infisical: support secrets within paths for data references

[lgo]

(cc @akhilmhdh)

Problem Statement

When attempting to access a secret in a directory, provided secretsPath: /, like so:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: infisical-managed-secrets
spec:
  secretStoreRef:
    kind: SecretStore
    name: infisical
  target:
    name: auth-api
  data:
    - secretKey: API_KEY
      remoteRef:
        key: "foo/bar"

This will always result in a 404 API error from Infisical, because the API request is malformed (/api/v3/secrets/raw/foo/bar). The correct API request would instead be /api/v3/secrets/raw/bar?secretPath=/foo. This either:

• Made it so you simply cannot use secrets in folders with direct references via data
• Made it so you have to use a separate secret provider with a distinct path, which isn't very usable or very obvious

In combination with #4059, this would result in empty secrets but after that issue is fixed these would fail to sync with an error.

Overall this was also quite confusing with the SecretStore's secretsPath property - would a remoteRef be an additive path? Would it supercede the SecretStore?

Related Issue

Fixes #4298

Proposed Changes

As suggested on the issue (#4298 (comment)) this makes a particular changes:

• remoteRef's with paths take precedence over any secretsPath on the SecretStore
• If a remoteRef is detected to be a path (i.e. it contains /), an error is raised if it does not start with / with an actionable error indicating to use / and that it is an absolute reference. This should hopefuly further clarify the interaction between this, and secretsPath
• Documentation is updated with more specific examples of data in Infisical and how you would retrieve it, now that these features work

I've tested this against a self-hosted Infisical instance. I used a branch rebased off of #4304 to test this (lgo:joey-infisical-folder-handling-testing)

• With a remoteRef: {key: "foo/bar"}
• ❌ ExternalSecret expectedly fails with a secret key referencing a folder must start with a '/' as it is an absolute path, key: foo/bar
• With a remoteKey: {key: "/foo/bar"}
• ✅ the secret successfully syncs.

TODO:

• This needs to be rebased after merging infisical: fix error handling which previously failed silently (missing secrets, incorrect auth, etc.) #4304. I had a few changes layered on that I'll include after the rebase.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[akhilmhdh]

Hi @lgo

That was quick. Code wise looking good to me. I'll do the application test today and give my approval on my side.

One small issue is, can we bring back the secret path option. Removing it would be a breaking change and want to keep it backward compatible. Simply keep that option as it is and if user provides it and not defaultSecretPath, the first one will be used. The docs can be kept with new one, may be mentioning secretPath is depreciated would be great. As both option was optional from the start, this should give customers less headache.

[lgo]

One small issue is, can we bring back the secret path option. Removing it would be a breaking change and want to keep it backward compatible. Simply keep that option as it is and if user provides it and not defaultSecretPath, the first one will be used. The docs can be kept with new one, may be mentioning secretPath is depreciated would be great. As both option was optional from the start, this should give customers less headache.

Sounds good. We could also just keep secretPath and ensure the documentation is clear. Your suggestion of keeping it around if we do add defaultSecretPath is a much better idea than changing it.

[lgo]

I decided to just avoid adding/changing defaultSecretPath and pushed up the changes, a few test fixes, and quality check fixes. This should now be good and just has a few test conflicts with the other PR (which I'll address once it's in).

[Skarlso]

@lgo Hello 👋 Could you please sign your commits? :)

[lgo]

Done! Sorry, I was away on a trip. I have not yet had a chance to build out the e2e tests either.

Hi @akhilmhdh - just checking if you had any additional testing you'd like to do on your end before checking off?

[Skarlso]

Is this now ready for review?

[lgo]

Yep!

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gusfcarvalho]

Hi @lgo ! Were you able to address the points @Skarlso mentioned?

[akhilmhdh]

Hi @Skarlso @gusfcarvalho @lgo

I don't have push access to this branch. Can I make the changes requested as another PR with your commits to make this merged, if @lgo doesn't have time to continue working on it? We would love to see this changes getting shipped.

[gusfcarvalho]

As long as you’re fork from @lgo repo, so his contributions thus far are correctly accredited to him, I’m up for it 😄

[lgo]

Heh, yea - sorry this went stale! I haven't had a lot of spare time lately and I've worked around this by using a custom build that included this patch.

Do feel free to fork this to take it over the finish line (if you don't get to it by EOW, I do have a long weekend that I can likely come back and rebase + address those)

[lgo]

(actually, I'll go ahead and handle the rebase right now as I already had a rebased branch and roll in the existing PR feedback just to leave a slightly cleaner slate, whether or not there's further work needed)

[lgo]

Okay I've pushed up a rebase, squashed the commits down, and addressed the one feedback. Two things that still need to be done:

• Make sure the unit tests are still working. (For some reason go test <file> isn't working and make unit-test is failing but with a large wall of text so I need to revisit that)
• Deploy this and step through the test cases I outlined again
• Check whether Infisical's API requires a leading / on the secretPath query param (https://infisical.com/docs/api-reference/endpoints/secrets/read#parameter-secret-path). If they do, I'll make this much clearer in the code as I've partially written up error / defensive cases for tihs.

I'll take a pass at this later tonight, or tomorrow morning, and see if I can wrap these items up.

[typedrat]

Okay I've pushed up a rebase, squashed the commits down, and addressed the one feedback. Two things that still need to be done:

• Make sure the unit tests are still working. (For some reason go test <file> isn't working and make unit-test is failing but with a large wall of text so I need to revisit that)
• Deploy this and step through the test cases I outlined again
• Check whether Infisical's API requires a leading / on the secretPath query param (https://infisical.com/docs/api-reference/endpoints/secrets/read#parameter-secret-path). If they do, I'll make this much clearer in the code as I've partially written up error / defensive cases for tihs.

I'll take a pass at this later tonight, or tomorrow morning, and see if I can wrap these items up.

Any updates on this? I really prefer using external-secrets over the native Infisical operator, and this would really help make it a lot more usable.

[gusfcarvalho]

Hi @typedrat! If you can take the remaining points from these commits and push your contribution to it, I’d gladly review it!

otherwise, chances are this might go stale just because that’s the nature of community driven effort 🤷🏽‍♂️

[typedrat]

Hi @typedrat! If you can take the remaining points from these commits and push your contribution to it, I’d gladly review it!

otherwise, chances are this might go stale just because that’s the nature of community driven effort 🤷🏽‍♂️

Fair enough, I know how open source goes haha

I don't know Go and I've only got the barest bit of experience with using Infisical's API, so I don't know if I'm really the one to get this over the finish line myself, but I'll come back and look at this when I'm out of my work crunch if no one else has picked this up.

[Skarlso]

@typedrat I'll take a look. :)

[Skarlso]

I had to rebase to get the signed commit to work, but I left an On-behalf-of in the commit message to make sure to credit OP. :) I also tested with a free account and it seems to work as expected as far as I understand it.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Adriien-M]

Thanks @Skarlso for your work 👍