Can't retrieve secrets when working with Gitlab variables at group level defined for different environments

[felixprado-mc]

Describe the bug
We are getting an error when retrieving some variables in Gitlab that:

• Are defined at the group level (instead of the project level).
• Have different values for environments (review/*, dev, stage and prod)

The error we receive is:
error retrieving secret at .data[1], key: MY_VARIABLE, err: GET https://gitlab.com/api/v4/groups/XXXXXXX/variables/MY_VARIABLE: 409 {message: There are multiple variables with provided parameters. Please use 'filter[environment_scope]'}

I'm pretty convinced that in this particular case, the query does not includes that filter. I have made the same request with Postman (see snapshots) and using the same token that ExternalSecret uses and I can retrieve the variable:

To Reproduce
1- These are my manifests. You can't reproduce the issue but at least see the configuration.
2. Kubernetes version; v1.27.9
ESO: v0.9.14

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: my-product
spec:
  provider:
    gitlab:
      auth:
        SecretRef:
          accessToken:
            key: EXTERNAL_SECRETS_GITLAB_TOKEN
            name: external-secret-gitlab-token
      environment: dev
      groupIDs:
      - "{my_group_id}"
      projectID: "{my_project_id}"

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name:  my-product
spec:
  data:
  - remoteRef:
      key: MY_VARIABLE
    secretKey: MY_VARIABLE
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name:  my-product
  target:
    creationPolicy: Owner
    name: secrets-external

Expected behavior
The variable can be retrieved as any other using ExternalSecrets even if it has different values per environment.

Screenshots

Additional context
Add any other context about the problem here.

[Farfaday]

I can confirm the issue as I also am affected :)

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[felixprado-mc]

The bug is still there.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[hpza]

Hi,
I'm not sure if it is the same issue, but when upgrading from 0.10.7 to 0.11.0 I get following error:

"error":"error retrieving secret at .data[0], key: F5NC_F5_USER, err: 404 Not Found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.2/pkg/in ternal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.2/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[. .[]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.2/pkg/internal/controller/controller.go:224"

I checked the logs on gitlab side;
"method": "GET", "path": "/api/v4/groups/31/variables",
The same request with 0.10.7:

"method": "GET", "path": "/api/v4/groups/31/variables/F5NC_F5_PWD",

So, for some reason the variable key is missing!? should be
"route": "/api/:version/groups/:id/variables/:key",

Thanks for any help!

[Skarlso]

@hpza can you test with 0.14.2 please? We made some fixes to gitlap provider.

[hpza]

Hi, thanks, I can confirm, that it is working again :-)

[fprado]

Hi @Skarlso @hpza

How did you make it work? It still fails to me in v0.14.3.

My Kubernetes manifest is like this:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
  name: blueprint
  namespace: trx
spec:
  provider:
    gitlab:
      auth:
        SecretRef:
          accessToken:
            key: EXTERNAL_SECRETS_GITLAB_TOKEN
            name: trx-external-secret-gitlab-token
      environment: dev
      groupIDs:
      - "1"
      projectID: "2"

And:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: blueprint
spec:
  data:
  - remoteRef:
      key: DUMMY_CI_VARIABLE_GITLAB
    secretKey: DUMMY_EXTERNAL_SECRET_VALUE
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: blueprint
  target:
    creationPolicy: Owner
    name: blueprint-external

In the Gitlab group with groupId = 1 (which is the parent of project with projectid = 2), I have defined a variable DUMMY_CI_VARIABLE_GITLAB for environment "dev", the same declared in the SecretStore object.

The deployment ends successfully (this didn't happen before), but the value of the variable (in Kubernetes is named DUMMY_EXTERNAL_SECRET_VALUE) is empty.

Any idea?

[fprado]

I have also tried to add the inheritFromGroups: true like defined in the documentation:

• https://external-secrets.io/latest/provider/gitlab-variables/
• https://external-secrets.io/latest/api/spec/

spec:
  provider:
    gitlab:
      auth:
        SecretRef:
          accessToken:
            key: EXTERNAL_SECRETS_GITLAB_TOKEN
            name: trx-external-secret-gitlab-token
      environment: dev
      inheritFromGroups: true
      groupIDs:
        - '1'
      projectID: '2'

but I get this error:

Unable to save changes: error patching resource: admission webhook "validate.secretstore.external-secrets.io" denied the request: defining groupIDs and inheritFromGroups = true is not allowed