add ability to send encrypted secrets to disco backend

For now, this uses a hardcoded RSA key for which I threw away the
private key, since we don't have the ability to pull JWKs yet

This also includes a few test tweaks to help make this easier, and an
example folder which produces an output.json showing how this can work

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>

Author: SgtCoDFish

.gitignore

@@ -15,3 +15,5 @@ predicate.json
 
 _bin
 .envrc
+
+examples/encrypted-secrets/output.json

README.md

@@ -34,6 +34,7 @@ go run . agent \
 > - [./agent.yaml](./agent.yaml).
 > - [./examples/one-shot-secret.yaml](./examples/one-shot-secret.yaml).
 > - [./examples/cert-manager-agent.yaml](./examples/cert-manager-agent.yaml).
+> - [./examples/encrypted-secrets](./examples/encrypted-secrets) - Send encrypted Kubernetes secrets to CyberArk.
 
 You might also want to run a local echo server to monitor requests sent by the agent:
 

deploy/charts/disco-agent/templates/deployment.yaml

@@ -76,6 +76,8 @@ spec:
                 name: {{ .Values.authentication.secretName }}
                 key: ARK_DISCOVERY_API
                 optional: true
+          - name: ARK_SEND_SECRETS
+            value: {{ .Values.config.sendSecrets | default "false" | quote }}
           {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
             value: {{ . }}

deploy/charts/disco-agent/values.yaml

@@ -154,6 +154,12 @@ config:
   # be communicated to the people responsible for the affected secrets.
   clusterDescription: ""
 
+  # Enable sending of Secret data to CyberArk, in addition to the metadata.
+  # When enabled, Secret data is encrypted using envelope encryption using
+  # a key managed by CyberArk.
+  # Default: false (but default will change to true for a future release)
+  sendSecrets: false
+
 authentication:
   secretName: agent-credentials
 

examples/encrypted-secrets/README.md

@@ -0,0 +1,47 @@
+# Encrypted Secrets Example
+
+This example demonstrates how to use the disco agent to gather Kubernetes secrets and encrypt their data fields.
+
+## Overview
+
+When the `ARK_SEND_SECRETS` environment variable is set to `"true"`, the disco agent will:
+
+0. Fetch an encryption key from the configured endpoint (if running in production) or use a local key for testing
+1. Discover Kubernetes secrets in your cluster (excluding common system secret types)
+2. Encrypt each secret's data fields using RSA envelope encryption with JWE (JSON Web Encryption) format
+3. If running in production, send the encrypted secrets to the configured endpoint; otherwise, write them to `output.json` for testing
+
+The encryption uses:
+
+- **Key Algorithm**: RSA-OAEP-256 (for encrypting the content encryption key)
+- **Content Encryption**: AES-256-GCM (for encrypting the actual secret data)
+- **Format**: JWE Compact Serialization
+
+Metadata (names, namespaces, labels, annotations) remains in plaintext for discovery purposes, while the sensitive secret data is encrypted. Some keys in Secret data fields are also preserved in the `data` section, for backwards compatibility.
+
+## Prerequisites
+
+1. A running Kubernetes cluster with secrets to discover
+3. Go installed
+
+## Configuration File
+
+The `config.yaml` file configures:
+
+- The data gatherer to collect Kubernetes secrets
+- Field selectors to exclude system secrets (service account tokens, docker configs, etc.)
+- The cluster ID and organization ID for grouping data
+
+## Running the Example
+
+Test the agent locally by running this script:
+
+```bash
+./test.sh
+```
+
+This will:
+
+- Connect to your current Kubernetes context
+- Gather all non-system secrets
+- Write the raw data to `output.json`

