Discovery of ConfigMaps and Label Selectors

deploy/charts/disco-agent/templates/configmap.yaml

@@ -38,6 +38,14 @@ data:
         resource-type:
           resource: serviceaccounts
           version: v1
+    - kind: k8s-dynamic
+      name: ark/configmaps
+      config:
+        resource-type:
+          resource: configmaps
+          version: v1
+        label-selectors:
+        - conjur.org/name=conjur-connect-configmap
     - kind: k8s-dynamic
       name: ark/roles
       config:

deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,14 @@ custom-cluster-description:
             resource-type:
               resource: serviceaccounts
               version: v1
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              resource: configmaps
+              version: v1
+            label-selectors:
+            - conjur.org/name=conjur-connect-configmap
         - kind: k8s-dynamic
           name: ark/roles
           config:
@@ -133,6 +141,14 @@ custom-cluster-name:
             resource-type:
               resource: serviceaccounts
               version: v1
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              resource: configmaps
+              version: v1
+            label-selectors:
+            - conjur.org/name=conjur-connect-configmap
         - kind: k8s-dynamic
           name: ark/roles
           config:
@@ -240,6 +256,14 @@ custom-period:
             resource-type:
               resource: serviceaccounts
               version: v1
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              resource: configmaps
+              version: v1
+            label-selectors:
+            - conjur.org/name=conjur-connect-configmap
         - kind: k8s-dynamic
           name: ark/roles
           config:
@@ -347,6 +371,14 @@ defaults:
             resource-type:
               resource: serviceaccounts
               version: v1
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              resource: configmaps
+              version: v1
+            label-selectors:
+            - conjur.org/name=conjur-connect-configmap
         - kind: k8s-dynamic
           name: ark/roles
           config:

examples/machinehub.yaml

@@ -37,6 +37,16 @@ data-gatherers:
       resource: serviceaccounts
       version: v1
 
+# Gather Kubernetes config maps with specific conjur.org label
+- name: ark/configmaps
+  kind: k8s-dynamic
+  config:
+    resource-type:
+      resource: configmaps
+      version: v1
+    label-selectors:
+    - conjur.org/name=conjur-connect-configmap
+
 # Gather Kubernetes roles
 - name: ark/roles
   kind: k8s-dynamic

examples/machinehub/input.json

@@ -123,5 +123,11 @@
         "data": {
             "items": []
         }
+    },
+    {
+        "data-gatherer": "ark/configmaps",
+        "data": {
+            "items": []
+        }
     }
 ]

