Merge pull request #63 from GitGuardian/amascia/cyberark-integrations

Amascia/cyberark integrations

Author: amascia-gg

.github/workflows/validate-helm-examples.yml

@@ -19,16 +19,16 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      
+
       - name: Find all examples and create matrix
         id: set-matrix
         run: |
           # Find all example directories
           ALL_EXAMPLES=$(find charts/ggscout/examples -maxdepth 1 -mindepth 1 -type d -exec basename {} \;)
-          
+
           # Create JSON array for GitHub Actions matrix
           echo "examples=$(echo "$ALL_EXAMPLES" | jq -R -s -c 'split("\n") | map(select(length > 0))')" >> $GITHUB_OUTPUT
-          
+
           echo "Found examples: $ALL_EXAMPLES"
 
   lint-examples:
@@ -39,7 +39,7 @@ jobs:
       fail-fast: false
       matrix:
         example: ${{ fromJson(needs.find-examples.outputs.examples) }}
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -48,7 +48,7 @@ jobs:
         uses: azure/setup-helm@v3
         with:
           version: 'latest'
-          
+
       - name: Install yq
         run: |
           sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
@@ -57,22 +57,22 @@ jobs:
       - name: Lint chart example - ${{ matrix.example }}
         run: |
           echo "🔍 Linting example: ${{ matrix.example }}"
-          
+
           # Create values-ci.yaml for linting
           echo "Creating values-ci.yaml for ${{ matrix.example }}"
           cp "charts/ggscout/examples/${{ matrix.example }}/values.yaml" "charts/ggscout/examples/${{ matrix.example }}/values-ci.yaml"
-          
+
           # Check if secret.yaml exists and apply values to values-ci.yaml
           if [ -f "charts/ggscout/examples/${{ matrix.example }}/secret.yaml" ]; then
             echo "Found secret.yaml, using it for values replacement"
-            
+
             # Create a temporary file to store environment variables
             ENV_FILE="charts/ggscout/examples/${{ matrix.example }}/.env.tmp"
             touch $ENV_FILE
-            
+
             # Extract keys and values from secret.yaml and write to env file
             yq '.stringData | to_entries | .[] | .key + "=" + .value' "charts/ggscout/examples/${{ matrix.example }}/secret.yaml" > $ENV_FILE
-            
+
             # Process values-ci.yaml and replace ${VAR} patterns with actual values from secret.yaml
             # Read env file line by line
             while IFS= read -r line; do
@@ -84,24 +84,24 @@ jobs:
               VALUE="${VALUE#\"}"
               VALUE="${VALUE%\'}"
               VALUE="${VALUE#\'}"
-              
+
               # Replace ${KEY} with VALUE in values-ci.yaml
               sed -i.bak "s|\${$KEY}|$VALUE|g" "charts/ggscout/examples/${{ matrix.example }}/values-ci.yaml"
               rm "charts/ggscout/examples/${{ matrix.example }}/values-ci.yaml.bak"
             done < $ENV_FILE
-            
+
             # Remove temporary env file
             rm $ENV_FILE
           fi
-          
+
           # Run helm lint
           if ! helm lint charts/ggscout -f "charts/ggscout/examples/${{ matrix.example }}/values-ci.yaml"; then
             echo "❌ Helm lint failed for ${{ matrix.example }}"
             exit 1
           else
             echo "✅ Helm lint passed for ${{ matrix.example }}"
           fi
-          
+
           # Clean up the temporary values-ci.yaml file
           rm "charts/ggscout/examples/${{ matrix.example }}/values-ci.yaml"
 
@@ -114,7 +114,7 @@ jobs:
       fail-fast: false
       matrix:
         example-group:
-          - secret_manager_group_1: ["akeyless", "conjurcloud", "hashicorpvault", "azurekeyvault"]
+          - secret_manager_group_1: ["akeyless", "cyberarksaas", "hashicorpvault", "azurekeyvault"]
           - secret_manager_group_2: ["delinea", "gcpsecretmanager", "awssecretsmanager"]  # TODO: add fetch-only
           # - consumers: ["k8s_incluster", "k8s_kubeconfigfile", "gitlabci"]
 

charts/ggscout/examples/conjurcloud-k8s/secret.yaml

@@ -1,25 +1,25 @@
-# Conjur Cloud with Kubernetes JWT Authentication
+# CyberArk SaaS with Kubernetes JWT Authentication
 
-This example demonstrates how to configure ggscout to authenticate with Conjur Cloud using Kubernetes JWT tokens.
+This example demonstrates how to configure ggscout to authenticate with CyberArk SaaS using Kubernetes JWT tokens.
 
