
[External Secret] - Can't read a secret from a folder #2469

Open
Tchoupinax opened this issue Sep 23, 2024 · 4 comments

Comments

@Tchoupinax
Contributor

Hello!

Describe the bug

I have an open issue when I want to take a secret from a folder with External Secret.

  • I can read a secret located at root
  • I can read all secrets (recursively) with a regex
  • I get an error when I want to target a deep secret (associated issue)

Expected behavior

I expect to be able to get a secret in a specific folder

I am asking for your help with this; I don't know exactly whether it comes from Infisical or External Secret.

Infisical version: v0.85.0-postgres

@akhilmhdh
Member

To access a secret inside a folder, you need to change the secretPath property in the Infisical auth store of the External Secrets Operator?

@Tchoupinax
Contributor Author

So I have to create a store for every folder? I can't allow a store to access all secrets recursively?
The feature is nice on the security side, but in this case having a store that accesses all of the project's secrets is OK.

@akhilmhdh
Member

@Tchoupinax This is how the External Secrets Operator is designed. The issue with applying recursive at the store level is that you can't control which folder is shown. It will always pull recursively.

@6ixfalls

@akhilmhdh, a way this could be implemented is using both the remoteRef key and property values. My existing implementation with Infisical is through a webhook SecretStore, which looks as such (prior to machine identities):

Kubernetes Resource

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: infisical
spec:
  provider:
    webhook:
      url: "${infisicalURL}api/v3/secrets/raw/{{ .remoteRef.property }}?environment={{ .conf.environment }}&workspaceId={{ .conf.workspaceId }}&secretPath=/{{ .remoteRef.key }}"
      method: GET
      timeout: 5s
      result:
        jsonPath: "$.secret.secretValue"
      headers:
        Authorization: "Bearer {{ .conf.infisicalToken }}"
      secrets:
        - name: conf
          secretRef:
            name: cluster-secrets
            namespace: flux-system
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: infisical-full
spec:
  provider:
    webhook:
      url: "${infisicalURL}api/v3/secrets/raw/{{ .remoteRef.property }}?environment={{ .conf.environment }}&workspaceId={{ .conf.workspaceId }}&secretPath=/{{ .remoteRef.key }}"
      method: GET
      timeout: 5s
      result: {}
      headers:
        Authorization: "Bearer {{ .conf.infisicalToken }}"
      secrets:
        - name: conf
          secretRef:
            name: cluster-secrets
            namespace: flux-system
```

The first allows for individual secrets to be accessed, while the second allows for arbitrary secret population. The key specifies the path to the secret(s) while the property is the value itself.

The current Infisical External Secrets Operator doesn't hit my use-case for Infisical, which is the easy sorting and organization of secrets within a project using folders. It would be ideal to not have to use these workarounds, but I prefer to use external-secrets over the native Infisical operator.
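An ExternalSecret that consumes the first ClusterSecretStore above (`infisical`), added here as an example and not taken from the commenter's setup: `remoteRef.key` is rendered into the `secretPath=/...` query parameter and `remoteRef.property` into the `raw/<name>` path segment of the webhook URL. The folder names `backend/database` and `backend/cache` and the secret names are constructed placeholders.

```yaml
# Added example: reads two Infisical secrets from different folders through
# the "infisical" webhook ClusterSecretStore defined in the comment above.
# Folder and secret names below are constructed; replace them with your own.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: backend-credentials
  namespace: backend
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: infisical
    kind: ClusterSecretStore
  target:
    name: backend-credentials   # Kubernetes Secret created by the operator
    creationPolicy: Owner
  data:
    # key  -> &secretPath=/backend/database  (folder inside the project)
    # property -> api/v3/secrets/raw/DB_PASSWORD (single secret name)
    - secretKey: DB_PASSWORD
      remoteRef:
        key: backend/database
        property: DB_PASSWORD
    # A second folder can be read by the same store; only the secrets
    # listed here are fetched, so the ExternalSecret (not the store)
    # is what limits which values land in the cluster.
    - secretKey: REDIS_PASSWORD
      remoteRef:
        key: backend/cache
        property: REDIS_PASSWORD
```

Because the webhook store accepts any folder via `remoteRef.key`, the Infisical token held in `cluster-secrets` still needs to be scoped to the project and environment you intend to expose; the ExternalSecret only narrows what is materialized, not what the token can read.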

3 participants