add ability to send encrypted secrets to disco backend

SgtCoDFish · SgtCoDFish · commit de4401536b24 · 2026-02-10T13:15:55.000Z
For now, this uses a hardcoded RSA key for which I threw away the
private key, since we don't have the ability to pull JWKs yet

This also includes a few test tweaks to help make this easier, and an
example folder which produces an output.json showing how this can work

Signed-off-by: Ashley Davis &lt;ashley.davis@cyberark.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -15,3 +15,5 @@ predicate.json
 
 _bin
 .envrc
+
+examples/encrypted-secrets/output.json
diff --git a/README.md b/README.md
@@ -34,6 +34,7 @@ go run . agent \
 > - [./agent.yaml](./agent.yaml).
 > - [./examples/one-shot-secret.yaml](./examples/one-shot-secret.yaml).
 > - [./examples/cert-manager-agent.yaml](./examples/cert-manager-agent.yaml).
+> - [./examples/encrypted-secrets](./examples/encrypted-secrets) - Send encrypted Kubernetes secrets to CyberArk.
 
 You might also want to run a local echo server to monitor requests sent by the agent:
 
diff --git a/deploy/charts/disco-agent/README.md b/deploy/charts/disco-agent/README.md
@@ -295,6 +295,13 @@ This cluster name will be associated with the data that the agent uploads to the
 A short description of the cluster where the agent is deployed (optional).  
   
 This description will be associated with the data that the agent uploads to the Discovery and Context service. The description may include contact information such as the email address of the cluster administrator, so that any problems and risks identified by the Discovery and Context service can be communicated to the people responsible for the affected secrets.
+#### **config.sendSecrets** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+Enable sending of Secret data to CyberArk, in addition to the metadata. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)
 #### **authentication.secretName** ~ `string`
 > Default value:
 > ```yaml
diff --git a/deploy/charts/disco-agent/templates/deployment.yaml b/deploy/charts/disco-agent/templates/deployment.yaml
@@ -76,6 +76,8 @@ spec:
                 name: {{ .Values.authentication.secretName }}
                 key: ARK_DISCOVERY_API
                 optional: true
+          - name: ARK_SEND_SECRETS
+            value: {{ .Values.config.sendSecrets | default "false" | quote }}
           {{- with .Values.http_proxy }}
           - name: HTTP_PROXY
             value: {{ . }}
diff --git a/deploy/charts/disco-agent/values.schema.json b/deploy/charts/disco-agent/values.schema.json
@@ -118,6 +118,9 @@
         },
         "period": {
           "$ref": "#/$defs/helm-values.config.period"
+        },
+        "sendSecrets": {
+          "$ref": "#/$defs/helm-values.config.sendSecrets"
         }
       },
       "type": "object"
@@ -148,6 +151,11 @@
       "description": "Push data every 12 hours unless changed.",
       "type": "string"
     },
+    "helm-values.config.sendSecrets": {
+      "default": false,
+      "description": "Enable sending of Secret data to CyberArk, in addition to the metadata. When enabled, Secret data is encrypted using envelope encryption using a key managed by CyberArk. Default: false (but default will change to true for a future release)",
+      "type": "boolean"
+    },
     "helm-values.extraArgs": {
       "default": [],
       "description": "extraArgs:\n- --logging-format=json\n- --log-level=6 # To enable HTTP request logging",
diff --git a/deploy/charts/disco-agent/values.yaml b/deploy/charts/disco-agent/values.yaml
@@ -154,6 +154,12 @@ config:
   # be communicated to the people responsible for the affected secrets.
   clusterDescription: ""
 
+  # Enable sending of Secret data to CyberArk, in addition to the metadata.
+  # When enabled, Secret data is encrypted using envelope encryption using
+  # a key managed by CyberArk.
+  # Default: false (but default will change to true for a future release)
+  sendSecrets: false
+
 authentication:
   secretName: agent-credentials
 
