ESO - copy secrets from ns to another ns

[cjabrantes]

Describe the bug
Hi all,

trying to use ESO to sync secrets from a ns to another ns, but i m making a mistake or seems to be a bug.

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: kubernetes
spec:
  provider:
    kubernetes:
      server:
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          namespace: eso  
          key: ca.crt
      auth:
        serviceAccount:
          name: external-secrets
          namespace: eso

apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: copy-secrets-pushsecret
  namespace: ns_orig
spec:
  refreshInterval: 1h0m0s
  updatePolicy: Replace
  deletionPolicy: Delete
  secretStoreRefs:
    - name: kubernetes
      kind: ClusterSecretStore 
  selector:
    secret:
      name: regcred
  data:
    - match:
        remoteRef:
          remoteKey: my-regcred  
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          remoteNamespace: eso

but i m getting:
"error":"could not write remote ref to target secretstore kubernetes: the namespace of the provided object does not match the namespace sent on the request"

Error that is related with remoteNamespace being different namespace, if they are the same , its work and secret is copied to same namespace.

But i guess one important use case is to copy to different namespaces

To Reproduce
Steps to reproduce the behaviour:

Using the previous manifest, with external-secrets:v1.2.1

Expected behavior
Get the secret copied from one ns to another

[Skarlso]

Your secretKey is empty. could not write remote ref there is a missing value there. Ironically, that's not the remoteRef as the error suggests. It's the secretKey value.

[evrardj-roche]

@cjabrantes did you see that documentation: https://external-secrets.io/latest/provider/kubernetes/ , bottom of the page, which talks about secret sharing between namespaces? An example is given there.

Could you tell us if you:

• Did not find the page to contain that information (means we need to improve the searchability for your case, it would help if you could explain how you searched)
• landed on that correct doc page, but did not find the content you expected (means we need to improve the phrasing)
• you landed on the paragraph, but it was not clear to you (means we need to improve the clarity of the topic at hand).

Thank you in advance for helping us improve ESO!

[cjabrantes]

Hi @evrardj-roche and @Skarlso,

Sorry for my absence (was 1 week without laptop in a nice almost internet free spot), i will check it to confirm the issue of the source secret key.

If thats the case i would suggest that the following error may be misleading:
the namespace of the provided object does not match the namespace sent on the request

@evrardj-roche,
when i was checking ESO i came across the blog with the use case i needed but was "broken" 404.
#5829

That would help (also maybe read with 2 eyes the docs), will update you asap.

Thanks!

[cjabrantes]

@Skarlso,

From what i read in https://external-secrets.io/latest/guides/pushsecrets/, the secretKey is not mandatory, for example, if you wanna push the all secret and not just one key, is my reading correct?

Even if i set the secretKey

  Warning  Errored  3s (x2 over 3s)    pushsecret  set secret failed: could not write remote ref .dockerconfigjson to target secretstore kubernetesthe namespace of the provided object does not match the namespace sent on the request

@evrardj-roche,
related to the page you sent me i saw that and the pushsecrets mentioned above, so i got there, but, for example in the one you sent me, there is no secret named "pokedex-credentials" being created before or the namespace where it is store or the spec of the secret store.

For me it would be easier to understand the example if we had a kubernetes secrestore spec created (in some namespace), secret spec create in some namespace and the pushsecret copying the secret from one namespace to another, also the pushsecret do not have the destination namespace.

Maybe i misread it..

[evrardj-roche]

Very valuable input on how to improve our docs.

[Skarlso]

@cjabrantes It's required with regards to the Kubernetes provider. Other providers CAN ignore it. But the Kubernetes provider doesn't.

	if data.GetProperty() == "" && data.GetSecretKey() != "" {
		return errors.New("requires property in RemoteRef to push secret value if secret key is defined")
	}

That said, I think you actually might have found a bug here. Because we create the client like this:

client.userSecretClient = userClientset.CoreV1().Secrets(client.store.RemoteNamespace)

But then the PushSecret sets up Metadata info AFTER this and overwrites the actual namespace that the client is allowed to push into.

So then it calls:

_, err := c.userSecretClient.Create(ctx, targetSecret, metav1.CreateOptions{})

And here the targetSecret no longer matches with the created dynamic client and boom things blow up.