
Cyberark refactor #96

Merged
merged 14 commits into from
Jan 29, 2025

Conversation

joseph-klein-cmm
Contributor

@joseph-klein-cmm joseph-klein-cmm commented Jan 15, 2025

Summary

Adds the ability for secrets to be pulled from CyberArk, as well as AKV.

This includes a good bit of refactoring to avoid having to a) litter the code with type checks, and b) try to hijack the keyvault-based Secret object for storing CyberArk secrets. At a high level, the refactoring:

  1. Abstracts the client code to allow an additional implementation for CyberArk
  2. Moves the resource retrieval functions (GetSecret, GetKey, etc) to methods of the concrete Client objects.
  3. Rewrites the Secret resource type so that it can be used for both CyberArk and AKV secrets

Testing:

  • Default credentials:
    • Cyberark and Keyvault defaults both defined in env vars
    • Keyvault default only defined in env vars
    • Cyberark default only defined in env vars
    • Neither defined in env vars
  • Syncing secrets
    • Cyberark secret pull/sync
    • Cyberark all secrets pull/sync
    • Keyvault secret pull/sync

Sanitized version of the file used for testing the above cases:

credentials:
  -
    name: cyberark_test_one
    login: D-AppA-POC-Workload
    apiKey: ****
    account: conjur
    applianceURL: https://****.cyberark.cloud/api
  -
    name: cyberark_test_all
    login: D-AppA-POC-Workload
    apiKey: ****
    account: conjur
    applianceURL: https://****.cyberark.cloud/api

workers:
  -
    resources:
      - kind: secret
        name: test
        vaultBaseURL: https://****.vault.azure.net/
        credential: default
    sinks:
      - path: ./password-akv
        template: "{{ .Secrets.test.Value }}"
  -
    resources:
      - kind: cyberark-secret
        name: 'Operating System-SelfManaged-dummy-foo/password'
        safeName: D-AppA
        credential: cyberark_test_one
        version: 1
        alias: password
    sinks:
      - path: ./password-cyberark-one.json
        template: '{{ .Secrets.password.Value }}'
  -
    resources:
      - kind: cyberark-secret
        name: 'Operating System-SelfManaged-dummy-foo/password'
        safeName: D-AppA
        credential: default_cyberark
        alias: password
    sinks:
      - path: ./password-cyberark-default.json
        template: '{{ .Secrets.password.Value }}'
  -
    resources:
      - kind: all-cyberark-secrets
        safeName: D-AppA
        credential: cyberark_test_all
    sinks:
      - path: ./password-cyberark-all.json
        template: '{{ index .Secrets "Operating System-SelfManaged-dummy-foo/password" | toString }}'

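The client abstraction, default-credential fallback and sink templating described in the PR summary, as an added Go example that is not part of the PR or the project's code. The in-memory `keyvaultClient`/`cyberarkClient`, `demoClients`, `resolveClient`, `renderSink`, `writeSink` and the `toString` helper are assumptions standing in for the real SDK clients, and every secret value is constructed. It shows the two behaviours a practitioner wants from this design: a resource that asks for `default`/`default_cyberark` fails closed when the environment defines no default for that backend, and a sink template that references a missing alias errors out rather than writing an empty file.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"text/template"
)

// Secret is the single vault-agnostic resource type: one shape whether the
// value came from Azure Key Vault or CyberArk.
type Secret struct {
	Name, Value, Version, Source string
}

// SecretRef is what one "resources" entry resolves to before a fetch.
// Safe is only meaningful for CyberArk.
type SecretRef struct {
	Name, Safe, Version string
}

// Client is the abstraction both backends implement, so callers dispatch on
// the interface instead of type-checking a keyvault-shaped object.
type Client interface {
	GetSecret(ctx context.Context, ref SecretRef) (Secret, error)
}

// Constructed in-memory stand-ins for the real SDK clients (hypothetical).
type keyvaultClient struct{ store map[string]string }
type cyberarkClient struct{ store map[string]string }

func (c *keyvaultClient) GetSecret(_ context.Context, ref SecretRef) (Secret, error) {
	v, ok := c.store[ref.Name]
	if !ok {
		return Secret{}, fmt.Errorf("keyvault: secret %q not found", ref.Name)
	}
	return Secret{Name: ref.Name, Value: v, Version: ref.Version, Source: "keyvault"}, nil
}

func (c *cyberarkClient) GetSecret(_ context.Context, ref SecretRef) (Secret, error) {
	// CyberArk addresses an object by safe plus object path.
	v, ok := c.store[ref.Safe+"/"+ref.Name]
	if !ok {
		return Secret{}, fmt.Errorf("cyberark: %q not found in safe %q", ref.Name, ref.Safe)
	}
	return Secret{Name: ref.Name, Value: v, Version: ref.Version, Source: "cyberark"}, nil
}

// backendFor maps the config's resource kinds onto a backend name.
func backendFor(kind string) (string, error) {
	switch kind {
	case "secret":
		return "keyvault", nil
	case "cyberark-secret", "all-cyberark-secrets":
		return "cyberark", nil
	}
	return "", fmt.Errorf("unknown resource kind %q", kind)
}

var ErrNoDefault = errors.New("no default credential defined for backend")

// resolveClient picks the client for a resource. "default" and "default_cyberark"
// fall back to the env-derived default for that backend; when the environment
// defines none, the fetch fails closed instead of silently using another vault
// (the four env-var cases in the PR's test list).
func resolveClient(kind, credential string, named, defaults map[string]Client) (Client, error) {
	backend, err := backendFor(kind)
	if err != nil {
		return nil, err
	}
	if credential == "default" || credential == "default_cyberark" {
		if c, ok := defaults[backend]; ok {
			return c, nil
		}
		return nil, fmt.Errorf("%w %s (credential %q)", ErrNoDefault, backend, credential)
	}
	c, ok := named[credential]
	if !ok {
		return nil, fmt.Errorf("credential %q not in credentials list", credential)
	}
	return c, nil
}

// renderSink executes a sink template over the worker's secrets keyed by alias
// (or raw object name for all-cyberark-secrets). A key containing spaces or
// slashes cannot be reached with dot syntax, hence {{ index .Secrets "..." }}.
// missingkey=error turns a typo'd alias into an error instead of an empty sink.
// toString is an assumed sprig-style helper; a minimal version is supplied.
func renderSink(tmpl string, secrets map[string]Secret) (string, error) {
	funcs := template.FuncMap{"toString": func(v any) string { return fmt.Sprint(v) }}
	t, err := template.New("sink").Option("missingkey=error").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Secrets": secrets}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// writeSink writes rendered secret material owner-read/write only.
func writeSink(path, content string) error {
	return os.WriteFile(path, []byte(content), 0o600)
}

// demoClients mirrors the sanitized config: named CyberArk credentials, a
// Key Vault default from the environment, and no CyberArk default.
func demoClients() (named, defaults map[string]Client) {
	ark := &cyberarkClient{store: map[string]string{
		"D-AppA/Operating System-SelfManaged-dummy-foo/password": "ark-pw", // constructed
	}}
	akv := &keyvaultClient{store: map[string]string{"test": "akv-pw"}} // constructed
	named = map[string]Client{"cyberark_test_one": ark, "cyberark_test_all": ark}
	defaults = map[string]Client{"keyvault": akv}
	return named, defaults
}

func main() {
	named, defaults := demoClients()
	c, err := resolveClient("cyberark-secret", "cyberark_test_one", named, defaults)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	ref := SecretRef{Name: "Operating System-SelfManaged-dummy-foo/password", Safe: "D-AppA", Version: "1"}
	s, err := c.GetSecret(context.Background(), ref)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	out, _ := renderSink(`{{ .Secrets.password.Value }}`, map[string]Secret{"password": s})
	path := filepath.Join(os.TempDir(), "password-cyberark-one.json")
	if err := writeSink(path, out); err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println("wrote", path, "from", s.Source)
	_, err = resolveClient("cyberark-secret", "default_cyberark", named, defaults)
	fmt.Println("default_cyberark with no env default:", err)
}
```

The `defaults` map is what the env-var cases in the test list populate: both defined, only one, or neither. Building it once at startup and keying it by backend keeps the resource loop free of type checks, which is the point of the refactor.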
Contributor

@chrisjohnson chrisjohnson left a comment


Fantastic work :)

@joseph-klein-cmm joseph-klein-cmm merged commit 03b6292 into master Jan 29, 2025
@joseph-klein-cmm joseph-klein-cmm deleted the cyberark-refactor branch January 29, 2025 18:28

3 participants