examples/encrypted-secrets/config.yaml

@@ -0,0 +1,41 @@
+# encrypted-secrets config.yaml
+#
+# An example configuration file demonstrating how to use the disco agent
+# to send encrypted secrets to CyberArk Discovery & Context.
+#
+# The agent will:
+# 1. Discover Kubernetes secrets in the cluster
+# 2. Encrypt the secret data fields using RSA envelope encryption (JWE format)
+# 3. Upload the encrypted secrets to CyberArk Discovery & Context
+#
+# Example usage:
+#
+#  export ARK_SUBDOMAIN="your-subdomain"
+#  export ARK_USERNAME="your-username"
+#  export ARK_SECRET="your-secret"
+#  export ARK_SEND_SECRETS="true"
+#
+#  go run . agent \
+#     --agent-config-file examples/encrypted-secrets/config.yaml \
+#     --one-shot \
+#     --output-path output.json
+#
+organization_id: "my-organization"
+cluster_id: "my_cluster"
+period: 1m
+data-gatherers:
+- kind: "k8s-dynamic"
+  name: "k8s/secrets"
+  config:
+    resource-type:
+      version: v1
+      resource: secrets
+    # Filter out common system secret types to focus on application secrets
+    field-selectors:
+    - type!=kubernetes.io/service-account-token
+    - type!=kubernetes.io/dockercfg
+    - type!=kubernetes.io/dockerconfigjson
+    - type!=kubernetes.io/basic-auth
+    - type!=kubernetes.io/ssh-auth
+    - type!=bootstrap.kubernetes.io/token
+    - type!=helm.sh/release.v1

examples/encrypted-secrets/test.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# test.sh - Test script for the encrypted secrets example
+#
+# This script demonstrates running the disco agent with encrypted secrets enabled.
+# It will run in one-shot mode and output to a local file for inspection.
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${GREEN}=== Encrypted Secrets Example Test ===${NC}\n"
+
+echo -e "${GREEN}Testing agent with Kubernetes secrets${NC}"
+echo ""
+
+# Enable encrypted secrets
+export ARK_SEND_SECRETS="true"
+
+# Check Kubernetes connectivity
+if ! kubectl cluster-info &> /dev/null; then
+    echo -e "${RED}Error: Unable to connect to Kubernetes cluster${NC}"
+    echo "Please ensure your kubeconfig is configured correctly."
+    exit 1
+fi
+
+echo -e "${GREEN}✓ Connected to Kubernetes cluster${NC}"
+CONTEXT=$(kubectl config current-context)
+echo "  Context: ${CONTEXT}"
+echo ""
+
+# Check for secrets
+SECRET_COUNT=$(kubectl get secrets --all-namespaces --no-headers 2>/dev/null | wc -l | tr -d ' ')
+echo "Found ${SECRET_COUNT} secrets in cluster"
+echo ""
+
+# Run the agent in one-shot mode with output to file
+OUTPUT_FILE="output.json"
+echo -e "${GREEN}Running disco agent with encrypted secrets enabled...${NC}"
+echo "Command: go run ../.. agent --agent-config-file config.yaml --one-shot --output-path ${OUTPUT_FILE}"
+echo ""
+
+if go run ../.. agent \
+    --agent-config-file config.yaml \
+    --one-shot \
+    --output-path "${OUTPUT_FILE}"; then
+
+    echo ""
+    echo -e "${GREEN}✓ Agent completed successfully${NC}"
+
+    # Check if output file was created
+    if [ -f "${OUTPUT_FILE}" ]; then
+        echo -e "${GREEN}✓ Output file created: ${OUTPUT_FILE}${NC}"
+    else
+        echo -e "${RED}✗ Output file was not created${NC}"
+        exit 1
+    fi
+else
+    echo ""
+    echo -e "${RED}✗ Agent failed${NC}"
+    exit 1
+fi

internal/envelope/rsa/keys.go

@@ -10,6 +10,25 @@ import (
 
 // This file contains helpers for loading keys. In practice we'll retrieve keys in some format from a DisCo endpoint
 
