[VC-48429] helm chart updates

Enables secret sending by default when ToS is accepted.

Also adds acceptTerms validation, which causes the chart to error out if
the value is not set.

The error looks like this:

```console
$ helm template foo ./deploy/charts/disco-agent
Error: execution error at (disco-agent/templates/deployment.yaml:2:6):

=================================================================
                Terms & Conditions Notice
=================================================================

Before installing this application, you must review and accept
the terms and conditions available at:
https://www.cyberark.com/contract-terms/

To proceed with installation, you must indicate acceptance by
setting:

  - In your values file: acceptTerms: true
  or
  - Via the Helm flag: --set acceptTerms=true

By continuing with the next command, you confirm that you have
reviewed and accepted these terms and conditions.

=================================================================
```

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>

Author: SgtCoDFish

deploy/charts/disco-agent/README.md

@@ -91,6 +91,13 @@ kubectl logs deployments/disco-agent --namespace "${NAMESPACE}" --follow
 > ```
 
 This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+#### **acceptTerms** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+Must be set to indicate that you have read and accepted the CyberArk Terms of Service. If false, the helm chart will fail to install and will print a message with instructions on how to accept the TOS.
 #### **image.repository** ~ `string`
 > Default value:
 > ```yaml
@@ -298,10 +305,11 @@ This description will be associated with the data that the agent uploads to the
 #### **config.sendSecretValues** ~ `bool`
 > Default value:
 > ```yaml
-> false
+> true
 > ```
 
-Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)
+Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service.  
+Default: true
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml

deploy/charts/disco-agent/templates/deployment.yaml

@@ -1,3 +1,6 @@
+{{- if not .Values.acceptTerms }}
+  {{- fail "\n\n=================================================================\n                Terms & Conditions Notice\n=================================================================\n\nBefore installing this application, you must review and accept\nthe terms and conditions available at:\nhttps://www.cyberark.com/contract-terms/\n\nTo proceed with installation, you must indicate acceptance by\nsetting:\n\n  - In your values file: acceptTerms: true\n  or\n  - Via the Helm flag: --set acceptTerms=true\n\nBy continuing with the next command, you confirm that you have\nreviewed and accepted these terms and conditions.\n\n=================================================================\n" }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

deploy/charts/disco-agent/values.schema.json

@@ -3,6 +3,9 @@
     "helm-values": {
       "additionalProperties": false,
       "properties": {
+        "acceptTerms": {
+          "$ref": "#/$defs/helm-values.acceptTerms"
+        },
         "affinity": {
           "$ref": "#/$defs/helm-values.affinity"
         },
@@ -84,6 +87,11 @@
       },
       "type": "object"
     },
+    "helm-values.acceptTerms": {
+      "default": false,
+      "description": "Must be set to indicate that you have read and accepted the CyberArk Terms of Service. If false, the helm chart will fail to install and will print a message with instructions on how to accept the TOS.",
+      "type": "boolean"
+    },
     "helm-values.affinity": {
       "default": {},
       "type": "object"
@@ -152,8 +160,8 @@
       "type": "string"
     },
     "helm-values.config.sendSecretValues": {
-      "default": false,
-      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)",
+      "default": true,
+      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service.\nDefault: true",
       "type": "boolean"
     },
     "helm-values.extraArgs": {

deploy/charts/disco-agent/values.yaml

@@ -5,6 +5,9 @@
 # This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
 replicaCount: 1
 
+# Must be set to indicate that you have read and accepted the CyberArk Terms of Service. If false, the helm chart will fail to install and will print a message with instructions on how to accept the TOS.
+acceptTerms: false
+
 # This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
 image:
   repository: ""
@@ -157,9 +160,9 @@ config:
   # Enable sending of Secret values to CyberArk in addition to metadata.
   # Metadata is always sent, but the actual values of Secrets are not sent by default.
   # When enabled, Secret data is encrypted using envelope encryption using
-  # a key managed by CyberArk.
-  # Default: false (but default will change to true for a future release)
-  sendSecretValues: false
+  # a key managed by CyberArk, fetched from the Discovery and Context service.
+  # Default: true
+  sendSecretValues: true
 
 authentication:
   secretName: agent-credentials

hack/ark/test-e2e.sh

@@ -101,7 +101,6 @@ kubectl apply -f "${root_dir}/hack/ark/cluster-external-secret.yaml"
 
 # We use a non-existent tag and omit the `--version` flag, to work around a Helm
 # v4 bug. See: https://github.com/helm/helm/issues/31600
-# TODO: shouldn't need to set config.sendSecretValues because it will default to true in future
 helm upgrade agent "oci://${ARK_CHART}:NON_EXISTENT_TAG@${ARK_CHART_DIGEST}" \
      --install \
      --wait \
@@ -114,7 +113,7 @@ helm upgrade agent "oci://${ARK_CHART}:NON_EXISTENT_TAG@${ARK_CHART_DIGEST}" \
      --set config.clusterName="e2e-test-cluster" \
      --set config.clusterDescription="A temporary cluster for E2E testing. Contact @wallrj-cyberark." \
      --set config.period=60s \
-     --set config.sendSecretValues=true \
+	 --set acceptTerms=true \
      --set-json "podLabels={\"disco-agent.cyberark.cloud/test-id\": \"${RANDOM}\"}"
 
 kubectl rollout status deployments/disco-agent --namespace "${NAMESPACE}"

make/ark/02_mod.mk

@@ -47,7 +47,7 @@ ark-test-e2e: $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_HELM)
 ## Verify the Helm chart
 ## @category CyberArk Discovery and Context
 ark-verify:
-	$(MAKE) verify-helm-lint verify-helm-values verify-pod-security-standards verify-helm-kubeconform \
+	INSTALL_OPTIONS="--set acceptTerms=true" $(MAKE) verify-helm-lint verify-helm-values verify-pod-security-standards verify-helm-kubeconform \
 		helm_chart_source_dir=deploy/charts/disco-agent \
 		helm_chart_image_name=$(ARK_CHART)