PushSecrets should implement the same `remoteRef.property` options as ExternalSecrets

[giepa]

Describe the solution you'd like

We would like to push values from a given kubernetes secret key, to a given property of a remote secret. Currently it is only possible to push a value to update an entire remote secret.

For example given the below k8s secret:

apiVersion: v1
kind: Secret
metadata:
  name: source-secret
stringData:
  some-key: "this is a secret"
  some-other-key: "this is another secret"

With the below PushSecret

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
spec:
  selector:
    secret:
      name: source-secret
  data:
    - match:
        secretKey: some-key
        remoteRef:
          remoteKey: my-secret
          property: some-key
    - match:
        secretKey: some-other-key
        remoteRef:
          remoteKey: my-secret
          property: some-other-key

The result would be that the remote secret my-secret is updated with key value pairs as below:

{
  "some-key": "this is a secret"
  "some-other-key": "this is another secret"
}

[shuheiktgw]

Let me see if I could help with this issue!

[shuheiktgw]

I briefly read the source code and realized some providers (Kubernetes and Vault) already support the property field, so IIUC, the actual goal here is to expand the support to the other providers 🙂 The full list is below (I removed providers that do not support the PushSecret feature itself). I think I can help with at least AWS and GCP.

• aws
  • parameterstore
  • secretmanager Support PushSecret Property for AWS SM #2623
• azure
• gcp Support PushSecret Property for GCP #2465
• keepersecurity
• scaleway

[DarrenBishop]

Hi @shuheiktgw any progress on AWS Parameter Store?
I can imagine this is a tricky thing to do; I realise there are at least two possible approaches to this, lets say High-Mileage vs Most-General:

• High-Mileage:
  • The Operator focuses on a single PS, where properties have been declared to be pushed to a single remote parameter (AWS secret), so poll/collective them all a make a single AWS API call
• Most-General:
  • The Operator sees multiple PS's, each declaring properties across various remote parameters

Which of these two approaches are you aiming to support? Is there some other approach you are implementing?

The simplest use-case for me is to just mirror a Kubernetes Secret i.e. with multiple keys into an AWS Parameter Store parameter JSON with fields mapped to the Secret's keys, thus enabling round-tripping with PushSecrets and ExternalSecrets.

The High-Mileage approach fits this use-case well and would be ideal?

[shuheiktgw]

Hi, @DarrenBishop 👋 Thank you for your input. I don't have time to work on this issue lately, so right now I cannot answer your question... But if you have a use case for the parameter store property, I could work on it. Give me some time, or if anyone else wants to work on it, please go ahead and implement it 🙂