ClusterSecretStore: Support namespace glob

[speedfl]

Is your feature request related to a problem? Please describe.
N/A

Describe the solution you'd like

I would like to be able to select namespace using globs so that I can apply company namespace naming convention.

Solution:

1. Add a feature switch such as clustersecretstore-allow-namespace-glob (boolean, default false)
2. Improve client_manager.go to support glob if feature is enabled

An example is the argocd AppProject , it is possible to use glob on destination namespaces

kind: AppProject
apiVersion: argoproj.io/v1alpha1
metadata:
  name: project-two
  namespace: argocd
spec:
 destinations:
  - namespace: 'team-two*'
    server: '*'

If you are interested in this feature I can contribute.

Describe alternatives you've considered

• Create one SecretStore per namespace
• Use Kyverno to mutate SecretStore ref

Additional context
Add any other context or screenshots about the feature request here.

[gusfcarvalho]

Hi @speedfl . AFAIK you can already use MatchExpressions for that use case.

Please let me know if that wouldn’t be fitting any specific case here.

[speedfl]

Hello.

I don't think MatchExpressions would do the job because It does not supports globs. It is useful when you know in advance the values. Here the goal is to support a pattern (kind of prefix).

Another example in argocd:

kind: AppProject
apiVersion: argoproj.io/v1alpha1
metadata:
  name: project-two
  namespace: argocd
spec:
 sourceRepos:
  - https://github.com/speedfl/* => allow to deploy from all repo prefixed with this

[gusfcarvalho]

Hm I wonder how would that effectively work. 🤔

[speedfl]

1. We add a flag in the command such as enable-cluster-store-namespace-glob (default false). We cascade this config to the client_manager.go

2. Create a utility tool for glob (copied from argocd)

package glob

import (
	"github.com/gobwas/glob"
	log "github.com/sirupsen/logrus"
)

func Match(pattern, text string, separators ...rune) bool {
	compiledGlob, err := glob.Compile(pattern, separators...)
	if err != nil {
		log.Warnf("failed to compile pattern %s due to error %v", pattern, err)
		return false
	}
	return compiledGlob.Match(text)
}

func MatchStringInList(list []string, item string, exactMatch bool) bool {
	for _, ll := range list {
		if item == ll || (!exactMatch && Match(ll, item)) {
			return true
		}
	}
	return false
}

4. In client_manager.go support glob

if condition.Namespaces != nil {
	if enableGlobMatching && glob.MatchStringInList(condition.Namespaces, ns, false) {
		return true, nil // namespace in the namespaces list
	} else if slices.Contains(condition.Namespaces, ns) {
		return true, nil // namespace in the namespaces list
	}
}

5. When ClusterSecretStore is reconciled we can reject in error if we detect a glob pattern and feature is not activated

conditions:
    - type: Ready
      status: "False"
      reason: "ConfigError"
      message: "Glob detected in condition.namespaces but feature is not activated"
      lastTransitionTime: "2019-08-12T12:33:02Z"

Then in ClusterSecretStore

apiVersion: external-secrets.io/v1alpha1
kind: ClusterSecretStore
metadata:
  name: example
spec:
  conditions:
    - namespaces:
        - teamone*

If I create following ExternalSecret it should work

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "hello-world"
  namespace: teamone-dev # or any external secret deployed in any namespace prefixed by teamone
spec:
  secretStoreRef:
    name: example
    kind: ClusterSecretStore

If I create following ExternalSecret it must be blocked:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "hello-world"
  namespace: teamtwo-other # or any external secret deployed in any namespace not prefixed by teamone
spec:
  secretStoreRef:
    name: example
    kind: ClusterSecretStore

Tell me if it is clearer 😃 If it makes sense for you I can start working on a first PR

[speedfl]

Up. Any feelings on this proposal ?
Do you want me to work on a PR so that you can try it ?

