[VC-43403] Minimize snapshot by filtering non-clientauth TLS secrets by wallrj-cyberark · Pull Request #714 · jetstack/jetstack-secure

wallrj-cyberark · 2025-09-12T13:19:41Z

This PR introduces minimizeSnapshot to filter out TLS secrets without client certificates before uploading snapshots to CyberArk.
The goal is to improve privacy, reduce bandwidth/storage, and ensure only relevant secrets are sent.

Add minimizeSnapshot to remove TLS secrets without client certificates
Improve privacy and reduce bandwidth/storage for CyberArk uploads
Implement isTLSSecretWithoutClientCert to detect client certificates
Add PEM parsing and client certificate detection helpers

Part of: https://venafi.atlassian.net/browse/VC-43403

Followups

refactor(cyberark): update Snapshot resource types to client.Object #715

Testing

go test -v -run='TestMinimizeSnapshot$' 
=== RUN   TestMinimizeSnapshot
=== RUN   TestMinimizeSnapshot/empty_snapshot
    client_cyberark.go:234: I0913 15:17:26.013724] Minimized snapshot originalSecretCount=0 filteredSecretCount=0
=== RUN   TestMinimizeSnapshot/snapshot_with_various_secrets_and_service_accounts
    client_cyberark.go:271: I0913 15:17:26.014969] Secret of this type are never excluded namespace="default" name="opaque-secret" type="Opaque"
    client_cyberark.go:234: I0913 15:17:26.015179] Minimized snapshot originalSecretCount=3 filteredSecretCount=2
--- PASS: TestMinimizeSnapshot (0.00s)
    --- PASS: TestMinimizeSnapshot/empty_snapshot (0.00s)
    --- PASS: TestMinimizeSnapshot/snapshot_with_various_secrets_and_service_accounts (0.00s)
PASS
ok  	github.com/jetstack/preflight/pkg/client	0.202s

go test -v -run='TestIsExcludableSecret$' 
...
=== NAME  TestIsExcludableSecret/Non-unstructured
    client_cyberark.go:250: I0913 15:18:26.128861] Object is not a Unstructured type="*v1.Pod"
=== NAME  TestIsExcludableSecret/TLS_secret_with_invalid_base64_in_tls.crt
    client_cyberark.go:294: I0913 15:18:26.130514] Failed to decode tls.crt base64 namespace="default" name="tls-secret-with-invalid-cert" error="illegal base64 data at input byte 7"
=== NAME  TestIsExcludableSecret/TLS_secret_without_tls.crt
    client_cyberark.go:284: I0913 15:18:26.127552] TLS Secret does not contain tls.crt key namespace="default" name="tls-secret-with-no-cert"
=== NAME  TestIsExcludableSecret/Non-TLS_secret
    client_cyberark.go:271: I0913 15:18:26.130669] Secret of this type are never excluded namespace="default" name="non-tls-secret" type="Opaque"
--- PASS: TestIsExcludableSecret (0.01s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_client_cert_in_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/Non-unstructured (0.00s)
    --- PASS: TestIsExcludableSecret/Non-secret (0.00s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_invalid_base64_in_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/TLS_secret_without_tls.crt (0.01s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_empty_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/Non-TLS_secret (0.01s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_non-client_cert_in_tls.crt (0.00s)
    --- PASS: TestIsExcludableSecret/TLS_secret_with_invalid_PEM_in_tls.crt (0.00s)
PASS
ok  	github.com/jetstack/preflight/pkg/client	0.210s

Copilot

Pull Request Overview

This PR introduces snapshot minimization functionality to filter out TLS secrets without client certificates before uploading to CyberArk. The goal is to improve privacy, reduce bandwidth/storage usage, and ensure only relevant secrets are transmitted.

Adds minimizeSnapshot function to filter TLS secrets without client certificates
Implements client certificate detection through PEM parsing and X.509 Extended Key Usage validation
Integrates minimization into the CyberArk upload pipeline

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
pkg/client/client_cyberark.go	Adds core minimization logic including snapshot filtering, TLS secret analysis, and client certificate detection
pkg/client/client_cyberark_convertdatareadings_test.go	Adds comprehensive test coverage for minimization functionality with certificate generation helpers

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

pkg/client/client_cyberark_convertdatareadings_test.go

pkg/client/client_cyberark.go

This introduces minimizeSnapshot to filter out TLS secrets without client certificates before uploading snapshots to CyberArk. The goal is to improve privacy, reduce bandwidth/storage, and ensure only relevant secrets are sent. - Add minimizeSnapshot to filter out TLS secrets lacking client certificates - Improve privacy and reduce snapshot size for CyberArk uploads - Implement isExcludableSecret and isExcludableTLSSecret helpers - Add unit tests for minimization and exclusion logic Signed-off-by: Richard Wall <richard.wall@cyberark.com>

wallrj-cyberark force-pushed the client-secrets-only-2 branch from d674c3b to 56dbef5 Compare September 13, 2025 13:55

wallrj-cyberark mentioned this pull request Sep 13, 2025

[VC-43403] Add filter for excluding TLS secrets without client certificates #713

Closed

wallrj-cyberark marked this pull request as ready for review September 13, 2025 14:27

wallrj-cyberark requested a review from maelvls September 13, 2025 14:28

wallrj-cyberark mentioned this pull request Sep 13, 2025

refactor(cyberark): update Snapshot resource types to client.Object #715

Draft

wallrj requested a review from Copilot September 16, 2025 12:59

Copilot AI reviewed Sep 16, 2025

View reviewed changes

pkg/client/client_cyberark_convertdatareadings_test.go Outdated Show resolved Hide resolved

pkg/client/client_cyberark.go Outdated Show resolved Hide resolved

pkg/client/client_cyberark.go Outdated Show resolved Hide resolved

wallrj-cyberark force-pushed the client-secrets-only-2 branch from 56dbef5 to ef50cec Compare September 17, 2025 08:40

mladen-rusev-cyberark approved these changes Sep 17, 2025

View reviewed changes

wallrj-cyberark merged commit 2d571e0 into master Sep 17, 2025
2 checks passed

wallrj-cyberark deleted the client-secrets-only-2 branch September 17, 2025 08:50

maelvls removed their request for review October 17, 2025 12:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[VC-43403] Minimize snapshot by filtering non-clientauth TLS secrets#714

[VC-43403] Minimize snapshot by filtering non-clientauth TLS secrets#714
wallrj-cyberark merged 1 commit intomasterfrom
client-secrets-only-2

wallrj-cyberark commented Sep 12, 2025 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

wallrj-cyberark commented Sep 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Followups

Testing

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

wallrj-cyberark commented Sep 12, 2025 •

edited

Loading