[Infisical] accessing nested items doesn't let you choose folder

[mmueller-rs]

Describe the bug
When trying to access nested items (SecretStore has recursive: true set), it's not possible to choose the path where a secret should lie.
With data, I can only fetch secrets of root layer.
With dataFrom, I can fetch secrets from the whole recursive filestructure specified in the SecretStore, but I cannot provide a path, so when a key is used multiple times, it's random which secret is fetched.

To Reproduce
Steps to reproduce the behavior:
Infisical Version: 1.3.0
External-Secrets Version: 0.12.1
Kubernetes Version: v1.29.11

1. Create a Test Secrets Project in Infisical called test-for-github with the following Secrets Layout:

SECRET_LAYER_0 -> Value: SECRET_LAYER_0
folder0
  UNIQUE_SECRET -> Value: UNIQUE_SECRET
  SECRET_LAYER_1 -> Value: SECRET_LAYER_1_0
folder1
  SECRET_LAYER_1 -> Value: SECRET_LAYER_1_1

2. Create a Machine identity with role Admin (just for testing, reduce it if you want) to the Project.
3. Add a Secret with the Client Credentials to the Kubernetes Test Namespace (for naming, see SecretStore Manifest)
4. Create a SecretStore like this:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: test-for-github
spec:
  provider:
    infisical:
      auth:
        universalAuthCredentials:
          clientId:
            key: clientId
            name: infisical-creds
          clientSecret:
            key: clientSecret
            name: infisical-creds
      hostAPI: https://infisical.example.com # ChangeThis
      secretsScope:
        environmentSlug: staging
        projectSlug: test-for-github-dbn-j # ChangeThis
        recursive: true
        secretsPath: /

5. Create an External Secret (different Options and their results as comments in Manifest):

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: es-test
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: test-for-github
    kind: SecretStore
  target:
    name: es-test
    creationPolicy: Owner
  data:
  # ### Option 1: simple access
  # # Result: Works for Secrets in 0. Layer (SECRET_LAYER_0), but when specifying something else, the key is ""
  # - secretKey: key
  #   remoteRef:
  #     key: SECRET_LAYER_0 # SECRET_LAYER_0 or SECRET_LAYER_1 or UNIQUE_SECRET
  # ### Option 2: data with path
  # # Result: doesn't work, because it's using the whole path as "Secret-Key" with `secretPath=/`, therefore its key is ""
  # # See Logline: "Route GET:/api/v3/secrets/raw/folder0/SECRET_LAYER_1?environment=staging&include_imports=true&secretPath=%2F&workspaceSlug=test-for-github-dbn-j not found"
  # - secretKey: key
  #   remoteRef:
  #     key: folder0/SECRET_LAYER_1
  # ### Option 3: dataFrom with name
  # # Result: Works with `SECRET_LAYER_0` and `UNIQUE_SECRET`, but with `SECRET_LAYER_1`, it saves value `SECRET_LAYER_1_1`
  # dataFrom:
  # - find:
  #     name:
  #       regexp: "SECRET_LAYER_1"
  # ### Option4: dataFrom with path and name
  # # Result: doesn't work at all. As soon as I specify `path`, it doesn't create a secret anymore
  # # The Log-Lines also don't show anything, only the requests of the SecretStore to `"/api/v3/secrets/raw?environment=staging&expandSecretReferences=true&include_imports=true&recursive=true&secretPath=%2F&workspaceSlug=test-for-github-dbn-j"`
  # dataFrom:
  # - find:
  #     path: folder0
  #     name: 
  #       regexp: "SECRET_LAYER_1"

Expected behavior
When creating a SecretStore with spec.provider.infisical.secretsScope.recursive=true and creating an External-Secret with

dataFrom:
  - find:
      path: folder0
      name: 
        regexp: "SECRET_LAYER_1"

it should access the Secret folder0/SECRET_LAYER_1. Instead it doesn't create the Secret and sets the External-Secret to the state SecretSynced with message "secret retained due to DeletionPolicy=Retain"

Additional context
I've checked the Request that is done by the SecretStore

curl --request GET \
  --url 'https://infisical.example.com/api/v3/secrets/raw?environment=staging&expandSecretReferences=true&include_imports=true&recursive=true&secretPath=%252F&workspaceSlug=test-for-github-dbn-j' \
  --header 'authorization: Bearer SECRETBEARERTOKEN'

and it returns all the secrets, even both SECRET_LAYER_1 with their different values, but also different secretPath's.

[Skarlso]

Sadly, I have no idea how infisical works. @akhilmhdh might you be of help here please? :)

[akhilmhdh]

@mmueller-rs I think the secret merge is the issue here. Let me try to reproduce the same and I'll patch it up as needed with a detailed post mortem on what went wrong.

