
Conversation

wallrj-cyberark
Member

@wallrj-cyberark wallrj-cyberark commented Sep 12, 2025

This PR introduces minimizeSnapshot to filter out TLS secrets without client certificates before uploading snapshots to CyberArk.
The goal is to improve privacy, reduce bandwidth/storage, and ensure only relevant secrets are sent.

  • Add minimizeSnapshot to remove TLS secrets without client certificates
  • Improve privacy and reduce bandwidth/storage for CyberArk uploads
  • Implement isTLSSecretWithoutClientCert to detect client certificates
  • Add PEM parsing and client certificate detection helpers

Part of: https://venafi.atlassian.net/browse/VC-43403

Followups

Testing

go test -v -run='TestMinimizeSnapshot$' 
=== RUN   TestMinimizeSnapshot
=== RUN   TestMinimizeSnapshot/empty_snapshot
    client_cyberark.go:234: I0913 15:17:26.013724] Minimized snapshot originalSecretCount=0 filteredSecretCount=0
=== RUN   TestMinimizeSnapshot/snapshot_with_various_secrets_and_service_accounts
    client_cyberark.go:271: I0913 15:17:26.014969] Secret of this type are never excluded namespace="default" name="opaque-secret" type="Opaque"
    client_cyberark.go:234: I0913 15:17:26.015179] Minimized snapshot originalSecretCount=3 filteredSecretCount=2
--- PASS: TestMinimizeSnapshot (0.00s)
    --- PASS: TestMinimizeSnapshot/empty_snapshot (0.00s)
    --- PASS: TestMinimizeSnapshot/snapshot_with_various_secrets_and_service_accounts (0.00s)
PASS
ok  	github.com/jetstack/preflight/pkg/client	0.202s

go test -v -run='TestIsExcludableSecret$' 
...
=== NAME  TestIsExcludableSecret/Non-unstructured
    client_cyberark.go:250: I0913 15:18:26.128861] Object is not a Unstructured type="*v1.Pod"
=== NAME  TestIsExcludableSecret/TLS_secret_with_invalid_base64_in_tls.crt
    client_cyberark.go:294: I0913 15:18:26.130514] Failed to decode tls.crt base64 namespace="default" name="tls-secret-with-invalid-cert" error="illegal base64 data at input byte 7"
=== NAME  TestIsExcludableSecret/TLS_secret_without_tls.crt
    client_cyberark.go:284: I0913 15:18:26.127552] TLS Secret does not contain tls.crt key namespace="default" name="tls-secret-with-no-cert"
=== NAME  TestIsExcludableSecret/Non-TLS_secret
    client_cyberark.go:271: I0913 15:18:26.130669] Secret of this type are never excluded namespace="default" name="non-tls-secret" type="Opaque"
--- PASS: TestIsExcludableSecret (0.01s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_client_cert_in_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/Non-unstructured (0.00s)
    --- PASS: TestIsExcludableSecret/Non-secret (0.00s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_invalid_base64_in_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/TLS_secret_without_tls.crt (0.01s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_empty_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/Non-TLS_secret (0.01s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_non-client_cert_in_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_invalid_PEM_in_tls.crt (0.00s)
PASS
ok  	github.com/jetstack/preflight/pkg/client	0.210s
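As an added illustration of the exclusion rule the PR describes (this is not the PR's own code from pkg/client/client_cyberark.go, which is not shown on this page), the predicate below keeps a kubernetes.io/tls Secret only when the leaf certificate in tls.crt asserts the clientAuth Extended Key Usage; the function name isExcludableTLSSecret mirrors the PR's helper, but its signature and the selfSignedCertB64 test-data helper are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"time"
)

// isExcludableTLSSecret reports whether a Secret can be dropped from the snapshot:
// only kubernetes.io/tls Secrets are candidates, and one is kept only when the leaf
// certificate in tls.crt (tlsCrtB64, base64 as in an unstructured Secret) has clientAuth.
func isExcludableTLSSecret(secretType, tlsCrtB64 string) bool {
	if secretType != "kubernetes.io/tls" {
		return false // Secrets of other types are never filtered
	}
	raw, err := base64.StdEncoding.DecodeString(tlsCrtB64)
	if err != nil || len(raw) == 0 {
		return true // missing, empty or invalid base64: no client cert proven
	}
	block, _ := pem.Decode(raw) // first PEM block is the leaf; a chain may follow
	if block == nil || block.Type != "CERTIFICATE" {
		return true
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return true
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return false
		}
	}
	return true
}

// selfSignedCertB64 returns a constructed self-signed certificate with the given
// Extended Key Usages, PEM-encoded then base64-encoded as a Secret's data field is.
func selfSignedCertB64(ekus ...x509.ExtKeyUsage) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), ExtKeyUsage: ekus,
		Subject: pkix.Name{CommonName: "constructed"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes)
}
```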

Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR introduces snapshot minimization functionality to filter out TLS secrets without client certificates before uploading to CyberArk. The goal is to improve privacy, reduce bandwidth/storage usage, and ensure only relevant secrets are transmitted.

  • Adds minimizeSnapshot function to filter TLS secrets without client certificates
  • Implements client certificate detection through PEM parsing and X.509 Extended Key Usage validation
  • Integrates minimization into the CyberArk upload pipeline

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File: pkg/client/client_cyberark.go
  Description: Adds core minimization logic including snapshot filtering, TLS secret analysis, and client certificate detection

File: pkg/client/client_cyberark_convertdatareadings_test.go
  Description: Adds comprehensive test coverage for minimization functionality with certificate generation helpers


This introduces minimizeSnapshot to filter out TLS secrets without client
certificates before uploading snapshots to CyberArk.
The goal is to improve privacy, reduce bandwidth/storage, and ensure only
relevant secrets are sent.

- Add minimizeSnapshot to filter out TLS secrets lacking client certificates
- Improve privacy and reduce snapshot size for CyberArk uploads
- Implement isExcludableSecret and isExcludableTLSSecret helpers
- Add unit tests for minimization and exclusion logic

Signed-off-by: Richard Wall <[email protected]>
@wallrj-cyberark wallrj-cyberark merged commit 2d571e0 into master Sep 17, 2025
2 checks passed
@wallrj-cyberark wallrj-cyberark deleted the client-secrets-only-2 branch September 17, 2025 08:50