Merge pull request #770 from jetstack/sendsecrets

Add ability to send encrypted secrets to disco backend

Author: SgtCoDFish

.gitignore

@@ -15,3 +15,5 @@ predicate.json
 
 _bin
 .envrc
+
+examples/encrypted-secrets/output.json

README.md

@@ -34,6 +34,7 @@ go run . agent \
 > - [./agent.yaml](./agent.yaml).
 > - [./examples/one-shot-secret.yaml](./examples/one-shot-secret.yaml).
 > - [./examples/cert-manager-agent.yaml](./examples/cert-manager-agent.yaml).
+> - [./examples/encrypted-secrets](./examples/encrypted-secrets) - Send encrypted Kubernetes secrets to CyberArk.
 
 You might also want to run a local echo server to monitor requests sent by the agent:
 

deploy/charts/disco-agent/README.md

@@ -295,6 +295,13 @@ This cluster name will be associated with the data that the agent uploads to the
 A short description of the cluster where the agent is deployed (optional).  
   
 This description will be associated with the data that the agent uploads to the Discovery and Context service. The description may include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.
+#### **config.sendSecretValues** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml

deploy/charts/disco-agent/templates/deployment.yaml

@@ -76,6 +76,8 @@ spec:
                 name: {{ .Values.authentication.secretName }}
                 key: ARK_DISCOVERY_API
                 optional: true
+          - name: ARK_SEND_SECRET_VALUES
+            value: {{ .Values.config.sendSecretValues | default "false" | quote }}
           {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
             value: {{ . }}

deploy/charts/disco-agent/values.schema.json

@@ -118,6 +118,9 @@
         },
         "period": {
           "$ref": "#/$defs/helm-values.config.period"
+        },
+        "sendSecretValues": {
+          "$ref": "#/$defs/helm-values.config.sendSecretValues"
         }
       },
       "type": "object"
@@ -148,6 +151,11 @@
       "description": "Push data every 12 hours unless changed.",
       "type": "string"
     },
+    "helm-values.config.sendSecretValues": {
+      "default": false,
+      "description": "Enable sending of Secret values to CyberArk in addition to metadata. Metadata is always sent, but the actual values of Secrets are not sent by default. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)",
+      "type": "boolean"
+    },
     "helm-values.extraArgs": {
       "default": [],
       "description": "extraArgs:\n- --logging-format=json\n- --log-level=6 # To enable HTTP request logging",

deploy/charts/disco-agent/values.yaml

@@ -154,6 +154,13 @@ config:
   # be communicated to the people responsible for the affected secrets.
   clusterDescription: ""
 
+  # Enable sending of Secret values to CyberArk in addition to metadata.
+  # Metadata is always sent, but the actual values of Secrets are not sent by default.
+  # When enabled, Secret data is encrypted using envelope encryption using
+  # a key managed by CyberArk.
+  # Default: false (but default will change to true for a future release)
+  sendSecretValues: false
+
 authentication:
   secretName: agent-credentials
 

examples/encrypted-secrets/README.md

@@ -0,0 +1,47 @@
+# Encrypted Secrets Example
+
+This example demonstrates how to use the disco agent to gather Kubernetes secrets and encrypt their data fields.
+
+## Overview
+
+When the `ARK_SEND_SECRETS` environment variable is set to `"true"`, the disco agent will:
+
+0. Fetch an encryption key from the configured endpoint (if running in production) or use a local key for testing
+1. Discover Kubernetes secrets in your cluster (excluding common system secret types)
+2. Encrypt each secret's data fields using RSA envelope encryption with JWE (JSON Web Encryption) format
+3. If running in production, send the encrypted secrets to the configured endpoint; otherwise, write them to `output.json` for testing
+
+The encryption uses:
+
+- **Key Algorithm**: RSA-OAEP-256 (for encrypting the content encryption key)
+- **Content Encryption**: AES-256-GCM (for encrypting the actual secret data)
+- **Format**: JWE Compact Serialization
+
+Metadata (names, namespaces, labels, annotations) remains in plaintext for discovery purposes, while the sensitive secret data is encrypted. Some keys in Secret data fields are also preserved in the `data` section, for backwards compatibility.
+
+## Prerequisites
+
+1. A running Kubernetes cluster with secrets to discover
+3. Go installed
+
+## Configuration File
+
+The `config.yaml` file configures:
+
+- The data gatherer to collect Kubernetes secrets
+- Field selectors to exclude system secrets (service account tokens, docker configs, etc.)
+- The cluster ID and organization ID for grouping data
+
+## Running the Example
+
+Test the agent locally by running this script:
+
+```bash
+./test.sh
+```
+
+This will:
+
+- Connect to your current Kubernetes context
+- Gather all non-system secrets
+- Write the raw data to `output.json`

