core/zero: add pseudonymization key (#5290)

2025-08-02 16:30:17 +02:00 · 2024-09-19 14:43:01 -06:00 · 2024-09-19 14:43:01 -06:00 · bfc782ff06
commit bfc782ff06
parent 9d6b656fbe
9 changed files with 44 additions and 20 deletions
--- a/internal/zero/bootstrap/source.go
+++ b/internal/zero/bootstrap/source.go
@ -99,4 +99,5 @@ func applyBootstrapConfig(dst *config.Config, src *cluster_api.BootstrapConfig)
 	}
 	dst.ZeroClusterID = src.ClusterId
 	dst.ZeroOrganizationID = src.OrganizationId
+	dst.ZeroPseudonymizationKey = src.PseudonymizationKey
 }
--- a/internal/zero/bootstrap/writers/k8s/secret_test.go
+++ b/internal/zero/bootstrap/writers/k8s/secret_test.go
@ -6,6 +6,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@ -63,6 +64,7 @@ func TestSecretWriter(t *testing.T) {
 		txt := "test"
 		src := cluster_api.BootstrapConfig{
 			DatabrokerStorageConnection: &txt,
+			PseudonymizationKey:         []byte{1, 2, 3},
 		}

 		writer = writer.WithOptions(writers.ConfigWriterOptions{
@ -95,7 +97,13 @@ func TestSecretWriter(t *testing.T) {
 				"namespace": "pomerium",
 			},
 			"data": map[string]any{
-				"bootstrap.dat": `{"clusterId":"","databrokerStorageConnection":"test","organizationId":"","sharedSecret":null}`,
+				"bootstrap.dat": mustJSON(map[string]any{
+					"clusterId":                   "",
+					"databrokerStorageConnection": "test",
+					"organizationId":              "",
+					"pseudonymizationKey":         "AQID",
+					"sharedSecret":                nil,
+				}),
 			},
 		}, unstructured)
 	})
@ -152,3 +160,11 @@ func TestSecretWriter(t *testing.T) {
 		}
 	})
 }
+
+func mustJSON(v any) string {
+	bs, err := json.Marshal(v)
+	if err != nil {
+		panic(err)
+	}
+	return string(bs)
+}