diff --git a/examples/encrypted-secrets/README.md b/examples/encrypted-secrets/README.md
@@ -0,0 +1,47 @@
+# Encrypted Secrets Example
+
+This example demonstrates how to use the disco agent to gather Kubernetes secrets and encrypt their data fields.
+
+## Overview
+
+When the `ARK_SEND_SECRETS` environment variable is set to `"true"`, the disco agent will:
+
+0. Fetch an encryption key from the configured endpoint (if running in production) or use a local key for testing
+1. Discover Kubernetes secrets in your cluster (excluding common system secret types)
+2. Encrypt each secret's data fields using RSA envelope encryption with JWE (JSON Web Encryption) format
+3. If running in production, send the encrypted secrets to the configured endpoint; otherwise, write them to `output.json` for testing
+
+The encryption uses:
+
+- **Key Algorithm**: RSA-OAEP-256 (for encrypting the content encryption key)
+- **Content Encryption**: AES-256-GCM (for encrypting the actual secret data)
+- **Format**: JWE Compact Serialization
+
+Metadata (names, namespaces, labels, annotations) remains in plaintext for discovery purposes, while the sensitive secret data is encrypted. Some keys in Secret data fields are also preserved in the `data` section, for backwards compatibility.
+
+## Prerequisites
+
+1. A running Kubernetes cluster with secrets to discover
+3. Go installed
+
+## Configuration File
+
+The `config.yaml` file configures:
+
+- The data gatherer to collect Kubernetes secrets
+- Field selectors to exclude system secrets (service account tokens, docker configs, etc.)
+- The cluster ID and organization ID for grouping data
+
+## Running the Example
+
+Test the agent locally by running this script:
+
+```bash
+./test.sh
+```
+
+This will:
+
+- Connect to your current Kubernetes context
+- Gather all non-system secrets
+- Write the raw data to `output.json`
diff --git a/examples/encrypted-secrets/config.yaml b/examples/encrypted-secrets/config.yaml
@@ -0,0 +1,41 @@
+# encrypted-secrets config.yaml
+#
+# An example configuration file demonstrating how to use the disco agent
+# to send encrypted secrets to CyberArk Discovery & Context.
+#
+# The agent will:
+# 1. Discover Kubernetes secrets in the cluster
+# 2. Encrypt the secret data fields using RSA envelope encryption (JWE format)
+# 3. Upload the encrypted secrets to CyberArk Discovery & Context
+#
+# Example usage:
+#
+#  export ARK_SUBDOMAIN="your-subdomain"
+#  export ARK_USERNAME="your-username"
+#  export ARK_SECRET="your-secret"
+#  export ARK_SEND_SECRETS="true"
+#
+#  go run . agent \
+#     --agent-config-file examples/encrypted-secrets/config.yaml \
+#     --one-shot \
+#     --output-path output.json
+#
+organization_id: "my-organization"
+cluster_id: "my_cluster"
+period: 1m
+data-gatherers:
+- kind: "k8s-dynamic"
+  name: "k8s/secrets"
+  config:
+    resource-type:
+      version: v1
+      resource: secrets
+    # Filter out common system secret types to focus on application secrets
+    field-selectors:
+    - type!=kubernetes.io/service-account-token
+    - type!=kubernetes.io/dockercfg
+    - type!=kubernetes.io/dockerconfigjson
+    - type!=kubernetes.io/basic-auth
+    - type!=kubernetes.io/ssh-auth
+    - type!=bootstrap.kubernetes.io/token
+    - type!=helm.sh/release.v1
diff --git a/examples/encrypted-secrets/test.sh b/examples/encrypted-secrets/test.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# test.sh - Test script for the encrypted secrets example
+#
+# This script demonstrates running the disco agent with encrypted secrets enabled.
+# It will run in one-shot mode and output to a local file for inspection.
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${GREEN}=== Encrypted Secrets Example Test ===${NC}\n"
+
+echo -e "${GREEN}Testing agent with Kubernetes secrets${NC}"
+echo ""
+
+# Enable encrypted secrets
+export ARK_SEND_SECRETS="true"
+
+# Check Kubernetes connectivity
+if ! kubectl cluster-info &> /dev/null; then
+    echo -e "${RED}Error: Unable to connect to Kubernetes cluster${NC}"
+    echo "Please ensure your kubeconfig is configured correctly."
+    exit 1
+fi
+
+echo -e "${GREEN}✓ Connected to Kubernetes cluster${NC}"
+CONTEXT=$(kubectl config current-context)
+echo "  Context: ${CONTEXT}"
+echo ""
+
+# Check for secrets
+SECRET_COUNT=$(kubectl get secrets --all-namespaces --no-headers 2>/dev/null | wc -l | tr -d ' ')
+echo "Found ${SECRET_COUNT} secrets in cluster"
+echo ""
+
+# Run the agent in one-shot mode with output to file
+OUTPUT_FILE="output.json"
+echo -e "${GREEN}Running disco agent with encrypted secrets enabled...${NC}"
+echo "Command: go run ../.. agent --agent-config-file config.yaml --one-shot --output-path ${OUTPUT_FILE}"
+echo ""
+
+if go run ../.. agent \
+    --agent-config-file config.yaml \
+    --one-shot \
+    --output-path "${OUTPUT_FILE}"; then
+
+    echo ""
+    echo -e "${GREEN}✓ Agent completed successfully${NC}"
+
+    # Check if output file was created
+    if [ -f "${OUTPUT_FILE}" ]; then
+        echo -e "${GREEN}✓ Output file created: ${OUTPUT_FILE}${NC}"
+    else
+        echo -e "${RED}✗ Output file was not created${NC}"
+        exit 1
+    fi
+else
+    echo ""
+    echo -e "${RED}✗ Agent failed${NC}"
+    exit 1
+fi
diff --git a/internal/envelope/rsa/keys.go b/internal/envelope/rsa/keys.go
@@ -10,6 +10,25 @@ import (
 
 // This file contains helpers for loading keys. In practice we'll retrieve keys in some format from a DisCo endpoint
 
+const (
+	// HardcodedPublicKeyPEM contains a temporary hardcoded RSA public key (2048-bit) for envelope encryption.
+	// This is a TEMPORARY solution for initial development and testing.
+	// TODO: Replace with dynamic key fetching from CyberArk Discovery & Context API.
+	HardcodedPublicKeyPEM = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoeq+dk4aoGdV9xjrnGJt
+VbUh5jvkQgynkP+9Ph2NVeoasXWqYOmOVeKOI7Yr58W/L8Mro6C22iSEJrPFgPF6
+t+RJsLAsAY6w1Pocq16COeelAWtxhHQGXt77WQKk0kmwhOJZ4VSeiQC4hWLUnq4N
+Ft7lwLw/50opTXLuSErrwec/bEV7G/Xp11BMsHGEL7dzpwWAfIrbCEomyWrO/L6p
+O3SAgYMdfup5ddnszeCU2FbFQziOkuMLOyir91XXk8wgdSy4IGAEGpwNx88i8fuj
+Qafze2aGWUtpWlOEQPP8lH2cj2TGUgLxGITbczJRcwuGIoJBOzAmPDWi/bapj4b6
+zQIDAQAB
+-----END PUBLIC KEY-----`
+
+	// hardcodedUID is a temporary hardcoded UID associated with the hardcoded public key
+	// It was randomly generated with the macOS "uuidgen" command
+	hardcodedUID = "A39798E6-8CE7-4E6E-9CF6-24A3C923B3A7"
+)
+
 // LoadPublicKeyFromPEM parses an RSA public key from PEM-encoded bytes.
 // The PEM block should be of type "PUBLIC KEY" or "RSA PUBLIC KEY".
 func LoadPublicKeyFromPEM(pemBytes []byte) (*rsa.PublicKey, error) {
@@ -55,3 +74,16 @@ func LoadPublicKeyFromPEMFile(path string) (*rsa.PublicKey, error) {
 
 	return LoadPublicKeyFromPEM(pemBytes)
 }
+
+// LoadHardcodedPublicKey loads and parses the hardcoded RSA public key.
+// Returns a hardcoded UID associated with the key.
+// This is a temporary solution for initial development and testing.
+// Returns an error if the hardcoded key is invalid or cannot be parsed.
+func LoadHardcodedPublicKey() (*rsa.PublicKey, string, error) {
+	key, err := LoadPublicKeyFromPEM([]byte(HardcodedPublicKeyPEM))
+	if err != nil {
+		return nil, "", err
+	}
+
+	return key, hardcodedUID, nil
+}
diff --git a/internal/envelope/rsa/keys_test.go b/internal/envelope/rsa/keys_test.go
@@ -142,3 +142,24 @@ func TestLoadPublicKeyFromPEMFile_InvalidContent(t *testing.T) {
 	require.Error(t, err)
 	require.Nil(t, key)
 }
+
+func TestLoadHardcodedPublicKey_CanBeUsedWithEncryptor(t *testing.T) {
+	// Test that the hardcoded key can be used to create an encryptor
+	// First, test that the key can be loaded successfully
+	key, uid, err := internalrsa.LoadHardcodedPublicKey()
+	require.NoError(t, err)
+	require.NotNil(t, key)
+	require.NotEmpty(t, uid)
+
+	encryptor, err := internalrsa.NewEncryptor(uid, key)
+	require.NoError(t, err)
+	require.NotNil(t, encryptor)
+
+	// Test that the encryptor can encrypt data
+	testData := []byte("test data for encryption")
+	encryptedData, err := encryptor.Encrypt(testData)
+	require.NoError(t, err)
+	require.NotNil(t, encryptedData)
+	require.NotEmpty(t, encryptedData.Data)
+	require.Equal(t, "JWE-RSA", encryptedData.Type)
+}
diff --git a/internal/envelope/types.go b/internal/envelope/types.go
@@ -1,11 +1,33 @@
 package envelope
 
