Description
Hello,
First of all thank you for creating this project and maintaining it
Describe the bug
I'm not able to get multiple secrets from a Vault KV V2 store if the KV name contains the `data` keyword (for example: `mykv_data`).
To Reproduce
Steps to reproduce the behavior:
- provide all relevant manifests:
First I have a ClusterSecretStore:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: myClusterSecretStore
spec:
  provider:
    vault:
      auth:
        ...
      server: https://myvault_fqdn
      version: v2
```
I'm not setting any path prefix in my ClusterSecretStore as I want to be able to fetch secrets from different KV stores using the same ClusterSecretStore.
Then I create an ExternalSecret which lists secrets from my KV store:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: list-secrets
spec:
  dataFrom:
    - find:
        path: mykv_data/data/path/to/my/secrets
        name:
          regexp: ".*"
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: myClusterSecretStore
  target:
    name: list-secrets
```
Then describing the secret by running:
```shell
k describe externalsecrets.external-secrets.io list-secrets
```
I get this error:
```
* 1 error occurred:
* permission denied
Warning UpdateFailed 2m (x5 over 2m) external-secrets cannot read secret data from Vault: Error making API request.
URL: GET https://myvault_fqdn/v1/mykv_metadata/data/path/to/my/secrets?list=true
Code: 403. Errors:
* 1 error occurred:
* permission denied
```
Note that `mykv_data` became `mykv_metadata` and, as explained in KV V2 List Secrets, the path should be `/:secret-mount-path/metadata/:path`, not `/:secret-mount-path/data/:path`.
- provide the Kubernetes and ESO version
kubernetes version: 1.28
External secret version: v0.9.11
Expected behavior
The expected URL should be: `https://myvault_fqdn/v1/mykv_data/metadata/path/to/my/secrets?list=true`
Additional context
The problem comes from the function `buildMetadataPath`.
As a quick fix I'd suggest changing line 202 from:
```go
path = strings.Replace(path, "data", "metadata", 1)
```
to:
```go
path = strings.Replace(path, "/data/", "/metadata/", 1)
```
Also, I think the API is not clear enough.
From what I understand from the code, if a path prefix is defined at ClusterSecretStore level (`c.store.Path` in the context of the function) you must only pass the path to secrets within the KV:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: list-secrets
spec:
  dataFrom:
    - find:
        path: path/to/my/secrets
        ...
```
But if it's not defined then you need to pass the KV store name + `/data/` + the path to secrets within the KV:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: list-secrets
spec:
  dataFrom:
    - find:
        path: mykv_data/data/path/to/my/secrets
        ...
```
I would expect the API to have uniform parameters: either we always need to pass the Vault API path (with `/data/` or `/metadata/`) or we never pass it and the code builds the right URL behind the scenes.
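As an added example (not the project's own code), here is a simplified Go model of the two path-rewriting behaviours described in this issue: the naive `"data"` replacement that produces the `mykv_metadata` URL above, and the `"/data/"` replacement suggested as a fix. The store prefix (`c.store.Path`) is modelled as an optional string, and `listURL` is an assumed helper that builds the list request URL the error message shows.

```go
package main

import (
	"fmt"
	"strings"
)

// metadataPathNaive models the behaviour reported in the issue: when no store
// prefix is configured, the first occurrence of "data" anywhere in the path is
// rewritten, which corrupts mount names that themselves contain "data".
func metadataPathNaive(storePrefix *string, path string) string {
	if storePrefix != nil {
		return fmt.Sprintf("%s/metadata/%s", *storePrefix, path)
	}
	return strings.Replace(path, "data", "metadata", 1)
}

// metadataPathFixed applies the suggested fix: only the "/data/" path segment
// is rewritten, so a mount such as mykv_data is left intact. A mount whose own
// name is exactly "data" (e.g. data/data/foo) is also handled correctly, because
// the leading segment has no slash in front of it.
func metadataPathFixed(storePrefix *string, path string) string {
	if storePrefix != nil {
		return fmt.Sprintf("%s/metadata/%s", *storePrefix, path)
	}
	return strings.Replace(path, "/data/", "/metadata/", 1)
}

// listURL assembles the KV V2 list request URL (assumed helper, not ESO's code).
func listURL(server, metadataPath string) string {
	return fmt.Sprintf("%s/v1/%s?list=true", server, metadataPath)
}

func main() {
	const server = "https://myvault_fqdn" // constructed sample value
	const path = "mykv_data/data/path/to/my/secrets"
	fmt.Println("naive:", listURL(server, metadataPathNaive(nil, path)))
	fmt.Println("fixed:", listURL(server, metadataPathFixed(nil, path)))
	prefix := "mykv_data"
	fmt.Println("with prefix:", listURL(server, metadataPathFixed(&prefix, "path/to/my/secrets")))
}
```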