IBM Provider: Update ESO to use latest v2.0.1 of the secrets manager Go SDK

[Shanti-G]

Is your feature request related to a problem? Please describe.
We have recently added a mechanism to allow IBM Cloud Secrets Manager (SM) users to fetch the secret by name instead of ID as described under #2210.
This mechanism is a 2 step process with caching enabled which involves below:
Step 1: Provider calls the list API to filter the given name to find out the corresponding ID
Step 2: Provider calls the get API with the ID to fetch the secret details
This has also been documented under https://external-secrets.io/v0.9.4/provider/ibm-secrets-manager/#getting-the-kubernetes-secret.

A new API has been introduced in IBM Cloud Secrets Manager's Go SDK v2.0.1 which allows the users to fetch the secret by name through a single API call. See the corresponding API documentation for reference. This API is much more efficient than the current 2 step mechanism.

Describe the solution you'd like
We want IBM Cloud Secrets Manager provider to implement this new API in place of the existing process.
The IBM provider currently supports below formats of specifying the value of remoteRef.key in the External Secret definition:

1. <secret-type>/<secret-id> : to fetch the SM secret by secret ID
2. <secret-type>/<secret-name> : to fetch the SM secret by secret name (this is the recently added functionality)

The new API requires an additional parameter SecretGroupName referring to the name of the secret group the given secret belongs to.
In order to support the new API, the provider.go needs this input passed in as a part of remoteRef.key.
However, we don't want any breaking changes in case any user is already leveraging the existing way of getting the secret by name. We also want to replace the existing 2-step approach to the new API where the group-name is to be provided.

To tackle this, we are proposing below process to achieve this migration:

1. Add support:

• Add support to specify remoteRef.key in the format <secret-type>/<secret-name>/<secret-group-name>, where the secret-group-name is an optional parameter which is to be specified to fetch the secret by name using the new API.

2. Announce deprecation:

• There will be a deprecation notice of around 2 months (exact date is yet to be decided), where any users using the format of <secret-type>/<secret-name> should migrate to use <secret-type>/<secret-name>/<group-name> format. During this deprecation period, both <secret-type>/<secret-name> and <secret-type>/<secret-name>/<secret-group-name> formats will be supported.
• There will be a recommendation to use the new way of providing the remoteRef.key (i.e. <secret-type>/<secret-name>/<secret-group-name>).

4. Post-deprecation notice period:

• Support to use secret-type>/<secret-name> to fetch secret by name will be removed.
• In order to fetch the secret by name, specifying the secret-group-name is mandatory, i.e. remoteRef.key should be provided in the format <secret-type>/<secret-name>/<secret-group-name>.

Additional context
Note that providing remoteRef.key provided in the format <secret-type>/<secret-id> to fetch the secret by ID is unaffected and should function as usual.

[Shanti-G]

Consider a secret of type imported_cert with name my-imported-cert belonging to secret group terraform-secrets-group.
Below is an example External Secret definition for this secret to fetch by name, where remoteRef.key is provided in the format <secret-type>/<secret-name>/<group-name>:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ibmcloud-secrets-manager-example
spec:
  secretStoreRef:
    name: ibmcloud-secrets-manager-example
    kind: SecretStore
  target:
    name: test-app-secret
    template:
      engineVersion: v2
      type: kubernetes.io/tls
  data:
  - secretKey: tls.crt
    remoteRef:
      key: imported_cert/my-imported-cert/terraform-secrets-group
      property: certificate
  - secretKey: tls.key
    remoteRef:
      key: imported_cert/my-imported-cert/terraform-secrets-group
      property: private_key

[IdanAdar]

@moolen Looking for any input you may have before we start work on this.

[moolen]

Thanks for writing up that detailed issue.

My first thoughts: maybe it would be better to have the group before the secret name:

<secret-type>/<secret-group-name>/<secret-name>

IMO, it's odd/confusing to define the secret-name before the group. If i understand correctly, a secret is part of a group, hence i'd want to first define which group and then the secret (just my opinion on that).

I find this more readable:

secret/fluentd/api-key
secret/fluentd/some-config
secret/grafana/api-key
secret/grafana/some-config

than:

secret/api-key/grafana
secret/some-config/grafana
secret/api-key/fluentd
secret/some-config/fluentd

Are / charaters allowed in the secret name or secret group name, is there a potential of conflict? 🤔 That would make things worse 😨

Apart from that 👆 the proposition LGTM.

Is that API going to be removed from the official IBM Cloud Secrets Manager API? Or will it stay there indefinitely?
If it stays i'd prefer to not break existing users, but if it will be removed we have to move as well 👍 😃

[Shanti-G]

@moolen , thanks for looking into this.
Firstly, apologies for the delayed response.

Initial thought on the format was to retain the existing way of defining the remoteRef.key.
However, would like to re-arrange the format as:

<secret-group-name>/<secret-type>/<secret-name>

Example:

terraform-secret-group/iam_credentials/sample-api-key

Hope this looks good.

/ character is not allowed as secret name or secret group, value must match regular expression^[A-Za-z0-9_][A-Za-z0-9_]*(?:_*-*\.*[A-Za-z0-9]*)*[A-Za-z0-9]+$. So there should be no conflict.

The API should be having a long term support, @IdanAdar can add more on that.

[Shanti-G]

Hi @moolen , we now have a PR to address this issue.
We would like to deprecate the old mechanism of getting the secret by name, for which a deprecation notice will be issued in the documentation.
Deprecation notice would look something like below:

Note that specifying the 'remoteRef.key' in below manner to fetch the secret by name will soon be deprecated by <>
...
    remoteRef:
      key: <SECRET_TYPE>/<SECRET_NAME>
...

In order to get a secret by name, the secret group name should be specified in below manner:
...
    remoteRef:
      key: <SECRET_GROUP_NAME>/<SECRET_TYPE>/<SECRET_NAME>
...
The mechanism of fetching the secret by secret ID is unaffected.

Would you have any suggestion on the time frame till which the old mechanism should be supported. Thanks.

[Shanti-G]

Hi @moolen , in case you missed above, thanks.

[moolen]

Hey! Sorry for the delay, I think we can deprecated it right away and remove the functionality with 0.10.

[IdanAdar]

That works for us. @Shanti-G please update the wording accordingly and then we'll merge this PR to be included in the 0.9.6 release