 ## Overview
 
-Kubernetes JWT authentication allows ggscout running in a Kubernetes cluster to authenticate with Conjur Cloud using the cluster's service account tokens. This eliminates the need to manage static credentials.
+Kubernetes JWT authentication allows ggscout running in a Kubernetes cluster to authenticate with CyberArk SaaS using the cluster's service account tokens. This eliminates the need to manage static credentials.
 
 ## Prerequisites
 
 Before using this example, you need:
 
-1. **Conjur Cloud Account**: Access to a Conjur Cloud instance
+1. **CyberArk SaaS Account**: Access to a CyberArk SaaS instance
 2. **Kubernetes Cluster**: EKS, GKE, AKS, or self-hosted cluster
-3. **JWT Authenticator**: Configured in Conjur Cloud for your cluster
-4. **Workload Identity**: Created in Conjur Cloud for your ggscout service account
+3. **JWT Authenticator**: Configured in CyberArk SaaS for your cluster
+4. **Workload Identity**: Created in CyberArk SaaS for your ggscout service account
 
 ## Setup Steps
 
-### 1. Configure JWT Authenticator in Conjur Cloud
+### 1. Configure JWT Authenticator in CyberArk SaaS
 
-Create a JWT authenticator in Conjur Cloud with the following configuration:
+Create a JWT authenticator in CyberArk SaaS with the following configuration:
 
 **For AWS EKS:**
 ```bash
@@ -31,19 +31,19 @@ aws eks describe-cluster --name <YOUR_CLUSTER_NAME> --query "cluster.identity.oi
 - `jwks-uri`: `https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE/keys`
 - `issuer`: `https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE`
 - `token-app-property`: `sub` (IMPORTANT: Always use 'sub' for Kubernetes)
-- `audience`: `conjur` (recommended)
+- `audience`: `cyberark` (recommended)
 
 ### 2. Create Workload Identity
 
-Create a workload identity in Conjur Cloud for your ggscout service account:
+Create a workload identity in CyberArk SaaS for your ggscout service account:
 
 **Workload Configuration:**
 - **Authentication Method**: JWT
 - **JWT Authenticator**: Your authenticator ID (e.g., `k8s-cluster-name`)
 - **Workload ID**: `system:serviceaccount:<namespace>:<service-account-name>`
 - **Policy Branch**: `k8s-apps` (or your preferred branch)
 
-**Example using Conjur CLI:**
+**Example using CyberArk CLI:**
 ```yaml
 # Create workload policy (save as workload-policy.yaml)
 - !policy
@@ -57,13 +57,13 @@ Create a workload identity in Conjur Cloud for your ggscout service account:
         kubernetes/service-account: ggscout-service-account
 
     - !grant
-      role: !group conjur/authn-jwt/k8s-cluster-name/users
+      role: !group cyberark/authn-jwt/k8s-cluster-name/users
       member: !host system:serviceaccount:ggscout-namespace:ggscout-service-account
 ```
 
 Load the policy:
 ```bash
-conjur policy load -f workload-policy.yaml -b data
+cyberark policy load -f workload-policy.yaml -b data
 ```
 
 ### 3. Grant Access to Secrets
@@ -79,16 +79,16 @@ Create secrets and grant access to your workload:
       id: database/password
     - !variable
       id: api/token
-    
+
     - !group consumers
-    
+
     - !permit
       role: !group consumers
       privileges: [read, execute]
       resources:
         - !variable database/password
         - !variable api/token
-    
+
     - !grant
       role: !group consumers
       member: !host /data/k8s-apps/system:serviceaccount:ggscout-namespace:ggscout-service-account
@@ -100,8 +100,8 @@ Update the `secret.yaml` file with your specific values:
 
