Enable CyberArk integration and E2E tests in CI

wallrj-cyberark · wallrj-cyberark · commit cc7d3798c6ad · 2026-01-23T09:48:54.000Z
Additionally, use a real UID in integration tests to satisfy real API validation
And add a cluster name, a shorter upload period, and a sample secret so that
it's easier to find the uploaded Secret in the UI.

Signed-off-by: Richard Wall &lt;richard.wall@cyberark.com&gt;
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -67,6 +67,46 @@ jobs:
           key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-test-unit
 
       - run: make -j test-unit test-helm
+        env:
+          # These environment variables are required to run the CyberArk client integration tests
+          ARK_DISCOVERY_API: https://platform-discovery.integration-cyberark.cloud/
+          ARK_SUBDOMAIN: ${{ secrets.ARK_SUBDOMAIN }}
+          ARK_USERNAME: ${{ secrets.ARK_USERNAME }}
+          ARK_SECRET: ${{ secrets.ARK_SECRET }}
+
+  ark-test-e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
+
+      - uses: ./.github/actions/repo_access
+        with:
+          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: _bin/downloaded
+          key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-test-unit
+
+      - run: make -j ark-test-e2e
+        env:
+          # These environment variables are required to connect to CyberArk Disco APIs
+          ARK_DISCOVERY_API: https://platform-discovery.integration-cyberark.cloud/
+          ARK_SUBDOMAIN: ${{ secrets.ARK_SUBDOMAIN }}
+          ARK_USERNAME: ${{ secrets.ARK_USERNAME }}
+          ARK_SECRET: ${{ secrets.ARK_SECRET }}
 
   test-e2e:
     if: contains(github.event.pull_request.labels.*.name, 'test-e2e')
diff --git a/hack/ark/test-e2e.sh b/hack/ark/test-e2e.sh
@@ -65,6 +65,15 @@ kubectl create secret generic agent-credentials \
         --from-literal=ARK_SUBDOMAIN=$ARK_SUBDOMAIN \
         --from-literal=ARK_DISCOVERY_API=$ARK_DISCOVERY_API
 
+# Create a sample secret in the cluster
+#
+# TODO(wallrj): See if there's an API for checking that this secret has been
+# imported by the backend. For now we have to log into the Disco web UI and
+# search for this secret.
+kubectl create secret generic e2e-sample-secret-$(date '+%s') \
+        --namespace default \
+        --from-literal=username=${RANDOM}
+
 # We use a non-existent tag and omit the `--version` flag, to work around a Helm
 # v4 bug. See: https://github.com/helm/helm/issues/31600
 helm upgrade agent "oci://${ARK_CHART}:NON_EXISTENT_TAG@${ARK_CHART_DIGEST}" \
@@ -76,7 +85,9 @@ helm upgrade agent "oci://${ARK_CHART}:NON_EXISTENT_TAG@${ARK_CHART_DIGEST}" \
      --set pprof.enabled=true \
      --set fullnameOverride=disco-agent \
      --set "image.digest=${ARK_IMAGE_DIGEST}" \
+     --set config.clusterName="e2e-test-cluster" \
      --set config.clusterDescription="A temporary cluster for E2E testing. Contact @wallrj-cyberark." \
+     --set config.period=60s \
      --set-json "podLabels={\"disco-agent.cyberark.cloud/test-id\": \"${RANDOM}\"}"
 
 kubectl rollout status deployments/disco-agent --namespace "${NAMESPACE}"
diff --git a/internal/cyberark/client_test.go b/internal/cyberark/client_test.go
@@ -36,7 +36,7 @@ func TestCyberArkClient_PutSnapshot_MockAPI(t *testing.T) {
 	require.NoError(t, err)
 
 	err = cl.PutSnapshot(ctx, dataupload.Snapshot{
-		ClusterID:    "success-cluster-id",
+		ClusterID:    "ffffffff-ffff-ffff-ffff-ffffffffffff",
 		AgentVersion: version.PreflightVersion,
 	})
 	require.NoError(t, err)
@@ -73,7 +73,7 @@ func TestCyberArkClient_PutSnapshot_RealAPI(t *testing.T) {
 	require.NoError(t, err)
 
 	err = cl.PutSnapshot(ctx, dataupload.Snapshot{
-		ClusterID:    "bb068932-c80d-460d-88df-34bc7f3f3297",
+		ClusterID:    "ffffffff-ffff-ffff-ffff-ffffffffffff",
 		AgentVersion: version.PreflightVersion,
 	})
 	require.NoError(t, err)
diff --git a/internal/cyberark/dataupload/dataupload_test.go b/internal/cyberark/dataupload/dataupload_test.go
@@ -35,7 +35,7 @@ func TestCyberArkClient_PutSnapshot_MockAPI(t *testing.T) {
 		{
 			name: "successful upload",
 			snapshot: dataupload.Snapshot{
-				ClusterID:    "success-cluster-id",
+				ClusterID:    "ffffffff-ffff-ffff-ffff-ffffffffffff",
 				AgentVersion: version.PreflightVersion,
 			},
 			authenticate: setToken("success-token"),
diff --git a/internal/cyberark/dataupload/mock.go b/internal/cyberark/dataupload/mock.go
@@ -22,7 +22,7 @@ import (
 const (
 	successBearerToken = "success-token"
 
-	successClusterID = "success-cluster-id"
+	successClusterID = "ffffffff-ffff-ffff-ffff-ffffffffffff"
 )
 
 type mockDataUploadServer struct {
diff --git a/pkg/client/client_cyberark_test.go b/pkg/client/client_cyberark_test.go
@@ -107,7 +107,7 @@ func fakeReadings() []*api.DataReading {
 		{
 			DataGatherer: "ark/discovery",
 			Data: &api.DiscoveryData{
-				ClusterID: "success-cluster-id",
+				ClusterID: "ffffffff-ffff-ffff-ffff-ffffffffffff",
 				ServerVersion: &k8sversion.Info{
 					GitVersion: "v1.21.0",
 				},

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func TestCyberArkClient_PutSnapshot_MockAPI(t *testing.T) {`
`35`	`35`	`{`
`36`	`36`	`name: "successful upload",`
`37`	`37`	`snapshot: dataupload.Snapshot{`
`38`		`- ClusterID: "success-cluster-id",`
	`38`	`+ ClusterID: "ffffffff-ffff-ffff-ffff-ffffffffffff",`
`39`	`39`	`AgentVersion: version.PreflightVersion,`
`40`	`40`	`},`
`41`	`41`	`authenticate: setToken("success-token"),`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ import (`
`22`	`22`	`const (`
`23`	`23`	`successBearerToken = "success-token"`
`24`	`24`
`25`		`- successClusterID = "success-cluster-id"`
	`25`	`+ successClusterID = "ffffffff-ffff-ffff-ffff-ffffffffffff"`
`26`	`26`	`)`
`27`	`27`
`28`	`28`	`type mockDataUploadServer struct {`
Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ func fakeReadings() []*api.DataReading {`
`107`	`107`	`{`
`108`	`108`	`DataGatherer: "ark/discovery",`
`109`	`109`	`Data: &api.DiscoveryData{`
`110`		`- ClusterID: "success-cluster-id",`
	`110`	`+ ClusterID: "ffffffff-ffff-ffff-ffff-ffffffffffff",`
`111`	`111`	`ServerVersion: &k8sversion.Info{`
`112`	`112`	`GitVersion: "v1.21.0",`
`113`	`113`	`},`