+const (
+	// HardcodedPublicKeyPEM contains a temporary hardcoded RSA public key (2048-bit) for envelope encryption.
+	// This is a TEMPORARY solution for initial development and testing.
+	// TODO: Replace with dynamic key fetching from CyberArk Discovery & Context API.
+	HardcodedPublicKeyPEM = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoeq+dk4aoGdV9xjrnGJt
+VbUh5jvkQgynkP+9Ph2NVeoasXWqYOmOVeKOI7Yr58W/L8Mro6C22iSEJrPFgPF6
+t+RJsLAsAY6w1Pocq16COeelAWtxhHQGXt77WQKk0kmwhOJZ4VSeiQC4hWLUnq4N
+Ft7lwLw/50opTXLuSErrwec/bEV7G/Xp11BMsHGEL7dzpwWAfIrbCEomyWrO/L6p
+O3SAgYMdfup5ddnszeCU2FbFQziOkuMLOyir91XXk8wgdSy4IGAEGpwNx88i8fuj
+Qafze2aGWUtpWlOEQPP8lH2cj2TGUgLxGITbczJRcwuGIoJBOzAmPDWi/bapj4b6
+zQIDAQAB
+-----END PUBLIC KEY-----`
+
+	// hardcodedUID is a temporary hardcoded UID associated with the hardcoded public key
+	// It was randomly generated with the macOS "uuidgen" commmand
+	hardcodedUID = "A39798E6-8CE7-4E6E-9CF6-24A3C923B3A7"
+)
+
 // LoadPublicKeyFromPEM parses an RSA public key from PEM-encoded bytes.
 // The PEM block should be of type "PUBLIC KEY" or "RSA PUBLIC KEY".
 func LoadPublicKeyFromPEM(pemBytes []byte) (*rsa.PublicKey, error) {
@@ -55,3 +74,16 @@ func LoadPublicKeyFromPEMFile(path string) (*rsa.PublicKey, error) {
 
 	return LoadPublicKeyFromPEM(pemBytes)
 }
+
+// LoadHardcodedPublicKey loads and parses the hardcoded RSA public key.
+// Returns a hardcoded UID associated with the key.
+// This is a temporary solution for initial development and testing.
+// Returns an error if the hardcoded key is invalid or cannot be parsed.
+func LoadHardcodedPublicKey() (*rsa.PublicKey, string, error) {
+	key, err := LoadPublicKeyFromPEM([]byte(HardcodedPublicKeyPEM))
+	if err != nil {
+		return nil, "", err
+	}
+
+	return key, hardcodedUID, nil
+}

internal/envelope/rsa/keys_test.go

@@ -142,3 +142,24 @@ func TestLoadPublicKeyFromPEMFile_InvalidContent(t *testing.T) {
 	require.Error(t, err)
 	require.Nil(t, key)
 }
+
+func TestLoadHardcodedPublicKey_CanBeUsedWithEncryptor(t *testing.T) {
+	// Test that the hardcoded key can be used to create an encryptor
+	// First, test that the key can be loaded successfully
+	key, uid, err := internalrsa.LoadHardcodedPublicKey()
+	require.NoError(t, err)
+	require.NotNil(t, key)
+	require.NotEmpty(t, uid)
+
+	encryptor, err := internalrsa.NewEncryptor(uid, key)
+	require.NoError(t, err)
+	require.NotNil(t, encryptor)
+
+	// Test that the encryptor can encrypt data
+	testData := []byte("test data for encryption")
+	encryptedData, err := encryptor.Encrypt(testData)
+	require.NoError(t, err)
+	require.NotNil(t, encryptedData)
+	require.NotEmpty(t, encryptedData.Data)
+	require.Equal(t, "JWE-RSA", encryptedData.Type)
+}

internal/envelope/types.go

@@ -1,11 +1,33 @@
 package envelope
 
+import "encoding/json"
+
 // EncryptedData represents encrypted data along with metadata about the encryption type.
 type EncryptedData struct {
 	// Data contains the encrypted payload
-	Data []byte
+	Data []byte `json:"data"`
 	// Type indicates the encryption format (e.g., "JWE-RSA")
-	Type string
+	Type string `json:"type"`
+}
+
+// ToMap converts the EncryptedData struct to a map representation. Since we store data as an "_encryptedData" field in
+// a Kubernetes unstructured object, passing a raw struct would cause a panic due to the behaviour of
+// https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime#DeepCopyJSONValue
+// Passing a map to unstructured.SetNestedField avoids this issue.
+func (ed *EncryptedData) ToMap() map[string]interface{} {
+	marshalled, err := json.Marshal(ed)
+	if err != nil {
+		return nil
+	}
+
+	var out map[string]any
+
+	err = json.Unmarshal(marshalled, &out)
+	if err != nil {
+		return nil
+	}
+
+	return out
 }
 
 // Encryptor performs envelope encryption on arbitrary data.