build(release): update release process for CyberArk Discovery and Context

- Add ARK image and chart outputs to GitHub Actions workflow
- Refactor Makefile variables for ARK image/chart repositories and digests
- Update image annotations for CyberArk branding and documentation links
- Adjust e2e test script to use new ARK image/chart variables
- Remove unused OCI_BASE variable from root Makefile

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

.github/workflows/release.yml

@@ -37,13 +37,19 @@ jobs:
           go-version: ${{ steps.go-version.outputs.result }}
 
       - id: release
-        run: make release
+        run: make release ark-release
 
     outputs:
       RELEASE_OCI_PREFLIGHT_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_IMAGE }}
       RELEASE_OCI_PREFLIGHT_TAG: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_TAG }}
       RELEASE_HELM_CHART_IMAGE: ${{ steps.release.outputs.RELEASE_HELM_CHART_IMAGE }}
       RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}
+      ARK_IMAGE: ${{ steps.release.outputs.ARK_IMAGE }}
+      ARK_IMAGE_TAG: ${{ steps.release.outputs.ARK_IMAGE_TAG }}
+      ARK_IMAGE_DIGEST: ${{ steps.release.outputs.ARK_IMAGE_DIGEST }}
+      ARK_CHART: ${{ steps.release.outputs.ARK_CHART }}
+      ARK_CHART_TAG: ${{ steps.release.outputs.ARK_CHART_TAG }}
+      ARK_CHART_DIGEST: ${{ steps.release.outputs.ARK_CHART_DIGEST }}
 
   github_release:
     runs-on: ubuntu-latest
@@ -61,6 +67,12 @@ jobs:
           echo "OCI_PREFLIGHT_TAG: ${{ needs.build_and_push.outputs.RELEASE_OCI_PREFLIGHT_TAG }}" >> .notes-file
           echo "HELM_CHART_IMAGE: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_IMAGE }}" >> .notes-file
           echo "HELM_CHART_VERSION: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file
+          echo "ARK_IMAGE: ${{ needs.build_and_push.outputs.ARK_IMAGE }}" >> .notes-file
+          echo "ARK_IMAGE_TAG: ${{ needs.build_and_push.outputs.ARK_IMAGE_TAG }}" >> .notes-file
+          echo "ARK_IMAGE_DIGEST: ${{ needs.build_and_push.outputs.ARK_IMAGE_DIGEST }}" >> .notes-file
+          echo "ARK_CHART: ${{ needs.build_and_push.outputs.ARK_CHART }}" >> .notes-file
+          echo "ARK_CHART_TAG: ${{ needs.build_and_push.outputs.ARK_CHART_TAG }}" >> .notes-file
+          echo "ARK_CHART_DIGEST: ${{ needs.build_and_push.outputs.ARK_CHART_DIGEST }}" >> .notes-file
 
       - env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

RELEASE.md

@@ -10,10 +10,11 @@ The release process is semi-automated.
 > [!NOTE]
 >
 > Upon pushing the tag, a GitHub Action will do the following:
-> - Build and publish the container image at `quay.io/jetstack/venafi-agent`,
-> - Build and publish the Helm chart at `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`,
+> - Build and publish the container image: `quay.io/jetstack/venafi-agent`,
+> - Build and publish the Helm chart: `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`,
+> - Build and publish the container image: `quay.io/jetstack/cyberark-disco-agent`,
+> - Build and publish the Helm chart: `oci://quay.io/jetstack/charts/cyberark-disco-agent`,
 > - Create a draft GitHub release,
-> - Upload the Helm chart tarball to the GitHub release.
 
 1. Upgrade the Go dependencies.
 
@@ -71,18 +72,20 @@ The release process is semi-automated.
 
 For context, the new tag will create the following images:
 
-| Image                                                     | Automation                                                                                                                                                                                              |
-| --------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
+| Image                                                     | Automation                                                                                   |
+|-----------------------------------------------------------|----------------------------------------------------------------------------------------------|
 | `quay.io/jetstack/venafi-agent`                           | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes |
+| `quay.io/jetstack/cyberark-disco-agent`                   | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes |
 | `registry.venafi.cloud/venafi-agent/venafi-agent`         | Automatically mirrored by Harbor Replication rule                                            |
 | `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule                                            |
 | `private-registry.venafi.eu/venafi-agent/venafi-agent`    | Automatically mirrored by Harbor Replication rule                                            |
 
 and the following OCI Helm charts:
 
 | Helm Chart                                                           | Automation                                                                                   |
-| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
+|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
 | `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`              | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes |
+| `oci://quay.io/jetstack/charts/cyberark-disco-agent`                 | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes |
 | `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent`         | Automatically mirrored by Harbor Replication rule                                            |
 | `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule                                            |
 | `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent`    | Automatically mirrored by Harbor Replication rule                                            |
@@ -118,3 +121,7 @@ v1.1.0 (Git tag in the jetstack-secure repo)
 ### Step 2: Test the Helm chart "venafi-kubernetes-agent" with venctl connect
 
