Upload OIDC discovery data to disco backend

[inteon]

This PR adds OIDC discovery data upload functionality to the disco-agent.

The data gatherer itself was added in #758.

The following script can be used to test this PR (NOTE: I intentionally made the openid-discovery endpoint fail):

#!/bin/bash kubectl delete clusterrolebinding system:service-account-issuer-discovery ||true cat <<EOF | kubectl apply -f -apiVersion: v1kind: ServiceAccountmetadata: name: read-only-user---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata: namespace: default name: read-only-rolerules:- nonResourceURLs: - /openid/v1/jwks - /openid/v1/jwks/ verbs: - get---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata: name: read-only-bindingsubjects:- kind: ServiceAccount name: read-only-user namespace: defaultroleRef: kind: ClusterRole name: read-only-role apiGroup: rbac.authorization.k8s.ioEOF cat <<EOF > read-only-kubeconfig.yamlapiVersion: v1kind: Configclusters:- cluster: certificate-authority-data: $(kubectl config view --raw -o jsonpath="{.clusters[0].cluster.certificate-authority-data}") server: $(kubectl config view --raw -o jsonpath="{.clusters[0].cluster.server}") name: kubernetescontexts:- context: cluster: kubernetes user: read-only-user name: read-only-contextcurrent-context: read-only-contextusers:- name: read-only-user user: token: $(kubectl create token read-only-user --duration=24h)EOF KUBECONFIG=$(pwd)/read-only-kubeconfig.yaml \ go run . agent \ --agent-config-file examples/one-shot-oidc.yaml \ --one-shot \ --output-path output.json cat output.json

[Copilot]

Pull request overview

This PR adds OIDC discovery data collection and upload functionality to the disco-agent. The agent now gathers OpenID Connect configuration and JWKS (JSON Web Key Set) information from the Kubernetes API server's well-known OIDC endpoints and uploads this data to the CyberArk backend.

Changes:

• Introduced a new OIDC data gatherer that fetches OIDC configuration from /.well-known/openid-configuration and JWKS from /openid/v1/jwks endpoints
• Modified the OIDC data gatherer to return a pointer to OIDCDiscoveryData instead of a value, consistent with other data gatherers
• Added OIDC fields to the CyberArk snapshot structure for data upload
• Configured the OIDC gatherer in the default agent deployment templates

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/datagatherer/oidc/oidc.go	Changed return type from value to pointer for consistency with other data gatherers
pkg/datagatherer/oidc/oidc_test.go	Updated type assertions to handle pointer type
api/datareading.go	Added OIDCDiscoveryData type to the unmarshal priority list
pkg/client/client_cyberark.go	Added extractOIDCFromReading function and registered it in defaultExtractorFunctions
pkg/client/client_cyberark_test.go	Added OIDC test data with error scenarios
internal/cyberark/dataupload/dataupload.go	Added OIDC-related fields to the Snapshot struct
examples/machinehub.yaml	Added OIDC gatherer configuration example
examples/machinehub/input.json	Added example OIDC data with configuration and JWKS
deploy/charts/disco-agent/templates/configmap.yaml	Enabled OIDC gatherer in default configuration
deploy/charts/disco-agent/tests/snapshot/configmap_test.yaml.snap	Updated test snapshots to include OIDC gatherer

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.