
Commit ec61b2a

committed
rename send secrets envvar
Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
1 parent 3568fb5 commit ec61b2a


5 files changed

+34
-22
lines changed


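--- a/deploy/charts/disco-agent/README.md
+++ b/deploy/charts/disco-agent/README.md
@@ -295,13 +295,13 @@ This cluster name will be associated with the data that the agent uploads to the
 A short description of the cluster where the agent is deployed (optional).
 
 This description will be associated with the data that the agent uploads to the Discovery and Context service. The description may include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.
-#### **config.sendSecrets** ~ `bool`
+#### **config.sendSecretValues** ~ `bool`
 > Default value:
 > ```yaml
 > false
 > ```
 
-Enable sending of Secret data to CyberArk, in addition to the metadata. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)
+Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml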

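--- a/deploy/charts/disco-agent/templates/deployment.yaml
+++ b/deploy/charts/disco-agent/templates/deployment.yaml
@@ -76,8 +76,8 @@ spec:
 name: {{ .Values.authentication.secretName }}
 key: ARK_DISCOVERY_API
 optional: true
-- name: ARK_SEND_SECRETS
-value: {{ .Values.config.sendSecrets | default "false" | quote }}
+- name: ARK_SEND_SECRET_VALUES
+value: {{ .Values.config.sendSecretValues | default "false" | quote }}
 {{- with .Values.http_proxy }}
 - name: HTTP_PROXY
 value: {{ . }}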

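--- a/deploy/charts/disco-agent/values.schema.json
+++ b/deploy/charts/disco-agent/values.schema.json
@@ -119,8 +119,8 @@
 "period": {
 "$ref": "#/$defs/helm-values.config.period"
 },
-"sendSecrets": {
-"$ref": "#/$defs/helm-values.config.sendSecrets"
+"sendSecretValues": {
+"$ref": "#/$defs/helm-values.config.sendSecretValues"
 }
 },
 "type": "object"
@@ -151,9 +151,9 @@
 "description": "Push data every 12 hours unless changed.",
 "type": "string"
 },
-"helm-values.config.sendSecrets": {
+"helm-values.config.sendSecretValues": {
 "default": false,
-"description": "Enable sending of Secret data to CyberArk, in addition to the metadata. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)",
+"description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)",
 "type": "boolean"
 },
 "helm-values.extraArgs": {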

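--- a/deploy/charts/disco-agent/values.yaml
+++ b/deploy/charts/disco-agent/values.yaml
@@ -154,11 +154,12 @@ config:
 # be communicated to the people responsible for the affected secrets.
 clusterDescription: ""
 
-# Enable sending of Secret data to CyberArk, in addition to the metadata.
+# Enable sending of Secret values to CyberArk in addition to metadata.
+# Metadata is always sent, but the actual values of Secrets are not sent by default.
 # When enabled, Secret data is encrypted using envelope encryption using
 # a key managed by CyberArk.
 # Default: false (but default will change to true for a future release)
-sendSecrets: false
+sendSecretValues: false
 
 authentication:
 secretName: agent-credentials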

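--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -31,6 +31,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/manager"
 
 "github.com/jetstack/preflight/api"
+"github.com/jetstack/preflight/internal/envelope"
 "github.com/jetstack/preflight/internal/envelope/rsa"
 "github.com/jetstack/preflight/pkg/client"
 "github.com/jetstack/preflight/pkg/datagatherer"
@@ -185,20 +186,14 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 
 // Check if secret encryption is enabled via environment variable
 // When enabled, secret data will be kept for encryption instead of being redacted
-encryptSecrets := strings.ToLower(os.Getenv("ARK_SEND_SECRETS"))
+encryptSecrets := strings.ToLower(os.Getenv("ARK_SEND_SECRET_VALUES"))
 
 if encryptSecrets == "true" {
-// TODO(@SgtCoDFish): this will fetch a key from JWKS endpoint when that endpoint is available
-key, keyID, err := rsa.LoadHardcodedPublicKey()
-if err == nil {
-encryptor, err := rsa.NewEncryptor(keyID, key)
-if err == nil {
-dynDg.Encryptor = encryptor
-} else {
-log.Error(err, "Failed to create encryptor for secret encryption, secrets will not be sent to backend")
-}
-} else {
-log.Error(err, "Failed to load public key for secret encryption, secrets will not be sent to backend")
+var err error
+
+dynDg.Encryptor, err = loadEncryptor()
+if err != nil {
+log.Error(err, "Failed to set up encryptor for secrets, secret data will not be sent")
 }
 }
 }
@@ -277,6 +272,22 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 return nil
 }
 
+// loadEncryptor sets up an encryptor for encrypting secrets. For now, it just loads a hardcoded public key
+func loadEncryptor() (envelope.Encryptor, error) {
+// TODO(@SgtCoDFish): this will eventually fetch a key from JWKS endpoint when that endpoint is available
+key, keyID, err := rsa.LoadHardcodedPublicKey()
+if err != nil {
+return nil, fmt.Errorf("failed to load public key for secret encryption: %w", err)
+}
+
+encryptor, err := rsa.NewEncryptor(keyID, key)
+if err != nil {
+return nil, fmt.Errorf("failed to create encryptor for secret encryption: %w", err)
+}
+
+return encryptor, nil
+}
+
 // Creates an event recorder for the agent's Pod object. Expects the env var
 // POD_NAME to contain the pod name. Note that the RBAC rule allowing sending
 // events is attached to the pod's service account, not the impersonated service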
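Review bot: Renaming the variable read at `encryptSecrets := strings.ToLower(os.Getenv("ARK_SEND_SECRET_VALUES"))` means any deployment that still sets the old `ARK_SEND_SECRETS=true` (an older chart release, or a hand-written manifest) now silently reverts to not sending secret values; that is the fail-closed direction, but the operator gets no signal that their explicit opt-in stopped taking effect. A short transitional check beside the new read would make that visible: `if _, set := os.LookupEnv("ARK_SEND_SECRETS"); set { log.Info("ARK_SEND_SECRETS is no longer read; set ARK_SEND_SECRET_VALUES instead") }` (assuming `log` is a logr-style logger, as the surrounding `log.Error(err, ...)` calls suggest). The local name `encryptSecrets` also no longer matches what it holds and reads as a flag about encryption rather than transmission; `sendSecretValues` would follow the naming used everywhere else in this commit. `Run` starts and ends outside this hunk.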