examples/encrypted-secrets/config.yaml

@@ -0,0 +1,41 @@
+# encrypted-secrets config.yaml
+#
+# An example configuration file demonstrating how to use the disco agent
+# to send encrypted secrets to CyberArk Discovery & Context.
+#
+# The agent will:
+# 1. Discover Kubernetes secrets in the cluster
+# 2. Encrypt the secret data fields using RSA envelope encryption (JWE format)
+# 3. Upload the encrypted secrets to CyberArk Discovery & Context
+#
+# Example usage:
+#
+#  export ARK_SUBDOMAIN="your-subdomain"
+#  export ARK_USERNAME="your-username"
+#  export ARK_SECRET="your-secret"
+#  export ARK_SEND_SECRETS="true"
+#
+#  go run . agent \
+#     --agent-config-file examples/encrypted-secrets/config.yaml \
+#     --one-shot \
+#     --output-path output.json
+#
+organization_id: "my-organization"
+cluster_id: "my_cluster"
+period: 1m
+data-gatherers:
+- kind: "k8s-dynamic"
+  name: "k8s/secrets"
+  config:
+    resource-type:
+      version: v1
+      resource: secrets
+    # Filter out common system secret types to focus on application secrets
+    field-selectors:
+    - type!=kubernetes.io/service-account-token
+    - type!=kubernetes.io/dockercfg
+    - type!=kubernetes.io/dockerconfigjson
+    - type!=kubernetes.io/basic-auth
+    - type!=kubernetes.io/ssh-auth
+    - type!=bootstrap.kubernetes.io/token
+    - type!=helm.sh/release.v1

examples/encrypted-secrets/test.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# test.sh - Test script for the encrypted secrets example
+#
+# This script demonstrates running the disco agent with encrypted secrets enabled.
+# It will run in one-shot mode and output to a local file for inspection.
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${GREEN}=== Encrypted Secrets Example Test ===${NC}\n"
+
+echo -e "${GREEN}Testing agent with Kubernetes secrets${NC}"
+echo ""
+
+# Enable encrypted secrets
+export ARK_SEND_SECRETS="true"
+
+# Check Kubernetes connectivity
+if ! kubectl cluster-info &> /dev/null; then
+    echo -e "${RED}Error: Unable to connect to Kubernetes cluster${NC}"
+    echo "Please ensure your kubeconfig is configured correctly."
+    exit 1
+fi
+
+echo -e "${GREEN}✓ Connected to Kubernetes cluster${NC}"
+CONTEXT=$(kubectl config current-context)
+echo "  Context: ${CONTEXT}"
+echo ""
+
+# Check for secrets
+SECRET_COUNT=$(kubectl get secrets --all-namespaces --no-headers 2>/dev/null | wc -l | tr -d ' ')
+echo "Found ${SECRET_COUNT} secrets in cluster"
+echo ""
+
+# Run the agent in one-shot mode with output to file
+OUTPUT_FILE="output.json"
+echo -e "${GREEN}Running disco agent with encrypted secrets enabled...${NC}"
+echo "Command: go run ../.. agent --agent-config-file config.yaml --one-shot --output-path ${OUTPUT_FILE}"
+echo ""
+
+if go run ../.. agent \
+    --agent-config-file config.yaml \
+    --one-shot \
+    --output-path "${OUTPUT_FILE}"; then
+
+    echo ""
+    echo -e "${GREEN}✓ Agent completed successfully${NC}"
+
+    # Check if output file was created
+    if [ -f "${OUTPUT_FILE}" ]; then
+        echo -e "${GREEN}✓ Output file created: ${OUTPUT_FILE}${NC}"
+    else
+        echo -e "${RED}✗ Output file was not created${NC}"
+        exit 1
+    fi
+else
+    echo ""
+    echo -e "${RED}✗ Agent failed${NC}"
+    exit 1
+fi

internal/cyberark/dataupload/mock.go

@@ -181,8 +181,8 @@ func (mds *mockDataUploadServer) handleSnapshotLinks(w http.ResponseWriter, r *h
 	}
 
 	// Write response body
-	w.WriteHeader(http.StatusOK)
 	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
 	_ = json.NewEncoder(w).Encode(struct {
 		URL string `json:"url"`
 	}{presignedURL})