From 961ed0cd719504371fc9ef3642e23bcc3006fcc6 Mon Sep 17 00:00:00 2001
From: Ashley Davis <ashley.davis@cyberark.com>
Date: Tue, 10 Mar 2026 15:00:29 +0000
Subject: [PATCH 1/2] make upgrade-klone to bump go to 1.26.1

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
---
 klone.yaml                   | 22 +++++++++++-----------
 make/_shared/tools/00_mod.mk | 10 +++++-----
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/klone.yaml b/klone.yaml
index 13135d6e..587aa983 100644
--- a/klone.yaml
+++ b/klone.yaml
@@ -10,55 +10,55 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 55974d81000a5135b824a5534a30858203fbfdb6
+      repo_hash: db3f643e1aa63fc2873731249f9aabf777fb86aa
       repo_path: modules/tools
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
index 464e7911..b7fc2431 100644
--- a/make/_shared/tools/00_mod.mk
+++ b/make/_shared/tools/00_mod.mk
@@ -221,7 +221,7 @@ tools += $(ADDITIONAL_TOOLS)
 
 # https://go.dev/dl/
 # renovate: datasource=golang-version packageName=go
-VENDORED_GO_VERSION := 1.26.0
+VENDORED_GO_VERSION := 1.26.1
 
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
@@ -468,10 +468,10 @@ $(call for_each_kv,go_dependency,$(go_dependencies))
 # File downloads #
 ##################
 
-go_linux_amd64_SHA256SUM=aac1b08a0fb0c4e0a7c1555beb7b59180b05dfc5a3d62e40e9de90cd42f88235
-go_linux_arm64_SHA256SUM=bd03b743eb6eb4193ea3c3fd3956546bf0e3ca5b7076c8226334afe6b75704cd
-go_darwin_amd64_SHA256SUM=1ca28b7703cbea05a65b2a1d92d6b308610ef92f8824578a0874f2e60c9d5a22
-go_darwin_arm64_SHA256SUM=b1640525dfe68f066d56f200bef7bf4dce955a1a893bd061de6754c211431023
+go_linux_amd64_SHA256SUM=031f088e5d955bab8657ede27ad4e3bc5b7c1ba281f05f245bcc304f327c987a
+go_linux_arm64_SHA256SUM=a290581cfe4fe28ddd737dde3095f3dbeb7f2e4065cab4eae44dfc53b760c2f7
+go_darwin_amd64_SHA256SUM=65773dab2f8cc4cd23d93ba6d0a805de150ca0b78378879292be0b903b8cdd08
+go_darwin_arm64_SHA256SUM=353df43a7811ce284c8938b5f3c7df40b7bfb6f56cb165b150bc40b5e2dd541f
 
 .PRECIOUS: $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
 $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools

From f047920d2f9a1bd3673fcb0929064b1a303a7626 Mon Sep 17 00:00:00 2001
From: Ashley Davis <ashley.davis@cyberark.com>
Date: Tue, 10 Mar 2026 15:02:24 +0000
Subject: [PATCH 2/2] temporary: disable sendSecretValues by default

In the long run, this should default to true. For now, while
the DisCo backend finishes the backend work, disable it and
print a warning when it's enabled

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
---
 deploy/charts/disco-agent/README.md           | 5 ++---
 deploy/charts/disco-agent/templates/NOTES.txt | 5 +++++
 deploy/charts/disco-agent/values.schema.json  | 4 ++--
 deploy/charts/disco-agent/values.yaml         | 5 +++--
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/deploy/charts/disco-agent/README.md b/deploy/charts/disco-agent/README.md
index f548bdba..19310ee6 100644
--- a/deploy/charts/disco-agent/README.md
+++ b/deploy/charts/disco-agent/README.md
@@ -348,11 +348,10 @@ This description will be associated with the data that the agent uploads to the
 #### **config.sendSecretValues** ~ `bool`
 > Default value:
 > ```yaml
-> true
+> false
 > ```
 
-Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service.  
-Default: true
+Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service. This value will default to "true" in a future release when further updates have been made to the Discovery and Context backend.
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml
diff --git a/deploy/charts/disco-agent/templates/NOTES.txt b/deploy/charts/disco-agent/templates/NOTES.txt
index 2aea6a74..2825c624 100644
--- a/deploy/charts/disco-agent/templates/NOTES.txt
+++ b/deploy/charts/disco-agent/templates/NOTES.txt
@@ -7,3 +7,8 @@ APP VERSION: {{ .Chart.AppVersion }}
 
 - Check the application logs for successful connection to the platform:
 > kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+{{ if .Values.config.sendSecretValues }}
+WARNING: sendSecretValues is not finalised and is subject to breaking changes in the future.
+It should be enabled only for testing and validation.
+{{ end }}
diff --git a/deploy/charts/disco-agent/values.schema.json b/deploy/charts/disco-agent/values.schema.json
index 083d26ef..68fb432c 100644
--- a/deploy/charts/disco-agent/values.schema.json
+++ b/deploy/charts/disco-agent/values.schema.json
@@ -166,8 +166,8 @@
       "type": "string"
     },
     "helm-values.config.sendSecretValues": {
-      "default": true,
-      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service.\nDefault: true",
+      "default": false,
+      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk, fetched from the Discovery and Context service. This value will default to \"true\" in a future release when further updates have been made to the Discovery and Context backend.",
       "type": "boolean"
     },
     "helm-values.extraArgs": {
diff --git a/deploy/charts/disco-agent/values.yaml b/deploy/charts/disco-agent/values.yaml
index a82dabf9..229fc7ce 100644
--- a/deploy/charts/disco-agent/values.yaml
+++ b/deploy/charts/disco-agent/values.yaml
@@ -200,8 +200,9 @@ config:
   # Metadata is always sent, but the actual values of Secrets are not sent by default.
   # When enabled, Secret data is encrypted using envelope encryption using
   # a key managed by CyberArk, fetched from the Discovery and Context service.
-  # Default: true
-  sendSecretValues: true
+  # This value will default to "true" in a future release when further updates have been
+  # made to the Discovery and Context backend.
+  sendSecretValues: false
 
 authentication:
   secretName: agent-credentials