rename send secrets envvar

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>

Author: SgtCoDFish

deploy/charts/disco-agent/README.md

@@ -295,13 +295,13 @@ This cluster name will be associated with the data that the agent uploads to the
 A short description of the cluster where the agent is deployed (optional).  
   
 This description will be associated with the data that the agent uploads to the Discovery and Context service. The description may include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.
-#### **config.sendSecrets** ~ `bool`
+#### **config.sendSecretValues** ~ `bool`
 > Default value:
 > ```yaml
 > false
 > ```
 
-Enable sending of Secret data to CyberArk, in addition to the metadata. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)
+Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml

deploy/charts/disco-agent/templates/deployment.yaml

@@ -76,8 +76,8 @@ spec:
                 name: {{ .Values.authentication.secretName }}
                 key: ARK_DISCOVERY_API
                 optional: true
-          - name: ARK_SEND_SECRETS
-            value: {{ .Values.config.sendSecrets | default "false" | quote }}
+          - name: ARK_SEND_SECRET_VALUES
+            value: {{ .Values.config.sendSecretValues | default "false" | quote }}
           {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
             value: {{ . }}

deploy/charts/disco-agent/values.schema.json

@@ -119,8 +119,8 @@
         "period": {
           "$ref": "#/$defs/helm-values.config.period"
         },
-        "sendSecrets": {
-          "$ref": "#/$defs/helm-values.config.sendSecrets"
+        "sendSecretValues": {
+          "$ref": "#/$defs/helm-values.config.sendSecretValues"
         }
       },
       "type": "object"
@@ -151,9 +151,9 @@
       "description": "Push data every 12 hours unless changed.",
       "type": "string"
     },
-    "helm-values.config.sendSecrets": {
+    "helm-values.config.sendSecretValues": {
       "default": false,
-      "description": "Enable sending of Secret data to CyberArk, in addition to the metadata. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)",
+      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)",
       "type": "boolean"
     },
     "helm-values.extraArgs": {

deploy/charts/disco-agent/values.yaml

@@ -154,11 +154,12 @@ config:
   # be communicated to the people responsible for the affected secrets.
   clusterDescription: ""
 
-  # Enable sending of Secret data to CyberArk, in addition to the metadata.
+  # Enable sending of Secret values to CyberArk in addition to metadata.
+  # Metadata is always sent, but the actual values of Secrets are not sent by default.
   # When enabled, Secret data is encrypted using envelope encryption using
   # a key managed by CyberArk.
   # Default: false (but default will change to true for a future release)
-  sendSecrets: false
+  sendSecretValues: false
 
 authentication:
   secretName: agent-credentials

pkg/agent/run.go

@@ -31,6 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/internal/envelope"
 	"github.com/jetstack/preflight/internal/envelope/rsa"
 	"github.com/jetstack/preflight/pkg/client"
 	"github.com/jetstack/preflight/pkg/datagatherer"
@@ -185,20 +186,14 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 
 			// Check if secret encryption is enabled via environment variable
 			// When enabled, secret data will be kept for encryption instead of being redacted
-			encryptSecrets := strings.ToLower(os.Getenv("ARK_SEND_SECRETS"))
+			encryptSecrets := strings.ToLower(os.Getenv("ARK_SEND_SECRET_VALUES"))
 
 			if encryptSecrets == "true" {
-				// TODO(@SgtCoDFish): this will fetch a key from JWKS endpoint when that endpoint is available
-				key, keyID, err := rsa.LoadHardcodedPublicKey()
-				if err == nil {
-					encryptor, err := rsa.NewEncryptor(keyID, key)
-					if err == nil {
-						dynDg.Encryptor = encryptor
-					} else {
-						log.Error(err, "Failed to create encryptor for secret encryption, secrets will not be sent to backend")
-					}
-				} else {
-					log.Error(err, "Failed to load public key for secret encryption, secrets will not be sent to backend")
+				var err error
+
+				dynDg.Encryptor, err = loadEncryptor()
+				if err != nil {
+					log.Error(err, "Failed to set up encryptor for secrets, secret data will not be sent")
 				}
 			}
 		}
@@ -277,6 +272,22 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 	return nil
 }
 
+// loadEncryptor sets up an encryptor for encrypting secrets. For now, it just loads a hardcoded public key
+func loadEncryptor() (envelope.Encryptor, error) {
+	// TODO(@SgtCoDFish): this will eventually fetch a key from JWKS endpoint when that endpoint is available
+	key, keyID, err := rsa.LoadHardcodedPublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load public key for secret encryption: %w", err)
+	}
+
+	encryptor, err := rsa.NewEncryptor(keyID, key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create encryptor for secret encryption: %w", err)
+	}
+
+	return encryptor, nil
+}
+
 // Creates an event recorder for the agent's Pod object. Expects the env var
 // POD_NAME to contain the pod name. Note that the RBAC rule allowing sending
 // events is attached to the pod's service account, not the impersonated service