 ```yaml
 stringData:
-  CONJUR_SUBDOMAIN: "your-company"
-  CONJUR_JWT_AUTHENTICATOR_ID: "k8s-cluster-name"
+  CYBERARK_SUBDOMAIN: "your-company"
+  CYBERARK_JWT_AUTHENTICATOR_ID: "k8s-cluster-name"
   GITGUARDIAN_API_KEY: "your_gitguardian_api_token"
   NAMESPACE: "ggscout-namespace"
 ```
@@ -128,7 +128,7 @@ helm upgrade ggscout ggscout-charts/ggscout \
 
 ### Service Account Identity Format
 
-The workload identity in Conjur Cloud must exactly match the Kubernetes service account format:
+The workload identity in CyberArk SaaS must exactly match the Kubernetes service account format:
 ```
 system:serviceaccount:<namespace>:<service-account-name>
 ```
@@ -139,7 +139,7 @@ Always use `sub` as the `token-app-property` in your JWT authenticator. The `sub
 
 ### Namespace Considerations
 
-- The namespace in your Kubernetes deployment must match the namespace in your Conjur workload identity
+- The namespace in your Kubernetes deployment must match the namespace in your CyberArk workload identity
 - Update the `NAMESPACE` environment variable in `secret.yaml` if using a different namespace
 - Ensure your service account has the necessary RBAC permissions
 
@@ -149,7 +149,7 @@ Always use `sub` as the `token-app-property` in your JWT authenticator. The `sub
 
 1. **Verify JWT authenticator configuration**: Check that `jwks-uri`, `issuer`, and `token-app-property` are correctly set
 2. **Check workload identity**: Ensure the workload ID matches the service account format exactly
-3. **Verify RBAC**: Make sure the service account has access to the required Conjur resources
+3. **Verify RBAC**: Make sure the service account has access to the required CyberArk resources
 
 ### Common Errors
 
@@ -171,6 +171,6 @@ logs:
 
 ## Additional Resources
 
-- [Conjur Cloud JWT Authentication Documentation](https://docs.cyberark.com/conjur-cloud/latest/en/Content/Operations/Services/JWT_Authenticator.htm)
+- [CyberArk SaaS JWT Authentication Documentation](https://docs.cyberark.com/secrets-hub/latest/en/Content/Operations/Services/JWT_Authenticator.htm)
 - [Kubernetes Service Account Tokens](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/)
 - [ggscout Configuration Guide](https://docs.gitguardian.com/ggscout-docs/configuration)

charts/ggscout/examples/conjurcloud-workload/secret.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ggscout-secrets
+stringData:
+  # CyberArk SaaS subdomain (your company's subdomain)
+  CYBERARK_SUBDOMAIN: "your-cyberark-subdomain"
+
+  # JWT Authenticator ID configured in CyberArk SaaS
+  CYBERARK_JWT_AUTHENTICATOR_ID: "k8s-cluster-name"
+
+  # GitGuardian API token
+  GITGUARDIAN_API_KEY: "your_gitguardian_token"

…scout/examples/conjurcloud-k8s/README.md …cout/examples/cyberarksaas-k8s/README.mdcharts/ggscout/examples/conjurcloud-k8s/README.md renamed to charts/ggscout/examples/cyberarksaas-k8s/README.md charts/ggscout/examples/conjurcloud-k8s/README.md renamed to charts/ggscout/examples/cyberarksaas-k8s/README.md

@@ -4,14 +4,14 @@
 inventory:
   config:
     sources:
-      conjur_cloud_k8s:
-        type: conjurcloud
+      cyberark_saas_k8s:
+        type: cyberarksaas
         auth:
           auth_mode: "k8s"
-          service_id: "${CONJUR_JWT_AUTHENTICATOR_ID}"
+          service_id: "${CYBERARK_JWT_AUTHENTICATOR_ID}"
         fetch_all_versions: true
         mode: "read/write" # Can be `read`, `write` or `read/write` depending on wether fetch and/or sync are enabled
-        subdomain: "${CONJUR_SUBDOMAIN}"
+        subdomain: "${CYBERARK_SUBDOMAIN}"
 
     gitguardian:
       endpoint: "https://api.gitguardian.com/v1"

charts/ggscout/examples/cyberarksaas-k8s/secret.yaml

@@ -1,18 +1,18 @@
-# Conjur Cloud with Workload Authentication
+# CyberArk SaaS with Workload Authentication
 
-This example demonstrates how to configure ggscout to authenticate with Conjur Cloud using Workload authentication.
+This example demonstrates how to configure ggscout to authenticate with CyberArk SaaS using Workload authentication.
 
 ## Prerequisites
 
-1. Access to a Conjur Cloud instance
-2. A Conjur workload with appropriate permissions
+1. Access to a CyberArk SaaS instance
+2. A CyberArk workload with appropriate permissions
 3. Workload login ID and API key
 
 ## Configuration
 
 ### 1. Workload Setup
 
-In your Conjur Cloud instance, ensure you have:
+In your CyberArk SaaS instance, ensure you have:
 - A workload identity configured
 - Appropriate policies granting the workload access to secrets
 - The workload login ID and API key
@@ -21,9 +21,9 @@ In your Conjur Cloud instance, ensure you have:
 
 Edit the `secret.yaml` file to match your environment:
 
-- `CONJUR_WORKLOAD_LOGIN`: Your Conjur workload login ID (e.g., "host/my-app")
-- `CONJUR_WORKLOAD_API_KEY`: Your Conjur workload API key
-- `CONJUR_SUBDOMAIN`: Your Conjur Cloud subdomain
+- `CYBERARK_WORKLOAD_LOGIN`: Your CyberArk workload login ID (e.g., "host/my-app")
+- `CYBERARK_WORKLOAD_API_KEY`: Your CyberArk workload API key
+- `CYBERARK_SUBDOMAIN`: Your CyberArk SaaS subdomain
 - `GITGUARDIAN_API_KEY`: Your GitGuardian API token
 
 Edit the `values.yaml` file:
@@ -41,13 +41,13 @@ helm repo update
 # Apply the secret first
 kubectl apply -f secret.yaml
 
-# Install ggscout with Conjur Cloud Workload authentication
-helm install ggscout-conjur ggscout/ggscout -f values.yaml
+# Install ggscout with CyberArk SaaS Workload authentication
+helm install ggscout-cyberark ggscout/ggscout -f values.yaml
 ```
 
