Passing '{{' and '}}' through ESO

[gaima8]

I have a JSON string in a ConfigMap using an ExternalSecret to template in some secrets. All entirely normal.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: configjson-eso-template
data:
 configjson.json:
    "{\"secret\": \"{{ .clientSecret }}\"}"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: configjson-config
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: secretstore
  target:
    name: configjson-config
    template:
      engineVersion: v2
      templateFrom:
        - target: Data
          configMap:
            name: configjson-eso-template
            items:
              - key: configjson.json
                templateAs: Values
  data:
    - remoteRef:
        key: 'client1-clientSecret'
      secretKey: clientSecret

I now need to have another element in the JSON that needs to be the literal string '{{otherValue}}'.
No amount of weird extra quoting or escaping is letting me get that past ESO. I either get some sort of parsing failure, unexpected characters, or an invalid string in the resulting secret.

Using three, instead of two, curly braces results in: unexpected "{" in command.
A single backslash on all four curly braces is illegal for kubernetes.
Two backslashes on all four curly braces is legal, and passes ESO, but the resulting string is \{\{otherValue\}\} which isn't legal to the container parsing the JSON.
'{{'otherValue'}}', and not trying to escape otherValue, just results in ESO trying to go-template it, which obviously fails because ESO can't do that.

How do I make ESO ignore something in mustaches?

[gaima8]

This JSON containing configmap is produced by Helm, so I'm already using '{{ {{ .clientSecret }} }}'.
Adding anymore backticks just makes helm not render the chart.

[Skarlso]

Huh, this is a tough one.

[gaima8]

Huh, this is a tough one.

Thanks! ;)

I'm not done with fully working out this, or even a, solution, but by quitting time Friday I did come up with the idea of using a fake secret store to hold the actual mustache values and including ESO parsable references to them in the template.
Helm gets to parse something, and ESO gets to parse something, with ESO printing out the value our container needs, but without having to deal with writing genuinely not-secret plain strings into an actual secret manager.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: configjson-eso-template
data:
 configjson.json:
    "{\"secret\": \"{{ .clientSecret }}\", \"specialValue\": \"{{ .fakeMustacheValue }}\"}"
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: configjson-fake
spec:
  provider:
    fake:
      data: 
        - key: "mustacheValue"
          value: "{{otherValue}}"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: configjson-config
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: secretstore
  target:
    name: configjson-config
    template:
      engineVersion: v2
      templateFrom:
        - target: Data
          configMap:
            name: configjson-eso-template
            items:
              - key: configjson.json
                templateAs: Values
  data:
    - remoteRef:
        key: 'client1-clientSecret'
      secretKey: clientSecret
    - remoteRef:
        key: 'mustacheValue'
      secretKey: fakeMustacheValue
      sourceRef:
        storeRef:
          kind: SecretStore
          name: configjson-fake

[gusfcarvalho]

doesn't this work?

 configjson.json: "{\"secret\": \"{{ .clientSecret }}\", \"specialValue\": \"{{ printf '{{' }} .fakeMustacheValue {{ printf '}}' }}\"}"

[gaima8]

doesn't this work?

 configjson.json: "{\"secret\": \"{{ .clientSecret }}\", \"specialValue\": \"{{ printf '{{' }} .fakeMustacheValue {{ printf '}}' }}\"}"

Unfortunately it does not.

malformed character constant: '{{'

[gusfcarvalho]

can you run esoctl and copy over the generated template?

[gusfcarvalho]

also, try replacing ' with \" please :D

[gaima8]

also, try replacing ' with \" please :D

So that way does almost work.

These two methods do work

data:
  configjson.json: |-
    {"secret": "{{ .clientSecret }}", "specialValue": "{{ printf "{{" }}mustacheValue{{ printf "}}" }}"}

data:
  configjson.json:
     "{\"secret\": \"{{ .clientSecret }}\", \"specialValue\": \"{{ printf \"{{\" }}mustacheValue{{ printf \"}}\" }}\"}"

However for external complicated reasons I'm not able to generate a string formatted exactly like that, mostly because it isn't valid JSON. Any attempt to use double quotes there are fully escaped (\" becomes \\\" for example) and then fail to pass ESO.

[gusfcarvalho]

However for external complicated reasons I'm not able to generate a string formatted exactly like that, mostly because it isn't valid JSON. Any attempt to use double quotes there are fully escaped (" becomes \" for example) and then fail to pass ESO.

Can you share more about these reasons? Otherwise it might be hard to help out on how to move forward here 😅

[gusfcarvalho]

@gaima8 can you check if the image built with this PR #4558 fixes your issue? basically, you'll be able to set eso controller with the flags --template-left-delimiter and --template-right-delimiter to things different than {{ and }}, which hopefully means you can generate something valid and compatible with helm.