feat: have parity with 1Password connect service for GetSecretMap#4895
feat: have parity with 1Password connect service for GetSecretMap#4895Skarlso merged 2 commits intoexternal-secrets:mainfrom
Conversation
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
|
one question though - does this PR makes |
|
@gusfcarvalho Yes, it does. It did that before that as well I believe. 🤔 Are you okay with that? ( before I merge this ). Also, this is an obvious breaking change in that. But it's okay, because it's alpha. |
|
|
It's not really about the breaking change, but the fact this provider will be the only one not in line with other provider implementations. If a property is passed we parse it, but if no property is passed we just parse what we've found at the root of the secret e.g. given the following content on a given secret provider (vault, aws sm, gcp sm, ...) if no property is specified we generate this secret: while if and lastly if that above is the behavior most providers implement ☝️ so I am having second thoughts if we should allow a provider that would not follow that 🤔 AFAIK the OG implementation is a subset of that (i.e. the property bit was 'not implemented') right? |
|
@gusfcarvalho It definitely was. That's exactly how the old implementation is working. I agree that it's an outlier. |
|
To be clear, I don't know what to do about it. :D It makes sense to have parity, but yeah, essentially, this is working differently, than other providers. |
|
Does 1password connect behaves differently than that today? 🤔 |
|
Nope. It behovass exactly the same way. |
|
@gusfcarvalho Actually... :D Property is not required. If not provided, it will default to fetching fields. :) |
…ternal-secrets#4895) Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: asrormirzoev <asrormirzoev@yandex-team.ru>
|
Hi, sorry @Skarlso, but i can not figure out the new behavior :) I used to set a plain json content in a plain note onepassword secret, such as: {
"foo": "123",
"bar": "456"
}Then, using a ...
dataFrom:
- extract:
key: my_secret/notesPlain
...I was able to either:
...
target:
deletionPolicy: Retain
template:
engineVersion: v2
type: Opaque
...
target:
deletionPolicy: Retain
template:
engineVersion: v2
type: Opaque
data:
foo: {{ `{{ .foo }}` }}
bar: {{ `{{ .bar }}` }}Now, in both cases, i receive some events: Isn't that the supposed way to do it ? |
|
Hello @nervo. Humm. The code is almost the same. So it should have worked. |
|
They key does exist in your given vault given in your Store, right? |
|
@Skarlso, i finally found out what had changed :) Right before this pr, the provider behaved just like the Google Cloud "all-keys-example-secret" here https://external-secrets.io/v0.18.2/guides/all-keys-one-secret/ , namely, a single secret item holds a single field, which contains raw json content, this json was unmarshalled, and boom, we got all our keys/values. dataFrom:
- extract:
key: my_secret/notesPlainRobust, but not very intuitive :) Now, after that pr, i can continue to use "Secure Note" items, but i directly set keys/values as fields of my items, which is way more intuitive :) And i just need to declare the name of my item as dataFrom:
- extract:
key: my_secret(note that the "notesPlain" field seems not to be taken into account) I've struggled a bit to understand this new behavior, digging the code and made many tests, but anyway, it works, and it works quite well ! Thanks for the good and hard job 💪 |
|
Thank you! Do you think we should add more tests or some documentation update to make that clearer? |
|
Well, that's the fun part, the documentation did not mention at all the previous behavior with |
Problem Statement
What is the problem you're trying to solve?
Related Issue
Fixes #4893
Proposed Changes
How do you like to solve the issue and why?
Checklist
git commit --signoffmake testmake reviewable