Add support for fetching keys from a JWKS endpoint#777
Merged
SgtCoDFish merged 2 commits intomasterfrom Feb 27, 2026
Merged
Conversation
SgtCoDFish
force-pushed
the
keyfetch
branch
20 times, most recently
from
49fefca to
0337378
Compare
This requires changing a few function signatures and plumbing some things together. Notably, I don't want to have a second service discovery client and send duplicate calls off, so I shared the service discovery client from the CyberArk client and added caching of responses to the service discovery client. I also had to share credentials for auth. Also removes encrypted-secrets example The machinehub mode is required for key fetching, but doesn't play nicely with one shot mode and the example hangs. Secret encryption is covered in the e2e tests, so just remove the example for simplicity Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
wallrj-cyberark
approved these changes
Feb 27, 2026
Member
wallrj-cyberark
left a comment
wallrj-cyberark
left a comment
There was a problem hiding this comment.
Thanks @SgtCoDFish
Looks good to me.
We've been discussing this internally, in a slack thread: C057LS7JRLP/p1772021916784319
I tested the code on my laptop, as follows
mitmproxy
kind create cluster
kubectl create secret generic e2e-sample-secret-$(date '+%s') --namespace default --from-literal=username=${RANDOM}
ARK_SEND_SECRET_VALUES=true \
NO_PROXY=0.0.0.0:38601 \
HTTPS_PROXY=localhost:8080 \
go run ./cmd/ark/... agent --one-shot --machine-hub --agent-config-file examples/machinehub.yaml
There are two authentications, one for the jwks client which is used early in the collection process and one for the snapshot client which is used later in the upload process.
Happy to review followup PRs if necessary.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This requires changing a few function signatures and plumbing some things together.
Notably, I don't want to have a second service discovery client and send duplicate calls off, so I shared the service discovery client from the CyberArk client and added caching of responses to the service discovery client.
Likewise, I needed to handle auth for the jwks endpoint. I'd rather not have to have a second identity client (we could just have one) but this works for now.
Unfortunately, that means this is much longer than I'd have hoped but most of the changes are pretty simple.