[lgo]

Okay I've also happened to stumble on this alongside #4059 and I've sorted through what the particular issue is. In combination with #4059 not correctly handling errors code, as @mmueller-rs pointed out the underlying request being done for secrets in folders (intuitively, as the ExternalSecret's docs for Infisical are fairly sparse) is to use key: folder/secret but that inadverdently causes the request to be

/api/v3/secrets/raw/folder/secret

This always just 404s with any / following `raw/ . I tried to create a top-level secret in Infisical with a slash on the UI, just to see if that's even possible, and unsurprisngly I got UI errors about the secret failing to be created so I suspect that's just not valid in the first place.

I suspect there's two ways to handle this.

1. Continue to use /api/v3/secrets/raw/:secret, and munge the incoming SecretKey to put any path prefixes into the secretPath to automatically handle secret directories.
2. Use /api/v3/secrets/raw and simply do the filtering at that point to instead let (a) key be a folder path, and (b) property be the secret name.

(1) seems more in-line with ExternalSecrets and it also allows for avoiding retrieval of all secrets on every call. With the right documentation, that would be relatively intuitive.

Additionally, while going down this rabbit hole I realize "I just added recursive: true because I could not figure things out". I reckon the docs could use a lot more clarification, using examples of Infisical secret layouts, to actually guide people down scenarios and situations.

[akhilmhdh]

~~ @lgo I'm not sure if that's the convention I believe the External Secrets Operator follows. The store should scope it correctly, and the key should only be the key name.

  - find:
      path: path-to-filter
      name:
        regexp: ".*foobar.*"

I believe this is the point where the filtering should occur, not at the key level. Otherwise, Infisical would be the only one following this convention, potentially causing more confusion.

What we did was a simple filter.

	for key, value := range secrets {
		if (matcher != nil && !matcher.MatchName(key)) || (ref.Path != nil && !strings.HasPrefix(key, *ref.Path)) {
			continue
		}
		selected[key] = []byte(value)
	}

I guess we need to correct the above part? Let me fix that.

@Skarlso Feel free to correct me, and my understanding. ~~

Updated information below

[akhilmhdh]

I had a discussion with my teammates, and these are the changes we are planning to implement:

1. Secret Path Scoping
   We realized that the secret path should not be too strongly scoped, as it is in the current secret store. This is making usage more harder. When performing a dataFrom operation to list secrets without providing a path option in find, secrets will be fetched from the secret path specified in the store. If the path option is provided, it will be used directly to locate the secrets.

2. Single Secret Access
   For single secret access using data, we propose modifying the key format as @igo suggested to support specifying the path as well. If only the key name is provided, the secret will be fetched from the default secret path specified in the store.

   We noticed that this pattern is also present in AWS providers. This change will align our API more closely with the provider as well.

3. Recursion Behavior
   Recursion will remain unchanged. When the recursive option is set to true in the store configuration (since ExternalSecret CRDs cannot accept custom configurations), it will only affect list operations. A list operation with the path option will fetch all secrets from that path to every path below. Single secret lookups using find will not be impacted by recursion.

@mmuler, you no longer need to perform additional dataFrom operations. You can fetch secrets directly using data and a key in the format: key: /path/KEY.

The validation for secret access will be handled from server side based on the role identity has.

CC: @Skarlso

[lgo]

We realized that the secret path should not be too strongly scoped, as it is in the current secret store. This is making usage more harder. When performing a dataFrom operation to list secrets without providing a path option in find, secrets will be fetched from the secret path specified in the store. If the path option is provided, it will be used directly to locate the secrets.

Would the provider option be clearer if it had a name like defaultSecretPath?

We noticed that this pattern is also present in AWS providers. This change will align our API more closely with the provider as well.

Thank you for taking a read through the other providers for consistency! I do agree making it more consistent would be fantastic.

Recursion will remain unchanged. When the recursive option is set to true in the store configuration (since ExternalSecret CRDs cannot accept custom configurations), it will only affect list operations. A list operation with the path option will fetch all secrets from that path to every path below. Single secret lookups using find will not be impacted by recursion.

Yep, this makes sense and thanks for explaining - I also didn't realize it was possible to specify both a path and name on a dataFrom entry together until I read your 2nd last comment! That would make another good example for the docs to showcase how this works.

---

If it's fine, I can probably pick up these changes today and cc you on the PRs. It saves me the effort of having to swap my self-hosted Infisical for something else 😬

[akhilmhdh]

Would the provider option be clearer if it had a name like defaultSecretPath?

It would be actually. But I guess to avoid another depreciated field I just didn't suggested it. 😅

If it's fine, I can probably pick up these changes today and cc you on the PRs. It saves me the effort of having to swap my self-hosted Infisical for something else

Haha, Sure! Just let me CC and I'll chime in, although may not catch up on it today [A bit too late for me here 🌙 ].

[hpza]

Hi,
I'm running into the same issue and I would be happy if the path prefix could be implemented :-)
Thanks

[itimky]

As a workaround one can configure SecretStore per infisical directory like this:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
# ...
spec:
  provider:
    infisical:
#     ...
      secretsScope:
#       ...
        secretsPath: /directory