.config.excludeAnnotationKeysRegex": {
  "default": [],
  "description": "You can configure the agent to exclude some annotations or labels from being pushed . All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being pushed.\n\nDots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\\.`.\n\nExample: excludeAnnotationKeysRegex: ['^kapp\\.k14s\\.io/original.*']",

deploy/charts/disco-agent/values.yaml

@@ -138,6 +138,22 @@ config:
  excludeAnnotationKeysRegex: []
  excludeLabelKeysRegex: []
 
+ # A human readable name for the cluster where the agent is deployed (optional).
+ #
+ # This cluster name will be associated with the data that the agent uploads to
+ # the Discovery and Context service. If empty (the default), the service
+ # account name will be used instead.
+ clusterName: ""
+
+ # A short description of the cluster where the agent is deployed (optional).
+ #
+ # This description will be associated with the data that the agent uploads to
+ # the Discovery and Context service. The description should include contact
+ # information such as the email address of the cluster administrator, so that
+ # any problems and risks identified by the Discovery and Context service can
+ # be communicated to the people responsible for the affected secrets.
+ clusterDescription: ""
+
 authentication:
  secretName: agent-credentials
 

internal/cyberark/dataupload/dataupload.go

@@ -51,6 +51,10 @@ type Snapshot struct {
 AgentVersion string `json:"agent_version"`
 // ClusterID is the unique ID of the Kubernetes cluster which this snapshot was taken from.
 ClusterID string `json:"cluster_id"`
+// ClusterName is the name of the Kubernetes cluster which this snapshot was taken from.
+ClusterName string `json:"cluster_name"`
+// ClusterDescription is an optional description of the Kubernetes cluster which this snapshot was taken from.
+ClusterDescription string `json:"cluster_description,omitempty"`
 // K8SVersion is the version of Kubernetes which the cluster is running.
 K8SVersion string `json:"k8s_version"`
 // Secrets is a list of Secret resources in the cluster. Not all Secret