 NOTE(mael): TBD
+
+### Step 3: Test the Helm chart "cyberark-disco-agent"
+
+NOTE(wallrj): TBD

hack/ark/test-e2e.sh

@@ -43,7 +43,11 @@ trap 'rm -rf "${tmp_dir}"' EXIT
 
 pushd "${tmp_dir}"
 > release.env
-make -C "$root_dir" ark-release GITHUB_OUTPUT="${tmp_dir}/release.env"
+make -C "$root_dir" ark-release \
+     GITHUB_OUTPUT="${tmp_dir}/release.env" \
+     OCI_SIGN_ON_PUSH=false \
+     oci_platforms="" \
+     ARK_OCI_BASE="${OCI_BASE}"
 cat release.env
 source release.env
 
@@ -61,15 +65,15 @@ kubectl create secret generic agent-credentials \
         --from-literal=ARK_SUBDOMAIN=$ARK_SUBDOMAIN \
         --from-literal=ARK_DISCOVERY_API=$ARK_DISCOVERY_API
 
-helm upgrade agent "oci://${RELEASE_OCI_CHART}@${RELEASE_OCI_CHART_DIGEST}" \
-     --version "${RELEASE_OCI_CHART_TAG}" \
+helm upgrade agent "oci://${ARK_CHART}@${ARK_CHART_DIGEST}" \
+     --version "${ARK_CHART_TAG}" \
      --install \
      --wait \
      --create-namespace \
      --namespace "$NAMESPACE" \
      --set pprof.enabled=true \
      --set fullnameOverride=disco-agent \
-     --set "image.digest=${RELEASE_OCI_IMAGE_DIGEST}" \
+     --set "image.digest=${ARK_IMAGE_DIGEST}" \
      --set-json "podLabels={\"disco-agent.cyberark.cloud/test-id\": \"${RANDOM}\"}"
 
 kubectl rollout status deployments/disco-agent --namespace "${NAMESPACE}"

make/00_mod.mk

@@ -6,8 +6,6 @@ repo_name := github.com/jetstack/jetstack-secure
 # third-party modules.
 generate-golangci-lint-config: repo_name := github.com/jetstack/preflight
 
-OCI_BASE ?= # default to an empty value to avoid warnings
-
 license_ignore := gitlab.com/venafi,github.com/jetstack
 
 kind_cluster_name := preflight

make/ark/00_mod.mk

@@ -7,20 +7,20 @@ go_ark_ldflags := \
 	-X $(repo_name)/pkg/version.BuildDate=$(shell date "+%F-%T-%Z") \
 
 oci_ark_base_image_flavor := static
-oci_ark_image_name := quay.io/jetstack/ark-agent
+oci_ark_image_name := quay.io/jetstack/cyberark-disco-agent
 oci_ark_image_tag := $(VERSION)
-oci_ark_image_name_development := jetstack.local/ark-agent
+oci_ark_image_name_development := jetstack.local/cyberark-disco-agent
 
 # Annotations are the standardised set of annotations we set on every component we publish
 oci_ark_build_args := \
 	--image-annotation="org.opencontainers.image.source"="https://github.com/jetstack/jetstack-secure" \
 	--image-annotation="org.opencontainers.image.vendor"="CyberArk Software Ltd." \
 	--image-annotation="org.opencontainers.image.licenses"="EULA - https://www.cyberark.com/contract-terms/" \
-	--image-annotation="org.opencontainers.image.authors"="TODO" \
+	--image-annotation="org.opencontainers.image.authors"="CyberArk Software Ltd." \
 	--image-annotation="org.opencontainers.image.title"="CyberArk Discovery and Context Agent" \
 	--image-annotation="org.opencontainers.image.description"="Gathers machine identity data from Kubernetes clusters." \
-	--image-annotation="org.opencontainers.image.url"="TODO" \
-	--image-annotation="org.opencontainers.image.documentation"="TODO" \
+	--image-annotation="org.opencontainers.image.url"="https://www.cyberark.com/products/" \
+	--image-annotation="org.opencontainers.image.documentation"="https://docs.cyberark.com" \
 	--image-annotation="org.opencontainers.image.version"="$(VERSION)" \
 	--image-annotation="org.opencontainers.image.revision"="$(GITCOMMIT)"
 