 ## Verification
 
-Check that ggscout can authenticate with Conjur Cloud:
+Check that ggscout can authenticate with CyberArk SaaS:
 
 ```bash
 # Check the logs of the ggscout pods
@@ -61,6 +61,6 @@ kubectl get cronjobs
 
 1. **Authentication Issues**: Verify the workload login ID and API key are correct
 2. **Permission Issues**: Ensure the workload has proper policies to access the required secrets
-3. **Network Connectivity**: Verify ggscout pods can reach your Conjur Cloud instance
+3. **Network Connectivity**: Verify ggscout pods can reach your CyberArk SaaS instance
 
-For more details on Conjur Cloud workload authentication, refer to the [Conjur Cloud documentation](https://docs.cyberark.com/conjur-cloud/). 
+For more details on CyberArk SaaS workload authentication, refer to the [CyberArk SaaS documentation](https://docs.cyberark.com/secrets-hub/).

…out/examples/conjurcloud-k8s/values.yaml …ut/examples/cyberarksaas-k8s/values.yamlcharts/ggscout/examples/conjurcloud-k8s/values.yaml renamed to charts/ggscout/examples/cyberarksaas-k8s/values.yaml charts/ggscout/examples/conjurcloud-k8s/values.yaml renamed to charts/ggscout/examples/cyberarksaas-k8s/values.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ggscout-secrets
+stringData:
+  # CyberArk Workload authentication
+  CYBERARK_WORKLOAD_LOGIN: "your-workload-login"
+  CYBERARK_WORKLOAD_API_KEY: "your-workload-api-key"
+
+  # CyberArk subdomain
+  CYBERARK_SUBDOMAIN: "your-cyberark-subdomain"
+
+  # GitGuardian API token
+  GITGUARDIAN_API_KEY: "your_gitguardian_token"