Retain certs when posting tls secrets (#189)

* Retain tls.crt & ca.crt when redacting secret data

Certificate data is needed to make some of our recommendations in the
cert-manager package.

Signed-off-by: Charlie Egan <[email protected]>

* Document secret redaction process

Signed-off-by: Charlie Egan <[email protected]>

Author: charlieegan3

docs/datagatherers/k8s-dynamic.md

@@ -63,3 +63,28 @@ resource referenced in the `kind` for that datagatherer.
 
 There is an example `ClusterRole` and `ClusterRoleBinding` which can be found in
 [`./deployment/kubernetes/base/00-rbac.yaml`](./deployment/kubernetes/base/00-rbac.yaml).
+
+# Secrets
+
+Secrets can be gathered using the following config:
+
+```yaml
+- kind: "k8s-dynamic"
+  name: "k8s/secrets"
+  config:
+    resource-type:
+      version: v1
+      resource: secrets
+```
+
+Before Secrets are sent to the Preflight backend, they are redacted in the
+following way:
+
+- `last-applied-configuration` annotation is removed
+- For Secrets of type `kubernetes.io/tls`
+  - All keys under data other than the following are removed:
+    - tls.crt
+    - ca.crt
+- All other secrets have all keys removed from their data.
+
+**All resource other than Kubernetes Secrets are sent in full.**

pkg/datagatherer/k8s/dynamic.go

@@ -158,7 +158,6 @@ func redactList(list *unstructured.UnstructuredList) error {
 	// In principal we could only redact the list if it's kind is SecretList or
 	// a generic mixed List, however the test suite does not set the list kind
 	// and it is safer to always check for Secrets.
-	// Iterate over the items in the list.
 	for i := range list.Items {
 		// Determine the kind of items in case this is a generic 'mixed' list.
 		gvks, _, err := scheme.Scheme.ObjectKinds(&list.Items[i])
@@ -168,17 +167,38 @@ func redactList(list *unstructured.UnstructuredList) error {
 		for _, gvk := range gvks {
 			// If this item is a Secret then we need to redact it.
 			if gvk.Kind == "Secret" && (gvk.Group == "core" || gvk.Group == "") {
-				// Redact secret data
-				list.Items[i].Object["data"] = map[string]interface{}{}
+				secret := list.Items[i]
+
+				// If the secret is a tls secret, we redact all data other then
+				// the tls.crt and ca.crt. This is because we need to inspect
+				// the certificate to make recommendations.
+				if secret.Object["type"] == "kubernetes.io/tls" {
+					secretData, ok := secret.Object["data"].(map[string]interface{})
+					if ok {
+						for k := range secretData {
+							// Only these two keys will be sent, all others are
+							// deleted
+							if k != "tls.crt" && k != "ca.crt" {
+								delete(secretData, k)
+							}
+						}
+					} else {
+						// If secret is not string mapping, redact all secret data
+						secret.Object["data"] = map[string]interface{}{}
+					}
+				} else {
+					// Redact all secret data for non-tls secrets
+					secret.Object["data"] = map[string]interface{}{}
+				}
 
 				// Redact last-applied-configuration annotation if set
-				annotations, present := list.Items[i].Object["annotations"].(map[string]interface{})
+				annotations, present := secret.Object["annotations"].(map[string]interface{})
 				if present {
 					_, annotationPresent := annotations["kubectl.kubernetes.io/last-applied-configuration"]
 					if annotationPresent {
 						annotations["kubectl.kubernetes.io/last-applied-configuration"] = "redacted"
 					}
-					list.Items[i].Object["annotations"] = annotations
+					secret.Object["annotations"] = annotations
 				}
 				break
 			}

pkg/datagatherer/k8s/dynamic_test.go

@@ -27,10 +27,15 @@ func getObject(version, kind, name, namespace string) *unstructured.Unstructured
 	}
 }
 
-func getSecret(name, namespace string, data map[string]interface{}, withLastApplied bool) *unstructured.Unstructured {
+func getSecret(name, namespace string, data map[string]interface{}, isTLS bool, withLastApplied bool) *unstructured.Unstructured {
 	object := getObject("v1", "Secret", name, namespace)
 	object.Object["data"] = data
 
+	object.Object["type"] = "Opaque"
+	if isTLS {
+		object.Object["type"] = "kubernetes.io/tls"
+	}
+
 	// if we're creating a 'raw' secret as scraped that was applied by kubectl
 	if withLastApplied {
 		jsonData, _ := json.Marshal(data)
@@ -137,14 +142,37 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 			objects: []runtime.Object{
 				getSecret("testsecret", "testns", map[string]interface{}{
 					"secretKey": "secretValue",
-				}, true),
+				}, false, true),
 				getSecret("anothertestsecret", "differentns", map[string]interface{}{
 					"secretNumber": "12345",
-				}, true),
+				}, false, true),
 			},
 			expected: asUnstructuredList(
-				getSecret("testsecret", "testns", map[string]interface{}{}, false),
-				getSecret("anothertestsecret", "differentns", map[string]interface{}{}, false),
+				getSecret("testsecret", "testns", map[string]interface{}{}, false, false),
+				getSecret("anothertestsecret", "differentns", map[string]interface{}{}, false, false),
+			),
+		},
+		"Secret of type kubernetes.io/tls should have crts and not keys": {
+			gvr: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"},
+			objects: []runtime.Object{
+				getSecret("testsecret", "testns", map[string]interface{}{
+					"tls.key": "secretValue",
+					"tls.crt": "value",
+					"ca.crt":  "value",
+				}, true, true),
+				getSecret("anothertestsecret", "differentns", map[string]interface{}{
+					"example.key": "secretValue",
+					"example.crt": "value",
+				}, true, true),
+			},
+			expected: asUnstructuredList(
+				// only tls.crt and ca.cert remain
+				getSecret("testsecret", "testns", map[string]interface{}{
+					"tls.crt": "value",
+					"ca.crt":  "value",
+				}, true, false),
+				// all other keys removed
+				getSecret("anothertestsecret", "differentns", map[string]interface{}{}, true, false),
 			),
 		},
 		"Foos in different namespaces should be returned if they are in the namespace list for the gatherer": {