make/ark/02_mod.mk

@@ -1,31 +1,38 @@
+# Makefile targets for CyberArk Discovery and Context
+
+# The base OCI repository for all CyberArk Discovery and Context artifacts
+ARK_OCI_BASE ?= quay.io/jetstack
+
+# The OCI repository (without tag) for the CyberArk Discovery and Context Agent Docker image
+# Can be overridden when calling `make ark-release` to push to a different repository.
+ARK_IMAGE ?= $(ARK_OCI_BASE)/cyberark-disco-agent
+
+# The OCI repository (without tag) for the CyberArk Discovery and Context Helm chart
+# Can be overridden when calling `make ark-release` to push to a different repository.
+ARK_CHART ?= $(ARK_OCI_BASE)/charts/cyberark-disco-agent
+
+# Used to output variables when running in GitHub Actions
 GITHUB_OUTPUT ?= /dev/stderr
+
 .PHONY: ark-release
 ## Publish all release artifacts (image + helm chart)
 ## @category CyberArk Discovery and Context
-ark-release: oci_ark_image_name := $(OCI_BASE)/images/cyberark-disco-agent
-ark-release: OCI_SIGN_ON_PUSH := false
-ark-release: oci_platforms := linux/amd64
-ark-release: helm_chart_source_dir := deploy/charts/cyberark-disco-agent
-ark-release: helm_chart_image_name := $(OCI_BASE)/charts/cyberark-disco-agent
-ark-release: helm_chart_version := $(helm_chart_version)
 ark-release: oci_ark_image_digest_path := $(bin_dir)/scratch/image/oci-layout-ark.digests
 ark-release: helm_digest_path := $(bin_dir)/scratch/helm/cyberark-disco-agent-$(helm_chart_version).digests
 ark-release:
 	$(MAKE) oci-push-ark helm-chart-oci-push \
-		oci_ark_image_name="$(oci_ark_image_name)" \
-		OCI_SIGN_ON_PUSH="$(OCI_SIGN_ON_PUSH)" \
-		oci_platforms="$(oci_platforms)" \
-		helm_image_name="$(oci_ark_image_name)" \
+		oci_ark_image_name="$(ARK_IMAGE)" \
+		helm_image_name="$(ARK_IMAGE)" \
 		helm_image_tag="$(oci_ark_image_tag)" \
-		helm_chart_source_dir="$(helm_chart_source_dir)" \
-		helm_chart_image_name="$(helm_chart_image_name)"
+		helm_chart_source_dir=deploy/charts/cyberark-disco-agent \
+		helm_chart_image_name="$(ARK_CHART)"
 
-	@echo "RELEASE_OCI_IMAGE=$(oci_ark_image_name)" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_OCI_IMAGE_TAG=$(oci_ark_image_tag)" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_OCI_IMAGE_DIGEST=$$(head -1 $(oci_ark_image_digest_path))" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_OCI_CHART=$(helm_chart_image_name)" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_OCI_CHART_TAG=$(helm_chart_version)" >> "$(GITHUB_OUTPUT)"
-	@echo "RELEASE_OCI_CHART_DIGEST=$$(head -1 $(helm_digest_path))" >> "$(GITHUB_OUTPUT)"
+	@echo "ARK_IMAGE=$(ARK_IMAGE)" >> "$(GITHUB_OUTPUT)"
+	@echo "ARK_IMAGE_TAG=$(oci_ark_image_tag)" >> "$(GITHUB_OUTPUT)"
+	@echo "ARK_IMAGE_DIGEST=$$(head -1 $(oci_ark_image_digest_path))" >> "$(GITHUB_OUTPUT)"
+	@echo "ARK_CHART=$(ARK_CHART)" >> "$(GITHUB_OUTPUT)"
+	@echo "ARK_CHART_TAG=$(helm_chart_version)" >> "$(GITHUB_OUTPUT)"
+	@echo "ARK_CHART_DIGEST=$$(head -1 $(helm_digest_path))" >> "$(GITHUB_OUTPUT)"
 
 	@echo "Release complete!"
 
@@ -40,11 +47,11 @@ ark-test-e2e: $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_HELM)
 ## Verify the Helm chart
 ## @category CyberArk Discovery and Context
 ark-verify:
-	$(MAKE) verify-helm-lint verify-helm-values verify-pod-security-standards verify-helm-kubeconform\
+	$(MAKE) verify-helm-lint verify-helm-values verify-pod-security-standards verify-helm-kubeconform \
 		helm_chart_source_dir=deploy/charts/cyberark-disco-agent \
-		helm_chart_image_name=$(OCI_BASE)/charts/cyberark-disco-agent
+		helm_chart_image_name=$(ARK_CHART)
 
-shared_verify_targets_dirty += ark-verify
+shared_verify_targets += ark-verify
 
 .PHONY: ark-generate
 ## Generate Helm chart documentation and schema