+import "encoding/json"
+
 // EncryptedData represents encrypted data along with metadata about the encryption type.
 type EncryptedData struct {
 	// Data contains the encrypted payload
-	Data []byte
+	Data []byte `json:"data"`
 	// Type indicates the encryption format (e.g., "JWE-RSA")
-	Type string
+	Type string `json:"type"`
+}
+
+// ToMap converts the EncryptedData struct to a map representation. Since we store data as an "_encryptedData" field in
+// a Kubernetes unstructured object, passing a raw struct would cause a panic due to the behaviour of
+// https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime#DeepCopyJSONValue
+// Passing a map to unstructured.SetNestedField avoids this issue.
+func (ed *EncryptedData) ToMap() map[string]any {
+	marshalled, err := json.Marshal(ed)
+	if err != nil {
+		return nil
+	}
+
+	var out map[string]any
+
+	err = json.Unmarshal(marshalled, &out)
+	if err != nil {
+		return nil
+	}
+
+	return out
 }
 
 // Encryptor performs envelope encryption on arbitrary data.
diff --git a/pkg/agent/run.go b/pkg/agent/run.go
@@ -31,6 +31,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/internal/envelope/rsa"
 	"github.com/jetstack/preflight/pkg/client"
 	"github.com/jetstack/preflight/pkg/datagatherer"
 	"github.com/jetstack/preflight/pkg/datagatherer/k8sdynamic"
@@ -181,6 +182,25 @@ func Run(cmd *cobra.Command, args []string) (returnErr error) {
 		if isDynamicGatherer {
 			dynDg.ExcludeAnnotKeys = config.ExcludeAnnotationKeysRegex
 			dynDg.ExcludeLabelKeys = config.ExcludeLabelKeysRegex
+
+			// Check if secret encryption is enabled via environment variable
+			// When enabled, secret data will be kept for encryption instead of being redacted
+			encryptSecrets := strings.ToLower(os.Getenv("ARK_SEND_SECRETS"))
+
+			if encryptSecrets == "true" {
+				// TODO(@SgtCoDFish): this will fetch a key from JWKS endpoint when that endpoint is available
+				key, keyID, err := rsa.LoadHardcodedPublicKey()
+				if err == nil {
+					encryptor, err := rsa.NewEncryptor(keyID, key)
+					if err == nil {
+						dynDg.Encryptor = encryptor
+					} else {
+						log.Error(err, "Failed to create encryptor for secret encryption, secrets will not be sent to backend")
+					}
+				} else {
+					log.Error(err, "Failed to load public key for secret encryption, secrets will not be sent to backend")
+				}
+			}
 		}
 
 		log.V(logs.Debug).Info("Starting DataGatherer", "name", dgConfig.Name)
diff --git a/pkg/client/client_cyberark.go b/pkg/client/client_cyberark.go
@@ -35,6 +35,8 @@ var _ Client = &CyberArkClient{}
 // NewCyberArk initializes a CyberArk client using configuration from environment variables.
 // It requires an HTTP client to be provided, which will be used for making requests.
 // The environment variables ARK_SUBDOMAIN, ARK_USERNAME, and ARK_SECRET must be set for authentication.
+// Sending secrets is controlled by the ARK_SEND_SECRETS environment variable (defaults to "false").
+// If sending secrets is enabled, the hardcoded public key will be loaded and an encryptor will be created.
 // If the configuration is invalid or missing, an error is returned.
 func NewCyberArk(httpClient *http.Client) (*CyberArkClient, error) {
 	configLoader := cyberark.LoadClientConfigFromEnvironment
diff --git a/pkg/datagatherer/k8sdynamic/dynamic.go b/pkg/datagatherer/k8sdynamic/dynamic.go
diff --git a/pkg/datagatherer/k8sdynamic/dynamic_test.go b/pkg/datagatherer/k8sdynamic/dynamic_test.go

-Original file line number
+Diff line change
 _bin
 .envrc
++
 +examples/encrypted-secrets/output.json