secrethandling

package
v0.0.31 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 19, 2025 License: Apache-2.0 Imports: 14 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	WlidPrefix           = "wlid://"
	ClusterWlidPrefix    = "cluster-"
	NamespaceWlidPrefix  = "namespace-"
	DataCenterWlidPrefix = "datacenter-"
	ProjectWlidPrefix    = "project-"
	SecretSIDPrefix      = "secret-"
	SubSecretSIDPrefix   = "subsecret-"
	K8SKindsList         = []string{"ComponentStatus", "ConfigMap", "ControllerRevision", "CronJob",
		"CustomResourceDefinition", "DaemonSet", "Deployment", "Endpoints", "Event", "HorizontalPodAutoscaler",
		"Ingress", "Job", "Lease", "LimitRange", "LocalSubjectAccessReview", "MutatingWebhookConfiguration",
		"Namespace", "NetworkPolicy", "Node", "PersistentVolume", "PersistentVolumeClaim", "Pod",
		"PodDisruptionBudget", "PodSecurityPolicy", "PodTemplate", "PriorityClass", "ReplicaSet",
		"ReplicationController", "ResourceQuota", "Role", "RoleBinding", "Secret", "SelfSubjectAccessReview",
		"SelfSubjectRulesReview", "Service", "ServiceAccount", "StatefulSet", "StorageClass",
		"SubjectAccessReview", "TokenReview", "ValidatingWebhookConfiguration", "VolumeAttachment"}
	NativeKindsList = []string{"Dockerized", "Native"}
	KindReverseMap  = map[string]string{}
)

API fields

View Source 
var (
	ArmoShadowSecretInitalLabel = "cyberarmor.initial"
	ArmoShadowSecretFlagLabel   = "cyberarmor.secret"
	ArmoShadowSecretPrefix      = "ca-"
	ArmoShadowSubsecretSuffix   = ".castatus"
)

Global variables to use in another packages

View Source 
var SecretTLVTag = []byte{231, 197, 24, 237}

SecretTLVTag the tlv tag

Functions

func EditEncryptionSecretPolicy 

func EditEncryptionSecretPolicy(secretAccessPolicy *SecretAccessPolicy)

EditEncryptionSecretPolicy remove subsecret name from sid

func GetFieldsToDecrypt 

func GetFieldsToDecrypt(secretDate map[string][]byte, subsecretName string) ([]string, error)

GetFieldsToDecrypt get encrypted secret fields

func GetFieldsToEncrypt 

func GetFieldsToEncrypt(secretDate map[string][]byte, secretPolicy *SecretAccessPolicy, subsecretName string) (map[string]string, error)

GetFieldsToEncrypt get fields from secret data to encrypt

func GetFieldsToEncryptFromSecretPolicy 

func GetFieldsToEncryptFromSecretPolicy(secretDate map[string][]byte, secretPolicy *SecretAccessPolicy) (map[string]string, error)

GetFieldsToEncryptFromSecretPolicy -

func GetNativeSID 

func GetNativeSID(datacenter, project, name, subsecret string) string

GetNativeSID get native secret is

func GetSID 

func GetSID(cluster, namespace, name, subsecret string) string

GetSID get secret is

func GetSIDCluster 

func GetSIDCluster(sid string) string

GetSIDCluster get cluster name from secret-id

func GetSIDLevel0 

func GetSIDLevel0(sid string) string

GetSIDLevel0 get level0 name from secret-id

func GetSIDLevel1 

func GetSIDLevel1(sid string) string

GetSIDLevel1 get level1 name from secret-id

func GetSIDName 

func GetSIDName(sid string) string

GetSIDName get secret name from secret-id

func GetSIDNamespace 

func GetSIDNamespace(sid string) string

GetSIDNamespace get namespace name from secret-id

func GetSIDSubsecret 

func GetSIDSubsecret(sid string) string

GetSIDSubsecret get subsecret name from secret-id, if not found, return empty string

func GetSecret 

func GetSecret(clientset *kubernetes.Clientset, namespace, name string) (*registry.AuthConfig, error)

func GetSecretContent 

func GetSecretContent(secret *corev1.Secret) (interface{}, error)

GetSecretContent -

func GetSecretIDsFromPolicy 

func GetSecretIDsFromPolicy(secretAccessPolicy *SecretAccessPolicy) []string

GetSecretIDsFromPolicy list secret-ids from a secret policy

func GetSecretIDsFromPolicyList 

func GetSecretIDsFromPolicyList(listSecretAccessPolicy []SecretAccessPolicy) map[string]SecretAccessPolicy

