[Suggestion] dataFrom for a directory

[Aransh]

Is your feature request related to a problem? Please describe.
I manage the secrets in my Hashicorp Vault cluster using Terraform (for example creating AWS access keys, and then writing them to a vault secret).
My logical Vault layout is:
<cluster_name>/<application_name>/<secret_type>

Now, since I have multiple secret types, I must manage them separately (as I can't push them all in a single secret since Terraform will overwrite the data)
And since I want to inject all secret types of an application into it, I must manage an "externalSecret" resource per secret type (each with reference to the specific secret type name), and manually enable/disable secret types per application (as most applications don't require all secret types, and creating an ExternalSecret pointing to a non-existing secret will make it appear unhealthy).

TLDR - I have multiple secrets in the same directory, I want them all to dynamically get the same treatment (be injected into the same k8s secret), but have to manually specify each secret in my implementation.

Describe the solution you'd like
Best approach in my opinion, would be for "dataFrom" to support directories (instead of only final keys).
If provided path is a directory and not a key, get data from all secrets in this directory (maybe also add a "recursive" option?)

Example:

# Will pull data from all secrets under "test" directory
spec:
  dataFrom:
    - extract:
        key: test/

# Will pull data from all secrets under test/object-storage secret (same as current behavior)
spec:
  dataFrom:
    - extract:
        key: test/object-storage

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Possibly regex would be a solution - https://external-secrets.io/latest/guides/getallsecrets/

[Aransh]

Update, tried the regex solution, and while it's a step forward, it doesn't solve my problem, as it just adds any matching secret as a single key (while I need all keys from all matching secrets to be merged)

[Skarlso]

Hello.

Maybe I'm too new here. :D But could you please define what you mean by directory / folder? I assume you don't mean a physical folder, right? But some kind of namespace derived location?

[Aransh]

@Skarlso Correct, not really a namespace, this is comparable to a directory in a filesystem.
Don't know how this works in other secret managers external-secrets supports, but in Hashicorp Vault the data is structured in directories.
So for example I can have a secret called "object-storage", it's content will be key-value, as followed:

ACCESS_KEY=xxxx
SECRET_KEY=yyy

This secret is related to a specific application, let's say "app1", which is deployed under my cluster called "cluster1".
So I'll place this secret under directory path "cluster1/app1/"

Finally, in external secrets, I will point to a secret stored under "cluster1/app1/object-storage", and my secret will contain the actual key-values inside the secret itself.

What I'm asking for is the ability to just set the directory, e.g, "cluster1/app1/" instead of the key, which will pull the key-values from all secrets inside this "directory" (path), including "object-storage", and any other secrets that may be present there, without me having to hardcode the name of each secret I create in this directory.

Note that pulling daya from several secrets is already supported, it's just not dynamic, since I need to specify all secret names.

[Skarlso]

Interesting. And you're saying that with regex you could specify a glob or something but that didn't work because it will create a single secret containing all of those items.

[Skarlso]

This sounds almost like this #2670 but this talks about multiple external secrets.

However the post from Moritz actually explains why a single ES is doing what it does.

Basically, TL;DR an ExternalSecrets manages a single Secret because it merges keys and does reconciliation when things are changing. If it would track multiple secrets there would be no nice way to design a diff, or tracking what status changes, where and why.

#2670 (comment)

[Aransh]

You are correct, this is exactly what I'm requesting, couldn't find it myself.
I'll close this one then and add my 2 cents there, thanks

[Aransh]

@Skarlso just took a second look, and I seem to have misunderstood the linked issue.
They are requesting creating multiple secrets from all secrets in a directory
I am requesting creating a single, merged secret from all secrets in a directory (which seems to me aligns more with the existing external-secrets feature set).

Re-opening this

[Skarlso]

Oh wait, so why is the regex thing not working then? You should be able to create a single secret with all the data.

Update, tried the regex solution, and while it's a step forward, it doesn't solve my problem, as it just adds any matching secret as a single key (while I need all keys from all matching secrets to be merged)

You should be able to create those. Try using Templates with rewrite rules?

[Skarlso]

can you take a look at https://external-secrets.io/latest/guides/datafrom-rewrite/?

[Aransh]

@Skarlso well, unless I'm missing something here, what trying this gave me is not combining the keys/values from each secret, but just using the actual secret name as the key, and the key/values as the values.

e.g. I have 2 secrets, one is called "object-storage" and has this content:
{ "ACCESS_KEY": "XXXX", "SECRET_KEY": "YYYY" }

The other is called "mongo-credentials" with this content:

{ "USERNAME": "XXXX", "PASSWORD": "YYYY" }

I want to provide all these secrets to my app (as they are stored on a specific path dedicated to it), so I'd like regexp to combine them into a k8s secret with this structure:

{ "ACCESS_KEY": "XXXX", "SECRET_KEY": "YYYY", "USERNAME": "XXXX", "PASSWORD": "YYYY" }

But instead, using regexp with rewrite (to remove the path from the name), I get this final secret:

{ "object-storage": { "ACCESS_KEY": "XXXX" "SECRET_KEY": "YYYY" }, "mongo-credentials": { "USERNAME": "XXXX" "PASSWORD": "YYYY" }

Which is not as usable, as it's not what my application expects...

So instead I'm forced to create 2 separate externalSecrets with "extract", one for each secret (and one more/less for any future secret I might add/remove from this path)

[Skarlso]

Huh. Interesting. I honestly thought the former would happen. Like it should just merge all keys without adding stuff to it.

I'll check this out when I'm back home today.