[Infisical] Sync doesn't fail if projectSlug is not available

[mmueller-rs]

Is your feature request related to a problem? Please describe.
I've created a SecretStore with a self-hosted Infisical server as provider. I first entered a wrong projectSlug. Both the SecretStore as well as the ExternalSecret looked fine, they both said that the secret was successfully synced.
Looking at the secret however shows that the Keys have an empty value.
See also #3686.

Describe the solution you'd like
If the External-Secrets-Operator is not able to retrieve a secret (project doesn't exist or missing permissions or similar), the Secret-Store should fail to validate.

Describe alternatives you've considered
If the SecretStore validation cannot check this, at least the ExternalSecret should fail to sync.

Additional context
I've tested the wrong request using an api client against the Infisical-Server and it returned a 500:

{"statusCode": 500,"message": "Something went wrong","error": "Find project by slug"}

So from Infisical's side the behaviour seems correct.

Manifest misconfigured SecretStore (retrieved from Kubernetes, but slightly cleaned up):

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: infisical-foo
  namespace: external-secrets
spec:
  provider:
    infisical:
      auth:
        universalAuthCredentials:
          clientId:
            key: clientId
            name: infisical-creds
            namespace: external-secrets
          clientSecret:
            key: clientSecret
            name: infisical-creds
            namespace: external-secrets
      hostAPI: https://infisical.change.me # changed for data protection
      secretsScope:
        environmentSlug: dev
        projectSlug: foobar # project doesn't exist
        secretsPath: /
status:
  capabilities: ReadOnly
  conditions:
  - lastTransitionTime: "2024-10-29T14:30:24Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready

Manifest ExternalSecret (retrieved from Kubernetes, but slightly cleaned up):

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: es-foo
  namespace: external-secrets
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      decodingStrategy: None
      key: PASSWORD
      metadataPolicy: None
    secretKey: ADMIN_PASS
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: infisical-foo
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: secret-foo
status:
  binding:
    name: secret-foo
  conditions:
  - lastTransitionTime: "2024-10-29T14:33:58Z"
    message: Secret was synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2024-10-29T14:33:58Z"
  syncedResourceVersion: 1-4fe8a58fdd8d1c1dbe5e34de2c39af9a

Manifest Secret (retrieved from Kubernetes, but slightly cleaned up):

apiVersion: v1
data:
  ADMIN_PASS: ""
immutable: false
kind: Secret
metadata:
  annotations:
    reconcile.external-secrets.io/data-hash: 2f268487e7f9303c1fe8888de1ee50af
  labels:
    reconcile.external-secrets.io/created-by: 512949fc898ec69665a6157fa1ac81e1
  name: secret-foo
  namespace: external-secrets
type: Opaque

[gusfcarvalho]

@akhilmhdh may you take a look?

[akhilmhdh]

Hi @gusfcarvalho

Just got the notification for this. Sure will do the fix for this

[slavaGanzin]

@akhilmhdh have the same problem

[slavaGanzin]

Actually my problem was that I have an identity (organizational), but it didn't have access to project.

When I replicated the query in infimsical API, I got:

curl --request GET \
  --url 'https://eu.infisical.com/api/v3/secrets/raw?workspaceId=XXX&environment=dev' \
  --header 'Authorization: Bearer XXX'

{
  "reqId": "req-iH27AZySsfpk7H",
  "statusCode": 403,
  "message": "You are not allowed to access this resource",
  "error": "Identity is not a member of the specified project with ID 'XXX'"
}

There is no 403 error processing in the code only 401: https://github.com/external-secrets/external-secrets/pull/3477/files#diff-54d77c761cff754b43e7a53dc8911286a082d7b054b5647592abcff47aa285f7R219

Hope that helps, Akhil @akhilmhdh

[slavaGanzin]

And yeah, I used project id and not project slug. My bad. But still it should be errors and/or events.

Finally it works, but lack of debug capabilities making this pain in the ass.

[Skarlso]

Is this now working for the OP as well? @mmueller-rs ? @slavaGanzin What improvements do you think we could take to make this a better experience?

[akhilmhdh]

Hi @Skarlso @slavaGanzin

Apologies for the delay happened over this issue, as we had to re-prioritize somethings and later holidays kicked in. As @slavaGanzin mentioned need to check the particular status code project missing cases and handle it more gracefully.

I'll be putting a PR over the weekend to resolve this, again apologizing for the delay occurred.

[Skarlso]

Thank you very much! :) No worries. :) Ping me please in the PR.

[slavaGanzin]

Gergely, I do not have vast experience with k8s operators, but I don't understand how to debug issues with them. Usually pods have only error messages and not that informative ones (and are spoiled with developer information):

{"level":"error","ts":1736438881.2772188,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"infisical","namespace":"external-secrets"},"namespace":"external-secrets","name":"infisical","reconcileID":"42e13aa6-62c5-420e-9bd4-da125c1b4ac6","error":"error processing spec.dataFrom[0].find, err: could not get SecretStore \"infisical\", SecretStore.external-secrets.io \"infisical\" not found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.3/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.3/pkg/internal/controller/controller.go:224"}

And deployments, replicates, pods, secrets have an empty events. And in my eyes that would be pretty neat, if secret will show event when it was synchronized, pods/replicasets/deployment would have error events when something was not working properly and when secrets were provisioned to namespace.

To me experience with operators are more akin to black boxes. And that's not great

@Skarlso

[slavaGanzin]

@akhilmhdh Thanks Akhil.

If it's not a problem to you, could you explain how do you develop operator/plugins? I had an idea to fix this error myself, but I have no knowledge of SLDC process of k8s operators.

[Skarlso]

@slavaGanzin you're absolutely right that we aren't doing great in event handlings. Some of the providers already create events but I think they are hard to discovery. A proper overhaul of our event handling is required.

[mmueller-rs]

@Skarlso sorry, the issue still persists.
My Version of external-Secrets Helm-chart is 0.12.1.
In a ClusterSecretStore, I've configured .spec.provider.infisical.secretsScope.projectSlug: test (which doesn't exist in my Infisical Instance) and describing the ClusterSecretStore shows that it's valid and Ready.

[Skarlso]

I don't know what to do. The validation is the same as for all the providers. And Infisical looks like it's validating correctly.

func (p *Provider) Validate() (esv1beta1.ValidationResult, error) {
	// try to fetch the secrets to ensure provided credentials has access to read secrets
	_, err := p.apiClient.GetSecretsV3(api.GetSecretsV3Request{
		EnvironmentSlug: p.apiScope.EnvironmentSlug,
		ProjectSlug:     p.apiScope.ProjectSlug,
		Recursive:       p.apiScope.Recursive,
		SecretPath:      p.apiScope.SecretPath,
	})

	if err != nil {
		return esv1beta1.ValidationResultError, fmt.Errorf("cannot read secrets with provided project scope project:%s environment:%s secret-path:%s recursive:%t, %w", p.apiScope.ProjectSlug, p.apiScope.EnvironmentSlug, p.apiScope.SecretPath, p.apiScope.Recursive, err)
	}

	return esv1beta1.ValidationResultReady, nil
}

And then validation:

	validationResult, err := cl.Validate()
	if err != nil && validationResult != esapi.ValidationResultUnknown {
		cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionFalse, esapi.ReasonValidationFailed, fmt.Sprintf(errUnableValidateStore, err))
		SetExternalSecretCondition(store, *cond, gaugeVecGetter)
		recorder.Event(store, v1.EventTypeWarning, esapi.ReasonValidationFailed, err.Error())
		return fmt.Errorf(errValidationFailed, err)
	}

I don't know what's going on. 🤷