GetSecretIDsFromPolicyList list secret-ids from a list of policies

func GetSecretTLVLength 

func GetSecretTLVLength(secret []byte) uint32

GetSecretTLVLength return TLV length

func GetSubSecretFromAnnotation 

func GetSubSecretFromAnnotation(annotationTag string) string

GetSubSecretFromAnnotation extract from annotation tag the desired sub-secret name

func GetSubSecretKeyIDFromAnnotation 

func GetSubSecretKeyIDFromAnnotation(annotationVal string) string

GetSubSecretKeyIDFromAnnotation extract from annotation value the desired key id

func HasSecretTLV 

func HasSecretTLV(secret []byte) bool

HasSecretTLV is the byte slice an encrypted secret

func IsKindK8S 

func IsKindK8S(k string) bool

IsKindK8S returns true if kind is a k8s

func IsSIDK8s 

func IsSIDK8s(sid string) bool

IsSIDK8s get secret kind

func IsSecretTypeSupported 

func IsSecretTypeSupported(secretType corev1.SecretType) bool

IsSecretTypeSupported does Armo support protection on this type of secret

func ParseSecret 

func ParseSecret(res *corev1.Secret, name string) (*registry.AuthConfig, error)

func ReadSecret 

func ReadSecret(secret interface{}, secretName string) (registry.AuthConfig, error)

ReadSecret -

func RemoveSIDSubsecret 

func RemoveSIDSubsecret(sid string) string

RemoveSIDSubsecret get subsecret name from secret-id, if not found, return empty string

func SplitSecretID 

func SplitSecretID(sid string) ([]string, error)

SplitSecretID splits the secret id string into cluster, namespace, secret-name [,sub-secret-name]

func SubsecretToEncrypt 

func SubsecretToEncrypt(subsecrets map[string][]byte, subsecretName string) ([]byte, error)

SubsecretToEncrypt check if the given subsecret should be encrypted

func ValidateSecretAccessPolicy 

func ValidateSecretAccessPolicy(policy *SecretAccessPolicy) error

ValidateSecretAccessPolicy validate secret policy object

func ValidateSecretID 

func ValidateSecretID(sid string) error

ValidateSecretID test secret validation

Types

type CAK8SMeta 

type CAK8SMeta struct {
	CustomerGUID   string    `json:"customerGUID"`
	CAClusterName  string    `json:"caClusterName,omitempty"`
	LastUpdateTime time.Time `json:"caLastUpdate"`
	IsActive       bool      `json:"isActive"`
}

CAK8SMeta holds common metadata about k8s objects

type DockerConfigJsonstructure 

type DockerConfigJsonstructure map[string]map[string]registry.AuthConfig

DockerConfigJsonstructure -

type K8SSecret 

type K8SSecret struct {
	CAK8SMeta     `json:",inline"`
	corev1.Secret `json:",inline"`
	Protected     int `json:"protected"`
}

K8SSecret represents single k8s secret in cluster

func (*K8SSecret) GetID 

func (sec *K8SSecret) GetID() string

GetID returnd the sid of the secret

type PortalBase 

type PortalBase struct {
	GUID       string                 `json:"guid"`
	Name       string                 `json:"name"`
	Attributes map[string]interface{} `json:"attributes,omitempty"` // could be string
}

DEPRECATED - "github.com/armosec/capacketsgo/armotypes" PortalBase holds basic items data from portal BE

type PortalDesignator 

type PortalDesignator struct {
	DesignatorType string            `json:"designatorType"`
	WLID           string            `json:"wlid"`
	WildWLID       string            `json:"wildwlid"`
	Attributes     map[string]string `json:"attributes"`
}

DEPRECATED - "github.com/armosec/capacketsgo/armotypes" PortalDesignator represented single designation options

type PortalSecretDefinition 

type PortalSecretDefinition struct {
	SecretID string                      `json:"sid"`
	KeyIDs   []PortalSubSecretDefinition `json:"keyIDs"`
}

PortalSecretDefinition defines a relation between keys and sub secrets of specific secret

type PortalSubSecretDefinition 

type PortalSubSecretDefinition struct {
	SubSecretName string `json:"subSecretName"`
	KeyID         string `json:"keyID"`
}

PortalSubSecretDefinition defines a relation between keyID and sub secret

type SecretAccessPolicy 

type SecretAccessPolicy struct {
	PortalBase   `json:",inline"`
	PolicyType   string                   `json:"policyType"`
	CreationDate string                   `json:"creation_time"`
	Designators  []PortalDesignator       `json:"designators"`
	Secrets      []PortalSecretDefinition `json:"secrets"`
}

SecretAccessPolicy represent list od workloads allows to access some secrets Notice that in K8S, workload can use secret only in case they are in the same namespace

func GenerateDefaultNamespacePolicy 

func GenerateDefaultNamespacePolicy(sid string) *SecretAccessPolicy

GenerateDefaultNamespacePolicy generate default secret access policy based on namespace

func (*SecretAccessPolicy) LoadSubSecretsIntoPolicy 

func (sap *SecretAccessPolicy) LoadSubSecretsIntoPolicy(shadowSecret *K8SSecret, initialSID string) bool

LoadSubSecretsIntoPolicy fills the subsecrets names + keyIDs in this policy returns if this policy had changed during the process

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.