[gusfcarvalho]

No problems for me. @shuheiktgw do you see any technical issues here? 😁

[12345ieee]

This is not relevant to the proposal proper, but I had the same exact need and I solved it by adding.

  syncPolicy:
    managedNamespaceMetadata:
      labels:
        team: team1

in my relevant argocd app definitions.

Then I fetch this back with a:

  namespaceSelector:
    matchLabels:
      team: team1

in the CES.

This would have solved my usecase much more directly.

[speedfl]

I thought about it however you need additional mechanisms such as admission because nothing prevents Team 2 from adding label team1 to their namespace...

[shuheiktgw]

Hmm, first of all, I believe we need to be careful to add a new feature since once we add it, we need to support it forever. Also, if we allow matching namespaces with regex, we should support it for the other (and future) cluster-scoped resources as well. Therefore, this is a relatively important interface decision.

Having said that, I'm still trying to figure out if this really is the feature that we need to support or if this is something specific to limited use cases.

thought about it however you need additional mechanisms such as admission because nothing prevents Team 2 from adding label team1 to their namespace...

IIUC, in your organization, developers cannot create but can edit namespaces, correct? Why don't you prohibit them from editing namespaces as well? Also, this is a pretty common requirement, and as you commented above, there are tons of solutions for admission control, such as OPA.

To be clear, I'm not totally against implementing the feature, yet I need to understand the use case more clearly to tell if this is the right feature we should support... I'm open to discussion, so please let me know what you think about it 🙂

[speedfl]

Hello!

Thanks a lot for your answer. I can understand your question regarding the "forever" feature support. And this needs to be taken into consideration in the final decision.

Concerning the OPA usage as I said we thought about it. However this is more complex than just Team one can use namespace prefixed or tagged by teamone (I tried to take a simple example).

Almost all AppProject features in ArgoCD can be implemented with OPA however they decided to invest in flexibility and user experience. An example is the source repository with glob support. Instead of having to declare all source repository you can use a prefix like https://gitprovider.company.com/organization/department/team/*. The same apply for destination namespace.

Here if we come back to our example. It is totally possible to implement the spec.conditions.namespaces with OPA. However it has been implemented to address a user experience requirement.

I think this is a matter of vision of the product. A balance between flexibility and not having too much to maintain. That's why I can totally understand your first argument.

Even if I would love to have this feature available, if you decide to not implement it we will still use one SecretStore per namespace. This is totally acceptable on our side.

[gusfcarvalho]

For a lot of time I thought this was related to ClusterExternalSecrets!!

ClusterSecretStores are where the credentials live to a given provider.

I’d rather not implement glob as this can be very easily used as an attack pattern, that you can only stop anyways with OPA or similar.

here, IMO, security is more important than user experience.

[speedfl]

I can understand your fear @gusfcarvalho.

However, "glob on name" is no more risky than labeling. A name is fixed. You cannot change the name while you can change labels

And as mentioned in my proposal it would be possible to activate or deactivate this feature with a feature switch at controller level (default will be deactivated)

[shuheiktgw]

@speedfl Thank you for your clarification! I agree with your points, and in the end, if enough people want it, I believe we should implement it 🙂

Just FYI, but when it comes to comparison with AppProject, it seems they primarily use regex to match multiple resources, and they don't support label match. (My point here is they just have a different strategy to match multiple resources from us) Using labels to match multiple resources is quite common in the Kubernetes community, and it should cover most of the use cases. In addition to that, as you pointed out, we have workarounds for that purpose, such as using SecretStore or installing OPA. So I'm still not too sure if the feature is worth the cost we have to pay...🙇

In terms of security, I also think "glob on name" is not that different from labels, but I'd like more feedback from @gusfcarvalho on this point!

[speedfl]

Thanks @shuheiktgw.

On my side I already evaluated the usage of conditions.namespaces without glob.
It is totally acceptable to put all namespace without regex.
In parallel I will work on an mutating webhook to add labels to namespaces based on our logic so that we could use labelselector 🙂

If you want to close this issue you can proceed.

Thanks a lot for your time and your work!