hack/ark/conjur-connect-configmap.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: conjur-connect-configmap
+  namespace: default
+  labels:
+    conjur.org/name: conjur-connect-configmap
+    app.kubernetes.io/name: authn-k8s
+    app.kubernetes.io/component: conjur-conn-configmap
+    app.kubernetes.io/instance: pet-store-authn-k8s
+    app.kubernetes.io/part-of: app-namespace-config
+    app.kubernetes.io/managed-by: helm
+    helm.sh/chart: authn-k8s-namespace-prep-1.0.0
+data:
+  CONJUR_ACCOUNT: myConjurAccount
+  CONJUR_APPLIANCE_URL: https://conjur.conjur-ns.svc.cluster.local
+  CONJUR_AUTHN_URL: https://conjur.conjur-ns.svc.cluster.local/authn-k8s/my-authenticator-id
+  CONJUR_AUTHENTICATOR_ID: my-authenticator-id
+  CONJUR_SSL_CERTIFICATE: |
+    -----BEGIN CERTIFICATE-----
+    MIIDYTCCAkmgAwIBAgIUTXBJk7Fm+M9kVD5x66jPiwU2JfcwDQYJKoZIhvcNAQEL
+    BQAwQDErMCkGA1UEAwwiY29uanVyLmNvbmp1ci1ucy5zdmMuY2x1c3Rlci5sb2Nh
+    bDERMA8GA1UECgwIRTJFIFRlc3QwHhcNMjYwMTI4MTMwNzA5WhcNMzYwMTI2MTMw
+    NzA5WjBAMSswKQYDVQQDDCJjb25qdXIuY29uanVyLW5zLnN2Yy5jbHVzdGVyLmxv
+    Y2FsMREwDwYDVQQKDAhFMkUgVGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+    AQoCggEBALdJ9InvV4oOy5LzP/JfZ7iAuM7RIQzeD1fDjm1EEfQcLqSgobH2yZtA
+    YETlj/c2bfJ8Cc2dTJMoTefwofwjA6iR43SBf0e78raKsGSmR3ors9BqaulvgII5
+    Tk3y5jdZxty7UNIGOJP9QoJ4kPQHu37HhSfaA517yQJNCOa4NSLkpHWK155o6Cvf
+    k03M6Szzs5uL7GTK/8IJnl0WSXJezC7lQ8Q+0VVCR6Cq4CzAKm2ZoVCPGkYDZb+Y
+    2i0aGe8ideO0JgTOsHzXiv5x1DzaEdX0+DhV+aQKbRJYENa2w5LCG0b1Z6Hpyvm6
+    uT0LobEgNLxJ8fOxa3LEq2IryzHFZjUCAwEAAaNTMFEwHQYDVR0OBBYEFHuXVFoC
+    IaF7T3Iic7fKxyKwVhpkMB8GA1UdIwQYMBaAFHuXVFoCIaF7T3Iic7fKxyKwVhpk
+    MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAF/7DwNERFTpucWi
+    roDVME2SH1kTKiemcKzguoeOkDBZd70GbLejy64gWF9nIbcQ9WYxRIuqSI2h0j8d
+    ED9SGQ66nic3uw16GN5IJk21ucFwAJstgQG3kvWPBbSrxMO9TB0pounRozZ5DkZe
+    ZI+vZ4BNOZDT9TAE08xXLrzVhzVDM8DGAydzXUlvscfhYpTe77Cm7yMxmItO7QTA
+    xTrBaamgxM1XYbx+DiS8nTm1U2G3UVACCv9zH6MXDe2DDREBuX1U3skqqbJlsypf
+    68ckx8fzdxIU5OLx0LZ4QZOR66cHyambDtngoD3iKqDcR1L8EdXajq+IaPRZfcD6
+    VLEtA4Y=
+    -----END CERTIFICATE-----

hack/ark/test-e2e.sh

@@ -74,6 +74,12 @@ kubectl create secret generic e2e-sample-secret-$(date '+%s') \
         --namespace default \
         --from-literal=username=${RANDOM}
 
+# Create a sample ConfigMap in the cluster that will be discovered by the agent
+#
+# This ConfigMap has the label that matches the default label-selector configured
+# in the ark/configmaps data gatherer (conjur.org/name=conjur-connect-configmap).
+kubectl apply -f "${root_dir}/hack/ark/conjur-connect-configmap.yaml"
+
 # We use a non-existent tag and omit the `--version` flag, to work around a Helm
 # v4 bug. See: https://github.com/helm/helm/issues/31600
 helm upgrade agent "oci://${ARK_CHART}:NON_EXISTENT_TAG@${ARK_CHART_DIGEST}" \

internal/cyberark/dataupload/dataupload.go

@@ -62,6 +62,8 @@ type Snapshot struct {
 	Secrets []runtime.Object `json:"secrets"`
 	// ServiceAccounts is a list of ServiceAccount resources in the cluster.
 	ServiceAccounts []runtime.Object `json:"serviceaccounts"`
+	// ConfigMaps is a list of ConfigMap resources in the cluster.
+	ConfigMaps []runtime.Object `json:"configmaps"`
 	// Roles is a list of Role resources in the cluster.
 	Roles []runtime.Object `json:"roles"`
 	// ClusterRoles is a list of ClusterRole resources in the cluster.

pkg/client/client_cyberark.go

@@ -186,6 +186,9 @@ var defaultExtractorFunctions = map[string]func(*api.DataReading, *dataupload.Sn
 	"ark/pods": func(r *api.DataReading, s *dataupload.Snapshot) error {
 		return extractResourceListFromReading(r, &s.Pods)
 	},
+	"ark/configmaps": func(r *api.DataReading, s *dataupload.Snapshot) error {
+		return extractResourceListFromReading(r, &s.ConfigMaps)
+	},
 }
 
 // convertDataReadings processes a list of DataReadings using the provided