Skip to content

feat: add kubernetes secret sync api#11

Merged
BK1031 merged 5 commits into
mainfrom
bk1031/k8s-secret-operator
Jun 29, 2026
Merged

feat: add kubernetes secret sync api#11
BK1031 merged 5 commits into
mainfrom
bk1031/k8s-secret-operator

Conversation

@BK1031

@BK1031 BK1031 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
  • Add Kubernetes OIDC verification for service account tokens.
  • Add Kubernetes secret export endpoint and allow-rule CRUD APIs.
  • Add Kubernetes secret rule model and database migration.
  • Validate with go test ./....

@BK1031 BK1031 marked this pull request as ready for review June 29, 2026 04:45

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 97c64757a5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

if err := decodeSegment(parts[0], &header); err != nil {
return Claims{}, invalidToken("decode header: %v", err)
}
if header.Algorithm != "RS256" {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Accept ECDSA service account tokens

Clusters using an ECDSA service-account signing key are valid Kubernetes configurations (docs), but this verifier rejects every JWT whose header is not exactly RS256 before reading the JWKS. In those clusters, every valid pod token sent to /integrations/kubernetes/secrets will be returned as unauthorized; support the ES* algorithms/EC JWKs or fail configuration with an RSA-only requirement.

Useful? React with 👍 / 👎.


var kubernetesClusterPattern = regexp.MustCompile(`^[a-z0-9*][a-z0-9_.*-]*$`)
var kubernetesNamespacePattern = regexp.MustCompile(`^[a-z0-9*][a-z0-9*-]*$`)
var kubernetesServiceAccountPattern = regexp.MustCompile(`^[a-z0-9*][a-z0-9*-]*$`)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Permit dots in service account patterns

ServiceAccount names are Kubernetes DNS subdomain names, so names containing . are valid (docs), but this validator rejects dots in service_account_patterns. A workload running as a valid account such as build.robot cannot be granted access with an exact rule and would require a broader wildcard, which can either block that workload or weaken the rule scope.

Useful? React with 👍 / 👎.

@BK1031 BK1031 merged commit 82af245 into main Jun 29, 2026
7 checks passed
@BK1031 BK1031 deleted the bk1031/k8s-secret-operator branch June 29, 2026 05:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant