GCP Provider- `GetSecret` method successfully parses broken JSON - it should fail.

[johanntienhaara-tealbook]

Is your feature request related to a problem? Please describe.
It would be nice if the dataFrom / extract form of an ExternalSecret could handle a trailing comma, a la:

{
"TEST1": "abc123",
}

With a trailing comma, ESO produces the error:

unable to unmarshal secret: invalid character '}' looking for beginning of object key string

(Technically, this is indeed invalid JSON, according to https://www.rfc-editor.org/rfc/rfc4627. However, allowing trailing commas would make maintaining JSON secrets a bit easier for humans; and many JSON parsers do accept trailing commas -- including the External Secrets Operator data / secretKey parser, which happily pulls each property out of a comma-tailed JSON secret.)

Describe the solution you'd like
Allow JSON with a trailing comma in the dataFrom / extract code: { "TEST1": "abc123", }

Describe alternatives you've considered
This would just be a nicety. Creating a JSON secret with no trailing comma works fine: { "TEST1": "abc123" }

Additional context
If accepted, and if someone could point me in the direction of the JSON parsing code for dataFrom / extract (even if it's a third party library), I'd be happy to take a shot at a PR to relax the no-trailing-comma rule.

Full ExternalSecret example:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name:  johann-test-secrets
  namespace: default
spec:
  refreshInterval: 5m           # rate External Secret Operator pulls from GSM
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-sa-connectivity   # name of the SecretStore (or kind specified)
  target:
    name: johann-test-secrets  # name of the k8s Secret to be created
    creationPolicy: Owner

  #
  # https://external-secrets.io/latest/guides/all-keys-one-secret/
  #
  dataFrom:
    - extract:
        key: johann-test                        # Google Secret Manager Secret
        version: "1"

In Google Secret Manager "johann-test" secret version "1" is:

{
"TEST1": "abc123",
}

Error logs:

{
  "insertId": "mq2flcgbkj1zrklr",
  "jsonPayload": {
    "logger": "controllers.ExternalSecret",
    "stacktrace": "github.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).markAsFailed\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:359\ngithub.com/external-secrets/external-secrets/pkg/controllers/externalsecret.(*Reconciler).Reconcile\n\t/home/runner/work/external-secrets/external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go:228\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:116\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:303\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.0/pkg/internal/controller/controller.go:224",
    "msg": "could not get secret data from provider",
    "ExternalSecret": {
      "name": "johann-test-secrets",
      "namespace": "default"
    },
    "ts": 1737727568.8965504,
    "level": "error",
    "error": "unable to unmarshal secret: invalid character '}' looking for beginning of object key string"
  },
...etc...

Thank you ESO folks, you rock! 🙏

[Skarlso]

Hello 👋

External Secrets Operator data / secretKey parser

Which part is this exactly? :D Just so I know where to look. :D :D :D

[johanntienhaara-tealbook]

Hi @Skarlso ,

If I'm interpreting your question correctly, this is what the data / secretKey form of the above ExternalSecret would look like:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name:  johann-test-secrets
  namespace: default
spec:
  refreshInterval: 5m           # rate External Secret Operator pulls from GSM
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-sa-connectivity   # name of the SecretStore (or kind specified)
  target:
    name: johann-test-secrets  # name of the k8s Secret to be created
    creationPolicy: Owner

  data:
    - secretKey: fieldInKubernetesSecret          # Kubernetes Secret field name
      remoteRef:
        key: johann-test-secrets                  # Google Secret Manager Secret
        property: TEST1                           # JSON field in GSM Secret

Specifically, referencing each property in the Google Secret Manager Secret works, even when there is a trailing comma in the JSON:

  data:
    - secretKey: fieldInKubernetesSecret          # Kubernetes Secret field name
      remoteRef:
        key: johann-test-secrets                  # Google Secret Manager Secret
        property: TEST1                           # JSON field in GSM Secret

{
"TEST1": "abc123",
}

Does that make sense? Or did I miss the thrust of your question?

Thank you! 🙏

[Skarlso]

Nope, that was it, thanks. I'll take a look when I can on what's up there.

[gusfcarvalho]

I kinda disagree that we should parse for invalid JSON. This could be a typo from the user missing elements there.

And personally I would just fix the issue on secretKey 😅

[Skarlso]

But it's explicitly doing that in secretKey. :D Like, it's been coded that way. :DDD Are you saying it shouldn't be? :D

[gusfcarvalho]

But it's explicitly doing that in secretKey. :D Like, it's been coded that way. :DDD Are you saying it shouldn't be? :D

yup, it is my personal opinion that I don't like to support broken format for standards, so I'd say we fix that on secretKey.

I think we're doing it indirectly via this being supported with gjson package, so maybe checking if it is a valid json with a json.Unmarshal call before using gjson might be enough.

(again, my opinion. I'm fine if we decide to support broken json just because we have that precedent. If that's the case, I think we can simply use gjson to Unmarshal dataFrom.extract calls, so if this ever stops being supported there, we also maintain behavior)

[Skarlso]

There is a usecase for it I think if the value is templated somehow maybe? And once it's fetched it will be turned into something else. WDYT?

[johanntienhaara-tealbook]

But it's explicitly doing that in secretKey. :D Like, it's been coded that way. :DDD Are you saying it shouldn't be? :D

yup, it is my personal opinion that I don't like to support broken format for standards, so I'd say we fix that on secretKey.

I think we're doing it indirectly via this being supported with gjson package, so maybe checking if it is a valid json with a json.Unmarshal call before using gjson might be enough.

(again, my opinion. I'm fine if we decide to support broken json just because we have that precedent. If that's the case, I think we can simply use gjson to Unmarshal dataFrom.extract calls, so if this ever stops being supported there, we also maintain behavior)

This is all fine by me, I just wanted to point out that fixing secretKey would presumably require a major semantic version change, and upgrade release notes, since users of ESO would have to comb through all their secret JSON to make sure there are no trailing commas.

(That won't affect me, because I've removed commas from our secrets, but just wanted to point it out in case it's a consideration.)

[Skarlso]

@gusfcarvalho

And personally I would just fix the issue on secretKey 😅

By this do you mean on the GCP side? Or where?

[gusfcarvalho]

The issue here is that dataFrom.extract on our codebase for GCP SM fails for broken JSON, but passes if we leverage data.remoteRef.property (the GetSecret method). IMO, we should fix the GetSecret method to only parse valid json.

[Skarlso]

Ah so you would rather be actually MORE strict.