IBM Provider: ESO: Ability to pull the Secrets Manager secret by name rather than ID

[Shanti-G]

Describe the solution you'd like
Currently, the ExternalSecret CRD for IBM Secrets Manager requires that the user provide the secret ID along with secret type:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test-cluster-secret
spec:
  secretStoreRef:
    name: sm-secret-store
    kind: SecretStore
  target:
    name: test-app-secret
  data:
  - secretKey: .secret
    remoteRef:
      key: iam_credentials/6328b1d3-64f4-a976-0c01-d7ee7929097b

So to be transparent, it is needed that the secret name can be provided along with secret type.

What is the added value?
Secret in Secrets Manager can be referenced using Name instead of ID.

Give us examples of the outcome
The ExternalSecret CRD can have the secret_name provided for key along with secret_type in the cases where the
secret needs to be pulled by name:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test-cluster-secret
spec:
  secretStoreRef:
    name: sm-secret-store
    kind: SecretStore
  target:
    name: test-app-secret
  data:
  - secretKey: .secret
    remoteRef:
      key: iam_credentials/my-secret-name

In order to achieve this, ESO would evaluate the secretID provided for UUID format to determine if it is a secret ID or secret name. The assumption in this duality approach (rather then introducing new externals) is that going forward, referencing by name would be the preferred choice of users, so making the UX of this method consistent with other providers - while still providing backward compatibility for IDs (but de-focussing this use case).

Observations (Constraints, Context, etc):
The existing way of processing given secretID in UUID format is unaffected.
It involves additional ListAllSecrets to get all the secrets in order to match for secret type and secret name combination.
The results of this list call can then be cached for faster processing and reconciliation.

[IdanAdar]

IBM team is working on a PR for this Issue.

[Shanti-G]

Hi @IdanAdar @moolen ,
The proposal to have the secrets referenced by name instead of ID for IBM provider secrets requires caching, where the secret name and secret ID details can be cached.

Setting up a cache involves initializing the cache with a specific cache size and cache expiry time, the values for which differ use case wise. It is also based on the number of externalSecrets being managed by the user. So, it makes more sense to allow the users to set these parameters based on their use case.

In order to do so, planning to update IBMProvider struct to include additional fields, namely SecretCacheSize and SecretCacheExpiry:

type IBMProvider struct {
	// Auth configures how secret-manager authenticates with the IBM secrets manager.
	Auth IBMAuth `json:"auth"`

	// ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
	ServiceURL *string `json:"serviceUrl,omitempty"`

	// SecretCacheSize represents the number of secretName entries that can be stored.
	// The default value is 1000.
	// This is used while referencing the secret when fetched by name
	SecretCacheSize *int `json:secretCacheSize,omitempty"`

	// SecretCacheExpiry in minutes represents the maximum time the secret details can live in cache
	// The default value is 120, i.e 2 hours.
	// This is used while referencing the secret when fetched by name
	SecretCacheExpiry *int `json:SecretCacheExpiry,omitempty"`
}

Hope that sounds good, please let me know if there are other alternatives. Thanks.

[moolen]

What would the lifecycle of bespoke cache would look like? Would it be instantiated per SecretStore ? What is the reason for the cache? That's probably because you can not do a GetSecret call with a name, but only with an id (ref docs). Would you then list all secrets and then do a lookup by name? If that is the case i would rather ask IBM if they could provide such a functionality in their API instead of us working around that issue. List+lookup by name doesn't scale well and there are a lot of edge-cases for cache eviction that have to be documented or worked around.

We have a short-lived cache for aws/secretsmanager already which is bound to the lifecycle of the Client. Everything that is supposed to live beyond that timeframe is really hard to manage and i'd rather stay away from that if possible.

[IdanAdar]

@moolen Re: "Get by name" is planned, but not soon enough - so this is an intermediate solution for a requirement, until we do add it and then update the above accordingly (note: Shanti is from IBM, too).

[Shanti-G]

@moolen alternatively, planning to have a fixed short lived cache, where the cache is initialized at the time of creating a new client to SM and lasts till the lifetime of the SM client. Again, as mentioned, this is an intermediate solution till the API is available for the requirement.

[moolen]

Thanks for the context, that sounds good to me!